search links take me to random sites using XP & Firefox


  • This topic is locked
26 replies to this topic

#1 Mickey Boy


Posted 27 October 2009 - 11:28 AM

Hi,

I am new to this site so please bear with me until I find my way around. I have a recurring problem: whenever I get results from Google, Yahoo etc. and click on one of the links, I get taken to a completely random site. If I right-click and use "Open in new tab", after about the fourth attempt it will take me to the site that the link is displaying. The other tabs are mainly other search engines like "Britannia search" or "MyComputerSpywareRemover" or just a "404 Error" page.


I have run every type of virus scanner and malware scanner that I can find but it is still happening. Programs I have used are:

AVG version 8.5.423
Advanced System Care Pro version 3.3.4
IOBit Security 360 updated daily
Max Spyware Detector Registered & updated
Windows Defender
Dr Web Cureit
CWShredder.exe
MalwareBytes version 1.41.

These are just a few of the things I have tried.

On a daily basis the Max Spyware Detector seems to find something, only for it to reappear the next time I run the program. The only thing that seems to have found the cause but not the solution is "MalwareBytes 1.41". It says it has found 2 x "HijackWindowsUpdates" and it has deleted them (log below).

Malwarebytes' Anti-Malware 1.41
Database version: 3038
Windows 5.1.2600 Service Pack 3

27/10/2009 11:47:04
mbam-log-2009-10-27 (11-47-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 217582
Time elapsed: 1 hour(s), 59 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Unfortunately I still have the problem and keep getting redirected to wrong sites. I tried to identify the culprit in the registry but, although I deleted a couple of things, I don't know enough about what I'm looking at and fear that I could do more harm than good.

I hope this is enough information for you to help me. I have also attached a HijackThis log. If you need any more info please let me know.

Regards
Mick
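
The two "Registry Data Items" lines in the Malwarebytes log above are the security-relevant detail of this post: the ImagePath of the Windows Update (wuauserv) and BITS services was rewritten from %SystemRoot% to %fystemroot%. No such variable exists, so the expanded path points at a file that is not there and neither service can start, which leaves the machine unable to fetch updates. The Python below is an added example, not code from the original post or from Malwarebytes. It parses those two log lines, expands each ImagePath the way the service control manager would, and reports why the "Bad" value is broken and why the "Good" one is sound. It assumes a SystemRoot of C:\WINDOWS for the offline check, and read_live_image_paths() is a hypothetical helper for reading the real values on a Windows host.

```python
import re

# Variables the Service Control Manager can expand when it resolves a
# REG_EXPAND_SZ ImagePath. Fixed here (an assumption, not read from
# os.environ) so the check is deterministic and runs on any platform.
SCM_ENV = {"SYSTEMROOT": r"C:\WINDOWS"}

# svchost groups the two services use on XP; both match the "Good" values
# in the Malwarebytes log above.
EXPECTED_GROUP = {"wuauserv": "netsvcs", "BITS": "netsvcs"}

ENV_REF = re.compile(r"%([^%]+)%")
SVCHOST_CMD = re.compile(r'^"?(?P<exe>.+?\\svchost\.exe)"?\s+-k\s+(?P<group>\S+)\s*$', re.IGNORECASE)
MBAM_DATA = re.compile(r"^(?P<key>\S+)\\(?P<value>\w+) \((?P<sig>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

def expand_image_path(path, env=SCM_ENV):
    """Expand %VAR% references case-insensitively, as ExpandEnvironmentStrings
    does. An unknown variable is left verbatim, which is exactly why the
    '%fystemroot%' rewrite works: the resulting path points nowhere."""
    return ENV_REF.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def check_svchost_image_path(service, image_path, env=SCM_ENV):
    """Return a list of findings; an empty list means the ImagePath is sane."""
    findings = []
    expanded = expand_image_path(image_path, env)
    unresolved = ENV_REF.findall(expanded)
    if unresolved:
        findings.append(f"{service}: unresolvable variable(s) {unresolved} in {image_path!r}")
    m = SVCHOST_CMD.match(expanded)
    if not m:
        findings.append(f"{service}: not an svchost.exe command line: {expanded!r}")
        return findings
    exe_dir = m.group("exe").rsplit("\\", 1)[0].lower()
    want_dir = (env["SYSTEMROOT"] + r"\System32").lower()
    if exe_dir != want_dir:
        findings.append(f"{service}: svchost.exe loaded from {exe_dir!r}, expected {want_dir!r}")
    want_group = EXPECTED_GROUP.get(service)
    if want_group and m.group("group").lower() != want_group.lower():
        findings.append(f"{service}: svchost group {m.group('group')!r}, expected {want_group!r}")
    return findings

def parse_mbam_registry_data(line):
    """Extract (service, value name, bad data, good data) from one
    'Registry Data Items Infected' line of a Malwarebytes log."""
    m = MBAM_DATA.match(line.strip())
    if not m:
        return None
    service = m.group("key").rsplit("\\", 1)[-1]
    return service, m.group("value"), m.group("bad"), m.group("good")

def read_live_image_paths(services=EXPECTED_GROUP):
    """Hypothetical helper for a Windows host: read the raw (unexpanded)
    ImagePath of each service. Not used by the offline check."""
    import winreg  # only available on Windows
    out = {}
    for svc in services:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\" + svc) as key:
            out[svc] = winreg.QueryValueEx(key, "ImagePath")[0]
    return out

# Constructed sample: the two detection lines from the Malwarebytes log above.
MBAM_LINES = [
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.",
]

def audit_mbam_lines(lines=MBAM_LINES):
    """Run the ImagePath check over both the Bad and the Good value of each line."""
    report = {}
    for line in lines:
        parsed = parse_mbam_registry_data(line)
        if parsed is None or parsed[1].lower() != "imagepath":
            continue
        service, _, bad, good = parsed
        report[service] = {"bad": check_svchost_image_path(service, bad),
                           "good": check_svchost_image_path(service, good)}
    return report

if __name__ == "__main__":
    for service, result in audit_mbam_lines().items():
        for label in ("bad", "good"):
            print(f"{service} [{label}]: {result[label] or 'OK'}")
```

Running the file prints two findings for each "Bad" value (an unresolvable variable, and an svchost.exe path outside System32) and OK for each "Good" value. The same check applies to any svchost-hosted service; only EXPECTED_GROUP needs extending.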


#2 Elise


Posted 03 November 2009 - 04:07 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks, and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#3 Mickey Boy


Posted 04 November 2009 - 09:56 AM

Hi Elise,

Thank you for helping me.
The problem I am having is, I believe, caused by HijackWindowsUpdate. Malwarebytes finds it, deletes it and then it's just there again. I have run so many different types of spyware/malware detectors to try and rid myself of the thing. When I open Firefox and click on a link I just keep getting redirected to some random site or a 404 error page, ad page etc. It's driving me mad.

I have followed your instructions exactly but the DDR.scr opens up with a command box then closes almost instantly and does no more. I have disabled scripts in my browser; is there something else I have to do to get it to run the report scan? In the meantime I have run the GMER file and the log is pasted below. It took nearly 5½ hours to run the report.

Please let me know what you would like me to do next.

Kind Regards

Mick

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-04 14:15:53
Windows 5.1.2600 Service Pack 3
Running: ttporqfq.exe; Driver: C:\DOCUME~1\Mick\LOCALS~1\Temp\pxtdipow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\ovfsthacjxfudjnjppmbnbrylyuswmfvwgefgg.sys (*** hidden *** ) [SYSTEM] ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@imagepath \systemroot\system32\drivers\ovfsthacjxfudjnjppmbnbrylyuswmfvwgefgg.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@inst 0
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@ver icv310309
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@cid 01
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@bid 4034634894-1576462213-3136207814-3958095517
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@aid 303350
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@sid 4
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@cmddelay 14401
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\ff (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{0769B548-3E5B-40B4-A1CE-6869A73EF5C5}
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\ff@version 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector@winlogon.exe senekaadwrem.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsth.dll \systemroot\system32\ovfsthxolduepdwkmothwbnshpxypxivikwwux.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthacjxfudjnjppmbnbrylyuswmfvwgefgg.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthlog.dat \systemroot\system32\ovfsthimfpocugxymepraswymmntrfvkvkosrr.dat
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthwi.dll \systemroot\system32\ovfsthtslngwxivpbuiqisyaqhtipqpwjpbipr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthff.dll \systemroot\system32\ovfsthvlbjkeqqfswgvasqaumoyyydvpqfxajm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsth.dat \systemroot\system32\ovfsthpjeestywvkahvtpmwrsypytojgwcxsbw.dat
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthmal.db \systemroot\system32\ovfsthimifstfkekemfnuycrrcemgkrghxctgd.db
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthadwrem.dll \systemroot\system32\ovfsthehrxmidighfxriobphijnddolqnoqedo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@imagepath \systemroot\system32\drivers\ovfsthacjxfudjnjppmbnbrylyuswmfvwgefgg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@inst 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@ver icv310309
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@cid 01
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@bid 4034634894-1576462213-3136207814-3958095517
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@aid 303350
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@sid 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@cmddelay 14401
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\ff
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{0769B548-3E5B-40B4-A1CE-6869A73EF5C5}
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\ff@version 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector@winlogon.exe senekaadwrem.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsth.dll \systemroot\system32\ovfsthxolduepdwkmothwbnshpxypxivikwwux.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthacjxfudjnjppmbnbrylyuswmfvwgefgg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthlog.dat \systemroot\system32\ovfsthimfpocugxymepraswymmntrfvkvkosrr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthwi.dll \systemroot\system32\ovfsthtslngwxivpbuiqisyaqhtipqpwjpbipr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthff.dll \systemroot\system32\ovfsthvlbjkeqqfswgvasqaumoyyydvpqfxajm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsth.dat \systemroot\system32\ovfsthpjeestywvkahvtpmwrsypytojgwcxsbw.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthmal.db \systemroot\system32\ovfsthimifstfkekemfnuycrrcemgkrghxctgd.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthadwrem.dll \systemroot\system32\ovfsthehrxmidighfxriobphijnddolqnoqedo.dll
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset003\Services\MRxDAV\EncryptedDirectories@
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@start 1
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@type 1
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@group file system
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@imagepath \systemroot\system32\drivers\ovfsthacjxfudjnjppmbnbrylyuswmfvwgefgg.sys
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@inst 0
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@ver icv310309
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@cid 01
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@bid 4034634894-1576462213-3136207814-3958095517
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@aid 303350
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@sid 4
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@cmddelay 14401
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\delete
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\ff
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{0769B548-3E5B-40B4-A1CE-6869A73EF5C5}
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\ff@version 1
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector@winlogon.exe senekaadwrem.dll
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\tasks
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsth.dll \systemroot\system32\ovfsthxolduepdwkmothwbnshpxypxivikwwux.dll
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthacjxfudjnjppmbnbrylyuswmfvwgefgg.sys
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthlog.dat \systemroot\system32\ovfsthimfpocugxymepraswymmntrfvkvkosrr.dat
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthwi.dll \systemroot\system32\ovfsthtslngwxivpbuiqisyaqhtipqpwjpbipr.dll
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthff.dll \systemroot\system32\ovfsthvlbjkeqqfswgvasqaumoyyydvpqfxajm.dll
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsth.dat \systemroot\system32\ovfsthpjeestywvkahvtpmwrsypytojgwcxsbw.dat
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthmal.db \systemroot\system32\ovfsthimifstfkekemfnuycrrcemgkrghxctgd.db
Reg HKLM\SYSTEM\controlset003\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthadwrem.dll \systemroot\system32\ovfsthehrxmidighfxriobphijnddolqnoqedo.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\Temp\c71210e6-a0b3-457c-a319-6b0533a686a9.tmp (size mismatch) 500139/0 bytes executable

---- EOF - GMER 1.0.15 ----
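
What makes the GMER output above readable is that the rootkit keeps its configuration in the registry under its own hidden service: a modules table that maps short aliases (ovfsthwi.dll, ovfsthff.dll, ...) to the randomly named files on disk, an injector list that says which DLL goes into iexplore.exe, explorer.exe and winlogon.exe, the path of a Firefox extension, and a cmddelay value. The Python below is an added example, not part of GMER or of the thread: it parses a subset of those log lines (embedded here as a constructed sample) and produces a worksheet that resolves each injected alias to its on-disk file and lists what could not be resolved. The function names and the output layout are mine.

```python
import re

# Constructed sample: a subset of the GMER 1.0.15 log lines posted above.
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.15 ----

Service system32\drivers\ovfsthacjxfudjnjppmbnbrylyuswmfvwgefgg.sys (*** hidden *** ) [SYSTEM] ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby@imagepath \systemroot\system32\drivers\ovfsthacjxfudjnjppmbnbrylyuswmfvwgefgg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main@cmddelay 14401
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{0769B548-3E5B-40B4-A1CE-6869A73EF5C5}
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\main\injector@winlogon.exe senekaadwrem.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthacjxfudjnjppmbnbrylyuswmfvwgefgg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthwi.dll \systemroot\system32\ovfsthtslngwxivpbuiqisyaqhtipqpwjpbipr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthff.dll \systemroot\system32\ovfsthvlbjkeqqfswgvasqaumoyyydvpqfxajm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby\modules@ovfsthadwrem.dll \systemroot\system32\ovfsthehrxmidighfxriobphijnddolqnoqedo.dll
Reg HKLM\SYSTEM\controlset003\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\Temp\c71210e6-a0b3-457c-a319-6b0533a686a9.tmp (size mismatch) 500139/0 bytes executable
"""

# "Service <image> (*** hidden *** ) [<account>] <name> ..." lines
HIDDEN_SERVICE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<account>[^\]]+)\]\s+(?P<name>\S+)")
# "Reg HKLM\SYSTEM\<controlset>\Services\<svc>[\sub\key][@value] [data]" lines
SERVICE_REG = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>(?:\\[^@\s]+)*)(?:@(?P<val>\S+))?(?:\s+(?P<data>.*))?$", re.IGNORECASE)
# "File <path> (<reason>) <details>" lines
FILE_LINE = re.compile(r"^File\s+(?P<path>.+?)\s+\((?P<reason>[^)]+)\)\s*(?P<rest>.*)$")

def parse_gmer(text):
    """Index a GMER log: hidden services, per-service registry values
    (merged across control sets, keyed by (subkey, value name)), flagged files."""
    hidden, services, files = [], {}, []
    for line in text.splitlines():
        line = line.rstrip()
        if (m := HIDDEN_SERVICE.match(line)):
            hidden.append(m.groupdict())
        elif (m := SERVICE_REG.match(line)):
            entry = services.setdefault(m.group("svc"), {"control_sets": set(), "values": {}})
            entry["control_sets"].add(m.group("cs"))
            if m.group("val") is not None:
                entry["values"][(m.group("sub").lower(), m.group("val"))] = m.group("data") or ""
        elif (m := FILE_LINE.match(line)):
            files.append(m.groupdict())
    return {"hidden_services": hidden, "services": services, "files": files}

def rootkit_worksheet(parsed, name):
    """Resolve the service's module aliases and injector targets into the
    on-disk files a responder has to examine; report aliases with no mapping."""
    entry = parsed["services"][name]
    values = entry["values"]
    modules = {val.lower(): data for (sub, val), data in values.items() if sub == r"\modules"}
    injected = {val: (data, modules.get(data.lower()))
                for (sub, val), data in values.items() if sub == r"\main\injector"}
    return {
        "name": name,
        "control_sets": entry["control_sets"],
        "start": values.get(("", "start")),
        "group": values.get(("", "group")),
        "driver": values.get(("", "imagepath")),
        "modules": modules,
        "injected": injected,
        "unresolved_aliases": sorted(alias for alias, path in injected.values() if path is None),
        "firefox_extension": values.get((r"\main\ff", "extension")),
        "cmddelay_seconds": int(values.get((r"\main", "cmddelay"), 0)),
    }

if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_GMER_LOG)
    for hidden in parsed["hidden_services"]:
        ws = rootkit_worksheet(parsed, hidden["name"])
        for key, value in ws.items():
            print(f"{key}: {value}")
    for f in parsed["files"]:
        print(f"file: {f['path']} ({f['reason']})")
```

On the sample, injector@winlogon.exe names senekaadwrem.dll, which the modules table does not list (it maps ovfsthadwrem.dll instead), so the worksheet reports it under unresolved_aliases rather than guessing a path; that kind of inconsistency is worth recording before any cleanup so the responder knows which file to go looking for by hand.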

#4 Elise


Posted 04 November 2009 - 10:36 AM

Hello Mickey Boy,

Looks like a pretty bad rootkit infection. Let's see if we can tackle it.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise



#5 Mickey Boy


Posted 04 November 2009 - 01:15 PM

Hello again Elise,

My machine didn't like that. At first it kept giving me an error box stating it couldn't find the path although all I was doing was double clicking on the .exe file on my desktop. After closing the error with the task manager process stop it eventually turned to a blue screen and started to run. The log is below.

Regards

Mick

ComboFix 09-11-03.03 - Mick 04/11/2009 17:37.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1242 [GMT 0:00]
Running from: c:\documents and settings\Mick\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 88 bytes in 2 streams.
/wow section - STAGE 10
Access is denied.
Access is denied.
Access is denied.
Access is denied.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\extensions\{0769B548-3E5B-40B4-A1CE-6869A73EF5C5}
c:\program files\Mozilla Firefox\extensions\{0769B548-3E5B-40B4-A1CE-6869A73EF5C5}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{0769B548-3E5B-40B4-A1CE-6869A73EF5C5}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{0769B548-3E5B-40B4-A1CE-6869A73EF5C5}\install.rdf
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\ovfsth.sys
c:\windows\system32\Packet.dll
c:\windows\system32\twain.dll
c:\windows\system32\UltraAdkiller.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF
-------\Service_ovfsthloewbnyllyfucrmtnbsbrrnaeleyxdby


((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-04 09:05 . 2009-11-04 09:05 -------- d-----w- c:\documents and settings\Mick\Application Data\Windows Search
2009-11-02 12:09 . 2009-11-02 12:09 -------- d-----w- c:\documents and settings\Mick\Application Data\AVG9
2009-10-30 18:40 . 2009-10-30 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-30 18:40 . 2009-10-30 18:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-30 18:40 . 2009-10-30 18:40 -------- d-----w- c:\documents and settings\Mick\Application Data\SUPERAntiSpyware.com
2009-10-30 18:39 . 2009-10-30 18:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-30 11:04 . 2009-10-28 19:31 656784 ----a-w- C:\WindowsXP-KB969632-x86-ENU.exe
2009-10-29 21:32 . 2009-10-29 21:32 274432 ----a-w- c:\windows\system32\vocobdos.dll
2009-10-29 20:48 . 2009-10-29 20:48 -------- d-----w- c:\documents and settings\Mick\Local Settings\Application Data\Identities
2009-10-29 20:48 . 2009-10-29 20:48 -------- d-----w- c:\documents and settings\Mick\Application Data\Windows Desktop Search
2009-10-29 20:00 . 2009-10-29 20:56 -------- d-----w- C:\$AVG
2009-10-29 20:00 . 2009-10-29 20:00 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-29 19:58 . 2009-10-29 19:58 -------- d-----w- c:\program files\Windows Desktop Search
2009-10-29 19:58 . 2009-10-29 19:58 -------- d-----w- c:\windows\system32\GroupPolicy
2009-10-29 19:58 . 2009-10-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-29 19:56 . 2009-10-29 20:55 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-29 15:23 . 2009-10-29 15:23 -------- d-----w- C:\VundoFix Backups
2009-10-27 20:14 . 2009-10-01 10:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-27 20:02 . 2009-10-27 20:02 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-27 10:15 . 2009-10-27 10:15 -------- d-----w- c:\documents and settings\Mick\DoctorWeb
2009-10-27 09:31 . 2009-10-27 20:13 -------- d-----w- c:\program files\Windows Defender
2009-10-26 22:06 . 2009-10-26 22:06 -------- d-----w- c:\documents and settings\Mick\Application Data\Malwarebytes
2009-10-26 22:05 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-26 22:05 . 2009-11-02 11:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-26 22:05 . 2009-10-26 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-26 22:05 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-26 18:56 . 2009-10-26 18:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2009-10-26 18:21 . 2009-10-26 18:21 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-22 20:01 . 2009-10-22 20:01 -------- d-----w- c:\documents and settings\Mick\Local Settings\Application Data\Magentic
2009-10-22 12:59 . 2001-10-11 03:21 76000 ------w- c:\windows\system32\drivers\DRVMCDB.SYS
2009-10-22 12:59 . 2001-10-01 01:21 54784 ------w- c:\windows\system32\PNPNINST.EXE
2009-10-22 12:59 . 2001-04-26 18:19 49152 ------w- c:\windows\system32\DRVWENU.dll
2009-10-22 12:59 . 2001-04-26 01:01 24576 ------w- c:\windows\system32\DRVWUNIN.exe
2009-10-22 11:29 . 2009-10-27 11:57 -------- d-----w- c:\program files\DDR - Removable Media (Demo)
2009-10-22 11:22 . 2009-10-22 11:22 -------- d-----w- c:\program files\Driver-Soft
2009-10-22 09:09 . 2009-10-22 09:09 -------- d-----w- c:\program files\Vimicro
2009-10-22 07:44 . 2009-10-22 07:44 168160 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-21 22:04 . 2009-10-22 11:32 -------- d-----w- c:\windows\system32\ALIEHCI
2009-10-21 21:59 . 2009-10-21 21:59 -------- d-----w- c:\documents and settings\Mick\Application Data\Uniblue
2009-10-21 21:59 . 2009-10-21 21:59 -------- d-----w- c:\program files\Uniblue
2009-10-18 15:52 . 2009-10-18 16:07 -------- d-----w- c:\documents and settings\Mick\Application Data\SmartDraw
2009-10-18 15:47 . 2009-10-22 12:23 -------- d-----w- c:\program files\SmartDraw 2007
2009-10-18 15:32 . 2009-10-18 15:32 -------- d-----w- c:\documents and settings\Mick\Application Data\Thinstall
2009-10-13 23:59 . 2009-10-13 23:59 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-13 08:04 . 2009-10-29 12:46 -------- d-----w- c:\program files\Max Spyware Detector
2009-10-13 07:43 . 2009-10-13 07:43 -------- d-----w- c:\documents and settings\Mick\Application Data\Blitware
2009-10-10 08:52 . 2009-10-13 08:10 -------- d-----w- c:\program files\PC Satellite TV
2009-10-10 08:39 . 2009-10-13 08:10 -------- d-----w- c:\program files\TVAnts
2009-10-08 12:19 . 2009-10-22 12:17 -------- d-----w- c:\program files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 09:16 . 2009-08-17 12:50 -------- d-----w- c:\documents and settings\Mick\Application Data\vlc
2009-10-29 20:00 . 2008-10-24 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-29 20:00 . 2008-10-24 23:04 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 20:00 . 2008-10-24 23:04 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-29 20:00 . 2008-10-24 23:04 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-29 20:00 . 2008-10-24 23:04 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-29 19:58 . 2008-10-24 23:04 -------- d-----w- c:\program files\AVG
2009-10-28 18:41 . 2008-10-24 23:00 69040 ----a-w- c:\documents and settings\Mick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-27 20:03 . 2008-12-12 15:18 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-27 20:01 . 2008-10-26 09:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-23 21:00 . 2009-06-12 10:52 499712 ----a-w- c:\windows\system32\CheckDll.dll
2009-10-22 11:34 . 2008-10-26 09:49 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-22 09:09 . 2008-10-24 22:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-22 06:47 . 2009-09-11 15:30 -------- d-----w- c:\documents and settings\Mick\Application Data\Apple Computer
2009-10-19 08:50 . 2009-05-26 12:55 -------- d-----w- c:\program files\SIM Edit Tool
2009-10-13 07:43 . 2009-08-17 10:43 -------- d-----w- c:\program files\Driver Robot
2009-10-06 13:56 . 2009-09-11 17:04 -------- d-----w- c:\documents and settings\Mick\Application Data\OpenDNS Updater
2009-09-15 07:23 . 2009-09-15 07:22 -------- d-----w- c:\documents and settings\All Users\Application Data\IM
2009-09-14 14:54 . 2009-04-14 10:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-09-11 17:04 . 2009-09-11 17:04 -------- d-----w- c:\program files\OpenDNS Updater
2009-09-11 15:59 . 2009-09-11 15:59 54996 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 15:30 . 2009-09-11 15:27 -------- d-----w- c:\program files\iTunes
2009-09-11 15:27 . 2009-09-11 15:27 -------- d-----w- c:\program files\iPod
2009-09-11 15:27 . 2009-09-11 15:21 -------- d-----w- c:\program files\Common Files\Apple
2009-09-11 15:27 . 2009-09-11 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-11 15:26 . 2009-09-11 15:26 -------- d-----w- c:\program files\Bonjour
2009-09-11 15:25 . 2009-09-11 15:24 -------- d-----w- c:\program files\QuickTime
2009-09-11 15:22 . 2009-09-11 15:22 -------- d-----w- c:\program files\Apple Software Update
2009-09-11 15:21 . 2009-09-11 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-10 14:29 . 2003-03-12 21:50 -------- d-----w- c:\program files\IncrediMail
2009-08-17 15:25 . 2008-10-30 21:05 348160 ----a-w- c:\windows\system32\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2009-09-24 834560]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2009-02-19 202064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-29 2010904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"NoNetSetup"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"link"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-29 20:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2179:UDP"= 2179:UDP:Windows Media Format SDK (wmplayer.exe)
"2178:UDP"= 2178:UDP:Windows Media Format SDK (wmplayer.exe)
"2218:UDP"= 2218:UDP:Windows Media Format SDK (wmplayer.exe)

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [29/10/2009 20:00 161800]
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [13/11/2007 22:48 71720]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [24/10/2008 23:04 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [24/10/2008 23:04 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [29/10/2009 19:58 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [29/10/2009 19:58 285392]
R2 MaxWatchDogService;MaxWatchDogService;c:\program files\Max Spyware Detector\MaxWatchDogService.exe [13/10/2009 09:17 426928]
R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [03/07/2009 11:10 354176]
R2 tomtomhomeservice;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2009 15:05 92008]
R3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [05/11/2008 18:22 15104]
R3 sdactmon;SDActMon;c:\program files\Max Spyware Detector\SDActMon.sys [13/10/2009 09:17 30128]
S1 dbed317;dbed317;c:\windows\system32\drivers\dbed317.sys --> c:\windows\system32\drivers\dbed317.sys [?]
S2 is360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [02/10/2009 12:51 309008]
S2 sdmainsvc;SDMainSvc;c:\program files\SpywareDetector\SDMainService.exe --> c:\program files\SpywareDetector\SDMainService.exe [?]
S2 sdservice;SDService;c:\program files\SpywareDetector\SDService.exe --> c:\program files\SpywareDetector\SDService.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [25/01/2009 14:38 36928]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
S3 SDAntiRtKt;SDAntiRtKt;c:\program files\Max Spyware Detector\SDAntiRtKt.sys [13/10/2009 09:17 17968]
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\DataBackupFully.job
- c:\program files\Spotmau\backup_recovery\bin\DoTask.exe [2009-07-03 18:50]

2009-10-26 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-07-19 08:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page =
mStart Page = hxxp://www.msn.com
mWindow Title = Microsoft Internet Explorer
uInternet Settings,ProxyOverride = *.local
IE: &add animation to incredimail style box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Mick\Application Data\Mozilla\Firefox\Profiles\9s666bpm.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/1/hi/england/northamptonshire/default.stm
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar_im2_test_v2&search=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{1D718A2B-91BF-4405-8CC0-C278D1453AF3} - (no file)
SSODL-Comendel-{C84567F9-96CE-44F1-AB48-E3577176C350} - (no file)
Notify-sdnotify - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,fe,53,5c,11,23,1b,40,94,97,fd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,fe,53,5c,11,23,1b,40,94,97,fd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(5052)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Max Spyware Detector\MaxActMon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-11-04 18:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 18:02

Pre-Run: 38,539,157,504 bytes free
Post-Run: 38,404,648,960 bytes free

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,204 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:48 PM

Posted 04 November 2009 - 01:32 PM

Hi Mick,

Did you get the prompt to install the Recovery Console when running Combofix?

For Combofix to be fully functional, the Recovery Console has to be installed.

ONLY IF YOUR INTERNET CONNECTION IS WORKING, try to re-run Combofix and install the Recovery Console.

If you can't connect to the internet for some reason, just let me know and I will give you additional instructions.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Mickey Boy
  • Topic Starter

Posted 04 November 2009 - 02:16 PM

Hi Elise,

My internet connection is fine. ComboFix doesn't ask me to download the Windows Recovery software. When I click on combofix.exe it gives me the attached screenshot. If I keep clicking OK it eventually goes after about 10-15 times, then ComboFix runs. I have attached another ComboFix log as well.

Kind Regards

Mick


#8 Elise

Posted 04 November 2009 - 02:19 PM

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

regards, Elise


#9 Mickey Boy
  • Topic Starter

Posted 04 November 2009 - 02:49 PM

Hi Elise,

Doesn't work. Each time I drag the file onto ComboFix it asks if I want to run it. I click yes and ComboFix starts to load with the small green bars. I then get an error box which I am having trouble pasting into this post, and I can't upload the screenshot as the file is too large.

The file is named:
32788R22FWJFW\iexplore.exe

It says: Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item. This appears over and over.

What am I doing wrong?

Regards
Mick

#10 Elise

Posted 04 November 2009 - 03:12 PM

Download this file to your desktop. Double click WUS_Fix.exe to run it. A command window will show shortly.

After doing this, try to run Combofix again.

regards, Elise


#11 Mickey Boy
  • Topic Starter

Posted 04 November 2009 - 03:26 PM

Sorry Elise,

No go. The WUS.exe cmd screen flashed up for a second. I waited for a few minutes and then tried running ComboFix again. Same thing happened, error box.

Also tried dragging the Windows XP SP2 file that we downloaded onto ComboFix again to see if the recovery console would load, and it just gave me the error again.

Regards

Mick.

If you're getting tired of this we can resume tomorrow if you'd prefer, hun.

#12 Elise

Posted 04 November 2009 - 03:50 PM

It's getting late indeed :( Last thing today, let's check if the original problem detected by MBAM at least is gone.

Please start MBAM and update to the latest definitions (Update tab, check for updates now button).

After that, run a full scan and post the results here.

regards, Elise


#13 Mickey Boy
  • Topic Starter

Posted 04 November 2009 - 04:57 PM

Hi Elise,

Well what da ya know. The MBAM was clear. You're a genius.

Does this mean it's sorted? If so, thank you ever so much for all your help, it's really appreciated. However, I've got a feeling you're going to say "No, we're not finished yet".

Speak to you tomorrow

Many Thanks and sleep well.

Regards

Mick.

Malwarebytes' Anti-Malware 1.41
Database version: 3101
Windows 5.1.2600 Service Pack 3

04/11/2009 21:53:44
mbam-log-2009-11-04 (21-53-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 221630
Time elapsed: 50 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 Elise

Posted 05 November 2009 - 04:32 AM

Unfortunately I can't give you the assurance you are clean :( I wanted to check with MBAM if we got rid of the %fystemroot% problem, which appears to be gone indeed.

I am gonna look for an explanation for the Combofix problem and will post back to you as soon as I get more information on that.

regards, Elise


#15 Mickey Boy
  • Topic Starter

Posted 05 November 2009 - 01:48 PM

Good evening Elise.

After reading your last post I decided to run Max Spyware Detector on my machine. As MBAM had removed all the malware, I thought that there might be a virus as well, so I ran a scan. It found 3 different things with 19 components; there were 2 trojans and I'm not sure what the other was. To cut a long story short, I then tried dropping the Windows XP .exe onto combofix.exe again and, lo and behold, it works.

However, it doesn't ask me to install the recovery console, but it does say that the AVG real time scanner is still running even though I have disabled it.

I haven't had the nerve to let ComboFix run yet as I can't stop the AVG warning, so I thought I'd drop you a line instead to see what you'd like me to do.

Hope you're online.

Best Regards

Mick :(

Hi Elise,

I think I have finally sorted it out. I ran Max Spyware Detector, which deleted the trojans and files that were stopping ComboFix from working. I then deleted all the system restore points by turning off SR, as the trojans were in there as well. I then ran Max Spyware Detector again; this time there was nothing there. I then dropped the Windows XP .exe Boot Enu onto ComboFix and it did its stuff, including downloading the Windows Recovery Console. The report is attached. This time I think I am clean as my machine has never run so fast, even from new.

If all is well, I bid you farewell and would like to thank you again for all your help. You and Bleeping Computers provide an invaluable service to us lesser mortals and we are indeed very grateful.

All the best

Kind Regards
Mick :(

Edited by Mickey Boy, 06 November 2009 - 05:24 AM.




