
DDS log for unknown spyware causing search engine redirect, browser slowness and sporadic disconnections


This topic is locked
23 replies to this topic

#1 RustyCabbage

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 25 July 2009 - 03:27 PM

AVG/Spybot yield no relief, so I was hoping somebody would be so kind as to take a look at my DDS log? I have no idea what to do, and the problems seem to be getting worse. They are:

Frequently being disconnected from Messenger/webpages timing out, as well as Google redirecting me ~50% of the time I click links (often redirected to livetosearch.co.uk, if that's any help). Browser running pretty slow on this new computer as well. So yeah, here's the DDS log, and thanks a lot for taking a look.

DDS (Ver_09-06-26.01) - NTFSx86
Run by RoryLaptop at 20:42:47.14 on 25/07/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.517 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RoryLaptop\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.thetechguys.com
mDefault_Page_URL = hxxp://www.thetechguys.com
uInternet Connection Wizard,ShellNext = hxxp://www.thetechguys.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: NameServer = 85.255.112.87,85.255.112.195
TCP: {98CB15F5-3D54-4E8C-B22B-A3BECC682900} = 85.255.112.87,85.255.112.195
TCP: {C47AC4D9-F0E8-42B8-B9F4-51E6BAB45C19} = 85.255.112.87,85.255.112.195
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\roryla~1\applic~1\mozilla\firefox\profiles\4vblinlm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-4 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-4 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-4 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-4 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-4 298776]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-5-30 159744]
R2 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-5-30 153600]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [2008-5-30 263680]
S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-7-3 234888]
S2 gupdate1ca07f7fa2f92be;Google Update Service (gupdate1ca07f7fa2f92be);c:\program files\google\update\GoogleUpdate.exe [2009-7-18 133104]

=============== Created Last 30 ================

2009-07-25 20:36 <DIR> --d----- c:\program files\Trend Micro
2009-07-25 20:15 <DIR> --d----- c:\program files\STOPzilla!
2009-07-25 20:15 <DIR> --d----- c:\program files\common files\iS3
2009-07-25 20:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-07-25 14:34 <DIR> --d----- c:\program files\PokerStars
2009-07-20 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-07-20 14:56 311,296 a----r-- c:\windows\system32\SZBase5.dll
2009-07-20 14:56 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-07-18 00:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-18 00:14 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-15 12:56 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-15 12:56 208,744 a------- c:\windows\system32\muweb.dll
2009-07-15 12:56 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-15 11:58 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-07-15 11:25 197,120 a------- c:\windows\patchw32.dll
2009-07-15 11:25 <DIR> --d----- c:\program files\common files\PocketSoft
2009-07-15 00:38 <DIR> --d----- c:\program files\e-Speaking
2009-07-14 17:27 <DIR> --d----- c:\documents and settings\rorylaptop\Tracing
2009-07-14 17:22 <DIR> --d----- c:\program files\Microsoft
2009-07-14 17:22 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-14 17:18 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-09 15:52 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-07-09 15:52 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-07-09 15:51 385,024 a----r-- c:\windows\system32\IS3UI5.dll
2009-07-09 15:51 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-07-09 15:51 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-07-09 15:50 225,280 a----r-- c:\windows\system32\IS3Win325.dll
2009-07-09 15:50 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-07-09 15:50 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-07-09 15:47 724,992 a----r-- c:\windows\system32\IS3Base5.dll
2009-07-05 05:35 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-07-05 05:35 17,212 a------t c:\windows\system32\SIntf32.dll
2009-07-05 05:35 12,067 a------t c:\windows\system32\SIntf16.dll
2009-07-05 05:33 18,280 a------- c:\windows\DIIUnin.dat
2009-07-05 05:33 94,208 a------- c:\windows\DIIUnin.exe
2009-07-05 05:33 2,829 a------- c:\windows\DIIUnin.pif
2009-07-05 05:32 <DIR> --d----- c:\program files\Diablo II
2009-07-05 04:51 <DIR> --d----- c:\program files\Atari
2009-07-05 03:03 <DIR> --d----- c:\program files\common files\DivX Shared
2009-07-05 03:02 <DIR> --d----- c:\program files\DivX
2009-07-05 01:29 227 a------- c:\windows\PowerReg.dat
2009-07-05 01:29 45,568 a------- c:\windows\UniFish3.exe
2009-07-05 01:28 <DIR> --d----- c:\program files\Hasbro Interactive
2009-07-04 22:52 <DIR> --d----- c:\program files\Bullfrog
2009-07-04 22:51 299,008 a------- c:\windows\uninst.exe
2009-07-04 22:51 <DIR> --d----- c:\documents and settings\rorylaptop\WINDOWS
2009-07-04 19:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-07-04 19:14 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-07-04 19:14 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-07-04 19:05 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-04 19:05 <DIR> --d----- c:\docume~1\roryla~1\applic~1\DAEMON Tools Lite
2009-07-04 04:54 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-07-04 04:54 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-07-04 04:53 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-04 04:53 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-04 04:53 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-04 04:52 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-07-04 04:50 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-04 03:00 <DIR> --d----- c:\windows\system32\PreInstall
2009-07-04 03:00 <DIR> --d-h--- c:\windows\$hf_mig$
2009-07-04 00:49 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-04 00:41 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-04 00:41 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-04 00:41 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-04 00:41 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-04 00:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-04 00:41 <DIR> --d----- c:\program files\AVG
2009-07-04 00:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-03 22:57 <DIR> --d----- c:\windows\system32\XPSViewer
2009-07-03 22:56 14,048 -------- c:\windows\system32\spmsg2.dll
2009-07-03 22:56 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-07-03 20:15 <DIR> --d----- C:\games
2009-07-03 20:08 <DIR> --d----- c:\docume~1\roryla~1\applic~1\Spotify
2009-07-03 20:08 <DIR> --d----- c:\program files\Spotify
2009-07-03 17:44 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-07-03 17:44 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-07-03 17:43 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-07-03 17:43 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-07-03 17:02 <DIR> --d----- c:\program files\AskBarDis
2009-07-03 17:02 <DIR> --d----- c:\program files\uTorrent
2009-07-03 17:02 <DIR> --d----- c:\docume~1\roryla~1\applic~1\uTorrent
2009-07-03 15:30 <DIR> --d----- c:\program files\Dofus
2009-07-03 15:23 <DIR> --ds---- c:\documents and settings\rorylaptop\UserData
2009-07-03 15:21 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-07-03 12:19 <DIR> --d----- c:\documents and settings\RoryLaptop
2009-07-03 12:12 8,192 a------- c:\windows\REGLOCS.OLD

==================== Find3M ====================

2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 22:03 129,784 -------- c:\windows\system32\pxafs.dll
2009-05-01 22:03 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-05-01 22:03 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-05-01 22:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 22:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 22:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 22:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 22:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-29 05:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 05:46 81,920 a------- c:\windows\system32\ieencode.dll

============= FINISH: 20:43:12.03 ===============

Thanks,
Rory
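Added example, not part of Rory's post and not code from the DDS tool: a short Python triage of the "Pseudo HJT Report" section above. The lines that explain a search redirect without any visible browser change are the TCP: NameServer entries, which send every DNS lookup from this laptop to 85.255.112.87 and 85.255.112.195 instead of the router's or ISP's resolvers (85.255.112.0/20 is a range later publicly identified as DNSChanger rogue-resolver space), and any Winlogon Userinit value that carries more than userinit.exe, since everything listed there runs at each logon. The script flags public resolvers that are not on a caller-supplied trusted list (assumption: the analyst knows the ISP's resolvers; with the default empty list every public resolver is flagged for review), anything appended to the stock Userinit path (assumption: c:\windows\system32\userinit.exe), and orphaned "No File" hooks as cleanup items. The sample report is constructed to mirror the shape of the entries in this thread; the Userinit line is a constructed illustration of the padded form.

```python
"""Triage a DDS 'Pseudo HJT Report' for the entries that explain search
redirects: rogue DNS resolvers, a padded Winlogon Userinit value, and
orphaned ('No File') hooks.  Added example; not part of the original post
and not code from the DDS tool."""
import ipaddress
import re

# Constructed sample modelled on the kinds of lines in the logs in this thread.
SAMPLE_REPORT = r"""
uURLSearchHooks: H - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\oembios.exe,
TCP: NameServer = 85.255.112.87,85.255.112.195
TCP: {98CB15F5-3D54-4E8C-B22B-A3BECC682900} = 85.255.112.87,85.255.112.195
TCP: {C47AC4D9-F0E8-42B8-B9F4-51E6BAB45C19} = 192.168.1.1
Notify: igfxcui - igfxdev.dll
"""

# The only Userinit value a stock XP install should carry (assumption: default path).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# "TCP: NameServer = a,b" and the per-adapter "TCP: {GUID} = a,b" forms.
NAMESERVER_RE = re.compile(r"^TCP:\s+(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.*)$", re.I)
USERINIT_RE = re.compile(r"^mWinlogon:\s+Userinit=(.*)$", re.I)


def is_rogue_resolver(addr, trusted=()):
    """True for a public resolver that is not on the caller's trusted list.
    Private, loopback and link-local addresses are the router/ISP defaults
    and are never flagged.  `trusted` holds the ISP's (or other known) resolvers;
    assumption: the analyst supplies them."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return False
    return addr not in trusted


def rogue_nameservers(lines, trusted=()):
    """Collect every flagged resolver across all TCP: entries, sorted numerically."""
    found = set()
    for line in lines:
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        for addr in re.split(r"[,\s]+", m.group(1).strip()):
            if addr and is_rogue_resolver(addr, trusted):
                found.add(addr)
    return sorted(found, key=ipaddress.ip_address)


def userinit_extras(lines):
    """Anything after userinit.exe in the Userinit value runs at every logon."""
    extras = []
    for line in lines:
        m = USERINIT_RE.match(line)
        if not m:
            continue
        for part in m.group(1).split(","):
            part = part.strip().lower()
            if part and part != EXPECTED_USERINIT:
                extras.append(part)
    return extras


def orphaned_hooks(lines):
    """Hooks/BHOs whose DLL is gone: harmless on their own, but cleanup items."""
    return [l for l in lines if l.rstrip().endswith("- No File")]


def triage(report_text, trusted=()):
    """Run all three checks over the text of a Pseudo HJT Report section."""
    lines = [l for l in report_text.splitlines() if l.strip()]
    return {
        "rogue_nameservers": rogue_nameservers(lines, trusted),
        "userinit_extras": userinit_extras(lines),
        "orphans": orphaned_hooks(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

To use it on a real log, pass the text between the "Pseudo HJT Report" header and the next section to triage(), with the ISP's resolvers in trusted so only unexpected ones remain. A flagged resolver should then be confirmed on the machine itself with ipconfig /all, and the router's own DNS settings checked too, since the DDS log only shows what the laptop has configured.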



#2 RustyCabbage
  • Topic Starter
  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 25 July 2009 - 04:10 PM

The problem seems to be getting far worse. Just got a blue screen, and the computer has frozen up and become completely unresponsive a couple of times. HJT doesn't seem to work either; when I try to run it nothing happens... Sorry if I'm seeming impatient after such a short time, I'm just really worried because I paid £200 for this laptop less than a week ago :/

Hello RustyCabbage,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, and do not respond to such requests, is that a reply would remove you from the active queue that Techs and Staff have access to. The malware staff check the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post instead of a reply. Please do not make multiple posts here, as that only pushes you further down the queue and causes confusion for the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)


Edit by Rusty

Sorry about that, just panicking a bit. Appreciate the work you guys are doing and apologise for being impatient. I have had 2 more blue screens since I bumped, so I doubt it was a coincidence, unless it's some hardware problem maybe... Refurbished laptop from a reputable retailer.

Thanks again,
Rory

No problem Rory.

Edited by The weatherman, 29 July 2009 - 05:18 PM.


#3 fireman4it
    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:01 AM

Posted 04 August 2009 - 04:57 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#4 RustyCabbage
  • Topic Starter
  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 04 August 2009 - 06:26 PM

Thanks a lot for getting back to me. Since my last post the problems I explained earlier have got worse and new ones have developed. They are:

1. Google search results redirect me to mainly skooble.com or something called search pro... The odd time something different but mostly those two.

2. General slowness while browsing, not that bad at all most of the time, but once or twice got very bad.

3. More popups for bleep enlarging supplements than I would appreciate.

4. (new) Upon opening my laptop or starting up after it has been in 'sleep' mode I get either a msg box saying "unknown hard error" (only started doing this since I got infected) or a blue screen/memory dump.

5. (new) When I boot the computer up, often the automated shutdown process initiates (the kind that can be stopped with the batch cmd shutdown -a). I will try to remember exactly what it says next time and post that up.

I think that's it... AVG finds many 'warnings' which it can't remove... I think they are cookies; will post up some names when the scan is finished.

So yeah... Thanks a lot for reading, eagerly awaiting your reply. Here is the new DDS log:


DDS (Ver_09-07-30.01) - NTFSx86
Run by RoryLaptop at 0:08:07.57 on 05/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.422 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\RoryLaptop\My Documents\Downloads\dds(2).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.thetechguys.com
mDefault_Page_URL = hxxp://www.thetechguys.com
uInternet Connection Wizard,ShellNext = hxxp://www.thetechguys.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\oembios.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Toolfish] c:\program files\toolfish\toolfish.exe -minimize
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: NameServer = 85.255.112.87,85.255.112.195
TCP: {98CB15F5-3D54-4E8C-B22B-A3BECC682900} = 85.255.112.87,85.255.112.195
TCP: {C47AC4D9-F0E8-42B8-B9F4-51E6BAB45C19} = 85.255.112.87,85.255.112.195
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\roryla~1\applic~1\mozilla\firefox\profiles\4vblinlm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bleepingcomputer.com/forums/lofiversion/index.php/t244387.html
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-4 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-4 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-4 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-4 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-4 298776]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-5-30 159744]
R2 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-5-30 153600]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [2008-5-30 263680]
S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-7-3 234888]
S2 gupdate1ca07f7fa2f92be;Google Update Service (gupdate1ca07f7fa2f92be);c:\program files\google\update\GoogleUpdate.exe [2009-7-18 133104]

=============== Created Last 30 ================

2009-08-03 02:46 1,215,997 a------- c:\windows\system32\xa.tmp
2009-07-31 03:05 <DIR> --d----- c:\windows\system32\LogFiles
2009-07-29 16:47 <DIR> --d----- c:\program files\World of Warcraft
2009-07-29 16:47 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-07-29 12:53 <DIR> --d----- c:\program files\World of Warcraft.temp
2009-07-29 12:53 <DIR> --d----- c:\program files\common files\Blizzard Entertainment.temp
2009-07-29 12:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2009-07-29 12:27 <DIR> --d----- c:\program files\World of Warcraft Trial
2009-07-28 15:27 <DIR> --d----- c:\program files\Toolfish
2009-07-27 15:04 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-27 15:04 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-27 15:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-27 15:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-25 20:36 <DIR> --d----- c:\program files\Trend Micro
2009-07-25 20:15 <DIR> --d----- c:\program files\STOPzilla!
2009-07-25 20:15 <DIR> --d----- c:\program files\common files\iS3
2009-07-25 20:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-07-25 14:34 <DIR> --d----- c:\program files\PokerStars
2009-07-20 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-07-20 14:56 311,296 a----r-- c:\windows\system32\SZBase5.dll
2009-07-20 14:56 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-07-18 00:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-18 00:14 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-15 12:56 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-15 12:56 208,744 a------- c:\windows\system32\muweb.dll
2009-07-15 12:56 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-15 11:58 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-07-15 11:25 197,120 a------- c:\windows\patchw32.dll
2009-07-15 11:25 <DIR> --d----- c:\program files\common files\PocketSoft
2009-07-15 00:38 <DIR> --d----- c:\program files\e-Speaking
2009-07-14 17:27 <DIR> --d----- c:\documents and settings\rorylaptop\Tracing
2009-07-14 17:22 <DIR> --d----- c:\program files\Microsoft
2009-07-14 17:22 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-14 17:18 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-09 15:52 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-07-09 15:52 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-07-09 15:51 385,024 a----r-- c:\windows\system32\IS3UI5.dll
2009-07-09 15:51 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-07-09 15:51 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-07-09 15:50 225,280 a----r-- c:\windows\system32\IS3Win325.dll
2009-07-09 15:50 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-07-09 15:50 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-07-09 15:47 724,992 a----r-- c:\windows\system32\IS3Base5.dll

==================== Find3M ====================

2009-07-17 16:40 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-05 05:46 18,280 a------- c:\windows\DIIUnin.dat
2009-07-05 05:41 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-07-05 05:41 17,212 a------t c:\windows\system32\SIntf32.dll
2009-07-05 05:41 12,067 a------t c:\windows\system32\SIntf16.dll
2009-07-05 05:33 94,208 a------- c:\windows\DIIUnin.exe
2009-07-05 05:33 2,829 a------- c:\windows\DIIUnin.pif
2009-07-04 19:05 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-04 00:41 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-04 00:41 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll

============= FINISH: 0:11:33.82 ===============


Attach:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 03/07/2009 12:18:48
System Uptime: 08/04/2009 23:43:47 (2833 hours ago)

Motherboard: DIXONSXP | | Advent 4211
Processor: Intel® Atom™ CPU N270 @ 1.60GHz | CPU 1 | 1600/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 72 GiB total, 27.051 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
AAC Decoder
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Apple Software Update
Ask Toolbar
AutoUpdate
AVG Free 8.5
Bluetooth Stack for Windows by Toshiba
Choice Guard
Civilization III Complete Edition
Compatibility Pack for the 2007 Office system
CyberLink YouCam
DAEMON Tools Toolbar
Diablo II
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Dofus 1.27.0
GameSpy Comrade
Google Chrome
Google Earth
Google Update Helper
Google Updater
H.264 Decoder
Hotfix for Windows XP (KB952287)
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 14
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft Application Error Reporting
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MKV Splitter
Mozilla Firefox (3.5.2)
MSVCRT
OmegaBR
PokerStars
QuickTime
Realtek Card Reader
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
REALTEK RTL8187SE Wireless LAN Driver
Roll
RollerCoaster Tycoon® 3
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Segoe UI
Spotify
STOPzilla
Synaptics Pointing Device Driver
System Control Manager
Theme Hospital
Toolfish Utility Suite (remove only)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
Voice and Speech Recognition Software
WebFldrs XP
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
World of Warcraft
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

31/07/2009 17:27:03, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the STOPzilla Service service to connect.
31/07/2009 17:27:03, error: Service Control Manager [7000] - The STOPzilla Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
30/07/2009 00:21:08, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg8wd service.
04/08/2009 23:40:31, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
04/08/2009 16:15:13, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
04/08/2009 14:25:37, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8589bda0, parameter3 8589bf14, parameter4 805d297c.
03/08/2009 17:43:18, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
03/08/2009 12:52:35, error: Service Control Manager [7001] - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error: The pipe state is invalid.
03/08/2009 12:52:35, error: Service Control Manager [7000] - The Terminal Services service failed to start due to the following error: The pipe state is invalid.
03/08/2009 02:55:13, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
03/08/2009 00:17:17, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
01/08/2009 15:00:00, error: MRxSmb [8003] - The master browser has received a server announcement from the computer DELL that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C47AC4D9-F0E8-42B8-B9F4. The master browser is stopping or an election is being forced.

==== End Of File ===========================


Thank you so much for your time :thumbup2:.

#5 extremeboy

Malware Response Team

Posted 05 August 2009 - 03:20 PM

Hello.

Please run Malwarebytes, followed by a rootkit scan.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 RustyCabbage

Topic Starter

Posted 06 August 2009 - 06:18 AM

Hm... This malware doesn't seem to want to let Malwarebytes run... When I tried to download it, I kept getting redirected to nonexistent webpages, so I downloaded it on another computer and put it on this one... Although nothing happens when I try to run the program :/.... Any suggestions?

#7 extremeboy

Malware Response Team

Posted 06 August 2009 - 12:27 PM

Hello.

Skip the Malwarebytes part and see if GMER works here.

I can probably conclude from your description that you have a nasty infection on board that we are going to deal with, but I can't be certain without seeing the GMER log first. If GMER doesn't work either, let me know.

~Extremeboy

#8 RustyCabbage

Topic Starter

Posted 06 August 2009 - 12:52 PM

GMER worked fine and detected... something. Here's the log:

GMER 1.0.15.15011 [6pbh558h.exe] - http://www.gmer.net
Rootkit scan 2009-08-06 18:47:29
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spxl.sys ZwCreateKey [0xF73F20E0] <-- ROOTKIT !!!
SSDT spxl.sys ZwEnumerateKey [0xF7410CA4] <-- ROOTKIT !!!
SSDT spxl.sys ZwEnumerateValueKey [0xF7411032] <-- ROOTKIT !!!
SSDT spxl.sys ZwOpenKey [0xF73F20C0] <-- ROOTKIT !!!
SSDT spxl.sys ZwQueryKey [0xF741110A] <-- ROOTKIT !!!
SSDT spxl.sys ZwQueryValueKey [0xF7410F8A] <-- ROOTKIT !!!
SSDT spxl.sys ZwSetValueKey [0xF741119C] <-- ROOTKIT !!!

INT 0x62 ? 86569BF8
INT 0x63 ? 8646BC80
INT 0x73 ? 8646BC80
INT 0x82 ? 86569BF8
INT 0xA4 ? 8646BC80
INT 0xB4 ? 8646BC80

Code 85DD2068 ZwFlushInstructionCache
Code 85F32066 IofCallDriver
Code 85F1A066 IofCompleteRequest
Code 85E5E065 ZwSaveKey
Code 8602645D ZwSaveKeyEx

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 865681F8
Device \FileSystem\Fastfat \FatCdrom 859261F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{98CB15F5-3D54-4E8C-B22B-A3BECC682900} 858FD1F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\PCI_PNP5794 \Device\00000050 spxl.sys
Device \Driver\PCI_PNP5794 \Device\00000050 spxl.sys
Device \Driver\usbuhci \Device\USBPDO-0 8651F500
Device \Driver\usbehci \Device\USBPDO-1 865121F8
Device \Driver\usbuhci \Device\USBPDO-2 8651F500
Device \Driver\usbuhci \Device\USBPDO-3 8651F500
Device \Driver\usbuhci \Device\USBPDO-4 8651F500

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 865DB1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 865DB1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 858FD1F8
Device \Driver\NetBT \Device\NetbiosSmb 858FD1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C47AC4D9-F0E8-42B8-B9F4-51E6BAB45C19} 858FD1F8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 8651F500
Device \Driver\usbuhci \Device\USBFDO-1 8651F500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85816500
Device \Driver\usbuhci \Device\USBFDO-2 8651F500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85816500
Device \Driver\usbuhci \Device\USBFDO-3 8651F500
Device \Driver\usbehci \Device\USBFDO-4 865121F8
Device \Driver\sptd \Device\2099778294 spxl.sys
Device \Driver\Ftdisk \Device\FtControl 865DB1F8
Device \Driver\akxummw0 \Device\Scsi\akxummw01Port2Path0Target0Lun0 86474500
Device \Driver\akxummw0 \Device\Scsi\akxummw01 86474500
Device \FileSystem\Fastfat \Fat 859261F8

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 84F041F8
Device \FileSystem\Cdfs \Cdfs A8ACDBCE

---- Threads - GMER 1.0.15 ----

Thread System [4:728] 85890470
Thread avgrsx.exe [404:1504] 05DB5008
Thread avgrsx.exe [404:2760] 05DD5008
Thread avgcsrvx.exe [2348:2228] 04FE5008

---- Processes - GMER 1.0.15 ----

Process (*** hidden *** ) [0] A90B99A0
Process (*** hidden *** ) [0] C4D8AC0
Process (*** hidden *** ) [0] 4E005200
Process (*** hidden *** ) [0] 854850B8
Process (*** hidden *** ) [0] A90B9394

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\ESQULrxmlalkyxwskyykmxfadbarsthxwbrpd.sys (*** hidden *** ) [SYSTEM] ESQULserv.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#9 extremeboy

Malware Response Team

Posted 06 August 2009 - 01:13 PM

Hello.

Thanks for the log.

We are going to start with Combofix.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

With Regards,
Extremeboy

#10 RustyCabbage

Topic Starter

Posted 06 August 2009 - 01:52 PM

Argh... Downloaded ComboFix but when I open the executable nothing happens, like for HJT and malwarebytes...

Any ideas?

#11 extremeboy

Malware Response Team

Posted 06 August 2009 - 09:12 PM

Hello.

Let's re-name it and see if it works. If not, let me know and we will try something else.

Download and Run ComboFix (Rename Before Saving)


Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will open a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouseclick the ComboFix window while it's running. That may cause it to stall.

~Extremeboy

#12 RustyCabbage (Topic Starter, Members, 14 posts)

Posted 07 August 2009 - 06:20 AM

Renaming was successful and seems to have removed a lot of problems (faster, no more search engine redirects, pop-ups have stopped); however, my computer still tries to shut down at random times. Thanks for all your help so far, here's the log you asked for:


ComboFix 09-08-06.01 - RoryLaptop 07/08/2009 11:57.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.611 [GMT 1:00]
Running from: c:\documents and settings\RoryLaptop\My Documents\Downloads\ComboFixa.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\13915464
c:\docume~1\ALLUSE~1\APPLIC~1\13915464\13915464.exe
c:\documents and settings\LocalService\Application Data\sysproc64
c:\documents and settings\LocalService\Application Data\sysproc64\sysproc32.sys
c:\windows\system32\drivers\ESQULrxmlalkyxwskyykmxfadbarsthxwbrpd.sys
c:\windows\system32\ESQULfjxjlgiqjenbscugdmqpdoyrbbgtetlt.dll
c:\windows\system32\ESQULuriuiqublotpqvvkootwwabdpfcdoojn.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\ipcmd.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\oembios.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\sysdiag.dll
c:\windows\system32\sysproc64
c:\windows\system32\sysproc64\sysproc32.sys
c:\windows\system32\sysproc64\sysproc32.sys.cla
c:\windows\system32\sysproc64\sysproc86.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))
.

2009-08-06 18:25 . 2009-08-06 18:25 223456 ----a-w- c:\windows\system32\drivers\nrt1cb1.sys
2009-08-06 18:25 . 2009-08-06 18:25 223456 ----a-w- c:\windows\system32\drivers\hll846a.sys
2009-08-06 16:45 . 2009-08-06 16:45 223456 ----a-w- c:\windows\system32\drivers\lnad54b.sys
2009-08-06 16:45 . 2009-08-06 16:45 223456 ----a-w- c:\windows\system32\drivers\osa318e.sys
2009-08-06 11:12 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-06 11:12 . 2009-08-06 11:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 11:12 . 2009-08-06 11:12 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-06 11:12 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 20:35 . 2009-08-05 20:35 223456 ----a-w- c:\windows\system32\drivers\lqs8b8c.sys
2009-08-05 19:38 . 2009-08-05 19:38 223456 ----a-w- c:\windows\system32\drivers\fkm07bb.sys
2009-08-05 17:23 . 2009-08-05 17:23 223456 ----a-w- c:\windows\system32\drivers\rtd9b57.sys
2009-08-05 17:23 . 2009-08-05 17:23 223456 ----a-w- c:\windows\system32\drivers\osa3883.sys
2009-08-05 16:43 . 2009-08-05 16:43 223456 ----a-w- c:\windows\system32\drivers\nrtc946.sys
2009-08-05 16:43 . 2009-08-05 16:43 223456 ----a-w- c:\windows\system32\drivers\prc0a80.sys
2009-08-05 07:59 . 2009-08-05 07:59 223456 ----a-w- c:\windows\system32\drivers\gnp83cb.sys
2009-08-05 07:59 . 2009-08-05 07:59 223456 ----a-w- c:\windows\system32\drivers\otb19a8.sys
2009-08-05 05:29 . 2009-08-05 05:29 223456 ----a-w- c:\windows\system32\drivers\tegc1c1.sys
2009-08-05 05:29 . 2009-08-05 05:29 223456 ----a-w- c:\windows\system32\drivers\sacb532.sys
2009-08-05 04:23 . 2009-08-05 04:23 223456 ----a-w- c:\windows\system32\drivers\qbca524.sys
2009-08-05 04:23 . 2009-08-05 04:23 223456 ----a-w- c:\windows\system32\drivers\lnp2b88.sys
2009-08-04 22:51 . 2009-08-04 23:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-07-31 02:05 . 2009-07-31 02:05 -------- d-----w- c:\windows\system32\LogFiles
2009-07-29 15:47 . 2009-07-31 15:04 -------- d-----w- c:\program files\World of Warcraft
2009-07-29 15:47 . 2009-07-29 18:17 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-07-29 11:53 . 2009-07-29 11:53 -------- d-----w- c:\program files\World of Warcraft.temp
2009-07-29 11:53 . 2009-07-29 11:53 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment.temp
2009-07-29 11:30 . 2009-07-29 11:30 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Blizzard
2009-07-29 11:27 . 2009-07-29 15:39 -------- d-----w- c:\program files\World of Warcraft Trial
2009-07-28 14:27 . 2009-07-28 14:27 -------- d-----w- c:\program files\Toolfish
2009-07-27 12:11 . 2009-07-27 12:11 -------- d-----w- c:\windows\Sun
2009-07-25 19:36 . 2009-07-25 19:36 -------- d-----w- c:\program files\Trend Micro
2009-07-25 19:15 . 2009-07-25 19:15 -------- d-----w- c:\program files\STOPzilla!
2009-07-25 19:15 . 2009-07-25 19:15 -------- d-----w- c:\program files\Common Files\iS3
2009-07-25 19:15 . 2009-08-07 10:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\STOPzilla!
2009-07-25 13:34 . 2009-07-27 23:01 -------- d-----w- c:\program files\PokerStars
2009-07-25 01:58 . 2009-07-25 01:58 -------- d-----w- c:\documents and settings\RoryLaptop\Application Data\Apple Computer
2009-07-25 01:31 . 2009-07-25 01:32 -------- d-----w- c:\program files\QuickTime
2009-07-25 01:31 . 2009-07-25 01:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer
2009-07-25 01:31 . 2009-07-25 01:31 -------- d-----w- c:\documents and settings\RoryLaptop\Local Settings\Application Data\Apple
2009-07-25 01:31 . 2009-07-25 01:31 -------- d-----w- c:\program files\Apple Software Update
2009-07-25 01:31 . 2009-07-25 01:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-07-25 01:31 . 2009-07-25 01:31 -------- d-----w- c:\documents and settings\RoryLaptop\Local Settings\Application Data\Apple Computer
2009-07-20 13:57 . 2009-07-20 13:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 13:56 . 2009-07-20 13:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 13:56 . 2009-07-20 13:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-19 14:51 . 2009-07-19 14:52 -------- d-----w- c:\documents and settings\RoryLaptop\Local Settings\Application Data\Temp
2009-07-18 22:33 . 2009-07-18 22:33 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-07-17 23:14 . 2009-07-17 23:14 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 23:14 . 2009-07-17 23:14 -------- d-----w- c:\program files\Java
2009-07-17 23:13 . 2009-07-17 23:13 152576 ----a-w- c:\documents and settings\RoryLaptop\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-15 11:56 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-15 11:56 . 2008-10-16 13:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-07-15 10:58 . 2009-07-15 11:48 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-07-15 10:25 . 2002-02-27 17:50 197120 ----a-w- c:\windows\patchw32.dll
2009-07-15 10:25 . 2009-07-15 10:25 -------- d-----w- c:\program files\Common Files\PocketSoft
2009-07-14 23:38 . 2009-07-14 23:38 1078 ----a-r- c:\documents and settings\RoryLaptop\Application Data\Microsoft\Installer\{6624A46E-1215-4525-A7BB-237B6C877EA9}\_235022ee.exe
2009-07-14 23:38 . 2009-07-14 23:38 1078 ----a-r- c:\documents and settings\RoryLaptop\Application Data\Microsoft\Installer\{6624A46E-1215-4525-A7BB-237B6C877EA9}\_120759a.exe
2009-07-14 23:38 . 2009-07-14 23:38 -------- d-----w- c:\program files\e-Speaking
2009-07-14 16:27 . 2009-08-07 10:31 -------- d-----w- c:\documents and settings\RoryLaptop\Tracing
2009-07-14 16:22 . 2009-07-14 16:22 -------- d-----w- c:\program files\Microsoft
2009-07-14 16:22 . 2009-07-14 16:22 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-14 16:22 . 2009-07-14 16:22 -------- d-----w- c:\program files\Windows Live
2009-07-14 16:18 . 2009-07-14 16:18 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-09 14:52 . 2009-07-09 14:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 14:52 . 2009-07-09 14:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 14:51 . 2009-07-09 14:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 14:51 . 2009-07-09 14:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 14:51 . 2009-07-09 14:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 14:50 . 2009-07-09 14:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 14:50 . 2009-07-09 14:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 14:50 . 2009-07-09 14:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 14:47 . 2009-07-09 14:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-07 11:09 . 2009-07-03 16:02 -------- d-----w- c:\documents and settings\RoryLaptop\Application Data\uTorrent
2009-08-03 01:46 . 2009-08-03 01:46 1215997 ----a-w- c:\windows\system32\xa.tmp
2009-07-28 11:06 . 2009-07-03 14:30 -------- d-----w- c:\program files\Dofus
2009-07-25 03:12 . 2009-07-03 23:41 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-07-22 09:27 . 2009-07-03 19:08 -------- d-----w- c:\documents and settings\RoryLaptop\Application Data\Spotify
2009-07-18 22:36 . 2009-07-05 02:03 -------- d-----w- c:\program files\Google
2009-07-17 15:40 . 2009-07-03 23:41 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-16 02:01 . 2008-05-30 15:51 -------- d-----w- c:\program files\Microsoft Works
2009-07-15 10:22 . 2008-05-30 15:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-15 10:22 . 2009-07-05 03:51 -------- d-----w- c:\program files\Atari
2009-07-15 01:31 . 2009-07-05 06:30 -------- d-----w- c:\documents and settings\RoryLaptop\Application Data\DivX
2009-07-14 16:26 . 2009-07-04 03:58 34000 ----a-w- c:\documents and settings\RoryLaptop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 17:35 . 2009-07-05 04:32 -------- d-----w- c:\program files\Diablo II
2009-07-05 04:46 . 2009-07-05 04:33 18280 ----a-w- c:\windows\DIIUnin.dat
2009-07-05 04:41 . 2009-07-05 04:35 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-05 04:41 . 2009-07-05 04:35 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-05 04:41 . 2009-07-05 04:35 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-05 04:33 . 2009-07-05 04:33 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-05 04:33 . 2009-07-05 04:33 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-05 03:58 . 2009-07-05 03:58 -------- d-----w- c:\documents and settings\RoryLaptop\Application Data\Leadertech
2009-07-05 03:50 . 2008-05-30 15:29 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-05 03:40 . 2009-07-03 23:41 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-07-05 02:04 . 2009-07-05 02:02 -------- d-----w- c:\program files\DivX
2009-07-05 02:03 . 2009-07-05 02:03 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-05 00:29 . 2009-07-05 00:29 227 ----a-w- c:\windows\PowerReg.dat
2009-07-05 00:28 . 2009-07-05 00:28 -------- d-----w- c:\program files\Hasbro Interactive
2009-07-04 21:55 . 2009-07-04 18:14 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-04 21:54 . 2009-07-03 21:57 98008 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-04 21:52 . 2009-07-04 21:52 -------- d-----w- c:\program files\Bullfrog
2009-07-04 21:50 . 2009-07-04 18:05 -------- d-----w- c:\documents and settings\RoryLaptop\Application Data\DAEMON Tools Lite
2009-07-04 18:14 . 2009-07-04 18:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\DAEMON Tools Lite
2009-07-04 18:14 . 2009-07-04 18:14 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-04 18:05 . 2009-07-04 18:05 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-04 03:58 . 2009-07-04 03:58 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\CyberLink
2009-07-03 23:41 . 2009-07-03 23:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-03 23:41 . 2009-07-03 23:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-03 23:41 . 2009-07-03 23:41 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-03 23:41 . 2009-07-03 23:41 -------- d-----w- c:\program files\AVG
2009-07-03 22:00 . 2009-07-03 22:00 -------- d-----w- c:\program files\GameSpy
2009-07-03 21:57 . 2009-07-03 21:57 -------- d-----w- c:\program files\MSBuild
2009-07-03 21:57 . 2009-07-03 21:57 -------- d-----w- c:\program files\Reference Assemblies
2009-07-03 19:08 . 2009-07-03 19:08 -------- d-----w- c:\program files\Spotify
2009-07-03 16:02 . 2009-07-03 16:02 -------- d-----w- c:\program files\AskBarDis
2009-07-03 16:02 . 2009-07-03 16:02 -------- d-----w- c:\program files\uTorrent
2009-07-03 14:26 . 2009-07-03 14:26 0 ----a-w- c:\windows\nsreg.dat
2009-06-16 14:36 . 2008-05-15 19:08 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-05-15 19:07 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2008-05-15 19:07 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-12 13:13 . 2009-05-12 13:13 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 11:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 09:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-03 288048]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-18 39408]
"Toolfish"="c:\program files\Toolfish\toolfish.exe" [2008-05-09 815104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-04-23 778240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-03 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-17 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-03 23:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\games\\AOE\\AOE\\EMPIRESX.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.3.9183-to-3.0.8.9464-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enGB-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/07/2009 00:41 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [04/07/2009 00:41 108552]
R1 gnp83cb;gnp83cb;c:\windows\system32\drivers\gnp83cb.sys [05/08/2009 08:59 223456]
R1 hll846a;hll846a;c:\windows\system32\drivers\hll846a.sys [06/08/2009 19:25 223456]
R1 lnad54b;lnad54b;c:\windows\system32\drivers\lnad54b.sys [06/08/2009 17:45 223456]
R1 lnp2b88;lnp2b88;c:\windows\system32\drivers\lnp2b88.sys [05/08/2009 05:23 223456]
R1 nrt1cb1;nrt1cb1;c:\windows\system32\drivers\nrt1cb1.sys [06/08/2009 19:25 223456]
R1 nrtc946;nrtc946;c:\windows\system32\drivers\nrtc946.sys [05/08/2009 17:43 223456]
R1 osa318e;osa318e;c:\windows\system32\drivers\osa318e.sys [06/08/2009 17:45 223456]
R1 osa3883;osa3883;c:\windows\system32\drivers\osa3883.sys [05/08/2009 18:23 223456]
R1 otb19a8;otb19a8;c:\windows\system32\drivers\otb19a8.sys [05/08/2009 08:59 223456]
R1 prc0a80;prc0a80;c:\windows\system32\drivers\prc0a80.sys [05/08/2009 17:43 223456]
R1 qbca524;qbca524;c:\windows\system32\drivers\qbca524.sys [05/08/2009 05:23 223456]
R1 rtd9b57;rtd9b57;c:\windows\system32\drivers\rtd9b57.sys [05/08/2009 18:23 223456]
R1 sacb532;sacb532;c:\windows\system32\drivers\sacb532.sys [05/08/2009 06:29 223456]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [04/07/2009 00:41 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/07/2009 00:41 298776]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [30/05/2008 16:31 159744]
R2 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [12/05/2009 14:13 61328]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [30/05/2008 16:43 153600]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [30/05/2008 16:24 263680]
S1 tegc1c1;tegc1c1;c:\windows\system32\drivers\tegc1c1.sys [05/08/2009 06:29 223456]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [03/07/2009 17:02 234888]
S2 gupdate1ca07f7fa2f92be;Google Update Service (gupdate1ca07f7fa2f92be);c:\program files\Google\Update\GoogleUpdate.exe [18/07/2009 23:34 133104]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thetechguys.com
uInternet Connection Wizard,ShellNext = hxxp://www.thetechguys.com/
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
FF - ProfilePath - c:\docume~1\RORYLA~1\APPLIC~1\Mozilla\Firefox\Profiles\4vblinlm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bleepingcomputer.com/forums/lofiversion/index.php/t244387.html
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-07 12:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(932)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-08-07 12:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-07 11:11

Pre-Run: 27,933,208,576 bytes free
Post-Run: 29,921,034,240 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

359 --- E O F --- 2009-08-03 16:43

Edited by RustyCabbage, 07 August 2009 - 07:47 AM.
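
The ComboFix log above carries the pattern a helper reads for by eye: more than a dozen kernel drivers, all 223456 bytes, with seven-character random names, written within two days, each registered as an R1/S1 service whose display name is nothing but its own service name; the Windows Firewall switched off ("EnableFirewall"= 0); and a Winsock LSP that the "DLLs Loaded Under Running Processes" section shows inside lsass.exe. The Python script below is an added example by the editor, not part of the thread and not ComboFix's code. It parses a constructed excerpt of the log lines posted above and flags those three things. The reading of the R/S digit as the service start type and the "anonymous driver" heuristic are the editor's assumptions; the script does not attribute the files to any malware family.

```python
import re
from collections import defaultdict

# Constructed excerpt: these lines are copied from the ComboFix log posted in the
# thread; the selection (and everything below it) is the editor's, not ComboFix's.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/07/2009 00:41 335752]
R1 gnp83cb;gnp83cb;c:\windows\system32\drivers\gnp83cb.sys [05/08/2009 08:59 223456]
R1 hll846a;hll846a;c:\windows\system32\drivers\hll846a.sys [06/08/2009 19:25 223456]
R1 lnad54b;lnad54b;c:\windows\system32\drivers\lnad54b.sys [06/08/2009 17:45 223456]
R2 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [12/05/2009 14:13 61328]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [30/05/2008 16:24 263680]
S1 tegc1c1;tegc1c1;c:\windows\system32\drivers\tegc1c1.sys [05/08/2009 06:29 223456]
"EnableFirewall"= 0 (0x0)
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
"""

# One ComboFix service line:
#   <R|S><start> <name>;<display name>;<path> [<dd/mm/yyyy hh:mm> <size>]
# Assumption (editor's reading of the notation): R = running, S = stopped, and the
# digit is the start type: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) "
    r"\[(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}) (?P<size>\d+)\]$"
)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
LSP_RE = re.compile(r"^LSP: (?P<path>.+)$")


def parse_services(text):
    """Return one dict per service/driver line; every other line is ignored."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["start"] = int(rec["start"])
            rec["size"] = int(rec["size"])
            rec["basename"] = rec["path"].rsplit("\\", 1)[-1].lower()
            services.append(rec)
    return services


def is_anonymous_driver(svc):
    """Heuristic: a boot/system-start driver whose display name is just its service
    name and whose file is named after the service. Vendors ship a product name in
    the display field; droppers that generate names at install time do not."""
    return (
        svc["start"] <= 1
        and svc["display"].lower() == svc["name"].lower()
        and svc["basename"] == svc["name"].lower() + ".sys"
    )


def find_driver_clusters(services, min_members=3):
    """Group anonymous drivers by file size. Several files of identical size under
    different random names, written hours apart, is a dropper re-installing the
    same kernel component, not a set of unrelated drivers."""
    by_size = defaultdict(list)
    for svc in services:
        if is_anonymous_driver(svc):
            by_size[svc["size"]].append(svc["name"])
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= min_members}


def analyze(text):
    """Run every check and return the findings as a dict."""
    services = parse_services(text)
    findings = {
        "driver_clusters": find_driver_clusters(services),
        "firewall_disabled": False,
        "lsps": [],
    }
    for line in text.splitlines():
        line = line.strip()
        fw = FIREWALL_RE.match(line)
        if fw and fw.group("value") == "0":
            findings["firewall_disabled"] = True
        lsp = LSP_RE.match(line)
        if lsp:
            # A Winsock LSP is loaded into every process that opens a socket (the
            # log shows this one inside lsass.exe), so each entry has to be matched
            # to a product the user knowingly installed before it is left alone.
            findings["lsps"].append(lsp.group("path"))
    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for size, names in result["driver_clusters"].items():
        print(f"{len(names)} anonymous kernel drivers of {size} bytes: {', '.join(names)}")
    if result["firewall_disabled"]:
        print("Windows Firewall is disabled in the standard profile")
    for path in result["lsps"]:
        print(f"LSP to verify against installed products: {path}")
```

Run on the full log posted above, the size check alone groups all fourteen R1/S1 entries into one cluster, while the AVG, Realtek and STOPzilla drivers are left out because they carry a real display name or a non-system start type. The LSP here belongs to STOPzilla! (iS3), which the log also lists under Program Files, so it is reported for verification rather than as malicious.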


#13 RustyCabbage (Topic Starter, Members, 14 posts)

Posted 07 August 2009 - 10:49 AM

Computer got very slow and froze up a load of times, as well as not letting me go online. Did a Malwarebytes scan and here's the log:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

07/08/2009 16:40:52
mbam-log-2009-08-07 (16-40-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 149063
Time elapsed: 40 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\sysdiag.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\NetworkService\Application Data\sysproc64 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\networkservice\application data\sysproc64\sysproc32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysdiag.dll (Trojan.Agent) -> Delete on reboot.

Thanks,
Rory

#14 extremeboy (Malware Response Team, 12,975 posts)

Posted 07 August 2009 - 01:00 PM

Hello.

One of the infections detected and removed was a backdoor/rootkit-related infection. Take a read below and let me know what you decide to do.

Rootkit Threat

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#15 RustyCabbage

  • Topic Starter
  • Members
  • 14 posts

Posted 07 August 2009 - 01:46 PM

Hm... I can't find a Windows OS disc anywhere and, as this laptop was bought second hand, one didn't come with it. I doubt malware would be covered by this computer's warranty as well, so I think I would appreciate it if you could help me to clear this computer.

I have only one concern though: would this infection compromise the security of information on other computers connected to the same network as this computer? I could easily use this computer for games/media and use other computers for the odd time I need to use PayPal etc.

Thanks,
Rory
