
Google redirects to bizrate websites


This topic is locked
18 replies to this topic

#1 Kittenofdoom

Posted 28 July 2009 - 02:55 PM

My laptop thinks it is totally cool to refer me to AWESOME deals when I'm searching for stuff with google. It is wrong. Repeated scans with numerous virus and spyware scanners - including Kapersky online scanner - reveal nothing, so I'm clean there. Please help me catch the culprit and send it to INTERNET PRISON.

DDS:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 12:45:37.29 on Tue 07/28/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.99 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://b3ta.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\9ic1rnv3.default\
FF - prefs.js: browser.startup.homepage - hxxp://b3ta.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwinamp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-26 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-23 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-2-1 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-23 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-23 298776]
R2 pciinfo;HP Pci Information;c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [2006-12-3 1792]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 Drmkerv;Drmkerv;c:\windows\system32\drivers\sffp_sd.sys [2004-8-4 11008]
S3 Plugonlds;Plugonlds; [x]
S3 Px2ifpsnn;Px2ifpsnn; [x]
S4 Dniptsyfist;Dniptsyfist; [x]
S4 Dpt78an;Dpt78an; [x]

=============== Created Last 30 ================

2009-07-28 12:15 <DIR> --d----- c:\program files\Trend Micro
2009-07-26 22:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-26 22:32 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-26 22:32 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-07-26 15:21 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-07-26 15:20 <DIR> --d----- c:\program files\Panda Security
2009-07-26 14:31 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-18 00:25 <DIR> --d----- c:\windows\A3W_DATA
2009-07-18 00:21 188,960 a------- c:\windows\system\WINGDE.DLL
2009-07-18 00:21 92,208 a------- c:\windows\system\WING.DLL
2009-07-18 00:21 12,800 a------- c:\windows\system32\WING32.DLL
2009-07-18 00:21 6,736 a------- c:\windows\system\WINGDIB.DRV
2009-07-18 00:21 5,024 a------- c:\windows\system\WINGPAL.WND
2009-07-18 00:21 166 a------- c:\windows\civ.ini
2009-07-18 00:20 <DIR> --d----- C:\MPS
2009-07-05 12:02 <DIR> --d----- c:\program files\Ventrilo
2009-07-05 12:01 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-07-05 12:01 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-07-28 12:38 12,775 a------- c:\windows\system32\tablet.dat
2009-07-26 14:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-19 14:45 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-23 10:55 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-06 05:26 79,167 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-22 23:20 3,040 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2006-07-07 03:10 32 a----r-- c:\documents and settings\all users\hash.dat

============= FINISH: 12:48:24.71 ===============

Edited by Kittenofdoom, 28 July 2009 - 02:55 PM.
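The SERVICES / DRIVERS section of the DDS log above contains two patterns worth recognising when reading such logs: entries that end in `[x]` (a service or driver is still registered, but DDS found no file for it on disk), and a driver whose binary lives under a user's Temp directory rather than under system32\drivers. As an added example that is not part of the original post and not the DDS tool's own code, here is a small Python parser for that section's line format (`<state><start> <name>;<display name>;<path> [<date> <size>]`) that flags both conditions. The sample lines are copied from the log above; the list of directories treated as unusual for a driver is my own assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the DDS "SERVICES / DRIVERS" section above.
SAMPLE_DDS_SERVICES = """\
R0 pavboot;pavboot;c:\\windows\\system32\\drivers\\pavboot.sys [2009-7-26 28544]
R2 pciinfo;HP Pci Information;c:\\docume~1\\owner\\locals~1\\temp\\hpispz\\hpdom\\pciinfo.sys [2006-12-3 1792]
S3 Drmkerv;Drmkerv;c:\\windows\\system32\\drivers\\sffp_sd.sys [2004-8-4 11008]
S3 Plugonlds;Plugonlds; [x]
S4 Dniptsyfist;Dniptsyfist; [x]
"""

# DDS line format: "<R|S><start type> <name>;<display name>;<path> [<date> <size>]",
# or "<R|S><start type> <name>;<display name>; [x]" when the file was not found.
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")

# Assumed heuristic: directories from which a legitimate driver or service binary rarely runs.
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\temp\\", "\\locals~1\\temp\\", "\\recycler\\")


@dataclass
class ServiceEntry:
    state: str            # R = running, S = stopped (DDS convention)
    start: int            # start type digit as printed by DDS
    name: str
    display: str
    path: Optional[str]   # None when DDS printed "[x]" (file not found)
    flags: List[str]      # "no-file" and/or "temp-location"


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse the SERVICES / DRIVERS section of a DDS log and annotate each entry."""
    entries: List[ServiceEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, headers, anything not in the service format
        state, start, name, display, rest = m.groups()
        rest = rest.strip()
        flags: List[str] = []
        if rest == "[x]":
            path = None
            flags.append("no-file")  # registered service whose binary is missing on disk
        else:
            path = rest.split(" [", 1)[0]  # drop the trailing "[date size]" part
            if any(d in path.lower() for d in SUSPICIOUS_DIRS):
                flags.append("temp-location")
        entries.append(ServiceEntry(state, int(start), name, display, path, flags))
    return entries


def flagged(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Return only the entries that carry at least one flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_dds_services(SAMPLE_DDS_SERVICES)):
        print(f"{e.state}{e.start} {e.name:12s} {','.join(e.flags):14s} {e.path or '[x]'}")
```

A `[x]` entry is not proof of anything by itself (leftover registrations from uninstalled software look the same), which is why the parser reports rather than judges; the point is to surface the lines a reviewer should look at first instead of reading the whole section by eye.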



#2 SifuMike

malware expert

Posted 05 August 2009 - 11:48 PM

Hello Kittenofdoom,

Uninstall Spybot - Search & Destroy 1.3, as that is ancient.
Please download, update and run Spybot 1.6.2.46.
I recommend you don't install the TeaTimer option unless you are familiar with the registry.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Please download Java Version 6 Update 15
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 14
    J2SE Runtime Environment 5.0 Update 6
    Java 6 Update 5

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.
Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.



Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 05 August 2009 - 11:55 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Kittenofdoom


Posted 06 August 2009 - 05:09 PM

Security Check:
Results of screen317's Security Check version 0.98.7
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 8.5
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner


``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Spybot - Search & Destroy
Windows Defender Signatures
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 15
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 7.0.8
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MsMpEng.exe is disabled!
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Malwarebytes' Anti-Malware mbam.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe


``````````````````````````````
DNS Vulnerability Check:

GREAT! (Very random)

`````````End of Log```````````

MBAM

Malwarebytes' Anti-Malware 1.40
Database version: 2568
Windows 5.1.2600 Service Pack 3

8/6/2009 5:46:29 AM
mbam-log-2009-08-06 (05-46-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 176755
Time elapsed: 48 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
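The "Registry Data Items Infected" lines in the MBAM log above show the classic shape of a Winlogon Userinit hijack: the value is a comma-separated list that Winlogon runs at every logon, and the hijack appends a second executable after the genuine userinit.exe so that both run and the logon still looks normal. As an added example, which is not part of the original post and is not MBAM's own detection logic, here is a Python check that pulls the "Bad:" and "Good:" values out of such an MBAM log line and reports every Userinit entry other than the one expected on a stock install. The sample log line is copied from the log above; the set of expected entries is my assumption.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the Hijack.Userinit line copied from the MBAM log above.
SAMPLE_MBAM_LINE = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit "
    "(Hijack.Userinit) -> Bad: (C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,) "
    "Good: (Userinit.exe) -> Quarantined and deleted successfully."
)

# Assumption: on a stock Windows XP install the only thing Userinit should launch is userinit.exe
# (compared by file name, case-insensitively, so both "Userinit.exe" and the full path are accepted).
EXPECTED_BASENAMES = {"userinit.exe"}

MBAM_LINE_RE = re.compile(
    r"Winlogon\\Userinit \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
)


def userinit_from_mbam_line(line: str) -> Optional[Tuple[str, str]]:
    """Extract the (bad, good) Userinit values from an MBAM 'Registry Data Items' line, if present."""
    m = MBAM_LINE_RE.search(line)
    return (m.group("bad"), m.group("good")) if m else None


def split_userinit(value: str) -> List[str]:
    """Winlogon runs each comma-separated entry in turn; empty items (trailing comma) are ignored."""
    return [p.strip() for p in value.split(",") if p.strip()]


def basename(path: str) -> str:
    """File name component of a Windows path, lower-cased for comparison."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_userinit(value: str) -> Tuple[bool, List[str]]:
    """Return (clean, unexpected_entries).

    An entry is unexpected if its file name is not in EXPECTED_BASENAMES or if it is a
    duplicate of an entry already seen. An empty value is reported too, because Winlogon
    would then launch nothing and the user could not get a normal desktop.
    """
    entries = split_userinit(value)
    unexpected: List[str] = []
    seen = set()
    for entry in entries:
        name = basename(entry)
        if name not in EXPECTED_BASENAMES or name in seen:
            unexpected.append(entry)
        seen.add(name)
    if not entries:
        unexpected.append("<empty value>")
    return (not unexpected, unexpected)


if __name__ == "__main__":
    bad, good = userinit_from_mbam_line(SAMPLE_MBAM_LINE)
    for label, value in (("Bad", bad), ("Good", good)):
        clean, extras = check_userinit(value)
        print(f"{label}: {'clean' if clean else 'hijacked'} {extras}")
```

The same split-and-compare logic applies to a live system: read the Userinit value (and the neighbouring Shell value, which is hijacked the same way) and feed it to `check_userinit`; anything beyond the expected entry is what to quarantine and investigate, and the log's "Delete on reboot" status for the referenced file shows why such entries are removed together with the registry value rather than one without the other.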

#4 SifuMike

malware expert

Posted 06 August 2009 - 05:51 PM

Hi Kittenofdoom,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus, Windows Defender and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#5 Kittenofdoom


Posted 06 August 2009 - 06:49 PM

Combofix log:

ComboFix 09-08-06.01 - Owner 08/06/2009 16:33.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.255 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\16eb109.msi
c:\windows\Installer\1b76d5a.msi
c:\windows\Installer\1b76d60.msi
c:\windows\system32\config\systemprofile\Desktop\System Security 2009.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security
c:\windows\system32\drivers\vsfoceklmxmfoj.sys
c:\windows\system32\vsfocentfdhtil.dat
c:\windows\system32\vsfocewuplooju.dat
c:\windows\system32\vsfocewyasrkjk.dll
c:\windows\system32\vsfocexehrhrox.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_vsfoceecsewvsa
-------\Legacy_vsfoceecsewvsa


((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-06 11:24 . 2009-08-06 11:24 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-03 19:31 . 2009-08-03 19:31 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-03 19:30 . 2009-08-03 19:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-08-02 23:03 . 2009-08-02 23:03 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-08-02 05:42 . 2009-08-02 05:42 -------- d-----w- c:\program files\EA GAMES
2009-08-02 05:42 . 2004-08-18 02:14 442368 ----a-r- c:\windows\system32\vp6vfw.dll
2009-07-28 19:15 . 2009-07-28 19:15 -------- d-----w- c:\program files\Trend Micro
2009-07-27 05:32 . 2009-07-27 05:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-27 05:32 . 2009-08-02 22:58 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-07-27 05:32 . 2009-08-02 22:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-26 22:20 . 2009-08-02 22:59 -------- d-----w- c:\program files\Panda Security
2009-07-26 22:00 . 2009-07-26 22:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-26 21:28 . 2009-07-26 21:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-23 18:50 . 2009-07-23 18:50 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-18 07:25 . 2009-08-01 10:58 -------- d-----w- c:\windows\A3W_DATA
2009-07-18 07:21 . 1994-09-21 07:00 92208 ----a-w- c:\windows\system\WING.DLL
2009-07-18 07:21 . 1994-09-21 07:00 6736 ----a-w- c:\windows\system\WINGDIB.DRV
2009-07-18 07:21 . 1994-09-21 07:00 12800 ----a-w- c:\windows\system32\WING32.DLL
2009-07-18 07:21 . 1994-08-24 07:00 188960 ----a-w- c:\windows\system\WINGDE.DLL
2009-07-18 07:20 . 2009-07-18 07:20 -------- d-----w- C:\MPS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 23:31 . 2005-07-15 01:01 12775 ----a-w- c:\windows\system32\tablet.dat
2009-08-06 23:11 . 2005-04-21 01:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-06 23:10 . 2005-04-21 01:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-06 11:25 . 2009-05-16 21:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-06 11:25 . 2005-04-11 23:04 -------- d-----w- c:\program files\Java
2009-08-05 12:00 . 2008-01-25 06:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Image Zone Express
2009-08-03 21:03 . 2009-04-30 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 20:36 . 2009-04-30 02:59 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-04-30 02:59 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 22:59 . 2009-03-22 03:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Dropbox
2009-08-02 22:58 . 2009-07-05 19:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-27 08:54 . 2005-04-21 01:38 68496 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-19 21:45 . 2009-05-23 08:09 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-05 19:19 . 2009-07-05 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Ventrilo
2009-07-05 19:02 . 2009-07-05 19:02 -------- d-----w- c:\program files\Ventrilo
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-23 17:55 . 2009-05-23 08:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-23 17:55 . 2007-02-01 08:44 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-10 10:15 . 2007-09-25 23:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-23 08:09 . 2009-05-23 08:09 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" - c:\windows\system32\nview.dll [2004-04-08 868421]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-08 4730880]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-08 213054]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-23 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 149280]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-09-04 88363]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-04-08 323584]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-4-26 110592]
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-1-20 507965]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2005-7-14 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-23 17:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BitTorrent.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\BitTorrent.lnk
backup=c:\windows\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"hpqwmi"=3 (0x3)
"EPSONStatusAgent2"=2 (0x2)
"Dpt78an"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2009 1:09 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2009 1:09 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2009 1:08 AM 298776]
R2 pciinfo;HP Pci Information;\??\c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S3 Drmkerv;Drmkerv;c:\windows\system32\drivers\sffp_sd.sys [8/4/2004 5:00 AM 11008]
S3 Plugonlds;Plugonlds; [x]
S3 Px2ifpsnn;Px2ifpsnn; [x]
S4 Dpt78an;Dpt78an; [x]
S4 Moowsslss;Moowsslss; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://b3ta.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\9ic1rnv3.default\
FF - prefs.js: browser.startup.homepage - hxxp://b3ta.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 16:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?8?1?9??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-06 16:45
ComboFix-quarantined-files.txt 2009-08-06 23:45

Pre-Run: 30,360,084,480 bytes free
Post-Run: 35,993,174,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

180 --- E O F --- 2009-07-29 10:01

#6 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 August 2009 - 07:03 PM

Hi Kittenofdoom,

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\drivers\sffp_sd.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • If Copy to Clipboard does not work, then just copy and paste the output in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Kittenofdoom
  • Topic Starter
  • Members
  • 62 posts

Posted 07 August 2009 - 04:30 AM

The scan found nothing, but here's the report anyways:

Scanner results : All Scanners reported not find malware!

I swear to God that's how it phrased it :thumbup2:

#8 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 August 2009 - 10:34 AM

Hi Kittenofdoom,

You need to disable your AVG Antivirus, Windows Defender and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:  
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this: Posted Image) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Driver:: 
Plugonlds
Px2ifpsnn
Dpt78an
Moowsslss


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#9 Kittenofdoom
  • Topic Starter
  • Members
  • 62 posts

Posted 07 August 2009 - 02:52 PM

ComboFix 09-08-06.01 - Owner 08/07/2009 12:28.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.255 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DPT78AN
-------\Service_Dpt78an
-------\Service_Moowsslss
-------\Service_Plugonlds
-------\Service_Px2ifpsnn


((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))
.

2009-08-06 23:48 . 2009-08-06 23:49 -------- d-----w- c:\program files\Windows Defender
2009-08-06 11:24 . 2009-08-06 11:24 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-03 19:31 . 2009-08-03 19:31 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-03 19:30 . 2009-08-03 19:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-08-02 23:03 . 2009-08-02 23:03 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-08-02 05:42 . 2009-08-02 05:42 -------- d-----w- c:\program files\EA GAMES
2009-08-02 05:42 . 2004-08-18 02:14 442368 ----a-r- c:\windows\system32\vp6vfw.dll
2009-07-28 19:15 . 2009-07-28 19:15 -------- d-----w- c:\program files\Trend Micro
2009-07-27 05:32 . 2009-07-27 05:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-27 05:32 . 2009-08-02 22:58 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-07-27 05:32 . 2009-08-02 22:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-26 22:20 . 2009-08-02 22:59 -------- d-----w- c:\program files\Panda Security
2009-07-26 22:00 . 2009-07-26 22:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-26 21:28 . 2009-07-26 21:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-23 18:50 . 2009-07-23 18:50 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-18 07:25 . 2009-08-01 10:58 -------- d-----w- c:\windows\A3W_DATA
2009-07-18 07:21 . 1994-09-21 07:00 92208 ----a-w- c:\windows\system\WING.DLL
2009-07-18 07:21 . 1994-09-21 07:00 6736 ----a-w- c:\windows\system\WINGDIB.DRV
2009-07-18 07:21 . 1994-09-21 07:00 12800 ----a-w- c:\windows\system32\WING32.DLL
2009-07-18 07:21 . 1994-08-24 07:00 188960 ----a-w- c:\windows\system\WINGDE.DLL
2009-07-18 07:20 . 2009-07-18 07:20 -------- d-----w- C:\MPS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-07 19:40 . 2005-07-15 01:01 12775 ----a-w- c:\windows\system32\tablet.dat
2009-08-06 23:11 . 2005-04-21 01:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-06 23:10 . 2005-04-21 01:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-06 11:25 . 2009-05-16 21:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-06 11:25 . 2005-04-11 23:04 -------- d-----w- c:\program files\Java
2009-08-05 12:00 . 2008-01-25 06:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Image Zone Express
2009-08-03 21:03 . 2009-04-30 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 20:36 . 2009-04-30 02:59 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-04-30 02:59 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 22:59 . 2009-03-22 03:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Dropbox
2009-08-02 22:58 . 2009-07-05 19:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-27 08:54 . 2005-04-21 01:38 68496 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-19 21:45 . 2009-05-23 08:09 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-05 19:19 . 2009-07-05 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Ventrilo
2009-07-05 19:02 . 2009-07-05 19:02 -------- d-----w- c:\program files\Ventrilo
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-23 17:55 . 2009-05-23 08:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-23 17:55 . 2007-02-01 08:44 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-10 10:15 . 2007-09-25 23:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-23 08:09 . 2009-05-23 08:09 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-06_23.42.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-07 19:40 . 2009-08-07 19:40 16384 c:\windows\Temp\Perflib_Perfdata_788.dat
+ 2009-08-06 23:49 . 2009-08-06 23:49 1155072 c:\windows\Installer\10cdf3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" - c:\windows\system32\nview.dll [2004-04-08 868421]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-08 4730880]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-08 213054]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-23 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 149280]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-09-04 88363]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-04-08 323584]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-4-26 110592]
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-1-20 507965]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2005-7-14 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-23 17:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BitTorrent.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\BitTorrent.lnk
backup=c:\windows\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"hpqwmi"=3 (0x3)
"EPSONStatusAgent2"=2 (0x2)
"Dpt78an"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2009 1:09 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2009 1:09 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2009 1:08 AM 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S3 Drmkerv;Drmkerv;c:\windows\system32\drivers\sffp_sd.sys [8/4/2004 5:00 AM 11008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://b3ta.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\9ic1rnv3.default\
FF - prefs.js: browser.startup.homepage - hxxp://b3ta.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-07 12:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?8?1?9??`???? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1308)
c:\windows\system32\WININET.dll
c:\windows\system32\nView.dll
c:\windows\system32\tabhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\Tablet.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\rundll32.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2009-08-07 12:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-07 19:50
ComboFix2.txt 2009-08-06 23:45

Pre-Run: 35,930,734,592 bytes free
Post-Run: 35,841,024,000 bytes free

201 --- E O F --- 2009-07-29 10:01
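The CFScript in post #8 targeted the four services that the DDS listing showed with `[x]` (Plugonlds, Px2ifpsnn, Dpt78an, Moowsslss), and the log above confirms ComboFix removed them; the same listing also shows the pciinfo driver loading out of a user's Temp directory. As an added example (not code from this thread, nor from the DDS or ComboFix authors), the Python below parses that service-listing format and flags the indicators a helper reads off by eye. The sample lines are copied from the logs in this thread; the reading of `[x]` as "no file on disk" and `[?]` as "file could not be inspected" is an assumption about the DDS notation, as is the Temp-directory heuristic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the DDS/ComboFix service-listing style used in this
# thread (lines copied from the logs above). Assumed format:
#   <R|S><start type> <service name>;<display name>;<image path> [<file info>]
# where R = running, S = stopped, and the bracket holds the file's timestamp
# and size, "[?]" when the file could not be inspected, or "[x]" when no
# file exists for the registered service (assumption about DDS notation).
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2009 1:09 AM 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2009 1:08 AM 298776]
R2 pciinfo;HP Pci Information;\??\c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S3 Plugonlds;Plugonlds; [x]
S4 Moowsslss;Moowsslss; [x]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"          # running/stopped + start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"       # service name ; display name ;
    r"(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"  # image path [file info]
)
# Heuristic: drivers/services loading from any ...\Temp\... directory.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


@dataclass
class ServiceEntry:
    name: str
    display: str
    path: str
    info: str
    running: bool
    start_type: str
    findings: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> ServiceEntry:
    """Parse one service/driver line; raises ValueError on anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a service line: {line!r}")
    return ServiceEntry(
        name=m["name"], display=m["display"], path=m["path"], info=m["info"],
        running=m["state"] == "R",
        start_type=START_TYPES.get(m["start"], "unknown"),
    )


def audit_entry(entry: ServiceEntry) -> ServiceEntry:
    """Attach the review points a helper would raise for this entry."""
    if entry.info == "x":
        entry.findings.append("registered service has no file on disk")
    elif entry.info == "?":
        entry.findings.append("file could not be inspected (timestamp/size unknown)")
    if TEMP_DIR_RE.search(entry.path):
        entry.findings.append("image path is under a Temp directory")
    if not entry.path and entry.display == entry.name:
        entry.findings.append("display name merely repeats the service name")
    return entry


def audit_log(text: str) -> Dict[str, ServiceEntry]:
    """Parse every service line in a DDS/ComboFix listing and audit it."""
    results: Dict[str, ServiceEntry] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = audit_entry(parse_service_line(line))
        results[entry.name] = entry
    return results


def suspicious_names(text: str) -> List[str]:
    """Service names that carry at least one finding, in log order."""
    return [e.name for e in audit_log(text).values() if e.findings]


if __name__ == "__main__":
    for entry in audit_log(SAMPLE_LOG).values():
        flag = "!!" if entry.findings else "ok"
        print(f"{flag} {entry.name:<10} {entry.start_type:<8} {entry.path or '<none>'}")
        for finding in entry.findings:
            print(f"      - {finding}")
```

Run stand-alone it prints one line per service with `!!` for the three entries that carry findings (pciinfo, Plugonlds, Moowsslss) and `ok` for the two AVG components. The findings are review prompts, not verdicts: a service with no file on disk is often just an uninstaller's leftover, and a vendor tool can legitimately stage a driver in Temp, which is why the helper in this thread had the file submitted to a multi-engine scanner before removing anything.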

#10 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 August 2009 - 03:01 PM

Hi Kittenofdoom,

Looks good so far. :thumbup2: Next step is to scan for lingering malware.

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.

#11 Kittenofdoom
  • Topic Starter
  • Members
  • 62 posts

Posted 08 August 2009 - 06:47 AM

My Java is all up to date, but I can't get Kaspersky to run properly. It continually fails to download the updates and tells me to close the window and restart. Is there something I'm doing wrong, or something else I can use in its place?

#12 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 August 2009 - 09:53 AM

Hi Kittenofdoom,

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#13 Kittenofdoom
  • Topic Starter
  • Members
  • 62 posts

Posted 09 August 2009 - 05:39 AM

ESET came up clean, but I couldn't generate a report to prove it. Just out of curiosity, which step took care of the Google redirect problem I was having? It's been gone since a step or two ago.

#14 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 August 2009 - 08:46 AM

Hi,

How is the computer running now?

I need to see a report from a virus scanner to make sure you're clean.

Let's run an F-Secure online scan for Viruses, Spyware and RootKits:
Go to http://support.f-secure.com/enu/home/ols.shtml

Notes:
This scan will only work with Internet Explorer
You must have administrator rights to run this scan
This scan can take several hours, so please be patient

Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
Allow the Active X control to be installed on your computer, then click the Accept button
Click Full System Scan and allow the components to download and the scan to complete.
If malware is found, check Submit samples to F-Secure then select Automatic cleaning
When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post


If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
When the cleaning option is presented, Uncheck Submit samples to F-Secure
Click Automatic cleaning
When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

#15 Kittenofdoom
  • Topic Starter
  • Members
  • 62 posts

Posted 10 August 2009 - 12:19 PM

Sorry for the delay, I forgot to start my scan last night before work, so I had to start it before bed instead. Here goes:

Scanning Report
Monday, August 10, 2009 05:58:34 - 10:09:23

Computer name: DELLCOMPUTERSON
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\
1 malware found
TrackingCookie.2o7 (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 67595
* System: 3538
* Not scanned: 7

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* Not cleaned: 0
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ETILQS_ILCVCWQIVA9DOADD6O0Y

Options
Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics



