Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Search Redirect Problem


  • This topic is locked This topic is locked
18 replies to this topic

#1 mhorton

mhorton

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 30 October 2009 - 10:56 PM

I was hoping to find a guide through this apparently common, and very annoying, problem. I would appreciate any help you could give me.

I am posting the DDS log, I have attached the file Attach.txt and the RootRepeal Report.

Thanks so much,

mhorton


DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 23:40:06.75 on Fri 10/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.441 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\www\Apache2\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\www\Apache2\bin\apache.exe
C:\www\mysql\bin\mysqld-nt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176780595515
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\o8slbf0x.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-27 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-8 297752]
R2 wsnm;VMware View Client Service;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2008-11-5 147456]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [2008-11-5 21504]
S2 Parclass;Parclass;c:\windows\system32\drivers\PARCLASS.SYS [2007-7-31 20272]

=============== Created Last 30 ================

2009-10-31 02:58:06 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-31 02:57:11 0 d-----w- c:\docume~1\admini~1\applic~1\AD ON Multimedia
2009-10-24 00:08:33 0 d-----w- c:\program files\Trend Micro
2009-10-23 23:32:32 0 d-----w- C:\cmdcons
2009-10-23 22:32:58 0 d-----w- c:\program files\Java(2)
2009-10-23 20:21:17 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-23 20:21:17 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-10-23 20:19:34 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-10-23 20:19:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 20:19:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-20 22:42:14 0 d-----w- C:\$AVG8.VAULT$
2009-10-03 21:35:15 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-03 21:35:15 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-03 21:35:15 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-03 21:35:12 0 d-----w- c:\program files\TUGZip
2009-10-03 16:04:44 0 d-----w- c:\program files\all2lame

==================== Find3M ====================

2009-09-20 14:10:21 12524 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-20 22:20:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-19 14:06:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-06 23:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2006-11-30 03:17:52 8 --sh--r- c:\windows\system32\07A748D392.sys
2007-03-09 04:06:56 88 --sh--r- c:\windows\system32\E42D6376F9.sys

============= FINISH: 23:41:15.32 ===============

Attached Files


Edited by mhorton, 30 October 2009 - 11:08 PM.


BC AdBot (Login to Remove)

 


#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 31 October 2009 - 06:35 AM

Hi,

I will handle your log. As I am in training all my answers have to be approved by my Coaches.
I hope you understand.

I'll get back to you as soon as is possible.

#3 mhorton

mhorton
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  

Posted 31 October 2009 - 07:11 AM

Sounds great, Superbird. I look forward to resolving the issue with you.

#4 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 31 October 2009 - 09:11 AM

Hi,

Download ComboFix from here

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Posted Image
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply, together with a new DDS log.

#5 mhorton

mhorton
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 31 October 2009 - 09:51 AM

Pasted here are the ComboFix and DDS logs.

Attached is an updated Attach.txt

ComboFix 09-10-30.01 - Administrator 10/31/2009 10:27.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.576 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\AD ON Multimedia
c:\documents and settings\Administrator\Application Data\AD ON Multimedia\eBay Shortcuts\config.ini
c:\documents and settings\Administrator\Application Data\AD ON Multimedia\eBay Shortcuts\eBayShortcuts.exe
c:\documents and settings\Administrator\Application Data\inst.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.

2009-10-23 22:32 . 2009-10-31 02:57 -------- d-----w- c:\program files\Java(2)
2009-10-23 20:21 . 2009-10-31 02:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-23 20:21 . 2009-10-23 20:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-10-23 20:19 . 2009-10-23 20:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-23 20:19 . 2009-10-31 02:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 20:19 . 2009-10-23 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-20 22:42 . 2009-10-20 22:42 -------- d-----w- C:\$AVG8.VAULT$
2009-10-03 21:35 . 2007-03-13 03:34 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-03 21:35 . 2007-03-13 03:34 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-03 21:35 . 2007-03-13 03:34 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-03 16:04 . 2009-10-03 16:26 -------- d-----w- c:\program files\all2lame

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 14:25 . 2007-01-15 15:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-31 14:17 . 2006-06-03 18:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\foobar2000
2009-10-31 04:21 . 2009-08-20 22:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-31 04:21 . 2009-10-31 04:21 -------- d-----w- c:\program files\Java
2009-10-31 03:32 . 2007-08-09 15:15 -------- d-----w- c:\program files\Common Files\Real
2009-10-31 03:28 . 2007-05-19 13:35 -------- d-----w- c:\program files\Foxit Software
2009-10-31 03:28 . 2007-05-30 20:52 -------- d-----w- c:\program files\Diploma 6
2009-10-31 02:57 . 2009-10-31 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-24 00:08 . 2009-10-24 00:08 -------- d-----w- c:\program files\Trend Micro
2009-10-23 20:31 . 2007-05-04 04:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-23 20:31 . 2006-04-08 00:46 -------- d-----w- c:\program files\SpywareBlaster
2009-10-23 20:20 . 2007-03-29 22:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-03 21:58 . 2007-03-09 14:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Design Science
2009-10-03 21:58 . 2006-05-19 02:46 96888 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-03 21:57 . 2007-03-09 14:20 -------- d-----w- c:\program files\MathType
2009-09-20 14:10 . 2006-11-30 02:35 12524 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-18 20:20 . 2008-05-19 20:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\AccurateRip
2009-09-16 00:43 . 2009-09-16 00:42 -------- d-----w- c:\program files\GIMP-2.0
2009-09-12 19:50 . 2009-08-15 00:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\XBMC
2009-09-07 15:21 . 2006-04-08 01:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thunderbird
2009-09-07 15:18 . 2006-04-08 00:42 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-09-07 15:16 . 2006-09-27 15:42 -------- d-----w- c:\program files\SlySoft
2009-08-30 14:24 . 2004-08-04 12:00 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-08-19 14:06 . 2009-02-09 00:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-19 14:06 . 2008-05-28 00:38 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-19 14:06 . 2006-11-02 12:43 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-06 23:24 . 2006-04-07 22:14 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2006-04-07 22:14 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-04-07 22:14 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-04-07 22:14 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-04-07 22:14 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2007-04-17 22:13 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2006-04-07 22:14 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 23:23 . 2005-05-26 08:19 215920 ----a-w- c:\windows\system32\muweb.dll
2006-11-30 03:17 . 2006-11-30 03:17 8 --sh--r- c:\windows\system32\07A748D392.sys
2007-03-09 04:06 . 2007-03-09 03:42 88 --sh--r- c:\windows\system32\E42D6376F9.sys
.

------- Sigcheck -------

[-] 2009-08-30 . 3ADCE4790F591BF160A94F6F08039577 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2009-08-30 . 3ADCE4790F591BF160A94F6F08039577 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-12-21 . 1A0284770822BD6FA7EBB812EA5D2629 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-04-24 . FEE433D38495AC76BB4587F6936205CE . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-08 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2006-04-08 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-31 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-19 14:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^µnBlackList.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\µnBlackList.exe
backup=c:\windows\pss\µnBlackList.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk.disabled
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"µnBlackList"=c:\documents and settings\Administrator\Start Menu\Programs\Startup\µnBlackList.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\www\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\wswc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/27/2008 8:38 PM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/8/2009 8:13 PM 297752]
R2 wsnm;VMware View Client Service;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [11/5/2008 5:49 PM 147456]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [11/5/2008 5:45 PM 21504]
S2 Parclass;Parclass;c:\windows\system32\drivers\PARCLASS.SYS [7/31/2007 7:37 PM 20272]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o8slbf0x.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-31 10:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:b9,83,43,81,48,83,c5,02,0b,93,08,7d,d9,0e,60,9a,81,bc,eb,f0,af,
ea,e1,e4,f1,1d,8d,1c,c9,fd,54,f8,dd,8a,18,2e,3d,6b,98,27,45,fc,c1,29,e1,bc,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:b9,83,43,81,48,83,c5,02,0b,93,08,7d,d9,0e,60,9a,81,bc,eb,f0,af,
ea,e1,e4,f1,1d,8d,1c,c9,fd,54,f8,20,53,14,45,46,0b,93,1d,45,fc,c1,29,e1,bc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-31 10:36
ComboFix-quarantined-files.txt 2009-10-31 14:36
ComboFix2.txt 2009-10-23 23:48

Pre-Run: 9,087,823,872 bytes free
Post-Run: 9,057,628,160 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EFF741136BA2216097024F445CD9F826


DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 10:47:56.53 on Sat 10/31/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.516 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\www\Apache2\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\www\Apache2\bin\apache.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176780595515
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\o8slbf0x.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-27 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-8 297752]
R2 wsnm;VMware View Client Service;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2008-11-5 147456]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [2008-11-5 21504]
S2 Parclass;Parclass;c:\windows\system32\drivers\PARCLASS.SYS [2007-7-31 20272]

=============== Created Last 30 ================

2009-10-31 14:19:25 0 d-sha-r- C:\cmdcons
2009-10-31 14:17:37 98816 ----a-w- c:\windows\sed.exe
2009-10-31 14:17:37 77312 ----a-w- c:\windows\MBR.exe
2009-10-31 14:17:37 236544 ----a-w- c:\windows\PEV.exe
2009-10-31 14:17:37 161792 ----a-w- c:\windows\SWREG.exe
2009-10-31 14:17:24 0 d-----w- C:\Combo-Fix
2009-10-31 04:21:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-10-31 02:58:06 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-24 00:08:33 0 d-----w- c:\program files\Trend Micro
2009-10-23 22:32:58 0 d-----w- c:\program files\Java(2)
2009-10-23 20:21:17 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-23 20:21:17 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-10-23 20:19:34 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-10-23 20:19:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 20:19:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-20 22:42:14 0 d-----w- C:\$AVG8.VAULT$
2009-10-03 21:35:15 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-03 21:35:15 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-03 21:35:15 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-03 16:04:44 0 d-----w- c:\program files\all2lame

==================== Find3M ====================

2009-10-31 04:21:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-20 14:10:21 12524 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-19 14:06:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-06 23:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2006-11-30 03:17:52 8 --sh--r- c:\windows\system32\07A748D392.sys
2007-03-09 04:06:56 88 --sh--r- c:\windows\system32\E42D6376F9.sys

============= FINISH: 10:48:15.71 ===============

Attached Files



#6 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 31 October 2009 - 10:30 AM

Hi,

Go to Virustotal.com
Upload the following file by copy/paste the following (so do not use "Browse"!)): c:\windows\system32\drivers\TCPIP.SYS
Wait untill the results appear, and post them in your next reply.

Do this also with thes files:
c:\windows\system32\winlogon.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\µnBlackList.exe


#7 mhorton

mhorton
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  

Posted 31 October 2009 - 11:19 AM

c:\documents and settings\Administrator\Start Menu\Programs\Startup\µnBlackList.exe

does not actually exist on my system; at least VirusTotal indicated it was not at that location.

Here are the reports for the other two; both had 0/40 for results:

File TCPIP.SYS received on 2009.10.31 16:01:43 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/40 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 43 and 62 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.31 -
AhnLab-V3 5.0.0.2 2009.10.30 -
AntiVir 7.9.1.53 2009.10.30 -
Antiy-AVL 2.0.3.7 2009.10.30 -
Authentium 5.1.2.4 2009.10.31 -
Avast 4.8.1351.0 2009.10.30 -
AVG 8.5.0.423 2009.10.31 -
BitDefender 7.2 2009.10.31 -
CAT-QuickHeal 10.00 2009.10.31 -
ClamAV 0.94.1 2009.10.31 -
Comodo 2793 2009.10.31 -
DrWeb 5.0.0.12182 2009.10.31 -
eSafe 7.0.17.0 2009.10.29 -
eTrust-Vet 35.1.7094 2009.10.30 -
F-Prot 4.5.1.85 2009.10.31 -
F-Secure 9.0.15370.0 2009.10.30 -
Fortinet 3.120.0.0 2009.10.31 -
GData 19 2009.10.31 -
Ikarus T3.1.1.72.0 2009.10.31 -
Jiangmin 11.0.800 2009.10.31 -
K7AntiVirus 7.10.885 2009.10.31 -
Kaspersky 7.0.0.125 2009.10.31 -
McAfee 5787 2009.10.30 -
McAfee+Artemis 5787 2009.10.30 -
McAfee-GW-Edition 6.8.5 2009.10.31 -
Microsoft 1.5202 2009.10.31 -
NOD32 4561 2009.10.31 -
nProtect 2009.1.8.0 2009.10.31 -
Panda 10.0.2.2 2009.10.31 -
PCTools 7.0.3.5 2009.10.30 -
Prevx 3.0 2009.10.31 -
Rising 21.53.52.00 2009.10.31 -
Sophos 4.47.0 2009.10.31 -
Sunbelt 3.2.1858.2 2009.10.30 -
Symantec 1.4.4.12 2009.10.31 -
TheHacker 6.5.0.2.056 2009.10.28 -
TrendMicro 8.950.0.1094 2009.10.31 -
VBA32 3.12.10.11 2009.10.30 -
ViRobot 2009.10.31.2015 2009.10.31 -
VirusBuster 4.6.5.0 2009.10.30 -
Additional information
File size: 360320 bytes
MD5...: 3adce4790f591bf160a94f6f08039577
SHA1..: d0f02ab9b940322c8644ac49526df1422ba732bd
SHA256: 9566aade9e3c9c749a77da24971d2a2ef5ca284a3ce12697962dc4ca929d9fb5
ssdeep: 6144:LcamciT9y1vHgbQrQZi4TQqSLgh6Ss8tkahEA8t/W/9oeyvO:Lcamcp1vHg
W48qEezdhE0/9
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x51626
timedatestamp.....: 0x485b8a36 (Fri Jun 20 10:45:10 2008)
machinetype.......: 0x14c (I386)

( 10 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x3ecb2 0x3ed00 6.60 5b9c80815f564a74f0f5c64dfa803bda
.rdata 0x3f080 0x57c 0x580 4.47 b488d9ef4d2a3578ab813a7f32f4942c
.data 0x3f600 0xa4a4 0xa500 0.06 63cbaad4701faecd4d3ce7ae9341bc92
PAGE 0x49b00 0x1f85 0x2000 6.37 c56251bf7fc7eb3705785639ac9df2c7
PAGELK 0x4bb00 0x6f2 0x700 6.20 1bee176b5a4f4e0968c8d94406adff29
PAGEIPMc 0x4c200 0x2781 0x2800 6.45 6792a2763176b917fb8ebf7ceac4b5db
.edata 0x4ea00 0x341 0x380 5.23 0c14056c30ce76c02ee254161feebbeb
INIT 0x4ed80 0x5846 0x5880 6.22 b6a207bc5c2e9b9b2d3f3b23cc2bedaf
.rsrc 0x54600 0x3f0 0x400 3.41 b6707a370be8166e0b9390815731e10f
.reloc 0x54a00 0x3558 0x3580 6.80 d9f2dd16ad4fca1da7dde33b49298001

( 4 imports )
> HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex
> NDIS.SYS: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter
> ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, _aulldvrm, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile
> TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel

( 31 exports )
ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: TCP/IP Protocol Driver
original name: tcpip.sys
internal name: tcpip.sys
file version.: 5.1.2600.3394 (xpsp_sp2_gdr.080620-1245)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned



File winlogon.exe received on 2009.10.28 15:22:39 (UTC)
Current status: finished
Result: 0/40 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.28 -
AhnLab-V3 5.0.0.2 2009.10.27 -
AntiVir 7.9.1.44 2009.10.28 -
Antiy-AVL 2.0.3.7 2009.10.27 -
Authentium 5.1.2.4 2009.10.28 -
Avast 4.8.1351.0 2009.10.28 -
AVG 8.5.0.423 2009.10.28 -
BitDefender 7.2 2009.10.28 -
CAT-QuickHeal 10.00 2009.10.28 -
ClamAV 0.94.1 2009.10.28 -
Comodo 2757 2009.10.28 -
DrWeb 5.0.0.12182 2009.10.28 -
eSafe 7.0.17.0 2009.10.28 -
eTrust-Vet 35.1.7087 2009.10.28 -
F-Prot 4.5.1.85 2009.10.27 -
Fortinet 3.120.0.0 2009.10.28 -
GData 19 2009.10.28 -
Ikarus T3.1.1.72.0 2009.10.28 -
Jiangmin 11.0.800 2009.10.26 -
K7AntiVirus 7.10.881 2009.10.27 -
Kaspersky 7.0.0.125 2009.10.28 -
McAfee 5784 2009.10.27 -
McAfee+Artemis 5784 2009.10.27 -
McAfee-GW-Edition 6.8.5 2009.10.28 -
Microsoft 1.5202 2009.10.28 -
NOD32 4551 2009.10.28 -
Norman 6.03.02 2009.10.27 -
nProtect 2009.1.8.0 2009.10.28 -
Panda 10.0.2.2 2009.10.27 -
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.28 -
Rising 21.53.24.00 2009.10.28 -
Sophos 4.46.0 2009.10.28 -
Sunbelt 3.2.1858.2 2009.10.27 -
Symantec 1.4.4.12 2009.10.28 -
TheHacker 6.5.0.2.055 2009.10.27 -
TrendMicro 8.950.0.1094 2009.10.28 -
VBA32 3.12.10.11 2009.10.27 -
ViRobot 2009.10.28.2009 2009.10.28 -
VirusBuster 4.6.5.0 2009.10.28 -
Additional information
File size: 502272 bytes
MD5 : 6225f14b8ce08ccba8b25ad27843c674
SHA1 : ec2dbfe0c28b004bee344daa53fdc2e2ced0695f
SHA256: 3089e8a15776989fbc345a57c47eaaca9a46c3c8f72eec4bb57429f9f4355ad0
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3D353
timedatestamp.....: 0x41107EDC (Wed Aug 4 08:14:52 2004)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6F288 0x6F400 6.82 d221db22a9ac855a59358c515e207c45
.data 0x71000 0x4D90 0x2000 6.21 662eceb591c7df2d6e365ae6b9b2da15
.rsrc 0x76000 0x9030 0x9200 3.62 b93cbbc049130e1bad3ea13d7512c074

( 0 imports )


( 0 exports )
TrID : File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
ssdeep: 6144:MYuZlm8LRlBw662R1pqrc7FmxSqVw/T+SN1TrSnmhPnpdcbFIzdFz/N5WjyfTNQq:MVLBhic7Qy1vSneJFDNhp8
PEiD : -
CWSandbox: http://research.sunbelt-software.com/partn...8b25ad27843c674
RDS : NSRL Reference Data Set
-

#8 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 31 October 2009 - 12:36 PM

Hi,

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#9 mhorton

mhorton
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 31 October 2009 - 02:19 PM

ESET scan report:

C:\Documents and Settings\Administrator\Desktop\eac-0.99pb4.exe a variant of Win32/Adware.ADON application
C:\Documents and Settings\Administrator\My Documents\Old\My Documents\Mail File\desktop\Personal.dbx JS/Kak worm
C:\Program Files\Pegasys Inc\TMPGEnc DVD Author 3 with DivX Authoring\TDA30_Activator_En.exe probably a variant of Win32/Agent trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.OF virus
D:\software\DVD Tools\Nero 6.6.0.6\nerokey.exe probably a variant of Win32/SdBot trojan
D:\software\TMPGEnc DVD Author 3 with DivX Authoring v3.0.8.158\TDA30_v3.0.8.158_Activator_En.rar probably a variant of Win32/Agent trojan
D:\software\TMPGEnc DVD Author 3 with DivX Authoring v3.0.8.158\TDA30_v3.0.8.158_Activator_En\TDA30_Activator_En.exe probably a variant of Win32/Agent trojan

#10 mhorton

mhorton
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  

Posted 31 October 2009 - 02:33 PM

Superbird,

I think the redirection problem has stopped, perhaps when Combofix disinfected my atapi.sys file.

I clicked on about twenty or thirty Google search results and everything was fine. Probability-wise, I would have been redirected again in that many tries.

Is there anything else I should do, maybe with System Restore, to prevent a recurrence?

Thanks so much,

mhorton

#11 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 01 November 2009 - 04:48 AM

Hi,

First: You apparently are using cracks/warez. I discommend you to use them, because they are a big source of malware.
Please also see this Youtube video:

1. Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present, because you use a crack for them.
  • TMPGEnc DVD Author 3
  • Nero 6.6.0.6
If you are unsure of how to use Add or Remove Programs, the please see this tutorial:
How To Remove An Installed Program From Your Computer

2. Open Notepad.
Copy this in the Notepad-file:

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
"C:\Documents and Settings\Administrator\Desktop\eac-0.99pb4.exe"
"C:\Documents and Settings\Administrator\My Documents\Old\My Documents\Mail File\desktop\Personal.dbx") DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
>>log.txt (
ECHO.
ECHO Deleting folders)
FOR %%I in (
"C:\Program Files\Pegasys Inc\TMPGEnc DVD Author 3 with DivX Authoring"
"D:\software\DVD Tools\Nero 6.6.0.6"
"D:\software\TMPGEnc DVD Author 3 with DivX Authoring v3.0.8.158") DO (
IF EXIST %%I (
RD /S /Q %%I
IF EXIST %%I (
ECHO %%I not deleted>>log.txt
) ELSE (
ECHO %%I deleted>>log.txt)
) ELSE (
ECHO %%I not found>>log.txt))
START NOTEPAD.EXE log.txt

Go to File - Save as...
Fill in the next values:
Location: Desktop
File name: del.bat
File type: All files (*.*).
Now, click Save.
Doubleclick del.bat.
Post the contents of the logfile that opens in your next reply.

#12 mhorton

mhorton
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 01 November 2009 - 09:46 AM

Deleting files
"C:\Documents and Settings\Administrator\Desktop\eac-0.99pb4.exe" deleted
"C:\Documents and Settings\Administrator\My Documents\Old\My Documents\Mail File\desktop\Personal.dbx" deleted

Deleting folders
"C:\Program Files\Pegasys Inc\TMPGEnc DVD Author 3 with DivX Authoring" deleted
"D:\software\DVD Tools\Nero 6.6.0.6" deleted
"D:\software\TMPGEnc DVD Author 3 with DivX Authoring v3.0.8.158" deleted

#13 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 01 November 2009 - 12:33 PM

Hi,

Everything looks clean again. Now let's do something about the prevention of your system, and do some cleanup. :(
Do this please:

1. Go to Start > Run. Now type combofix /uninstall and press ENTER.
This will delete ComboFix, and all, possibly infected, system restore points.

2. Download OTC (by OldTimer)
  • Download the file to your Desktop.
  • Take care of an active internet connection and doubleclick OTC.exe to start the program.
  • Now click on the "CleanUp!" button
  • If your firewall, or any other security program, warns you that OTC.exe tries to connect to the internet, then you can allow that, because the program needs that connection.
  • OTC will ask you at the last step to reboot your computer, which you can allow, because it will delete itself too with this.
Note: The usage of OTC will delete all used tools (including logs and backup folders) from your computer.

3. You can also delete all seperate files we used, if still present. Please keep HijackThis installed for now.

4. Go to the Windows update site.
  • Allow if asked to install an ActiveX applet. Go on with Windows Update after this.
  • Now click on the option Custom.
  • Windows Update will check your system now for missing updates. It will present you the results after this.
  • Now check all boxes on the page viewed ("High priority", as you can see in the left menu). I recommend you to do this with the other categories too (in the left menu are also present: Software (optional) and Hardware (optional)), but this remains your choice.
  • Now click on Install updates in the left menu and then on the button Install updates.
  • Windows Update will install all updates now. This can take some minutes or some hours (depending on the amount of available updates).
  • Windows Update will show you when it's ready with installing the updates. If a restart of your system is needed, Windows Update will show you this also. If a restart is needed, please allow this immediately then.
5. Read this page To prevent yourself against re-infection.

6. Please post a new HijackThislog in your next reply.

#14 mhorton

mhorton
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  

Posted 01 November 2009 - 07:12 PM

Superbird,

Here is my latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:53 PM, on 11/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\www\Apache2\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\www\Apache2\bin\apache.exe
C:\www\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176780595515
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\www\Apache2\bin\apache.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\www\mysql\bin\mysqld-nt.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: VMware View Client Service (wsnm) - VMware, Inc. - C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe

--
End of file - 8197 bytes

#15 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 02 November 2009 - 10:17 AM

Hi,

Please do step 4 again from my previous post.
At least install Windows XP Service Pack 3
Service Pack 3 contains a lot of security updates.

When you have done this, reboot your computer, and post a fresh HijackThislog.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users