HijackThis Log: Please help Diagnose


This topic is locked
43 replies to this topic

#1 valorsangel


Posted 26 September 2009 - 03:48 PM

I have run multiple scans using: Spybot, Ad-Aware, IObit Security 360, Malwarebytes' Anti-Malware. Cleared temp files. Backed up my registry files using ERUNT, and ran NTREGOPT and Wise Registry Cleaner. I am using System Configuration to "Selective Startup"; unchecked System.ini, Win.ini and Startup Items, then hide All Microsoft Services and disable all. The computer is possessed whether I "Selective Startup" or normal startup.

In "Selective Startup" new browsers are opened repeatedly, sometimes a lot, sometimes just every once in a while. Sometimes, I will be on a site and the browser will be "hijacked" and go back to the "Home" site, which is currently Blackle.

I also get random numbers and letters typed just one at a time, then another after anywhere from 10 seconds to minutes later another one. Maybe the numbers are not completely random. I seem to notice lots of 9's and 6's.

Right clicks and Browser menus are also opened seemingly randomly.

In regular startup, Windows Messenger and other programs also are opened repeatedly.

Below is the DDS, Root Repeal & Hijack This report, and the "ATTACH.Txt" is attached.




DDS (Ver_09-09-24.01) - NTFSx86
Run by Y Davis at 11:29:16.59 on Sun 09/27/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1209 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\PeerGuardian2\pg2.exe
c:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Documents and Settings\Y Davis\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.blackle.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5090116
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-25 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-1 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-1 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-1 108552]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-1-15 8960]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-1-16 84992]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-1-15 11264]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-1-15 16640]
S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]
S3 vtayn;vtayn;\??\c:\docume~1\ydavis~1\locals~1\temp\vtayn.sys --> c:\docume~1\ydavis~1\locals~1\temp\vtayn.sys [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-1 908056]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-1 297752]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-15 133104]
S4 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2009-4-20 222456]
S4 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-9-20 305936]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================


==================== Find3M ====================

2009-08-22 08:40 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-22 08:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll

============= FINISH: 11:29:34.62 ===============






ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/27 11:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA2631000 Size: 888832 File Visible: No

Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9ED3A000 Size: 49152 File Visible: No

Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\program files\peerguardian2\history.db
Status: Size mismatch (API: 166502400, Raw: 166494208)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba0f887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba0f8bfe

==EOF==







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:50 PM, on 9/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5090116
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5090116
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - *{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 7550 bytes


I am looking forward to any help.


Edited by valorsangel, 27 September 2009 - 02:01 PM.



#2 valorsangel


Posted 27 September 2009 - 06:39 PM

Added the DDS, Root Repeal and the "ATTACH.Txt", and stated a more detailed description of symptoms.

#3 schrauber

  • Malware Response Team

Posted 13 October 2009 - 11:12 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#4 valorsangel


Posted 15 October 2009 - 10:01 PM

Thank you very much for your help. I apologize for the late reply. I will monitor this item with renewed zeal going forward.

Here is the new DDS.TXT and I attached an updated "Attach" file also. My symptoms are the same, hijacked to default "home" browser, which is blackle, and entry of numbers and letters.9





DDS (Ver_09-10-13.01) - NTFSx86
Run by Y Davis at 19:50:56.92 on Thu 10/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1473 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.1356 [VPS 091015-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Y Davis\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.blackle.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5090116
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-25 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-3 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-1 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-1 108552]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-3 108289]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-3 20560]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-1-15 8960]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-1-16 84992]
S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-10-4 309008]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-1-15 11264]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-1-15 16640]
S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]
S3 vtayn;vtayn;\??\c:\docume~1\ydavis~1\locals~1\temp\vtayn.sys --> c:\docume~1\ydavis~1\locals~1\temp\vtayn.sys [?]
S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-1 908056]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-1 297752]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-15 133104]
S4 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2009-4-20 222456]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-10-04 14:54 <DIR> --d----- c:\program files\Yahoo!
2009-10-04 14:54 <DIR> --d----- c:\program files\CCleaner
2009-10-04 09:15 <DIR> --dsh--- c:\windows\ftpcache
2009-10-04 09:14 <DIR> --d----- c:\program files\Showoff Home Design
2009-10-04 09:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Protexis
2009-10-03 20:27 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-10-03 20:27 <DIR> --d----- c:\program files\Avira
2009-10-03 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-10-03 14:06 1,066,176 a------- c:\windows\system32\MSCOMCTL.OCX
2009-10-03 14:06 140,288 a------- c:\windows\system32\Comdlg32.ocx
2009-10-03 14:06 137,000 a------- c:\windows\system32\MSMAPI32.OCX
2009-10-03 14:06 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-10-03 14:06 352,256 a------- c:\windows\system32\ijl15.dll
2009-10-03 14:06 265,216 a------- c:\windows\system32\NVIEWLIB.DLL
2009-10-03 14:06 <DIR> --d----- c:\program files\3D Landscape for Everyone
2009-09-26 15:57 <DIR> --d----- C:\c
2009-09-26 13:34 15,688 a------- c:\windows\system32\lsdelete.exe
2009-09-26 13:10 <DIR> --d----- c:\program files\Trend Micro
2009-09-25 19:23 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-25 19:21 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-09-20 14:24 <DIR> --d----- c:\program files\Wise Registry Cleaner 3
2009-09-20 13:58 <DIR> --d----- c:\docume~1\ydavis~1\applic~1\Malwarebytes
2009-09-20 13:58 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-20 13:58 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-20 13:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 13:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-20 13:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IObit
2009-09-20 13:42 <DIR> --d----- c:\program files\IObit
2009-09-19 19:27 <DIR> --d----- c:\program files\Lavasoft
2009-09-18 21:26 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-09-18 21:26 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-09-18 21:25 21,504 a------- c:\windows\system32\drivers\hidserv.dll
2009-09-18 21:19 21,760 a------- c:\windows\system32\drivers\point32.sys
2009-09-18 21:19 <DIR> --d----- c:\program files\Microsoft IntelliPoint
2009-09-18 21:19 1,418,120 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-09-18 21:19 14,736 a------- c:\windows\system32\drivers\nuidfltr.sys
2009-09-18 21:18 <DIR> --d----- c:\program files\Microsoft IntelliType Pro
2009-09-18 21:00 52,480 ac------ c:\windows\system32\dllcache\i8042prt.sys
2009-09-18 21:00 52,480 a------- c:\windows\system32\drivers\i8042prt.sys

==================== Find3M ====================

2009-09-11 07:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 14:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 00:36 832,512 a------- c:\windows\system32\wininet.dll
2009-08-29 00:36 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-29 00:36 17,408 a------- c:\windows\system32\corpol.dll
2009-08-26 01:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-22 08:40 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-22 08:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 08:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 07:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 19:51:19.78 ===============

Edited by valorsangel, 15 October 2009 - 10:05 PM.


#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:21 AM

Posted 21 October 2009 - 10:12 AM

Hi valorsangel,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#6 valorsangel

valorsangel
  • Topic Starter

  • Members
  • 24 posts
  • Local time:01:21 AM

Posted 21 October 2009 - 10:00 PM

Hi m0le,

I am so happy you are helping me. I have been lurking and admiring your expertise.

I work away from this computer during the day, but promise to try to accomplish all your requests in the evenings or weekends.

Please direct me and I will try to follow all your instructions.

valor

Edited by valorsangel, 21 October 2009 - 10:08 PM.


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:21 AM

Posted 22 October 2009 - 05:45 AM

Hi valorsangel,

Classic case of a hijack and there are two bad drivers in the DDS log which are no doubt the cause.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it combo-fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(
m0le is a proud member of UNITE
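
The entries m0le is pointing at are easy to spot once you know what the DDS "SERVICES / DRIVERS" lines encode: the first token is R (running) or S (stopped) plus the start type, then name;display name;image path, and DDS appends the image's date and size in brackets, or "[?]" when it could not find the file on disk. The following Python script is an added example, not part of this thread and not DDS or ComboFix code: it parses lines in that format (the sample lines are copied from the DDS log above and labelled as such) and flags entries that combine a missing image file, an image under a Temp directory, a raw "\??\" NT path and a .sys image outside system32\drivers. Those four heuristics and the two-flag threshold are this example's own assumptions about what deserves a closer look, not a rule DDS applies.

```python
"""Triage the SERVICES / DRIVERS section of a DDS or ComboFix log.

Added example for this thread; the line format and the sample lines come
from the DDS log posted above, the scoring heuristics are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: service/driver lines copied verbatim from the DDS log.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-25 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-3 114768]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-1-15 8960]
S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]
S3 vtayn;vtayn;\??\c:\docume~1\ydavis~1\locals~1\temp\vtayn.sys --> c:\docume~1\ydavis~1\locals~1\temp\vtayn.sys [?]
S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-15 133104]
"""

# "<R|S><start> name;display;path [date size]"  or  "... path --> resolved [?]"
LINE_RE = re.compile(
    r"^(?P<kind>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
REST_RE = re.compile(r"^(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]$")


@dataclass
class ServiceEntry:
    running: bool       # 'R' = running at scan time, 'S' = stopped
    start_type: int     # 0=boot, 1=system, 2=auto, 3=demand, 4=disabled
    name: str
    display: str
    raw_path: str       # path as registered (may carry the \??\ prefix)
    resolved: str       # path after DDS's "-->" resolution, else raw_path
    meta: str           # "date size" from the brackets, or "?" if file not found


def parse_services(text: str) -> list[ServiceEntry]:
    """Parse every service/driver line in the text; skip anything else."""
    entries: list[ServiceEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = REST_RE.match(m["rest"])
        if not r:
            continue
        raw, _, resolved = r["path"].partition(" --> ")
        entries.append(ServiceEntry(
            running=m["kind"] == "R",
            start_type=int(m["start"]),
            name=m["name"],
            display=m["display"],
            raw_path=raw,
            resolved=resolved or raw,
            meta=r["meta"].strip(),
        ))
    return entries


def flags_for(e: ServiceEntry) -> list[str]:
    """Heuristic indicators (assumed, not DDS's own) for one entry."""
    flags: list[str] = []
    path = e.resolved.lower()
    if e.meta == "?":                      # DDS could not find the image on disk
        flags.append("image_missing")
    if "\\temp\\" in path:                 # kernel driver staged in a Temp dir
        flags.append("temp_path")
    if e.raw_path.startswith("\\??\\"):    # registered with a raw NT object path
        flags.append("nt_prefix")
    if path.endswith(".sys") and "\\system32\\drivers\\" not in path:
        flags.append("sys_outside_drivers_dir")
    return flags


def suspicious_entries(text: str, min_flags: int = 2) -> list[ServiceEntry]:
    """Entries carrying at least min_flags indicators, in log order."""
    return [e for e in parse_services(text) if len(flags_for(e)) >= min_flags]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.name:<10} {e.resolved}  flags={','.join(flags_for(e))}")
```

Run it against a pasted log and the legitimate drivers (Lbd, aswSP, LANPkt) score zero while the three stopped drivers registered from c:\windows and the user's Temp folder score three or four; a driver that is merely unsigned or unfamiliar will not be flagged by this, so treat the output as a shortlist for manual review rather than a verdict.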

#8 valorsangel

valorsangel
  • Topic Starter

  • Members
  • 24 posts
  • Local time:01:21 AM

Posted 22 October 2009 - 09:30 PM

Hi m0le,

I may have messed this up. I shut off all the various anti-virus/spyware including AVG Resident Shield, but ComboFix told me that AVG was still running and it would proceed. I tried to cancel out by closing the window instead of hitting OK but ComboFix went ahead. In hindsight I should have checked Task Manager and made sure nothing was running that was not showing in the task tray.

If I messed it up, I apologize and will try harder next time. Attached is the ComboFix log. By the way, while typing this my browser switched to the home page, blackle.com, but I was able to click back and all my typing so far was still there. LOL.

ComboFix 09-10-21.02 - Y Davis 10/22/2009 19:14.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1383 [GMT -7:00]
Running from: c:\documents and settings\Y Davis\Desktop\combo-fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.1356 [VPS 091022-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-04 21:54 . 2009-10-04 21:54 -------- d-----w- c:\documents and settings\Y Davis\Application Data\Yahoo!
2009-10-04 21:54 . 2009-10-04 22:13 -------- d-----w- c:\program files\Yahoo!
2009-10-04 21:54 . 2009-10-04 21:54 -------- d-----w- c:\program files\CCleaner
2009-10-04 16:15 . 2009-10-04 16:15 -------- d-sh--w- c:\windows\ftpcache
2009-10-04 16:14 . 2009-10-04 16:14 -------- d-----w- c:\program files\Showoff Home Design
2009-10-04 16:11 . 2009-10-04 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2009-10-04 15:51 . 2009-10-04 15:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-04 03:27 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-04 03:27 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-04 03:27 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-04 03:27 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-04 03:27 . 2009-10-04 03:27 -------- d-----w- c:\program files\Avira
2009-10-04 03:27 . 2009-10-04 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-04 01:39 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-04 01:39 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-04 01:39 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-04 01:39 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-04 01:39 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-04 01:39 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-04 01:39 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-04 01:39 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-04 01:38 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-04 01:38 . 2009-10-04 01:38 -------- d-----w- c:\program files\Alwil Software
2009-10-03 21:06 . 1999-06-15 22:30 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-10-03 21:06 . 2009-10-03 21:06 -------- d-----w- c:\program files\3D Landscape for Everyone
2009-10-03 21:06 . 2002-03-07 04:58 352256 ----a-w- c:\windows\system32\ijl15.dll
2009-10-03 21:06 . 2002-03-05 07:17 265216 ----a-w- c:\windows\system32\NVIEWLIB.DLL
2009-09-26 22:57 . 2009-09-26 23:27 -------- d-----w- C:\c
2009-09-26 22:37 . 2009-09-26 22:37 -------- d-----w- c:\documents and settings\Y Davis\Application Data\Roxio
2009-09-26 20:34 . 2009-09-26 02:23 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-26 20:10 . 2009-09-26 20:10 -------- d-----w- c:\program files\Trend Micro
2009-09-26 20:03 . 2009-09-26 20:03 -------- d-sh--w- c:\documents and settings\TEMP
2009-09-26 20:03 . 2009-09-26 20:03 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\Microsoft
2009-09-26 02:23 . 2009-09-26 02:23 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-26 02:21 . 2009-09-26 02:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-09-23 04:27 . 2009-09-23 04:42 -------- d-----w- c:\documents and settings\Y Davis\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 02:45 . 2009-01-31 17:07 -------- d-----w- c:\documents and settings\Y Davis\Application Data\U3
2009-10-04 22:38 . 2009-08-23 17:25 -------- d-----w- c:\program files\PeerGuardian2
2009-10-04 21:59 . 2009-02-08 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-04 03:24 . 2009-07-05 03:36 -------- d-----w- c:\documents and settings\Y Davis\Application Data\GetRightToGo
2009-10-03 21:06 . 2009-01-16 06:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-26 02:21 . 2009-09-20 02:27 -------- d-----w- c:\program files\Lavasoft
2009-09-26 02:21 . 2009-09-20 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-25 03:21 . 2009-09-09 05:08 -------- d-----w- c:\documents and settings\Y Davis\Application Data\Skype
2009-09-25 03:02 . 2009-09-09 05:11 -------- d-----w- c:\documents and settings\Y Davis\Application Data\skypePM
2009-09-23 04:43 . 2009-01-16 07:00 -------- d-----w- c:\program files\Google
2009-09-22 03:47 . 2009-09-22 03:46 -------- d-----w- c:\program files\ERUNT
2009-09-20 21:28 . 2009-09-20 21:24 -------- d-----w- c:\program files\Wise Registry Cleaner 3
2009-09-20 21:11 . 2009-01-16 07:06 15376 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-09 05:11 . 2009-09-09 05:11 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-09 05:08 . 2009-09-09 05:07 -------- d-----r- c:\program files\Skype
2009-09-09 05:07 . 2009-09-09 05:07 -------- d-----w- c:\program files\Common Files\Skype
2009-09-09 05:07 . 2009-09-09 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-04 21:03 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2008-04-25 16:16 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 15:40 . 2009-03-02 05:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-22 15:40 . 2009-03-02 05:17 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-22 15:40 . 2009-03-02 05:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2008-04-25 16:16 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 17:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-06-17 00:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-17 1144712]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-17 1144712]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-26 520024]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-09-29 1241872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-22 15:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"npggsvc"=3 (0x3)
"nmservice"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"IS360service"=2 (0x2)
"idsvc"=3 (0x3)
"ICQ Service"=2 (0x2)
"IAANTMON"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"EPSON_PM_RPCV4_01"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Acclaim\\2MOONS\\crashreporter.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:*:Disabled:DHCP Discovery Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/25/2009 7:23 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/3/2009 6:39 PM 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/1/2009 10:17 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/1/2009 10:17 PM 108552]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/3/2009 8:27 PM 108289]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/3/2009 6:39 PM 20560]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [1/15/2009 11:56 PM 8960]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [10/4/2009 11:39 PM 309008]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [1/15/2009 11:56 PM 11264]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1028432]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [1/15/2009 11:56 PM 16640]
S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]
S3 vtayn;vtayn;\??\c:\docume~1\YDAVIS~1\LOCALS~1\Temp\vtayn.sys --> c:\docume~1\YDAVIS~1\LOCALS~1\Temp\vtayn.sys [?]
S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/1/2009 10:17 PM 908056]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/1/2009 10:17 PM 297752]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/15/2009 7:22 PM 133104]
S4 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [4/20/2009 9:14 PM 222456]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 02:23]

2009-10-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-16 02:21]

2009-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 02:22]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 02:22]

2009-10-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-06-17 00:22]

2009-10-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.blackle.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 19:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(33028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-23 19:17
ComboFix-quarantined-files.txt 2009-10-23 02:17

Pre-Run: 126,047,567,872 bytes free
Post-Run: 126,084,132,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0AC43381AAC50FCDDF67DA356B170D65


Thank you for your help.
valor

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:21 AM

Posted 23 October 2009 - 07:40 AM

Never mind, valorsangel. We were on a loser with the antiviruses anyway. :(

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove two of the following: Antivir, AVG, Avast.


Let's also empty your temp folders.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.


Now finally please rerun Combofix with the antivirus that you did not uninstall set to disabled.

Thanks :(
m0le is a proud member of UNITE

#10 valorsangel

valorsangel
  • Topic Starter

  • Members
  • 24 posts
  • Local time:01:21 AM

Posted 23 October 2009 - 09:33 PM

Hi m0le,

I removed all three: AntiVir, Avast, but then could not get AVG's processes to close, so I removed it too. I do still have IObit Security 360, but disabled it to run combo-fix. Here is the log. It ran smoothly.

ComboFix 09-10-21.02 - Y Davis 10/23/2009 19:25.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1682 [GMT -7:00]
Running from: c:\documents and settings\Y Davis\Desktop\combo-fix.exe
.

((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-04 21:54 . 2009-10-04 21:54 -------- d-----w- c:\documents and settings\Y Davis\Application Data\Yahoo!
2009-10-04 21:54 . 2009-10-04 22:13 -------- d-----w- c:\program files\Yahoo!
2009-10-04 21:54 . 2009-10-04 21:54 -------- d-----w- c:\program files\CCleaner
2009-10-04 16:15 . 2009-10-04 16:15 -------- d-sh--w- c:\windows\ftpcache
2009-10-04 16:14 . 2009-10-04 16:14 -------- d-----w- c:\program files\Showoff Home Design
2009-10-04 16:11 . 2009-10-04 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2009-10-04 15:51 . 2009-10-04 15:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-04 03:27 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-04 01:38 . 2009-10-04 01:38 -------- d-----w- c:\program files\Alwil Software
2009-10-03 21:06 . 1999-06-15 22:30 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-10-03 21:06 . 2009-10-03 21:06 -------- d-----w- c:\program files\3D Landscape for Everyone
2009-10-03 21:06 . 2002-03-07 04:58 352256 ----a-w- c:\windows\system32\ijl15.dll
2009-10-03 21:06 . 2002-03-05 07:17 265216 ----a-w- c:\windows\system32\NVIEWLIB.DLL
2009-09-26 22:57 . 2009-09-26 23:27 -------- d-----w- C:\c
2009-09-26 22:37 . 2009-09-26 22:37 -------- d-----w- c:\documents and settings\Y Davis\Application Data\Roxio
2009-09-26 20:34 . 2009-09-26 02:23 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-26 20:10 . 2009-09-26 20:10 -------- d-----w- c:\program files\Trend Micro
2009-09-26 20:03 . 2009-09-26 20:03 -------- d-sh--w- c:\documents and settings\TEMP
2009-09-26 20:03 . 2009-09-26 20:03 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\Microsoft
2009-09-26 02:23 . 2009-09-26 02:23 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-26 02:21 . 2009-09-26 02:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 02:21 . 2009-01-24 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-20 02:45 . 2009-01-31 17:07 -------- d-----w- c:\documents and settings\Y Davis\Application Data\U3
2009-10-04 22:38 . 2009-08-23 17:25 -------- d-----w- c:\program files\PeerGuardian2
2009-10-04 21:59 . 2009-02-08 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-04 03:24 . 2009-07-05 03:36 -------- d-----w- c:\documents and settings\Y Davis\Application Data\GetRightToGo
2009-10-03 21:06 . 2009-01-16 06:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-26 02:21 . 2009-09-20 02:27 -------- d-----w- c:\program files\Lavasoft
2009-09-26 02:21 . 2009-09-20 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-25 03:21 . 2009-09-09 05:08 -------- d-----w- c:\documents and settings\Y Davis\Application Data\Skype
2009-09-25 03:02 . 2009-09-09 05:11 -------- d-----w- c:\documents and settings\Y Davis\Application Data\skypePM
2009-09-23 04:43 . 2009-01-16 07:00 -------- d-----w- c:\program files\Google
2009-09-22 03:47 . 2009-09-22 03:46 -------- d-----w- c:\program files\ERUNT
2009-09-20 21:28 . 2009-09-20 21:24 -------- d-----w- c:\program files\Wise Registry Cleaner 3
2009-09-20 21:11 . 2009-01-16 07:06 15376 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-09 05:11 . 2009-09-09 05:11 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-09 05:08 . 2009-09-09 05:07 -------- d-----r- c:\program files\Skype
2009-09-09 05:07 . 2009-09-09 05:07 -------- d-----w- c:\program files\Common Files\Skype
2009-09-09 05:07 . 2009-09-09 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-04 21:03 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2008-04-25 16:16 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2008-04-25 16:16 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2008-04-25 16:16 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-04-14 00:01 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-06-17 00:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-17 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-17 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-26 520024]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-09-29 1241872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"npggsvc"=3 (0x3)
"nmservice"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"IS360service"=2 (0x2)
"idsvc"=3 (0x3)
"ICQ Service"=2 (0x2)
"IAANTMON"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"EPSON_PM_RPCV4_01"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Acclaim\\2MOONS\\crashreporter.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:*:Disabled:DHCP Discovery Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/25/2009 7:23 PM 64160]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [10/4/2009 11:39 PM 309008]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [1/15/2009 11:56 PM 8960]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [1/15/2009 11:56 PM 11264]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1028432]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [1/15/2009 11:56 PM 16640]
S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]
S3 vtayn;vtayn;\??\c:\docume~1\YDAVIS~1\LOCALS~1\Temp\vtayn.sys --> c:\docume~1\YDAVIS~1\LOCALS~1\Temp\vtayn.sys [?]
S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/15/2009 7:22 PM 133104]
S4 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [4/20/2009 9:14 PM 222456]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 02:23]

2009-10-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-16 02:21]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 02:22]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 02:22]

2009-10-24 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-06-17 00:22]

2009-10-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.blackle.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 19:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2628)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-24 19:28
ComboFix-quarantined-files.txt 2009-10-24 02:28
ComboFix2.txt 2009-10-23 02:18

Pre-Run: 126,021,844,992 bytes free
Post-Run: 125,986,631,680 bytes free

- - End Of File - - 00C68C980D3B1D81AD35AEEC1519791C


Once again, thank you for your patience and help.
valor

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:21 AM

Posted 24 October 2009 - 03:36 PM

Okay, good work with the antiviruses.

By the way, the Ask toolbar is not recommended. This toolbar enhances internet browsing and provides a direct link to the "ask.com" search engine. This program is not known to be bundled with spyware - The company strongly denies the toolbar as being malware.

Please read why it might be good to remove it here.

If you choose to remove it then follow the instructions below.

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click (or right-click, if you are using Vista) the "Add or Remove Programs" icon.
A list of programs installed will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Ask Toolbar

Additional instructions can be found here if needed.


Next

We are going to rerun Combofix but this time with a script. Follow the instructions below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\vtany.sys
c:\docume~1\YDAVIS~1\LOCALS~1\Temp\vtayn.sys
c:\windows\xhunter1.sys

Driver::
vtany
vtayn
xhunter1


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks :(
m0le is a proud member of UNITE
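As an added example (not from the thread and not ComboFix's own code), here is a small Python triage helper that parses driver/service lines in the layout the log above uses, flags entries ComboFix could not read (the trailing `[?]`), entries that load from a Temp folder, and `.sys` files sitting outside the drivers directory, and renders the flagged ones in the `File::`/`Driver::` form the CFScript above uses. The sample lines are constructed from the shapes in this log, and the flag names and heuristics are my own.

```python
# Added example (not from the thread or ComboFix): triage ComboFix service lines
# of the form "<R|S><n> <name>;<display>;<path> [<date> <size>]" or
# "<R|S><n> <name>;<display>;\??\<path> --> <path> [?]" and render flagged ones
# as a CFScript. Flag names and heuristics are this example's own.
import re
from dataclasses import dataclass, field

# Constructed sample: line shapes copied from the log above, not a full log.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/25/2009 7:23 PM 64160]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [1/15/2009 11:56 PM 8960]
S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]
S3 vtayn;vtayn;\??\c:\docume~1\YDAVIS~1\LOCALS~1\Temp\vtayn.sys --> c:\docume~1\YDAVIS~1\LOCALS~1\Temp\vtayn.sys [?]
S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/15/2009 7:22 PM 133104]
"""

LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<details>[^\]]*)\]\s*$"
)

@dataclass
class ServiceEntry:
    start: str      # R = running, S = stopped; the digit is the start type
    name: str       # service/driver key name (what Driver:: takes)
    display: str
    path: str       # resolved image path (what File:: takes)
    details: str    # text inside the trailing [...]; "?" when ComboFix could not read the file
    flags: list = field(default_factory=list)

def parse_service_line(line):
    """Return a ServiceEntry for a driver/service line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    if " --> " in path:            # "\??\c:\x.sys --> c:\x.sys": keep the Win32 path
        path = path.split(" --> ", 1)[1]
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"),
                        path, m.group("details"))

def assess(entry):
    """Attach triage flags (heuristics of this example, not ComboFix's own logic)."""
    p = entry.path.lower()
    if entry.details == "?":
        entry.flags.append("file-unreadable-or-missing")
    if "\\temp\\" in p:
        entry.flags.append("loads-from-temp")
    if p.endswith(".sys") and "\\drivers\\" not in p:
        entry.flags.append("sys-outside-drivers-dir")
    return entry

def suspicious_entries(log_text):
    """All service entries in the log that picked up at least one flag."""
    found = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is not None and assess(entry).flags:
            found.append(entry)
    return found

def build_cfscript(entries):
    """Render File:: and Driver:: sections in the form the reply above uses."""
    files = "\n".join(e.path for e in entries)
    drivers = "\n".join(e.name for e in entries)
    return f"File::\n{files}\n\nDriver::\n{drivers}\n"

if __name__ == "__main__":
    hits = suspicious_entries(SAMPLE_LOG)
    for e in hits:
        print(f"{e.start} {e.name:<10} {', '.join(e.flags):<55} {e.path}")
    print(build_cfscript(hits))
```

The flags are triage hints only; a File::/Driver:: script deletes what it names, so each entry is confirmed by hand before it goes into the script.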

#12 valorsangel

valorsangel
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:21 AM

Posted 24 October 2009 - 05:01 PM

Hi M0le,

I removed the Ask program. Below is the new ComboFix text.

ComboFix 09-10-21.02 - Y Davis 10/24/2009 14:53.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1685 [GMT -7:00]
Running from: c:\documents and settings\Y Davis\Desktop\combo-fix.exe
Command switches used :: c:\documents and settings\Y Davis\Desktop\CFScript.txt

FILE ::
"c:\docume~1\YDAVIS~1\LOCALS~1\Temp\vtayn.sys"
"c:\windows\vtany.sys"
"c:\windows\xhunter1.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VTANY
-------\Legacy_VTAYN
-------\Legacy_XHUNTER1
-------\Service_vtany
-------\Service_vtayn
-------\Service_xhunter1


((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-04 21:54 . 2009-10-04 21:54 -------- d-----w- c:\documents and settings\Y Davis\Application Data\Yahoo!
2009-10-04 21:54 . 2009-10-04 22:13 -------- d-----w- c:\program files\Yahoo!
2009-10-04 21:54 . 2009-10-04 21:54 -------- d-----w- c:\program files\CCleaner
2009-10-04 16:15 . 2009-10-04 16:15 -------- d-sh--w- c:\windows\ftpcache
2009-10-04 16:14 . 2009-10-04 16:14 -------- d-----w- c:\program files\Showoff Home Design
2009-10-04 16:11 . 2009-10-04 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2009-10-04 15:51 . 2009-10-04 15:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-04 03:27 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-04 01:38 . 2009-10-04 01:38 -------- d-----w- c:\program files\Alwil Software
2009-10-03 21:06 . 1999-06-15 22:30 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-10-03 21:06 . 2009-10-03 21:06 -------- d-----w- c:\program files\3D Landscape for Everyone
2009-10-03 21:06 . 2002-03-07 04:58 352256 ----a-w- c:\windows\system32\ijl15.dll
2009-10-03 21:06 . 2002-03-05 07:17 265216 ----a-w- c:\windows\system32\NVIEWLIB.DLL
2009-09-26 22:57 . 2009-09-26 23:27 -------- d-----w- C:\c
2009-09-26 22:37 . 2009-09-26 22:37 -------- d-----w- c:\documents and settings\Y Davis\Application Data\Roxio
2009-09-26 20:34 . 2009-09-26 02:23 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-26 20:10 . 2009-09-26 20:10 -------- d-----w- c:\program files\Trend Micro
2009-09-26 20:03 . 2009-09-26 20:03 -------- d-sh--w- c:\documents and settings\TEMP
2009-09-26 20:03 . 2009-09-26 20:03 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\Microsoft
2009-09-26 02:23 . 2009-09-26 02:23 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-26 02:21 . 2009-09-26 02:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 18:40 . 2009-01-31 17:07 -------- d-----w- c:\documents and settings\Y Davis\Application Data\U3
2009-10-24 17:18 . 2009-08-23 17:25 -------- d-----w- c:\program files\PeerGuardian2
2009-10-24 02:21 . 2009-01-24 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-04 21:59 . 2009-02-08 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-04 03:24 . 2009-07-05 03:36 -------- d-----w- c:\documents and settings\Y Davis\Application Data\GetRightToGo
2009-10-03 21:06 . 2009-01-16 06:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-26 02:21 . 2009-09-20 02:27 -------- d-----w- c:\program files\Lavasoft
2009-09-26 02:21 . 2009-09-20 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-25 03:21 . 2009-09-09 05:08 -------- d-----w- c:\documents and settings\Y Davis\Application Data\Skype
2009-09-25 03:02 . 2009-09-09 05:11 -------- d-----w- c:\documents and settings\Y Davis\Application Data\skypePM
2009-09-23 04:43 . 2009-01-16 07:00 -------- d-----w- c:\program files\Google
2009-09-22 03:47 . 2009-09-22 03:46 -------- d-----w- c:\program files\ERUNT
2009-09-20 21:28 . 2009-09-20 21:24 -------- d-----w- c:\program files\Wise Registry Cleaner 3
2009-09-20 21:11 . 2009-01-16 07:06 15376 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-09 05:11 . 2009-09-09 05:11 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-09 05:08 . 2009-09-09 05:07 -------- d-----r- c:\program files\Skype
2009-09-09 05:07 . 2009-09-09 05:07 -------- d-----w- c:\program files\Common Files\Skype
2009-09-09 05:07 . 2009-09-09 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-04 21:03 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2008-04-25 16:16 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2008-04-25 16:16 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2008-04-25 16:16 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-04-14 00:01 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-26 520024]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-09-29 1241872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"npggsvc"=3 (0x3)
"nmservice"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"IS360service"=2 (0x2)
"idsvc"=3 (0x3)
"ICQ Service"=2 (0x2)
"IAANTMON"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"EPSON_PM_RPCV4_01"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Acclaim\\2MOONS\\crashreporter.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:*:Disabled:DHCP Discovery Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/25/2009 7:23 PM 64160]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [10/4/2009 11:39 PM 309008]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [1/15/2009 11:56 PM 8960]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [1/15/2009 11:56 PM 11264]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1028432]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [1/15/2009 11:56 PM 16640]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/15/2009 7:22 PM 133104]
S4 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [4/20/2009 9:14 PM 222456]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 02:23]

2009-10-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-16 02:21]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 02:22]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 02:22]

2009-10-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.blackle.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 14:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3744)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\combo-fix\CF26671.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-24 14:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-24 21:58
ComboFix2.txt 2009-10-24 02:28
ComboFix3.txt 2009-10-23 02:18

Pre-Run: 125,950,107,648 bytes free
Post-Run: 125,872,472,064 bytes free

- - End Of File - - BFC13EF55C5C7CE27799D5EB92B734D1


Thank you,

valor

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:21 AM

Posted 24 October 2009 - 05:14 PM

That's a nice clean log now valorsangel.

Let's have an online scan to see how clean the system actually is - very clean is my guess

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Thanks, should be done soon :(
m0le is a proud member of UNITE

#14 valorsangel

valorsangel
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:21 AM

Posted 24 October 2009 - 06:51 PM

Hi m0le,

I am sorry I could not find the link to click to get "List of found threats" or "Export to text". Maybe because nothing was found.

I have attached a print screen of the finished program and the next window trying to sell me the program, as I could not seem to just paste it into the reply window.

I am still having my browser hijacked to my home page, blackle. It just happened multiple times while I tried to write this reply. I had to move to type it in Notepad, so I could finish. In addition to the browser switching or opening new browsers, it will open dialog boxes that you reach via right click. It also opened the "Find" window a few times.

When you have time, please let me know what next.

I really appreciate your help.
valor3

P.S. see that 3 after my name, that was the computer typing a 3. It types 9's, 6's, 0's, 5's, periods, slashes and other things. Nothing I can make heads or tails of though.


Edited by valorsangel, 24 October 2009 - 06:52 PM.


#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:21 AM

Posted 24 October 2009 - 07:51 PM

Okay, your browser is hijacking you to your home page? Is that right?
m0le is a proud member of UNITE



