hijacker issue with unremovable Trojan Horse Agent_r.OT


This topic is locked. 17 replies to this topic

#1 mathgeek

Posted 12 November 2009 - 04:12 PM

Hi there, recently my computer is being redirected to unknown and unsolicited sites and also opens up numerous IE windows going to a site where there is no information (http://lightseek.biz/). I've run an AVG 9.0 full version scan and keep getting the Trojan Agent_r.OT virus error 130 times in various locations. It removes it, but the next time I re-boot, it appears. Hopefully you can help me. I've attached my DDS log for your review below. Sorry for the double posts, but I messed up the first one and will try to delete the other one. I also have an XVID that I cannot remove (it says I am missing the unins000.dat file). I remember somewhere I was asked to download a codec or xvid file to view a video and I said OK, and then all this crazy stuff started to happen. Yes, I learned my lesson.

Thanks for your help in advance.
MG
Ok, I've run DDS and here is the log:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Karla Friesen at 13:17:40.84 on Thu 11/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2017 [GMT -8:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\vfsFPService.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\PLFSetI.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\DOCUME~1\KARLAF~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Karla Friesen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~1\MEGAUP~1.DLL
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-10-27 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-9-16 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-16 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-16 360584]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-27 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-11-9 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-10-27 5832712]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-2-15 595248]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-9-16 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-10-27 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-10-27 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-10-27 25736]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2009-9-8 39424]
R3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2009-9-9 40752]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-9-16 30104]
S3 axvbusx;axvbusx;c:\windows\system32\drivers\axvbusx.sys [2002-12-27 8384]
S3 axvscsi;axvscsi;c:\windows\system32\drivers\axvscsi.sys [2002-12-27 98560]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2009-9-9 16384]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [2009-9-9 9216]

=============== Created Last 30 ================

2009-11-12 20:55:05 0 d-----w- c:\program files\trend micro
2009-11-06 22:39:03 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-06 22:37:14 0 d-----w- c:\docume~1\karlaf~1\applic~1\MegauploadToolbar
2009-11-06 22:37:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Megaupload
2009-11-06 22:37:12 0 d-----w- c:\docume~1\karlaf~1\applic~1\EmailNotifier
2009-11-06 22:37:12 0 d-----w- c:\docume~1\alluse~1\applic~1\EmailNotifier
2009-11-06 22:37:10 0 d-----w- c:\program files\MegauploadToolbar
2009-11-06 22:36:35 0 d-----w- c:\program files\Xvid
2009-11-06 00:05:58 0 d-----w- c:\documents and settings\all users\AVP 2009
2009-11-05 07:55:52 0 d-----w- c:\program files\Mozilla Firefox(2)
2009-11-05 05:54:36 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-05 05:54:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-27 23:26:07 0 d--h--w- C:\$AVG
2009-10-27 23:25:43 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-10-27 23:25:40 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-27 23:25:21 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

==================== Find3M ====================

2009-11-09 17:47:32 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-27 23:25:59 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-27 23:25:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-27 23:25:43 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-27 23:25:22 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-10-27 23:25:22 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-09-16 20:52:14 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 17:10:57 315392 ----a-w- c:\windows\HideWin.exe
2009-09-09 17:06:57 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-09-09 17:06:57 21361 ----a-w- c:\windows\AegisP.sys
2009-09-09 16:42:42 87608 ----a-w- c:\docume~1\karlaf~1\applic~1\ezpinst.exe
2009-09-09 16:42:42 47360 ----a-w- c:\docume~1\karlaf~1\applic~1\pcouffin.sys
2009-09-08 22:56:11 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-21 20:17:52 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-08-19 20:35:00 678432 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-19 20:35:00 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-19 20:35:00 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-08-19 20:35:00 1317408 ----a-w- c:\windows\system32\nvcuvenc.dll

============= FINISH: 13:19:03.87 ===============

Merged posts, then removed initial post made irrelevant by doing so. ~ OB

Edited by Orange Blossom, 13 November 2009 - 12:38 PM.



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,817 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:39 PM

Posted 20 November 2009 - 06:49 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks, and again sorry for the delay.

regards, Elise



#3 mathgeek

mathgeek
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 21 November 2009 - 02:03 AM

Hey Elise, I know you're busy and really appreciate any help you can give me. Yes, I still have the problem and it is getting worse. When I search with either IE or Firefox, I get redirected at least 3 times and additional windows pop up now. Audio commercials from I don't know where are starting to play randomly when I am not even on-line (still attached to the internet, but I don't have a browser open at the time).

Since you don't want me to install anything, what about automatic updates for say Windows and AVG?

Below are the logs you requested. Thanks again.
Mathgeek.



GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-20 22:01:24
Windows 5.1.2600 Service Pack 3
Running: f0lmtnww.exe; Driver: C:\DOCUME~1\KARLAF~1\LOCALS~1\Temp\kwkorpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xB8381470]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xB8381520]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xB83815C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xB8381660]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xB7F217AC]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[3860] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\00001285 -> \Driver\atapi \Device\Harddisk0\DR0 8AC1850C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


DDS (Ver_09-10-26.01) - NTFSx86
Run by Karla Friesen at 20:42:08.29 on Fri 11/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2258 [GMT -8:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\vfsFPService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\PLFSetI.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\DOCUME~1\KARLAF~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Karla Friesen\Local Settings\Temporary Internet Files\Content.IE5\5JBVY8ON\dds[1].scr
C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~1\MEGAUP~1.DLL
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-10-27 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-9-16 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-16 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-16 360584]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-27 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-11-9 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-10-27 5832712]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-2-15 595248]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-9-16 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-10-27 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-10-27 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-10-27 25736]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2009-9-8 39424]
R3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2009-9-9 40752]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-9-16 30104]
S3 axvbusx;axvbusx;c:\windows\system32\drivers\axvbusx.sys [2002-12-27 8384]
S3 axvscsi;axvscsi;c:\windows\system32\drivers\axvscsi.sys [2002-12-27 98560]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2009-9-9 16384]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [2009-9-9 9216]

=============== Created Last 30 ================

2009-11-19 14:18:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-12 20:55:05 0 d-----w- c:\program files\trend micro
2009-11-06 22:39:03 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-06 22:37:14 0 d-----w- c:\docume~1\karlaf~1\applic~1\MegauploadToolbar
2009-11-06 22:37:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Megaupload
2009-11-06 22:37:12 0 d-----w- c:\docume~1\karlaf~1\applic~1\EmailNotifier
2009-11-06 22:37:12 0 d-----w- c:\docume~1\alluse~1\applic~1\EmailNotifier
2009-11-06 22:37:10 0 d-----w- c:\program files\MegauploadToolbar
2009-11-06 22:36:35 0 d-----w- c:\program files\Xvid
2009-11-06 00:05:58 0 d-----w- c:\documents and settings\all users\AVP 2009
2009-11-05 07:55:52 0 d-----w- c:\program files\Mozilla Firefox(2)
2009-11-05 05:54:36 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-05 05:54:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-27 23:26:07 0 d--h--w- C:\$AVG
2009-10-27 23:25:43 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-10-27 23:25:40 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-27 23:25:21 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

==================== Find3M ====================

2009-11-09 17:47:32 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-27 23:25:59 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-27 23:25:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-27 23:25:43 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-27 23:25:22 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-10-27 23:25:22 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 17:10:57 315392 ----a-w- c:\windows\HideWin.exe
2009-09-09 17:06:57 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-09-09 17:06:57 21361 ----a-w- c:\windows\AegisP.sys
2009-09-09 16:42:42 87608 ----a-w- c:\docume~1\karlaf~1\applic~1\ezpinst.exe
2009-09-09 16:42:42 47360 ----a-w- c:\docume~1\karlaf~1\applic~1\pcouffin.sys
2009-09-08 22:56:11 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 20:43:39.10 ===============

#4 Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania

Posted 21 November 2009 - 03:05 AM

Hello mathgeek,

You can let AVG update and install Windows updates :(

We have a nasty rootkit on our hands here, so let's try to get it out of your computer!

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 mathgeek
  • Topic Starter
  • Members
  • 10 posts

Posted 21 November 2009 - 12:21 PM

Hey Elise, thanks for getting back to me so quickly. :(

Yes, uTorrent is gone - it's kind of how things started :) Please note that the Windows Recovery Console couldn't be installed - ComboFix tried twice.

I also removed megauploader. I just ran a quick Google search and it seems like when I click on a link, I go directly to the site I want!!! :( Let me know what else I need to do if anything.

Below is the combofix log:

ComboFix 09-11-20.05 - Karla Friesen 11/21/2009 8:52.1.2 - x86
Running from: c:\documents and settings\Karla Friesen\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AegisP.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))
.

2009-11-21 16:49 . 2008-04-14 07:10 96512 ----a-w- c:\windows\system32\drivers\atapi_2.sys
2009-11-21 16:42 . 2009-11-21 16:42 -------- d-----w- C:\32788R22FWJFW
2009-11-19 17:47 . 2009-10-27 23:25 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-19 14:18 . 2009-11-19 15:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-19 00:43 . 2009-11-19 00:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-18 01:30 . 2009-11-18 01:30 152576 ----a-w- c:\documents and settings\Karla Friesen\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 20:55 . 2009-11-12 20:55 -------- d-----w- c:\program files\trend micro
2009-11-12 20:55 . 2009-11-12 20:55 -------- d-----w- C:\rsit
2009-11-12 16:58 . 2009-11-09 17:47 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 16:58 . 2009-11-09 17:47 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 16:58 . 2009-11-09 17:47 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 16:58 . 2009-10-27 23:25 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 16:58 . 2009-11-12 16:58 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 16:58 . 2009-11-12 16:58 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-11 16:14 . 2009-11-18 01:30 79488 ----a-w- c:\documents and settings\Karla Friesen\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-09 17:47 . 2009-10-27 23:25 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 17:46 . 2009-11-09 17:46 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 17:46 . 2009-10-27 23:25 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-06 22:46 . 2009-10-27 23:25 3767064 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-11-06 22:46 . 2009-10-27 23:25 292632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-11-06 22:46 . 2009-10-27 23:25 5459880 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\winspamcatcher.dll
2009-11-06 22:46 . 2009-10-27 23:25 2321208 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfws9.exe
2009-11-06 22:39 . 2009-11-06 22:39 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-06 22:37 . 2009-11-06 22:37 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\MegauploadToolbar
2009-11-06 22:37 . 2009-11-06 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Megaupload
2009-11-06 22:37 . 2009-11-06 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\EmailNotifier
2009-11-05 04:44 . 2009-11-05 04:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-27 23:31 . 2009-10-16 19:13 1115392 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-10-27 23:26 . 2009-10-27 23:29 -------- d-----w- C:\$AVG
2009-10-27 23:25 . 2009-10-27 23:25 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-10-27 23:25 . 2009-10-27 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-27 23:25 . 2009-11-21 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-27 23:21 . 2009-10-20 19:57 3767064 ----a-w- c:\documents and settings\All Users\Application Data\Temp\AVG\setup.exe
2009-10-27 23:21 . 2009-10-27 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 04:42 . 2009-09-09 18:16 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\NewsBin
2009-11-18 01:31 . 2009-09-16 20:52 -------- d-----w- c:\program files\Java
2009-11-12 20:45 . 2009-09-15 02:32 -------- d-----w- c:\program files\AVG
2009-11-11 07:08 . 2009-09-09 16:42 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\Vso
2009-11-09 17:47 . 2009-09-16 19:56 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-06 22:37 . 2009-11-05 05:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-06 22:37 . 2009-11-05 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-06 22:37 . 2009-11-06 22:37 -------- d-----w- c:\program files\MegauploadToolbar
2009-11-06 22:37 . 2009-11-06 22:37 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\EmailNotifier
2009-11-06 22:37 . 2009-09-09 20:26 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-06 22:36 . 2009-11-05 07:55 -------- d-----w- c:\program files\Mozilla Firefox(2)
2009-11-06 22:36 . 2009-11-06 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-06 22:36 . 2009-11-06 22:36 -------- d-----w- c:\program files\Xvid
2009-11-06 22:36 . 2009-11-06 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-05 07:56 . 2009-11-05 07:56 0 ----a-w- c:\windows\nsreg.dat
2009-10-27 23:25 . 2009-09-16 19:56 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-27 23:25 . 2009-09-16 19:56 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-27 23:25 . 2009-09-16 19:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-27 23:25 . 2009-09-16 19:56 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-27 23:25 . 2009-09-16 19:55 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-10-27 23:25 . 2009-09-16 19:55 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-10-13 19:12 . 2009-09-09 17:36 -------- d-----w- c:\program files\Launch Manager
2009-10-12 23:05 . 2009-09-09 16:42 -------- d-----w- c:\program files\DVDFab Platinum 3
2009-10-11 22:11 . 2009-10-11 22:11 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\Apple Computer
2009-10-11 21:52 . 2009-10-11 21:52 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\Sony
2009-10-11 21:52 . 2009-10-11 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-10-11 21:48 . 2009-10-11 21:48 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-10-11 21:48 . 2009-10-11 21:48 -------- d-----w- c:\program files\Sony
2009-10-11 21:47 . 2009-10-11 21:47 -------- d-----w- c:\program files\QuickTime
2009-10-11 21:47 . 2009-10-11 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-11 21:46 . 2009-10-11 21:46 -------- d-----w- c:\program files\Apple Software Update
2009-10-11 21:46 . 2009-10-11 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-11 12:17 . 2009-09-16 20:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-03 21:23 . 2009-10-03 21:23 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\vlc
2009-10-02 00:40 . 2009-10-02 00:40 8 ----a-w- c:\windows\system32\nvModes.dat
2009-10-02 00:39 . 2009-10-02 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-10-01 23:50 . 2009-10-01 23:50 -------- d-----w- c:\program files\NVIDIA
2009-10-01 23:37 . 2009-10-01 23:37 -------- d-----w- c:\program files\Haali
2009-10-01 23:37 . 2009-10-01 23:37 -------- d-----w- c:\program files\CoreCodec
2009-09-23 01:03 . 2009-09-23 01:03 34 ----a-w- c:\windows\system32\BD2170W.DAT
2009-09-21 18:17 . 2009-09-21 18:17 1059112 ----a-w- c:\documents and settings\Karla Friesen\Application Data\MegauploadToolbar\megauper.exe
2009-09-17 02:17 . 2009-09-17 02:17 1961720 ----a-w- c:\documents and settings\Karla Friesen\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-09-16 20:51 . 2009-09-16 20:51 152576 ----a-w- c:\documents and settings\Karla Friesen\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 01:03 . 2009-09-10 01:03 42944 ----a-w- c:\documents and settings\Karla Friesen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-09 17:56 . 2009-09-08 22:58 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-09 17:35 . 2009-09-09 17:34 251 ----a-w- c:\windows\xUninstall.bat
2009-09-09 17:16 . 2009-09-09 17:16 0 ----a-w- c:\windows\system32\drivers\SETC5.tmp
2009-09-09 17:10 . 2009-09-09 17:10 315392 ----a-w- c:\windows\HideWin.exe
2009-09-09 17:06 . 2009-09-09 17:06 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-09-09 17:06 . 2009-09-09 17:06 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-09-09 17:06 . 2009-09-09 17:06 21361 ----a-w- c:\windows\AegisP.sys
2009-09-09 16:42 . 2009-09-09 16:42 87608 ----a-w- c:\documents and settings\Karla Friesen\Application Data\ezpinst.exe
2009-09-09 16:42 . 2009-09-09 16:42 87608 ----a-w- c:\documents and settings\Karla Friesen\Application Data\ezpinst.exe
2009-09-09 16:42 . 2009-09-09 16:42 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-09-09 16:42 . 2009-09-09 16:42 47360 ----a-w- c:\documents and settings\Karla Friesen\Application Data\pcouffin.sys
2009-09-09 16:42 . 2009-09-09 16:42 47360 ----a-w- c:\documents and settings\Karla Friesen\Application Data\pcouffin.sys
2009-09-08 22:56 . 2009-09-08 22:56 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-C39E-35F1D2A32EC8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 19:13 1115392 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-09 999424]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-09 1101824]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-18 53248]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-05-17 213936]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-03-14 805384]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-18 13533184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-18 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-03-07 16858112]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2006-07-21 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2006-05-04 2808832]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2003-11-20 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-06-18 1657376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-27 23:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Acer Arcade Deluxe\\HomeMedia\\HomeMedia.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-10-27 30104]
R3 axvbusx;axvbusx;c:\windows\system32\DRIVERS\axvbusx.sys [2002-12-28 8384]
R3 axvscsi;axvscsi;c:\windows\system32\DRIVERS\axvscsi.sys [2002-12-28 98560]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\DRIVERS\pelmouse.sys [2003-01-10 16384]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\DRIVERS\pelusblf.sys [2003-02-11 9216]
S0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\System32\Drivers\AVGIDSxx.sys [2009-10-27 25608]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-10-27 161800]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-10-27 333192]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-11-09 360584]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2009-10-27 285392]
S2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [2009-11-09 2304192]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe AVGIDSAgent [x]
S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-02-15 595248]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-10-27 30104]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [2009-10-27 122376]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [2009-10-27 30216]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [2009-10-27 25736]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1e51x86.sys [2009-08-05 39424]
S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-02-15 40752]

.
Contents of the 'Scheduled Tasks' folder

2009-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]

2009-11-21 c:\windows\Tasks\User_Feed_Synchronization-{6D7A13DC-633D-4D2B-9C87-5049E0C73264}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Notify-AWinNotifyVitaKey MC3000 - (no file)
AddRemove-AVerMedia A309 (MiniCard, DVB-T) - c:\program files\AVerMedia\AVerMedia A309 (MiniCard
AddRemove-HijackThis - c:\documents and settings\Karla Friesen\Local Settings\Temporary Internet Files\Content.IE5\9TI7MX2G\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-21 09:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1324)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-11-21 09:02
ComboFix-quarantined-files.txt 2009-11-21 17:02

Pre-Run: 112,748,089,344 bytes free
Post-Run: 113,209,462,784 bytes free

- - End Of File - - 08BC8A5385EDC1E851F2566B05277A03

Edited by mathgeek, 21 November 2009 - 12:27 PM.


#6 Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania

Posted 21 November 2009 - 12:38 PM

Hello mathgeek,

Why could the Recovery Console not be installed? No internet connection?

If your internet connection is fine, but the Recovery Console still could not be installed, please do the following.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    boot.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

In your next reply, please include the following:
  • SystemLook.txt

Edited by elise025, 21 November 2009 - 12:39 PM.

regards, Elise




#7 mathgeek
  • Topic Starter
  • Members
  • 10 posts

Posted 21 November 2009 - 02:10 PM

I was hooked up to the internet, but viruses started attacking my computer and ComboFix said it couldn't find and wanted to reboot, and it tried again....

Still good on internet searching!


Here is the log:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 11:07 on 21/11/2009 by Karla Friesen (Administrator - Elevation successful)

========== filefind ==========

Searching for "boot.*"
C:\boot.ini ---hs- 211 bytes [15:43 08/09/2009] [22:53 08/09/2009] FA579938B0733B87066546AFE951082C
C:\Program Files\Nero\Nero8\Nero BackItUp\BackItUp_ImageTool\boot.msg --a--- 138 bytes [19:39 29/02/2008] [19:39 29/02/2008] B3C795EB2CE52EF7953B34770623D2C3

-=End Of File=-

#8 Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania

Posted 21 November 2009 - 02:23 PM

Okay, let's try if we can force it to install the Recovery Console.

Download ComboFix from one of these locations:

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[screenshot]

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    [screenshot]


  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

regards, Elise




#9 mathgeek
  • Topic Starter
  • Members
  • 10 posts

Posted 21 November 2009 - 02:35 PM

Elise,

Is there an easy way to tell if I have XP Home or XP Professional? I initially had Vista (and hated it) and my HD crashed one day, so my friend bought a new HD and set it up for me. He is out of town this weekend so I can't ask him. Note, I have Service Pack 3 installed. And the link you sent me is for booting from a floppy disk, which I do not have...only DVD/CD.

MG

Edited by mathgeek, 21 November 2009 - 02:39 PM.


#10 Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania

Posted 21 November 2009 - 03:14 PM

Yes there is an easy way to tell you if you have Home or Professional :(

Right click on My Computer and select Properties. The first tab of the Properties window should tell you your Windows version.

And the link you sent me is for booting from a floppy disk, which I do not have...only DVD/CD.

Please read the instructions carefully. You do not need floppies or CDs. Just download the appropriate file and drag it onto ComboFix.exe, that's all :(

regards, Elise




#11 mathgeek
  • Topic Starter
  • Members
  • 10 posts

Posted 21 November 2009 - 03:43 PM

Here you go:

ComboFix 09-11-20.05 - Karla Friesen 11/21/2009 12:30.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2290 [GMT -8:00]
Running from: c:\documents and settings\Karla Friesen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Karla Friesen\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))
.

2009-11-21 16:49 . 2008-04-14 07:10 96512 ----a-w- c:\windows\system32\drivers\atapi_2.sys
2009-11-19 17:47 . 2009-10-27 23:25 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-19 14:18 . 2009-11-19 15:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-19 00:43 . 2009-11-19 00:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-18 01:30 . 2009-11-18 01:30 152576 ----a-w- c:\documents and settings\Karla Friesen\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 20:55 . 2009-11-12 20:55 -------- d-----w- c:\program files\trend micro
2009-11-12 20:55 . 2009-11-12 20:55 -------- d-----w- C:\rsit
2009-11-12 16:58 . 2009-11-09 17:47 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 16:58 . 2009-11-09 17:47 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 16:58 . 2009-11-09 17:47 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 16:58 . 2009-10-27 23:25 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 16:58 . 2009-11-12 16:58 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 16:58 . 2009-11-12 16:58 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-11 16:14 . 2009-11-18 01:30 79488 ----a-w- c:\documents and settings\Karla Friesen\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-09 17:47 . 2009-10-27 23:25 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 17:46 . 2009-11-09 17:46 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 17:46 . 2009-10-27 23:25 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-06 22:46 . 2009-10-27 23:25 3767064 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-11-06 22:46 . 2009-10-27 23:25 292632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-11-06 22:46 . 2009-10-27 23:25 5459880 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\winspamcatcher.dll
2009-11-06 22:46 . 2009-10-27 23:25 2321208 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfws9.exe
2009-11-06 22:39 . 2009-11-06 22:39 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-06 22:37 . 2009-11-06 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Megaupload
2009-11-05 04:44 . 2009-11-05 04:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-27 23:31 . 2009-10-16 19:13 1115392 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-10-27 23:26 . 2009-10-27 23:29 -------- d-----w- C:\$AVG
2009-10-27 23:25 . 2009-10-27 23:25 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-10-27 23:25 . 2009-10-27 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-27 23:25 . 2009-11-21 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-27 23:21 . 2009-10-20 19:57 3767064 ----a-w- c:\documents and settings\All Users\Application Data\Temp\AVG\setup.exe
2009-10-27 23:21 . 2009-10-27 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 04:42 . 2009-09-09 18:16 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\NewsBin
2009-11-18 01:31 . 2009-09-16 20:52 -------- d-----w- c:\program files\Java
2009-11-12 20:45 . 2009-09-15 02:32 -------- d-----w- c:\program files\AVG
2009-11-11 07:08 . 2009-09-09 16:42 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\Vso
2009-11-09 17:47 . 2009-09-16 19:56 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-06 22:37 . 2009-11-05 05:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-06 22:37 . 2009-11-05 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-06 22:37 . 2009-11-06 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\EmailNotifier
2009-11-06 22:37 . 2009-11-06 22:37 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\EmailNotifier
2009-11-06 22:37 . 2009-09-09 20:26 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-06 22:36 . 2009-11-05 07:55 -------- d-----w- c:\program files\Mozilla Firefox(2)
2009-11-06 22:36 . 2009-11-06 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-06 22:36 . 2009-11-06 22:36 -------- d-----w- c:\program files\Xvid
2009-11-06 22:36 . 2009-11-06 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-05 07:56 . 2009-11-05 07:56 0 ----a-w- c:\windows\nsreg.dat
2009-10-27 23:25 . 2009-09-16 19:56 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-27 23:25 . 2009-09-16 19:56 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-27 23:25 . 2009-09-16 19:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-27 23:25 . 2009-09-16 19:56 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-27 23:25 . 2009-09-16 19:55 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-10-27 23:25 . 2009-09-16 19:55 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-10-13 19:12 . 2009-09-09 17:36 -------- d-----w- c:\program files\Launch Manager
2009-10-12 23:05 . 2009-09-09 16:42 -------- d-----w- c:\program files\DVDFab Platinum 3
2009-10-11 22:11 . 2009-10-11 22:11 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\Apple Computer
2009-10-11 21:52 . 2009-10-11 21:52 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\Sony
2009-10-11 21:52 . 2009-10-11 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-10-11 21:48 . 2009-10-11 21:48 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-10-11 21:48 . 2009-10-11 21:48 -------- d-----w- c:\program files\Sony
2009-10-11 21:47 . 2009-10-11 21:47 -------- d-----w- c:\program files\QuickTime
2009-10-11 21:47 . 2009-10-11 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-11 21:46 . 2009-10-11 21:46 -------- d-----w- c:\program files\Apple Software Update
2009-10-11 21:46 . 2009-10-11 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-11 12:17 . 2009-09-16 20:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-03 21:23 . 2009-10-03 21:23 -------- d-----w- c:\documents and settings\Karla Friesen\Application Data\vlc
2009-10-02 00:40 . 2009-10-02 00:40 8 ----a-w- c:\windows\system32\nvModes.dat
2009-10-02 00:39 . 2009-10-02 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-10-01 23:50 . 2009-10-01 23:50 -------- d-----w- c:\program files\NVIDIA
2009-10-01 23:37 . 2009-10-01 23:37 -------- d-----w- c:\program files\Haali
2009-10-01 23:37 . 2009-10-01 23:37 -------- d-----w- c:\program files\CoreCodec
2009-09-23 01:03 . 2009-09-23 01:03 34 ----a-w- c:\windows\system32\BD2170W.DAT
2009-09-17 02:17 . 2009-09-17 02:17 1961720 ----a-w- c:\documents and settings\Karla Friesen\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-09-16 20:51 . 2009-09-16 20:51 152576 ----a-w- c:\documents and settings\Karla Friesen\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 01:03 . 2009-09-10 01:03 42944 ----a-w- c:\documents and settings\Karla Friesen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-09 17:56 . 2009-09-08 22:58 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-09 17:35 . 2009-09-09 17:34 251 ----a-w- c:\windows\xUninstall.bat
2009-09-09 17:16 . 2009-09-09 17:16 0 ----a-w- c:\windows\system32\drivers\SETC5.tmp
2009-09-09 17:10 . 2009-09-09 17:10 315392 ----a-w- c:\windows\HideWin.exe
2009-09-09 17:06 . 2009-09-09 17:06 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-09-09 17:06 . 2009-09-09 17:06 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-09-09 17:06 . 2009-09-09 17:06 21361 ----a-w- c:\windows\AegisP.sys
2009-09-09 16:42 . 2009-09-09 16:42 87608 ----a-w- c:\documents and settings\Karla Friesen\Application Data\ezpinst.exe
2009-09-09 16:42 . 2009-09-09 16:42 87608 ----a-w- c:\documents and settings\Karla Friesen\Application Data\ezpinst.exe
2009-09-09 16:42 . 2009-09-09 16:42 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-09-09 16:42 . 2009-09-09 16:42 47360 ----a-w- c:\documents and settings\Karla Friesen\Application Data\pcouffin.sys
2009-09-09 16:42 . 2009-09-09 16:42 47360 ----a-w- c:\documents and settings\Karla Friesen\Application Data\pcouffin.sys
2009-09-08 22:56 . 2009-09-08 22:56 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-21_17.00.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-21 17:14 . 2009-11-21 17:14 16384 c:\windows\Temp\Perflib_Perfdata_6dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 19:13 1115392 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-09 999424]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-09 1101824]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-18 53248]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-05-17 213936]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-03-14 805384]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-18 13533184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-18 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-03-07 16858112]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2006-07-21 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2006-05-04 2808832]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2003-11-20 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-06-18 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-9-9 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-27 23:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Acer Arcade Deluxe\\HomeMedia\\HomeMedia.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [10/27/2009 3:25 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [9/16/2009 11:56 AM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/16/2009 11:56 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/16/2009 11:56 AM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/27/2009 3:25 PM 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [11/9/2009 9:47 AM 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [10/27/2009 3:25 PM 5832712]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2/15/2008 8:09 AM 595248]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [9/16/2009 11:55 AM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [10/27/2009 3:25 PM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [10/27/2009 3:25 PM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [10/27/2009 3:25 PM 25736]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [9/8/2009 6:32 PM 39424]
R3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [9/9/2009 9:31 AM 40752]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [9/16/2009 11:55 AM 30104]
S3 axvbusx;axvbusx;c:\windows\system32\drivers\axvbusx.sys [12/27/2002 7:14 PM 8384]
S3 axvscsi;axvscsi;c:\windows\system32\drivers\axvscsi.sys [12/27/2002 7:14 PM 98560]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [9/9/2009 12:24 PM 16384]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [9/9/2009 12:24 PM 9216]
.
Contents of the 'Scheduled Tasks' folder

2009-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]

2009-11-21 c:\windows\Tasks\User_Feed_Synchronization-{6D7A13DC-633D-4D2B-9C87-5049E0C73264}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-21 12:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1312)
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(160)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-21 12:39
ComboFix-quarantined-files.txt 2009-11-21 20:39
ComboFix2.txt 2009-11-21 17:02

Pre-Run: 113,310,351,360 bytes free
Post-Run: 113,268,584,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 297C9DDBA1421F55B2AFFB46C69F7DE3

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania
  • Local time:03:39 PM

Posted 22 November 2009 - 06:37 AM

Hello mathgeek,

Well done :(

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.


In your next reply, please include the following:
  • MBAM log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#13 mathgeek

mathgeek
  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:39 AM

Posted 22 November 2009 - 11:53 AM

Morning (or Good afternoon - depending on your location) Elise,

I just thought I would let you know that I am in the process of scanning both my HDs (one's external - used periodically but I want to make sure) and I'm sure it will take some time. I also scanned using my AVG software when I woke and found no "Trogen_Agents" listed. We are definitely making progress and searching on the internet yields great results (no funny audio ads or hijacking taking place). You and your site ROCK! I'm going to send you a hug.

Cheers,
Karla

MBAM LOG:

Malwarebytes' Anti-Malware 1.41
Database version: 3213
Windows 5.1.2600 Service Pack 3

11/22/2009 9:33:08 AM
mbam-log-2009-11-22 (09-33-08).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 169171
Time elapsed: 42 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{0345ACE6-6E54-4B40-A033-2C4B6D655CE5}\RP69\A0014981.exe (Rogue.AntivirusDoktor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\AVP 2009\1.dat (Malware.Trace) -> Quarantined and deleted successfully.

Edited by mathgeek, 22 November 2009 - 12:35 PM.


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,817 posts
  • Gender:Female
  • Location:Romania
  • Local time:03:39 PM

Posted 22 November 2009 - 01:33 PM

Hello mathgeek,

I am glad you are happy with our help :( Things are looking good, but we still have to take care of some things. When you are cleaned up, I will let you know and give you some final advice, so don't worry about that.

UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u15-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image
In your next reply, please include the following:
  • ESET online scan results

regards, Elise




#15 mathgeek

mathgeek
  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:39 AM

Posted 22 November 2009 - 04:21 PM

Here you go Elise:

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.PY virus deleted - quarantined
E:\Recovery\Nero-8.3.6.0_eng_update.exe Win32/Toolbar.AskSBar application deleted - quarantined
E:\Recovery\toolbar.exe Win32/Toolbar.MegaUpload application deleted - quarantined


The last 2 were found on the drive I rarely use now but glad I scanned it.

What's next?



