
Google searches redirected, programs lose internet access, other weird problems.


  • This topic is locked
9 replies to this topic

#1 trustandfall

trustandfall

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 16 September 2009 - 04:51 PM

Hey there, first time poster, hope I follow all the rules right.

I've recently run into a series of issues with my desktop. Long story short, I got AVG 8.5 and Advanced Systemcare Professional. I thought all my problems had been fixed, till I turned my computer on today.

I can't think of anything I've downloaded or done that could have caused my problems, but...

Now, if I click on a Google search result, I typically get redirected to another site. If I click back in Internet Explorer from this new site, then click the search result link again, it works every time and takes me to the correct place.

2nd problem: Firefox can never find a server. I click the Firefox shortcut from the desktop, Google pops up, but nothing works after that. If I try to search in Google, it says server cannot be found. If I type in a direct URL, same result.

I also tried logging into a few different poker sites that I use to play online poker at. As soon as I enter any characters in the username fields, the programs lose their connection to the internet and just sit there trying to reconnect; strangely enough, though, Internet Explorer still has access to the net just fine.

Advanced Systemcare Pro sees no problems.

AVG 8.5 comes up with 2 problems.
1)"C:\WINDOWS\explorer.exe (1884)" "Virus identified Packed.Hidden" "Infected"
2)"\\?\globalroot\systemroot\system32\kbiwkmkbmuiyqv.dll";"Virus identified Packed.Hidden";"Infected"

However, when I click "remove all unhealed infections", AVG just tells me the threat cannot be removed by a standard user. I tell it to remove it as the administrator of the computer and it comes back to me saying
"objects cannot be removed, object(s) are not on a local drive".

I have two separate hard drives, but no thumb drives or external HDDs or anything being used.

That's all the information I can think of to supply.. Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:22 AM, on 9/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\ygsuhdf83id.dll - {BA603215-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\ygsuhdf83id.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O22 - SharedTaskScheduler: ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - (no file)
O22 - SharedTaskScheduler: ksfe98wjkodsngiwiojndg873hundggdd - {BA603215-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\ygsuhdf83id.dll
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchasts.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 6560 bytes

#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:20 PM

Posted 16 September 2009 - 06:23 PM

Hello, trustandfall.
Welcome to Bleeping Computer. My name is etavares and I will be helping you with your log.

Please give me a little time to go through your log. I'd also like to let you know that I am in training here at BC. At each stage of the process, my work will be checked by an expert coach. That means there may be a slight delay between my responses as they check it. Don't worry, we won't leave you.

Please note that I may have taken this log out of order. As a HJT trainee, I occasionally take logs out of order to further develop my skills. I have a balance of older logs (e.g. first come, first served) and fresh logs. If you are reading this and are still waiting, please be patient. Our volunteers are working as hard as we can to help everyone.

Here's a few things to get started:
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean.
  • If at any point, you are not sure what I am asking for, please ask me and I can better communicate what I mean.
  • Please reply within 5 days of my last post or the thread will be closed. If you will be away or unable to reply, please let me know in advance so the thread is not closed. We have many folks waiting for help and it is not fair to keep an unresponsive thread open.
  • Please reply to this post with an updated DDS log so we have the most up to date information. Please also let me know any symptoms your computer is showing.

  • We need to see some information about what is happening in your machine. Please perform the following scan:
    • Download DDS by sUBs from one of the following links. Save it to your desktop.
      • DDS.scr
      • DDS.pif
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results.
    • Follow the instructions that pop up for posting the results.
    • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.
Thanks!

Edited by etavares, 16 September 2009 - 06:24 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 trustandfall

trustandfall
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 16 September 2009 - 06:44 PM

Attached File: Attach.zip (2.9KB)

Thank you so much for your help, Etavares.

I will be pasting the DDS txt file as per the program's request.
Also, as requested, I've zipped and attached the attach txt the program created.

Here you are:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 18:38:48.40 on Wed 09/16/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.913 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I94D6P05\dds[1].scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: c:\windows\system32\ygsuhdf83id.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\ygsuhdf83id.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: DisallowRun = 0 (0x0)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: DisallowRun = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
STS: ghya673gidh87we9inkff: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
STS: c:\windows\system32\ygsuhdf83id.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\ygsuhdf83id.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\1bcmbjl9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\1bcmbjl9.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-7-22 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-9-8 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-8 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-8 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-8 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-8 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-9-8 1370488]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-7-22 5641736]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-7-22 571912]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-25 24652]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-9-8 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-7-22 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-7-22 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-7-22 27232]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-3-10 33792]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-11-24 194304]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchasts.exe --> c:\windows\svchasts.exe [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-9-8 29208]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xPADFL02.sys [2009-3-10 27904]

=============== Created Last 30 ================

2009-09-16 01:39 <DIR> --d----- c:\program files\Trend Micro
2009-09-16 01:29 <DIR> --d----- c:\program files\PokerStars
2009-09-15 14:36 <DIR> --d----- c:\windows\log
2009-09-15 14:36 15,000 a------- c:\windows\system32\ygsuhdf83id.dll
2009-09-15 14:31 <DIR> --dsh--- c:\windows\system32\lowsec
2009-09-11 01:11 <DIR> --d----- c:\program files\uTorrent
2009-09-11 01:11 <DIR> --d----- c:\docume~1\owner\applic~1\uTorrent
2009-09-10 23:51 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-09-10 23:50 <DIR> --d----- c:\program files\iPod
2009-09-10 23:50 <DIR> --d----- c:\program files\iTunes
2009-09-10 23:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 23:50 <DIR> --d----- c:\program files\Bonjour
2009-09-10 23:47 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-09-10 23:47 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-09-10 20:06 <DIR> --d----- c:\docume~1\owner\applic~1\Office Genuine Advantage
2009-09-09 11:37 <DIR> --d----- c:\program files\Yahoo!
2009-09-08 21:48 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-09-08 18:10 7,680 a------- c:\windows\system32\ff_vfw.dll
2009-09-08 18:10 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-09-08 18:10 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-09-08 18:10 <DIR> --d----- c:\program files\ffdshow
2009-09-08 17:55 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-09-08 17:44 <DIR> --d----- c:\program files\IObit
2009-09-08 17:28 <DIR> --d----- c:\windows\SxsCaPendDel
2009-09-08 16:59 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-08 16:59 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-09-08 16:59 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-08 16:58 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-08 16:58 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-08 16:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-09-08 16:58 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-09-08 16:58 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-09-08 13:26 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-09-08 13:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-09-08 12:54 0 a------- c:\windows\system32\22662.exe
2009-09-08 12:28 <DIR> --d----- c:\docume~1\owner\applic~1\IObit
2009-09-08 11:51 0 a------- c:\windows\system32\41.exe
2009-09-06 19:14 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-09-06 19:13 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-09-06 19:13 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
2009-09-06 19:07 1,112,288 a------- c:\windows\system32\WdfCoInstaller01007.dll
2009-09-06 19:07 581,192 a------- c:\windows\system32\WinUSBCoInstaller.dll
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts
2009-09-03 14:31 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-08-30 18:01 4 a------- c:\windows\system32\bincd32.dat
2009-08-24 12:24 58 a------- c:\windows\ppp4.dat
2009-08-24 12:24 9 a------- c:\windows\system32\bennuar.old
2009-08-24 12:24 1 a------- c:\windows\ppp3.dat
2009-08-24 12:24 87 a------- c:\windows\system32\sonhelp.htm
2009-08-24 12:24 0 a------- c:\windows\system32\desot.exe
2009-08-18 11:34 <DIR> --d----- c:\windows\system32\appmgmt

==================== Find3M ====================

2009-09-08 13:17 6,611 a------- c:\windows\system32\uacinit.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-22 17:23 74,760 a------- c:\windows\system32\drivers\UniversalDD.sys
2009-07-22 17:23 25,608 a------- c:\windows\system32\drivers\AVGIDSErHr.sys
2009-07-20 16:22 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 11:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 11:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-01-24 06:39 87,608 a------- c:\docume~1\owner\applic~1\inst.exe
2009-01-24 06:39 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys

============= FINISH: 18:40:09.95 ===============
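Read together, the HijackThis and DDS logs above contain the signals a malware-response helper looks for before asking for a rootkit scan: load points whose target file is gone, a DLL in system32 that was created two days ago and is registered both as a BHO and as a SharedTaskScheduler under the same CLSID, zero-byte executables in system32, a hidden+system directory created in system32 minutes before that DLL, user policies that disable Task Manager and the registry tools, and an AVG detection on a `\\?\globalroot\...` path (which is why AVG reports the object as "not on a local drive"). The script below is an added example for this editor's notes; it is not a BleepingComputer tool and was not posted in the thread. It runs over a constructed sample made of lines copied from the two logs and the AVG message, and the thresholds it applies (in particular the random-looking-name regex and the assumption that legitimate software rarely registers SharedTaskScheduler entries) are my own heuristics, not rules stated on the page.

```python
"""Triage heuristics for HijackThis / DDS log lines (added example, not a BleepingComputer tool)."""
import re
from collections import defaultdict

# Constructed sample input: a subset of lines copied from the HJT and DDS logs in this thread
# plus the AVG detection line from the first post. It is not a complete log.
SAMPLE_LOG = r'''
"\\?\globalroot\systemroot\system32\kbiwkmkbmuiyqv.dll";"Virus identified Packed.Hidden";"Infected"
O2 - BHO: C:\WINDOWS\system32\ygsuhdf83id.dll - {BA603215-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\ygsuhdf83id.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O22 - SharedTaskScheduler: ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - (no file)
O22 - SharedTaskScheduler: ksfe98wjkodsngiwiojndg873hundggdd - {BA603215-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\ygsuhdf83id.dll
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchasts.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
STS: ghya673gidh87we9inkff: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
2009-09-15 14:36 15,000 a------- c:\windows\system32\ygsuhdf83id.dll
2009-09-15 14:31 <DIR> --dsh--- c:\windows\system32\lowsec
2009-09-10 23:47 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-09-08 12:54 0 a------- c:\windows\system32\22662.exe
2009-09-08 11:51 0 a------- c:\windows\system32\41.exe
'''

CLSID_RE = re.compile(r'\{([0-9A-Fa-f-]{36})\}')
PATH_RE = re.compile(r'([A-Za-z]:\\.+?\.(?:dll|exe|sys))\b', re.IGNORECASE)
# DDS "Created Last 30" line: timestamp, size or <DIR>, 8-character attribute field, path.
CREATED_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]{8})\s+(.+)$', re.IGNORECASE)
# Crude naming heuristic (my assumption, not a rule from the thread): letters, digits, letters again,
# e.g. ygsuhdf83id. Names with only trailing version digits (WdfCoInstaller01007) do not match.
RANDOM_STEM = re.compile(r'^[a-z]+\d+[a-z]+\d*$')
ORPHAN_MARKERS = ('(no file)', 'no file', '(file missing)', '[?]')
LOCKDOWN_POLICIES = ('disabletaskmgr', 'disableregistrytools', 'nofolderoptions')
# HJT and DDS name the same load-point types differently; normalise so CLSID reuse is not double counted.
KIND_ALIASES = {'O2 - BHO': 'BHO', 'O22 - SharedTaskScheduler': 'STS', 'O23 - Service': 'Service'}


def parse(text):
    """Split a log into load-point lines and a {path: (timestamp, size, attrs)} map of created files."""
    entries, created = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CREATED_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            created[path.lower()] = (ts, size, attrs.lower())
        else:
            entries.append(line)
    return entries, created


def triage(text):
    """Return {category: [evidence, ...]} for the heuristics described in the comments."""
    entries, created = parse(text)
    findings = defaultdict(list)
    clsid_kinds = defaultdict(set)
    for line in entries:
        low = line.lower()
        kind = line.split(':', 1)[0].strip()
        kind = KIND_ALIASES.get(kind, kind)
        # Object addressed through \\?\globalroot instead of a drive letter: the scanner cannot
        # treat it as an ordinary file on a local drive, which matches the AVG message in the thread.
        if r'\\?\globalroot' in line:
            findings['globalroot'].append(line)
        # Load point whose target is gone: leftover from a removal, or a file that is being hidden.
        if any(mk in low for mk in ORPHAN_MARKERS):
            findings['orphan'].append(line)
        # Policies that take Task Manager, the registry tools or Folder Options away from the user.
        if 'policies-' in kind.lower() and '= 1' in line and any(p in low for p in LOCKDOWN_POLICIES):
            findings['lockdown'].append(line)
        for clsid in CLSID_RE.findall(line):
            clsid_kinds[clsid.upper()].add(kind)
        for path in set(PATH_RE.findall(line)):
            p = path.lower()
            if p in created:  # autoloaded module that appeared within the last 30 days
                findings['recent_autoload'].append(f'{created[p][0]} {p} <- {kind}')
            stem = p.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
            if '\\system32\\' in p and RANDOM_STEM.match(stem) and p not in findings['random_name']:
                findings['random_name'].append(p)
    # One CLSID registered under two different load-point types (here a BHO and a SharedTaskScheduler).
    for clsid, kinds in clsid_kinds.items():
        if len(kinds) > 1:
            findings['clsid_reuse'].append(f'{clsid}: {sorted(kinds)}')
    for path, (ts, size, attrs) in created.items():
        if size == '0' and path.endswith('.exe'):
            findings['zero_byte_exe'].append(f'{ts} {path}')
        if size == '<DIR>' and 'h' in attrs and 's' in attrs:
            findings['hidden_system_dir'].append(f'{ts} {path}')
    return dict(findings)


if __name__ == '__main__':
    for category, items in triage(SAMPLE_LOG).items():
        print(f'[{category}]')
        for item in items:
            print('   ', item)
```

Run as-is it prints one block per category; feed it a full HJT or DDS log instead of SAMPLE_LOG to get the same categories over a real case. The most useful output is the correlation between the "Created Last 30" timestamps and the load points: a module that was created on 2009-09-15 and is loaded from two registry locations under one CLSID is a stronger signal than any single heuristic, and the zero-byte .exe files and the hidden+system `lowsec` directory in system32 give the dates to look at. None of this replaces the rootkit scan the helper asks for next; it only tells you where to look first.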

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:20 PM

Posted 20 September 2009 - 06:07 AM

Hello, trustandfall.

Sorry for the delay.

OK, your computer is definitely infected. First, I need to take a deeper look and get answers to a few questions.

From the logs, I see the default user has no access to Task Manager and other parts of the Windows system. That could be due to intentional settings by you, or malware locking down what you can and can't do on your computer. Did you intentionally limit permissions for the default user?


Your logs show that you have online poker programs installed on your computer. I know that you may use these (this) game(s) on a regular basis but I think it's important to note that often these kinds of programmes are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programmes yourself on purpose. There are so many online poker games out there these days that it is close to impossible to keep track of whether a programme is infected or not. Should you have installed this online poker game on purpose and wish to continue using this, you may ignore this. Should you decide to uninstall the programme, then you can do so by following the below steps:

You can remove this via Add/Remove programs.



Step 1

The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow users to share files with one another, as the name suggests. In today's world cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. I recommend that you uninstall this program. That is optional, however. If you decide to not uninstall, please refrain from using it until I let you know your computer is clean.



Step 2

We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Step 3

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link: Jotti

When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.

C:\windows\explorer.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



Step 4

In your reply, please include the following:
  • Answer to my question about the permissions.
  • RootRepeal log
  • Virus scan results on explorer.exe
  • Please run and attach another DDS scan. I do NOT need the attach.txt this time, though.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 trustandfall

trustandfall
  • Topic Starter
  • Members
  • 5 posts

Posted 20 September 2009 - 01:12 PM

No luck. RootRepeal freezes my system where it says "Initializing", just after you select the partition to scan.

As for the permissions for task manager.. hm. I used to not be able to get to task manager, but AVG 8.5 and Advanced Systemcare Pro seemed to fix that. Something may be marked that I don't have permission but I am indeed able to access it.

I'm going to leave the poker programs on my computer because I've used them for years with no ill effect. I'm also generally cautious about which files I receive over uTorrent, though I admit there is one thing I downloaded recently I'm suspicious of; however, I have since deleted that file/folder and any remnants of the program that came in it. I'm pretty sure it left some obviously ill long-term effect on my PC though.

Any alternative to rootrepeal?

#6 etavares

etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 20 September 2009 - 01:43 PM

Let's try GMER.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


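For triaging the gmer.log that the steps above produce, here is an added Python example (not code from this thread, from etavares or from GMER) that parses a saved report's sections and flags what GMER itself tags as hidden or ROOTKIT, plus inline hooks on kernel exports; the sample report inside it is constructed for the example and its driver/DLL names are placeholders.

```python
"""Offline triage of a saved GMER report (gmer.log).

Added example for this thread; it is not code from the thread, from
etavares or from GMER. It walks the '---- <Section> - GMER x.y.z ----'
headers and pulls out what a responder reads first: entries GMER tagged
'<-- ROOTKIT !!!', objects marked '*** hidden ***', and inline JMP hooks
on kernel exports. SAMPLE_LOG below is constructed for this example and
only modelled on the real format; its driver/DLL names are placeholders.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# e.g. ".text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 88CC9143"
HOOK_RE = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(?P<module>\S+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+\d+ Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})$")
# e.g. "Service C:\...\x.sys (*** hidden *** ) [SYSTEM] svcname <-- ROOTKIT !!!"
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+"
    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)")
# e.g. "Library \\?\globalroot\...\x.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1860] 0x10000000"
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<dll>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+"
    r"(?P<proc>.+?) \[(?P<pid>\d+)\]")
# e.g. "File C:\WINDOWS\Temp\x.tmp 19456 bytes executable"
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+\d+ bytes(?P<exe> executable)?")


def split_sections(text):
    """Map each '---- Name - GMER ... ----' section to its non-empty lines."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        elif line:
            sections[current].append(line)
    return sections


def triage(text):
    """Return the findings worth escalating, grouped by kind."""
    found = {"rootkit_tagged": [], "hidden_services": [], "hidden_libraries": [],
             "kernel_hooks": [], "hidden_executables": []}
    for section, lines in split_sections(text).items():
        for line in lines:
            if "<-- ROOTKIT" in line:
                found["rootkit_tagged"].append(line.split(" <-- ")[0])
            if (m := SERVICE_RE.match(line)):
                found["hidden_services"].append(
                    {"name": m["name"], "image": m["image"], "start": m["start"]})
            elif (m := LIBRARY_RE.match(line)):
                found["hidden_libraries"].append(
                    {"dll": m["dll"], "process": m["proc"], "pid": int(m["pid"])})
            elif (m := HOOK_RE.match(line)):
                found["kernel_hooks"].append(
                    {"export": f"{m['module']}!{m['export']}", "target": m["target"]})
            elif section == "Files" and (m := FILE_RE.match(line)) and m["exe"]:
                # Everything GMER lists under Files is hidden from the Win32 API;
                # the executables among them are the likely driver/DLL payloads.
                found["hidden_executables"].append(m["path"])
    return found


def injected_processes(found):
    """Processes that have a hidden DLL mapped into them."""
    return sorted({lib["process"] for lib in found["hidden_libraries"]})


def verdict(found):
    """'rootkit' when GMER's own tags or a hidden kernel service show up;
    'suspicious' when only hooks or hidden objects do. Inline hooks alone are
    not proof: legitimate disk-emulation drivers hook the same exports."""
    if found["rootkit_tagged"] or found["hidden_services"]:
        return "rootkit"
    if found["kernel_hooks"] or found["hidden_libraries"] or found["hidden_executables"]:
        return "suspicious"
    return "clean"


# Constructed sample, modelled on a GMER 1.0.15 report; names are placeholders.
SAMPLE_LOG = r"""GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-20 19:22:59

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 88CC9143
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 88BE9C1C

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\exampl_hidden.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1860] 0x10000000
Library \\?\globalroot\systemroot\system32\exampl_hidden.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\IEXPLORE.EXE [3204] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\exampl_rk.sys (*** hidden *** ) [SYSTEM] exampl_svc <-- ROOTKIT !!!

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\exampl_rk.sys 71168 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\exampl_cfg.dat 43 bytes
File C:\WINDOWS\Temp\exampl_drop.tmp 19456 bytes executable

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("verdict:", verdict(result))
    for kind, items in result.items():
        print(f"{kind}: {len(items)}")
    print("processes with a hidden DLL:", injected_processes(result))
```

The hooks on IofCallDriver and friends are the reason the verdict treats kernel hooks alone as only suspicious: the sptd driver that DAEMON Tools installs (the spjz.sys entries in a log like the one later in this thread) places the same kind of hooks without being malware.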


#7 trustandfall

trustandfall
  • Topic Starter
  • Members
  • 5 posts

Posted 20 September 2009 - 07:27 PM

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-20 19:22:59
Windows 5.1.2600 Service Pack 3
Running: lvi0666m[1].exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uwtdqkow.sys


---- System - GMER 1.0.15 ----

INT 0x62 ? 89916BF8
INT 0x63 ? 89698F00
INT 0x73 ? 89698F00
INT 0x82 ? 89916BF8
INT 0xB4 ? 89698F00

Code 88BE9C18 ZwEnumerateKey
Code 89407490 ZwFlushInstructionCache
Code 88C0C2D6 ZwSaveKey
Code 88C26C16 ZwSaveKeyEx
Code 88CC913E IofCallDriver
Code 88BD00EE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 88CC9143
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 88BD00F3
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 88BE9C1C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 89407494
PAGE ntoskrnl.exe!ZwSaveKey 8064ED72 5 Bytes JMP 88C0C2DA
PAGE ntoskrnl.exe!ZwSaveKeyEx 8064EE5D 5 Bytes JMP 88C26C1A
? spjz.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B8AE38AC 5 Bytes JMP 896984E0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 898AB2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7508C4C] spjz.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7508CA0] spjz.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D8040] spjz.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D813C] spjz.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D80BE] spjz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D87FC] spjz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D86D2] spjz.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 896985E0

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 899151F8

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbohci \Device\USBPDO-0 896A41F8
Device \Driver\PCI_PNP6960 \Device\00000051 spjz.sys
Device \Driver\PCI_PNP6960 \Device\00000051 spjz.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 899171F8
Device \Driver\dmio \Device\DmControl\DmConfig 899171F8
Device \Driver\dmio \Device\DmControl\DmPnP 899171F8
Device \Driver\dmio \Device\DmControl\DmInfo 899171F8
Device \Driver\usbohci \Device\USBPDO-1 896A41F8
Device \Driver\usbehci \Device\USBPDO-2 8963F500

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 898A91F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 898A91F8
Device \Driver\Cdrom \Device\CdRom0 896031F8
Device \Driver\Cdrom \Device\CdRom1 896031F8
Device \Driver\Cdrom \Device\CdRom2 896031F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88C3D500
Device \Driver\sptd \Device\1697744460 spjz.sys
Device \Driver\NetBT \Device\NetbiosSmb 88C3D500
Device \Driver\NetBT \Device\NetBT_Tcpip_{674D4E60-E6D8-40FE-BE3D-72CBB360185B} 88C3D500
Device \Driver\NetBT \Device\NetBT_Tcpip_{92B8F70E-71EF-4634-9D1F-E930DD1B9882} 88C3D500

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbohci \Device\USBFDO-0 896A41F8
Device \Driver\usbohci \Device\USBFDO-1 896A41F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88C45500
Device \Driver\usbehci \Device\USBFDO-2 8963F500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88C45500
Device \Driver\Ftdisk \Device\FtControl 898A91F8
Device \Driver\arrvu8yu \Device\Scsi\arrvu8yu1Port1Path0Target0Lun0 8953B1F8
Device \Driver\arrvu8yu \Device\Scsi\arrvu8yu1 8953B1F8
Device \FileSystem\Cdfs \Cdfs 895AB1F8
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\kbiwkmkbmuiyqv.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1860] 0x10000000
Library \\?\globalroot\systemroot\system32\kbiwkmkbmuiyqv.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\IEXPLORE.EXE [3204] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmmexudovf.sys (*** hidden *** ) [SYSTEM] kbiwkmbnmtnkpa <-- ROOTKIT !!!
Service system32\drivers\UACeigiljwnss.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa@imagepath \systemroot\system32\drivers\kbiwkmmexudovf.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmmexudovf.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmpfqxjycb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmrrtvkixd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmhxmkowbi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\modules@kbiwkm.dat \systemroot\system32\kbiwkmcxyybwev.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmbnmtnkpa\modules@kbiwkmwsp8.dll \systemroot\system32\kbiwkmkbmuiyqv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF0 0xFA 0x2F 0x0B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x7E 0x81 0x66 0x63 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE9 0xF0 0xD9 0x59 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACeigiljwnss.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACeigiljwnss.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyubvsbnses.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACsr \\?\globalroot\systemroot\system32\UACfpollxiqtn.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACvttdlnkakp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa@imagepath \systemroot\system32\drivers\kbiwkmmexudovf.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\main@sid 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmmexudovf.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmpfqxjycb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmrrtvkixd.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmhxmkowbi.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\modules@kbiwkm.dat \systemroot\system32\kbiwkmcxyybwev.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmbnmtnkpa\modules@kbiwkmwsp8.dll \systemroot\system32\kbiwkmkbmuiyqv.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF0 0xFA 0x2F 0x0B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x7E 0x81 0x66 0x63 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEE 0xEA 0xD6 0x13 ...
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACeigiljwnss.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACeigiljwnss.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyubvsbnses.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACsr \\?\globalroot\systemroot\system32\UACfpollxiqtn.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACvttdlnkakp.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\kbiwkmmexudovf.sys 71168 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\kbiwkmcxyybwev.dat 43 bytes
File C:\WINDOWS\system32\kbiwkmhxmkowbi.dll 20480 bytes executable
File C:\WINDOWS\system32\kbiwkmkbmuiyqv.dll 19456 bytes executable
File C:\WINDOWS\system32\kbiwkmpfqxjycb.dll 45056 bytes executable
File C:\WINDOWS\system32\kbiwkmrrtvkixd.dat 81178 bytes
File C:\WINDOWS\Temp\kbiwkmnmdfdnskqi.tmp 43 bytes
File C:\WINDOWS\Temp\kbiwkmxohuftkbcj.tmp 19456 bytes executable
File C:\WINDOWS\Temp\0c3e8ca3-46d7-49d0-b374-a5a6d7d88427.tmp 0 bytes

---- EOF - GMER 1.0.15 ----

_____________________________________________________________________________________________________________________________________________



The Jotti scan found nothing on any scan...


Filename: explorer.exe
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Wed 9 Sep 2009 01:35:32 (CET)
______________________________________________________________________________________________________________________________________________






DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 19:27:49.40 on Sun 09/20/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.969 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5ABG9QJ\dds[1].scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: c:\windows\system32\ygsuhdf83id.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\ygsuhdf83id.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: DisallowRun = 0 (0x0)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: DisallowRun = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
STS: ghya673gidh87we9inkff: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
STS: c:\windows\system32\ygsuhdf83id.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\ygsuhdf83id.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\1bcmbjl9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\1bcmbjl9.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-7-22 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-9-8 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-8 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-8 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-8 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-8 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-9-8 1370488]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-7-22 5641736]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-7-22 571912]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-25 24652]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-9-8 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-7-22 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-7-22 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-7-22 27232]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-3-10 33792]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-11-24 194304]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchasts.exe --> c:\windows\svchasts.exe [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-9-8 29208]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xPADFL02.sys [2009-3-10 27904]

=============== Created Last 30 ================

2009-09-16 01:39 <DIR> --d----- c:\program files\Trend Micro
2009-09-16 01:29 <DIR> --d----- c:\program files\PokerStars
2009-09-15 14:36 <DIR> --d----- c:\windows\log
2009-09-15 14:31 <DIR> --dsh--- c:\windows\system32\lowsec
2009-09-11 01:11 <DIR> --d----- c:\program files\uTorrent
2009-09-11 01:11 <DIR> --d----- c:\docume~1\owner\applic~1\uTorrent
2009-09-10 23:51 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-09-10 23:50 <DIR> --d----- c:\program files\iPod
2009-09-10 23:50 <DIR> --d----- c:\program files\iTunes
2009-09-10 23:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 23:50 <DIR> --d----- c:\program files\Bonjour
2009-09-10 23:47 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-09-10 23:47 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-09-10 20:06 <DIR> --d----- c:\docume~1\owner\applic~1\Office Genuine Advantage
2009-09-09 11:37 <DIR> --d----- c:\program files\Yahoo!
2009-09-08 21:48 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-09-08 18:10 7,680 a------- c:\windows\system32\ff_vfw.dll
2009-09-08 18:10 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-09-08 18:10 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-09-08 18:10 <DIR> --d----- c:\program files\ffdshow
2009-09-08 17:55 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-09-08 17:44 <DIR> --d----- c:\program files\IObit
2009-09-08 17:28 <DIR> --d----- c:\windows\SxsCaPendDel
2009-09-08 16:59 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-08 16:59 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-09-08 16:59 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-08 16:58 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-08 16:58 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-08 16:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-09-08 16:58 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-09-08 16:58 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-09-08 13:26 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-09-08 13:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-09-08 12:54 0 a------- c:\windows\system32\22662.exe
2009-09-08 12:28 <DIR> --d----- c:\docume~1\owner\applic~1\IObit
2009-09-08 11:51 0 a------- c:\windows\system32\41.exe
2009-09-06 19:14 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-09-06 19:13 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-09-06 19:13 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
2009-09-06 19:07 1,112,288 a------- c:\windows\system32\WdfCoInstaller01007.dll
2009-09-06 19:07 581,192 a------- c:\windows\system32\WinUSBCoInstaller.dll
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts
2009-09-03 14:31 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-08-30 18:01 4 a------- c:\windows\system32\bincd32.dat
2009-08-24 12:24 58 a------- c:\windows\ppp4.dat
2009-08-24 12:24 9 a------- c:\windows\system32\bennuar.old
2009-08-24 12:24 1 a------- c:\windows\ppp3.dat
2009-08-24 12:24 87 a------- c:\windows\system32\sonhelp.htm
2009-08-24 12:24 0 a------- c:\windows\system32\desot.exe

==================== Find3M ====================

2009-09-08 13:17 6,611 a------- c:\windows\system32\uacinit.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 11:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 11:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-01-24 06:39 87,608 a------- c:\docume~1\owner\applic~1\inst.exe
2009-01-24 06:39 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys

============= FINISH: 19:28:52.48 ===============

Attached Files

  • Attached File  gmer.log   25.49KB

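As an added example (my own code, not something posted in this thread and not part of DDS), here is a small Python triage pass over the SERVICES / DRIVERS and "Created Last 30" lines of a DDS log like the one above. It flags entries DDS could not stat (the `[?]` tail), service executables sitting directly in the Windows directory, zero-byte executables and newly created hidden+system directories; the regexes, heuristics and function names are my own assumptions, and the sample lines are copied from the posted log.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the DDS log posted above (a mix of
# service/driver entries and "Created Last 30" file entries).
SAMPLE_LOG = r"""
R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-7-22 25608]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchasts.exe --> c:\windows\svchasts.exe [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
2009-09-15 14:31 <DIR> --dsh--- c:\windows\system32\lowsec
2009-09-08 12:54 0 a------- c:\windows\system32\22662.exe
2009-09-10 23:47 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
"""

# "R0 name;display name;path [date size]", or "... path --> path [?]" when DDS
# could not get file information for the binary (assumed format, from the log).
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) \[(?P<info>[^\]]*)\]$")
# "YYYY-MM-DD HH:MM <DIR>|size attrs path" (assumed format, from the log).
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$")

def parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path (no os.path, so it works on any host)."""
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""

def triage(log: str) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries worth a closer look.
    These are review hints, not verdicts: legitimate tools can trip them too."""
    findings = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            path = m.group("path").split(" --> ")[-1]  # the resolved path DDS printed
            if m.group("info") == "?":
                findings.append((path, "DDS found no file information for the service binary"))
            if parent_dir(path) == "c:\\windows" and path.lower().endswith(".exe"):
                findings.append((path, "service executable sits directly in the Windows directory"))
            continue
        m = FILE_RE.match(line)
        if m:
            path, size, attrs = m.group("path"), m.group("size"), m.group("attrs")
            if size == "0" and path.lower().endswith(".exe"):
                findings.append((path, "zero-byte executable created recently"))
            if size == "<DIR>" and "s" in attrs and "h" in attrs:
                findings.append((path, "new hidden+system directory"))
    return findings

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}: {reason}")
```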

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:20 PM

Posted 21 September 2009 - 06:16 PM

Hello, trustandfall.
Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Edited by etavares, 21 September 2009 - 06:16 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:20 PM

Posted 24 September 2009 - 04:58 PM

Hi trustandfall... have you had a chance to do the steps above yet? Please let me know. This thread may be closed if I don't get a reply in the next couple of days.




#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:20 PM

Posted 27 September 2009 - 01:01 PM

This thread will now be closed.

If you need this topic reopened, please send etavares PM and we will reopen it for you.

If you should have a new issue, please start a new topic.



