
Google Gala Hijack


31 replies to this topic

#1 MLinau


Posted 22 September 2009 - 05:32 PM

I have the same problem as a few others: an IE and Firefox hijack that redirects to weird search engines and doesn't let you click on the found results. I have read and followed the instructions of another user up until running combofix.exe.

It found and deleted something to do with Firefox and start-up programs. (I have WinXP.)
However, I think it's still not 100% OK, as IE or Firefox still take a long time to load google.com etc.

I have the ComboFix log saved, but I would like to follow the rules and wait for your prompt to post it.
Looking forward to your help!
Monika


#2 jpshortstuff


Posted 22 September 2009 - 05:47 PM

Hi,

Please post the ComboFix log. Please also run the following scans.

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done two logs should open:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from one of the following locations and save it to your desktop.
  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • In the Select Scan dialog, check the scan types shown in the screenshot.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Please post this log in your next reply.

Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3 MLinau


Posted 22 September 2009 - 06:12 PM

ComboFix 09-09-22.01 - Monika 09/22/2009 14:36.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.265 [GMT -8:00]
Running from: c:\documents and settings\Monika\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Uninstall.lnk
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\Installer\13b34c.msi

.
((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
.

2009-09-01 20:10 . 2008-12-10 19:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-01 20:10 . 2009-09-22 21:39 -------- d-----w- c:\program files\Spyware Doctor
2009-09-01 19:43 . 2009-09-01 19:43 -------- d-----w- c:\program files\Trend Micro
2009-08-24 23:09 . 2009-08-24 23:09 -------- d-----w- c:\documents and settings\Monika\Application Data\IObit
2009-08-24 23:09 . 2009-08-24 23:09 -------- d-----w- c:\program files\IObit
2009-08-24 21:55 . 2009-08-24 21:55 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-22 22:01 . 2009-09-22 21:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-22 21:39 . 2009-09-04 19:43 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2009-09-22 21:39 . 2009-09-01 20:11 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-22 21:39 . 2009-09-22 21:39 -------- d-----w- c:\documents and settings\Monika\Application Data\PC Tools
2009-09-22 21:39 . 2009-09-22 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-22 21:13 . 2007-11-08 00:21 -------- d-----w- c:\documents and settings\Monika\Application Data\Skype
2009-09-22 06:14 . 2007-11-11 17:08 -------- d-----w- c:\documents and settings\Bert\Application Data\Skype
2009-09-21 20:49 . 2008-07-03 17:59 -------- d-----w- c:\documents and settings\Monika\Application Data\skypePM
2009-09-04 22:50 . 2008-07-04 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-04 19:43 . 2009-09-04 19:43 -------- d-----w- c:\documents and settings\Monika\Application Data\Malwarebytes
2009-09-04 19:43 . 2009-09-04 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-27 21:29 . 2008-07-04 18:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-27 21:29 . 2008-07-04 18:57 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-27 21:29 . 2007-06-06 18:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-24 22:05 . 2009-09-01 20:11 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-22 21:44 . 2008-07-03 19:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-19 19:01 . 2009-09-01 20:11 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-14 14:58 . 2009-09-01 20:11 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-12 21:19 . 2009-08-12 21:19 -------- d-----w- c:\program files\USPS
2009-08-03 21:36 . 2009-09-04 19:43 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 21:36 . 2009-09-04 19:43 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-11 04:29 . 2007-06-07 17:12 21896 ----a-w- c:\documents and settings\Monika\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-27 21:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 3\\Dreamweaver.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/1/2009 12:11 PM 206256]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/4/2008 10:57 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/4/2008 10:57 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 1:12 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 1:12 PM 297752]
R3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [2/14/2008 10:10 AM 899884]
S3 Atmhub0vete;Atmhub0vete; [x]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/1/2009 12:10 PM 348752]
S4 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [4/20/2009 1:21 PM 33176]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Monika\Application Data\Mozilla\Firefox\Profiles\5p925vge.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - plugin: c:\program files\Java\j2re1.4.2_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_04\bin\NPJPI142_04.dll
FF - plugin: c:\program files\Java\j2re1.4.2_04\bin\NPOJI610.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 14:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-22 14:59
ComboFix-quarantined-files.txt 2009-09-22 22:59

Pre-Run: 62,529,986,560 bytes free
Post-Run: 64,719,507,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn






DDS (Ver_09-07-30.01) - NTFSx86
Run by Monika at 16:02:49.81 on Tue 09/22/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.149 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Monika\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mURLSearchHooks: H - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {27743AB1-8A7C-442A-8F10-AE39E2F26538} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\monika\applic~1\mozilla\firefox\profiles\5p925vge.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - plugin: c:\program files\java\j2re1.4.2_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_04\bin\NPJPI142_04.dll
FF - plugin: c:\program files\java\j2re1.4.2_04\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-1 206256]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-4 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-6-6 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-4 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 297752]
R3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [2008-2-14 899884]
S3 Atmhub0vete;Atmhub0vete; [x]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-9-1 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-9-1 1097096]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-4-20 33176]

=============== Created Last 30 ================

2009-09-22 14:34 <DIR> a-dshr-- C:\cmdcons
2009-09-22 14:32 229,888 a------- c:\windows\PEV.exe
2009-09-22 14:32 161,792 a------- c:\windows\SWREG.exe
2009-09-22 14:32 98,816 a------- c:\windows\sed.exe
2009-09-22 13:39 <DIR> --d----- c:\docume~1\monika\applic~1\PC Tools
2009-09-22 13:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-09-04 11:43 <DIR> --d----- c:\docume~1\monika\applic~1\Malwarebytes
2009-09-04 11:43 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-04 11:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-04 11:43 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 11:43 <DIR> --d----- c:\program files\Malwarebytes Anti-Malware
2009-09-01 12:11 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-09-01 12:11 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
2009-09-01 12:11 86,888 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-01 12:11 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-01 12:11 <DIR> --d----- c:\program files\common files\PC Tools
2009-09-01 12:10 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-09-01 12:10 <DIR> --d----- c:\program files\Spyware Doctor
2009-09-01 11:43 <DIR> --d----- c:\program files\Trend Micro
2009-08-24 15:09 <DIR> --d----- c:\docume~1\monika\applic~1\IObit
2009-08-24 15:09 <DIR> --d----- c:\program files\IObit
2009-08-24 13:55 <DIR> --d----- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-08-27 13:29 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-27 13:29 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-14 13:12 21,896 a------- c:\docume~1\monika\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 16:03:22.35 ===============




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/22 16:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6527000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf8460d72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf84419a6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf8441b98

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf8461568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf8461820

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf845fa80

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf8461c8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf8461036

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf8441656

==EOF==

Attached Files
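The RootRepeal report above lists every SSDT entry hooked by a third-party driver and every loaded driver whose file is not visible on disk. Reading it is a matter of attributing each hook and each hidden driver to software you know is on the box: here all nine hooks belong to PCTCore.sys, which the DDS log lists as the Spyware Doctor kernel driver ("PCTools KDS"), and the one hidden driver is RootRepeal's own. The Python below is an added example, not a tool from this thread or from RootRepeal's authors. It parses the log format shown above and reports hooks and hidden drivers that are not on an allowlist. The allowlist (PCTCore.sys for hooks; rootrepeal.sys, catchme.sys and PROCEXP90.SYS as scanner drivers) is an assumption taken from this thread's logs, and the extra "unknown_example.sys" entry is constructed to show what a flagged case looks like.

```python
"""Triage a RootRepeal log: attribute SSDT hooks and hidden drivers to known software."""
import re
from collections import defaultdict

# Lines copied from the RootRepeal report posted above (trimmed to three of the nine hooks).
SAMPLE_ROOTREPEAL_LOG = """\
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xF6527000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf8460d72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf84419a6

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf8441656

==EOF==
"""

# Constructed log (not from the page): one extra hook by a module nobody installed on purpose.
CONSTRUCTED_SUSPECT_LOG = SAMPLE_ROOTREPEAL_LOG.replace(
    "==EOF==",
    '#: 119 Function Name: NtOpenKey\nStatus: Hooked by "unknown_example.sys" at address 0xf9a00000\n\n==EOF==',
)

# Assumptions: PCTCore.sys belongs to Spyware Doctor ("PCTools KDS" in the DDS service list).
# The other three are drivers loaded by the scanning tools themselves (RootRepeal, ComboFix's
# catchme, Process Explorer) and are expected to be hidden while those tools run.
KNOWN_HOOKERS = {"pctcore.sys"}
KNOWN_TOOL_DRIVERS = {"rootrepeal.sys", "catchme.sys", "procexp90.sys"}

HOOK_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
STATUS_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')
NAME_RE = re.compile(r"^Name:\s*(\S+)")
VISIBLE_RE = re.compile(r"File Visible:\s*(Yes|No)")


def parse_ssdt_hooks(log):
    """Return one dict per hooked SSDT entry: index, function, hooking module, address."""
    hooks, pending = [], None
    for line in log.splitlines():
        m = HOOK_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = STATUS_RE.match(line)
        if m and pending:
            hooks.append({"index": pending[0], "function": pending[1],
                          "module": m.group(1), "address": m.group(2)})
            pending = None
    return hooks


def parse_hidden_drivers(log):
    """Return the names of loaded drivers whose image file RootRepeal could not see on disk."""
    hidden, name = [], None
    for line in log.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = VISIBLE_RE.search(line)
        if m and name:
            if m.group(1) == "No":
                hidden.append(name)
            name = None
    return hidden


def triage(log, known_hookers=KNOWN_HOOKERS, known_tool_drivers=KNOWN_TOOL_DRIVERS):
    """Group hooks by module and report anything not attributable to known software."""
    by_module = defaultdict(list)
    for h in parse_ssdt_hooks(log):
        by_module[h["module"].lower()].append(h["function"])
    unknown_hookers = {m: fns for m, fns in by_module.items() if m not in known_hookers}
    hidden = parse_hidden_drivers(log)
    # A hidden driver file is not malicious by itself; it only needs an owner you can name.
    unknown_hidden = [d for d in hidden if d.lower() not in known_tool_drivers]
    return {"hooks_by_module": dict(by_module), "unknown_hookers": unknown_hookers,
            "hidden_drivers": hidden, "unknown_hidden_drivers": unknown_hidden}


if __name__ == "__main__":
    for label, log in (("posted log", SAMPLE_ROOTREPEAL_LOG), ("constructed log", CONSTRUCTED_SUSPECT_LOG)):
        r = triage(log)
        print(label, "-> hooks by module:", r["hooks_by_module"])
        print("  unknown hookers:", r["unknown_hookers"] or "none")
        print("  unknown hidden drivers:", r["unknown_hidden_drivers"] or "none")
```

On the posted log the script reports nothing unknown, which matches the helper's reading of it; the constructed log shows the one kind of finding that would matter, an SSDT hook owned by a module that no installed product explains.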



#4 MLinau


Posted 22 September 2009 - 06:15 PM

Also, when I ran RootRepeal it said:
Error - invalid PE image found

Thanks for your help!

#5 jpshortstuff


Posted 22 September 2009 - 06:28 PM

Hi,

If you don't mind, I would like a quick sample of something that ComboFix deleted. Please go to this page, and upload this file:
C:\QooBox\c\program files\Mozilla Firefox\searchplugins\search.xml


OK, let's try and clean-up a bit.

First, click Start >> Run, then type sc delete Atmhub0vete (copy/paste may be easier to get it exactly right), then hit Enter.

Next, open your Control Panel and click Add/Remove Programs. Look for this outdated version of Java and click Remove:
Java 2 Runtime Environment, SE v1.4.2_04

To replace it, you can download the latest version here:
http://www.java.com/en/download/index.jsp


Next, we'll run a general scan to check for any remaining Malware.

Please download ATF Cleaner by Atribune.
Download: ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, click No at the prompt to keep saved passwords.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.
Thanks.
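ComboFix removed c:\program files\Mozilla Firefox\searchplugins\search.xml, and the helper asked for a copy of it from ComboFix's quarantine. Firefox search plugins are OpenSearch XML files: the ShortName is what the browser shows in the search box, and the Url template is where the query is actually sent, so a plugin file can present itself as a familiar engine while routing searches somewhere else. The Python below is an added example, not code from this thread or from Mozilla. It parses a plugin file, extracts the host of the HTML results URL, and flags the file when the display name claims an engine whose expected hosts (an assumed table) do not include that host. Both plugin files in the block are constructed for illustration, and search.example.net is a placeholder host, not anything seen on this machine.

```python
"""Inspect a Firefox search plugin (OpenSearch XML) and report where queries really go."""
import glob
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: hosts a practitioner would accept for an engine with this ShortName.
EXPECTED_HOSTS = {
    "google": {"www.google.com", "google.com"},
    "yahoo! search": {"search.yahoo.com"},
}

# Constructed plugin files (not the search.xml from the thread), in the OpenSearch 1.1 layout.
GOOD_PLUGIN = """<?xml version="1.0"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Google</ShortName>
  <Url type="text/html" method="GET" template="http://www.google.com/search?q={searchTerms}"/>
</OpenSearchDescription>
"""
# Same label, but the HTML template sends the query to a constructed third-party host.
BAD_PLUGIN = """<?xml version="1.0"?>
<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/"
              xmlns:os="http://a9.com/-/spec/opensearch/1.1/">
  <os:ShortName>Google</os:ShortName>
  <os:Url type="text/html" method="GET" template="http://search.example.net/go">
    <os:Param name="q" value="{searchTerms}"/>
    <os:Param name="aff" value="1234"/>
  </os:Url>
</SearchPlugin>
"""


def _local(tag):
    """Strip the XML namespace so the Mozilla and plain OpenSearch layouts parse alike."""
    return tag.rsplit("}", 1)[-1]


def inspect_search_plugin(xml_text, expected_hosts=EXPECTED_HOSTS):
    """Return the display name, the host the HTML results URL points at, and a verdict."""
    root = ET.fromstring(xml_text)
    short_name, html_template, params = None, None, {}
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "ShortName":
            short_name = (el.text or "").strip()
        elif tag == "Url" and el.get("type", "text/html") == "text/html" and html_template is None:
            html_template = el.get("template", "")
            # Query parameters may live in the template or in child Param elements.
            params = {p.get("name"): p.get("value") for p in el if _local(p.tag) == "Param"}
    host = (urlsplit(html_template).hostname or "").lower() if html_template else ""
    allowed = expected_hosts.get((short_name or "").lower())
    # Suspicious when the name claims a known engine but the results URL goes elsewhere.
    suspicious = allowed is not None and host not in allowed
    return {"short_name": short_name, "template": html_template, "params": params,
            "host": host, "suspicious": suspicious}


def scan_searchplugins_dir(directory):
    """Inspect every *.xml plugin in a Firefox searchplugins directory."""
    results = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.xml"))):
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            try:
                results[os.path.basename(path)] = inspect_search_plugin(fh.read())
            except ET.ParseError as exc:
                results[os.path.basename(path)] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_PLUGIN), ("bad", BAD_PLUGIN)):
        print(label, inspect_search_plugin(xml_text))
```

The prefs.js line in the DDS logs (browser.search.selectedEngine) only names which plugin is selected; the plugin file decides where the query goes, which is why the helper wanted the file itself rather than the preference.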

#6 MLinau


Posted 22 September 2009 - 06:33 PM

OK, I just sent the file.
Now doing the rest....

#7 jpshortstuff


Posted 22 September 2009 - 07:29 PM

:(

#8 MLinau


Posted 22 September 2009 - 07:36 PM

OK, here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 2845
Windows 5.1.2600 Service Pack 2

9/22/2009 5:31:26 PM
mbam-log-2009-09-22 (17-31-26).txt

Scan type: Full Scan (C:\|K:\|)
Objects scanned: 165947
Time elapsed: 51 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 jpshortstuff


Posted 23 September 2009 - 04:07 AM

How's it running at the moment?

Please run DDS again and post the first log it gives (DDS.txt). Let's see if there's anything left to clean up.

#10 MLinau


Posted 23 September 2009 - 05:05 PM

Here is the DDS:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Monika at 14:57:38.45 on Wed 09/23/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.195 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Monika\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mURLSearchHooks: H - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {27743AB1-8A7C-442A-8F10-AE39E2F26538} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\monika\applic~1\mozilla\firefox\profiles\5p925vge.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-1 206256]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-4 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-6-6 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-4 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 297752]
R3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [2008-2-14 899884]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-9-1 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-9-1 1097096]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-4-20 33176]

=============== Created Last 30 ================

2009-09-22 16:34 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-22 16:34 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-22 16:31 <DIR> --d----- c:\windows\system32\appmgmt
2009-09-22 16:24 <DIR> --d----- c:\program files\Microsoft Money 2007
2009-09-22 14:34 <DIR> a-dshr-- C:\cmdcons
2009-09-22 14:32 229,888 a------- c:\windows\PEV.exe
2009-09-22 14:32 161,792 a------- c:\windows\SWREG.exe
2009-09-22 14:32 98,816 a------- c:\windows\sed.exe
2009-09-22 13:39 <DIR> --d----- c:\docume~1\monika\applic~1\PC Tools
2009-09-22 13:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-09-04 11:43 <DIR> --d----- c:\docume~1\monika\applic~1\Malwarebytes
2009-09-04 11:43 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-04 11:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-04 11:43 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 11:43 <DIR> --d----- c:\program files\Malwarebytes Anti-Malware
2009-09-01 12:11 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-09-01 12:11 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
2009-09-01 12:11 86,888 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-01 12:11 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-01 12:11 <DIR> --d----- c:\program files\common files\PC Tools
2009-09-01 12:10 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-09-01 12:10 <DIR> --d----- c:\program files\Spyware Doctor
2009-09-01 11:43 <DIR> --d----- c:\program files\Trend Micro
2009-08-24 15:09 <DIR> --d----- c:\docume~1\monika\applic~1\IObit
2009-08-24 15:09 <DIR> --d----- c:\program files\IObit

==================== Find3M ====================

2009-08-27 13:29 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-27 13:29 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-14 13:12 21,896 a------- c:\docume~1\monika\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 14:58:16.09 ===============

And I am sending the Attach.txt file as an upload again.

Yesterday I thought it was all better, but just now, when I used IE and Firefox with Google, I still sometimes get an empty page and the browser says "Done" when typing in google.com, for example.
So it looks like there is still something left...?!

Attached Files



#11 jpshortstuff


Posted 24 September 2009 - 02:40 AM

Hmm, nothing obvious is showing, just a few scraps, but that doesn't mean there isn't anything nasty lurking.

Please delete your copy of ComboFix, and download the latest version to your Desktop. Do not run it yet.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

DDS::
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {27743AB1-8A7C-442A-8F10-AE39E2F26538} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

3. Save the above as CFScript.txt

4. Then drag CFScript.txt onto ComboFix.exe. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post ComboFix.txt in your next reply.

Next, please run RootRepeal again, but this time check all the boxes when scanning. Post the log it gives.

Let me know if you are still having problems.
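The CFScript above works by copying DDS lines verbatim under a DDS:: heading; the lines chosen are exactly the toolbar and explorer-bar entries whose file no longer exists, and the earlier sc delete Atmhub0vete targeted a service that DDS printed with [x] in place of an image path. The Python below is an added example, not a tool from this thread or from ComboFix's author. It pulls those two kinds of orphan entries out of DDS text and emits the CFScript section and the sc delete commands. Restricting the DDS:: section to TB:, EB: and BHO: lines is an assumption that mirrors this thread's script; any other "No File" line (here the mURLSearchHooks entry) is listed for manual review rather than acted on.

```python
"""Turn orphan entries in a DDS log into a ComboFix CFScript plus sc delete commands."""
import re

# Lines copied from the DDS.txt posted earlier in this thread (other sections omitted).
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mURLSearchHooks: H - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {27743AB1-8A7C-442A-8F10-AE39E2F26538} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\\program files\\adobe\\acrobat 7.0\\acrobat\\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\\program files\\messenger\\msmsgs.exe" /background

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\\windows\\system32\\drivers\\PCTCore.sys [2009-9-1 206256]
S3 Atmhub0vete;Atmhub0vete; [x]
S3 sdAuxService;PC Tools Auxiliary Service;c:\\program files\\spyware doctor\\pctsAuxs.exe [2009-9-1 348752]
"""

# Assumption: only toolbar (TB), explorer bar (EB) and BHO entries with no backing file go
# into the DDS:: section, as in this thread's script. Other "No File" lines are reviewed by hand.
ORPHAN_RE = re.compile(r"^(TB|EB|BHO):\s.*-\s+No File\s*$")
OTHER_NOFILE_RE = re.compile(r"^\w+:\s.*-\s+No File\s*$")
# A service line whose third field (the image path) is missing: DDS prints "[x]" there.
ORPHAN_SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;\s*\[x\]\s*$")


def find_orphan_entries(dds_text):
    """Return (lines for DDS::, other No File lines to review, service names with no image)."""
    cfscript_lines, review, services = [], [], []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if ORPHAN_RE.match(line):
            cfscript_lines.append(line)
        elif OTHER_NOFILE_RE.match(line):
            review.append(line)
        m = ORPHAN_SERVICE_RE.match(line)
        if m:
            services.append(m.group(1))
    return cfscript_lines, review, services


def build_cleanup(dds_text):
    """Assemble the CFScript text and the sc delete commands for a DDS log."""
    entries, review, services = find_orphan_entries(dds_text)
    cfscript = ""
    if entries:
        # CFScript copies the DDS lines verbatim beneath the DDS:: directive.
        cfscript = "DDS::\n" + "\n".join(entries) + "\n"
    return {"cfscript": cfscript, "review": review,
            "sc_delete": [f"sc delete {name}" for name in services]}


if __name__ == "__main__":
    result = build_cleanup(SAMPLE_DDS)
    print(result["cfscript"])
    print("review manually:", result["review"])
    print("\n".join(result["sc_delete"]))
```

Run against the DDS excerpt, the generated DDS:: section is the same three lines as the helper's CFScript, and the service check recovers the sc delete command from post #5. Anything the script lists under review still needs a human decision, the same as the helper made here.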

#12 MLinau


Posted 24 September 2009 - 01:50 PM

OK, so when I ran RootRepeal first, I checked my external hard drive as well and it froze.
I ran it again with only drive C, and here is the report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/24 11:40
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\Monika\LOCALS~1\Temp\catchme.sys
Address: 0xF880D000 Size: 31744 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF8B03000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF613E000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf8460d72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf84419a6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf8441b98

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf8461568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf8461820

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf845fa80

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf8461c8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf8461036

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf8441656

==EOF==


ComboFix 09-09-23.02 - Monika 09/24/2009 11:17.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.181 [GMT -8:00]
Running from: c:\documents and settings\Monika\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Monika\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

K:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))
.

2009-09-23 00:34 . 2009-09-23 00:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-23 00:33 . 2009-09-23 00:33 -------- d-----w- c:\program files\Java
2009-09-23 00:24 . 2009-09-23 00:51 -------- d-----w- c:\program files\Microsoft Money 2007
2009-09-01 20:10 . 2008-12-10 19:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-01 20:10 . 2009-09-22 21:39 -------- d-----w- c:\program files\Spyware Doctor
2009-09-01 19:43 . 2009-09-01 19:43 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 00:38 . 2009-09-04 19:43 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2009-09-23 00:24 . 2007-06-09 17:56 -------- d-----w- c:\program files\Microsoft Money 2005
2009-09-22 22:01 . 2009-09-22 21:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-22 21:39 . 2009-09-01 20:11 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-22 21:39 . 2009-09-22 21:39 -------- d-----w- c:\documents and settings\Monika\Application Data\PC Tools
2009-09-22 21:39 . 2009-09-22 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-22 21:13 . 2007-11-08 00:21 -------- d-----w- c:\documents and settings\Monika\Application Data\Skype
2009-09-22 06:14 . 2007-11-11 17:08 -------- d-----w- c:\documents and settings\Bert\Application Data\Skype
2009-09-21 20:49 . 2008-07-03 17:59 -------- d-----w- c:\documents and settings\Monika\Application Data\skypePM
2009-09-10 22:54 . 2009-09-04 19:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 22:53 . 2009-09-04 19:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 22:50 . 2008-07-04 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-04 19:43 . 2009-09-04 19:43 -------- d-----w- c:\documents and settings\Monika\Application Data\Malwarebytes
2009-09-04 19:43 . 2009-09-04 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-27 21:29 . 2008-07-04 18:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-27 21:29 . 2008-07-04 18:57 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-27 21:29 . 2007-06-06 18:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-24 23:09 . 2009-08-24 23:09 -------- d-----w- c:\documents and settings\Monika\Application Data\IObit
2009-08-24 23:09 . 2009-08-24 23:09 -------- d-----w- c:\program files\IObit
2009-08-24 22:05 . 2009-09-01 20:11 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-22 21:44 . 2008-07-03 19:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-19 19:01 . 2009-09-01 20:11 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-14 14:58 . 2009-09-01 20:11 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-12 21:19 . 2009-08-12 21:19 -------- d-----w- c:\program files\USPS
2009-07-11 04:29 . 2007-06-07 17:12 21896 ----a-w- c:\documents and settings\Monika\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-09-22_22.57.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-09-23 07:49 . 2005-09-23 07:49 95744 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841\ATL80.dll
+ 2009-09-23 00:34 . 2009-09-23 00:33 149280 c:\windows\system32\javaws.exe
+ 2009-09-23 00:34 . 2009-09-23 00:33 145184 c:\windows\system32\javaw.exe
+ 2009-09-23 00:34 . 2009-09-23 00:33 145184 c:\windows\system32\java.exe
+ 2009-09-23 00:33 . 2009-09-23 00:33 537600 c:\windows\Installer\3dde13.msi
+ 2009-09-23 00:23 . 2009-09-23 00:23 204800 c:\windows\Installer\3ddbc9.msi
+ 2004-02-24 04:42 . 2004-02-24 04:42 1386496 c:\windows\system32\msvbvm60.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-23 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-27 21:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 3\\Dreamweaver.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/1/2009 12:11 PM 206256]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/4/2008 10:57 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/4/2008 10:57 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 1:12 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 1:12 PM 297752]
R3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [2/14/2008 10:10 AM 899884]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/1/2009 12:10 PM 348752]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Monika\Application Data\Mozilla\Firefox\Profiles\5p925vge.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 11:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-24 11:23
ComboFix-quarantined-files.txt 2009-09-24 19:23
ComboFix2.txt 2009-09-22 22:59

Pre-Run: 64,606,547,968 bytes free
Post-Run: 64,582,033,408 bytes free

115


So far so good....browsers worked ok for the first 20 min. now....I am so grateful!! Yeppeee
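Reading the two logs above together: every SSDT hook RootRepeal reports is placed by PCTCore.sys, and the ComboFix log lists that same file as the registered service `R0 PCTCore;PCTools KDS` installed under Spyware Doctor on 9/1/2009, so those hooks belong to the installed security product rather than to a rootkit. The three drivers RootRepeal reports as `File Visible: No` are the scanners' own (catchme.sys is ComboFix's rootkit scanner, rootrepeal.sys is RootRepeal's driver, PROCEXP90.SYS is Process Explorer's). The following is an added example, not part of the post and not code from RootRepeal or ComboFix, that does this cross-check mechanically: it parses the RootRepeal `Drivers` and `SSDT` sections, parses the ComboFix service lines, and reports each hooking driver as a registered service or not, and each hidden driver as explained or not. The log text is taken from the post except for one constructed hook entry (`unknown.sys`, `NtLoadDriver`) added to exercise the unregistered branch; the list of scanner drivers is this example's assumption.

```python
import re
from collections import defaultdict

# RootRepeal excerpt from the post above, plus one CONSTRUCTED hook entry
# ("unknown.sys" on NtLoadDriver) so the unregistered-driver branch runs.
ROOTREPEAL_LOG = """\
Drivers
-------------------
Name: catchme.sys
Image Path: C:\\DOCUME~1\\Monika\\LOCALS~1\\Temp\\catchme.sys
Address: 0xF880D000 Size: 31744 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\\WINDOWS\\system32\\Drivers\\PROCEXP90.SYS
Address: 0xF8B03000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xF613E000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf8460d72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf84419a6

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf8441656

#: 097 Function Name: NtLoadDriver
Status: Hooked by "unknown.sys" at address 0xf9aa0000

==EOF==
"""

# Service lines copied from the ComboFix log above.
COMBOFIX_SERVICES = """\
R0 PCTCore;PCTools KDS;c:\\windows\\system32\\drivers\\PCTCore.sys [9/1/2009 12:11 PM 206256]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\\windows\\system32\\drivers\\avgldx86.sys [7/4/2008 10:57 AM 335240]
S3 sdAuxService;PC Tools Auxiliary Service;c:\\program files\\Spyware Doctor\\pctsAuxs.exe [9/1/2009 12:10 PM 348752]
"""

# Assumption of this example: drivers belonging to the scanning tools in use,
# which are expected to hide their own file while running.
SCANNER_DRIVERS = {'catchme.sys', 'rootrepeal.sys', 'procexp90.sys'}

HOOK_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\w+)\s*$')
STATUS_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
DRIVER_NAME_RE = re.compile(r'^Name:\s*(\S+)')
VISIBLE_RE = re.compile(r'File Visible:\s*(Yes|No)')
SERVICE_RE = re.compile(r'^[RS]\d\s+([^;]+);([^;]*);(.*?)\s+\[')


def parse_rootrepeal(text):
    """Return (hooks, hidden): hooks maps hooking driver (lower case) to
    [(ssdt_index, function, address)], hidden lists 'File Visible: No' drivers."""
    hooks, hidden = defaultdict(list), []
    section, pending, current = None, None, None
    for line in text.splitlines():
        line = line.strip()
        if line in ('Drivers', 'SSDT'):
            section = line
            continue
        if section == 'Drivers':
            m = DRIVER_NAME_RE.match(line)
            if m:
                current = m.group(1)
                continue
            m = VISIBLE_RE.search(line)
            if m and m.group(1) == 'No' and current:
                hidden.append(current)
        elif section == 'SSDT':
            m = HOOK_RE.match(line)
            if m:
                pending = (int(m.group(1)), m.group(2))  # wait for its Status line
                continue
            m = STATUS_RE.match(line)
            if m and pending:
                hooks[m.group(1).lower()].append((pending[0], pending[1], m.group(2).lower()))
                pending = None
    return dict(hooks), hidden


def parse_combofix_services(text):
    """Map service image basename (lower case) -> (service name, display name)."""
    known = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            basename = m.group(3).replace('\\', '/').rsplit('/', 1)[-1].lower()
            known[basename] = (m.group(1), m.group(2))
    return known


def triage(rootrepeal_text, combofix_text):
    """Cross-reference SSDT hooks and hidden drivers against known services."""
    hooks, hidden = parse_rootrepeal(rootrepeal_text)
    known = parse_combofix_services(combofix_text)
    hooking = {drv: {'registered': drv in known,
                     'service': known.get(drv),
                     'functions': sorted(fn for _, fn, _ in entries)}
               for drv, entries in hooks.items()}
    return {'hooking': hooking, 'hidden': hidden,
            'hidden_unexplained': [d for d in hidden if d.lower() not in SCANNER_DRIVERS]}


if __name__ == '__main__':
    r = triage(ROOTREPEAL_LOG, COMBOFIX_SERVICES)
    for drv, info in r['hooking'].items():
        tag = 'registered as %s' % (info['service'],) if info['registered'] else 'NOT a registered service'
        print('%s: %s; hooks %s' % (drv, tag, ', '.join(info['functions'])))
    print('hidden drivers:', r['hidden'], 'unexplained:', r['hidden_unexplained'])
```

A hooking driver that is absent from the service list, or a hidden driver that is not one of the scanners, is what would deserve a closer look; neither occurs in the real log lines here, which matches the helper's reading that nothing bad is showing.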

#13 MLinau (Topic Starter)

Posted 24 September 2009 - 01:54 PM

Darn... again, when I opened up Firefox
it tried to open the home link http://www.google.com/firefox?client=firef...:en-US:official
and then the page is empty and it says 'Done' in the bottom-left bar, so something is still going on.
Thank you,
Monika

#14 jpshortstuff (WhatTheTech Teacher)

Posted 24 September 2009 - 04:21 PM

Hmm, hard to say whether or not that is Malware related. How often does it happen? When it happens, does hitting F5 (or Ctrl+F5) load the correct page?

A blank page loading is something that does happen every now and again, I've noticed it a few times on my own machines. There's nothing bad showing in your logs, but we can run a thorough, general scan if you like, just in case. Are you having any other problems apart from these blank pages?

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


#15 MLinau (Topic Starter)

Posted 24 September 2009 - 05:01 PM

Oh, hitting F5 actually loads the Google start page.
Some links, when I do a search, don't work and redirect to some bogus site.

When I try to go to google.de it doesn't work, it just goes to the English Google page.



