Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Loud Sound From Fire Alarm System Shuts Down Nasdaq's Scandinavian Data Center

Featured Deal: Get 96% off the MCSA SQL Server Training Deal

Infected with trojan horse rootkit-pakes.U

Started by timmyrob , Nov 16 2009 12:27 AM

This topic is locked

2 replies to this topic

#1 timmyrob

Members
1 posts
OFFLINE

Local time:10:25 AM

Posted 16 November 2009 - 12:27 AM

I have AVG anti-virus software and it will not remove the virus, it says it has been "white listed" and cannot be removed. There haven't been any problems that I have noticed thus far from the virus, I just continually get a pop up warning window from AVG saying that the virus is on my computer (trojan horse rootkit-pakes.U).

DDS (Ver_09-10-26.01) - NTFSx86
Run by timmy at 23:58:19.87 on Sun 11/15/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1045 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
H:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
H:\Program Files\AVG\AVG9\avgrsx.exe
H:\Program Files\AVG\AVG9\avgcsrvx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\SkyTel.EXE
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Java\jre6\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\AIM6\aim6.exe
H:\Program Files\MySpace\IM\MySpaceIM.exe
H:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\Windows Desktop Search\WindowsSearch.exe
svchost.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\IoctlSvc.exe
H:\Program Files\Viewpoint\Common\ViewpointService.exe
H:\WINDOWS\system32\SearchIndexer.exe
H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
H:\Program Files\AIM6\aolsoftware.exe
H:\Program Files\MySpace\IM\MySpaceIM.exe
H:\WINDOWS\System32\svchost.exe -k HTTPFilter
H:\Program Files\AVG\AVG9\avgchsvx.exe
H:\Program Files\AVG\AVG9\avgwdsvc.exe
H:\Program Files\AVG\AVG9\avgam.exe
H:\Program Files\AVG\AVG9\avgnsx.exe
H:\Program Files\AVG\AVG9\avgfws9.exe
H:\Program Files\AVG\AVG9\avgtray.exe
H:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
H:\Program Files\AVG\AVG9\avgcsrvx.exe
H:\WINDOWS\system32\svchost.exe -k imgsvc
H:\Program Files\Common Files\Real\Update_OB\realsched.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\system32\SearchProtocolHost.exe
H:\Documents and Settings\timmy\Desktop\install\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/Login
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - h:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - h:\program files\avg\avg9\avgssie.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - h:\program files\spybot\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\program files\java\jre6\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - h:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - h:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - h:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - h:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
uRun: [Aim6] "h:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MySpaceIM] h:\program files\myspace\im\MySpaceIM.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "h:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "h:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE h:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE h:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "h:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroCheck] h:\windows\system32\\NeroCheck.exe
mRun: [InCD] h:\program files\ahead\incd\InCD.exe
mRun: [TkBellExe] "h:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] h:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NeroFilterCheck] h:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "h:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] h:\progra~1\avg\avg9\avgtray.exe
dRun: [MySpaceIM] h:\program files\myspace\im\MySpaceIM.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - h:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - h:\program files\windows desktop search\WindowsSearch.exe
IE: &AIM Search - h:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - h:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - h:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - h:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\timmy\applic~1\mozilla\firefox\profiles\2mhzsghq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT206422&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: h:\documents and settings\timmy\application data\mozilla\firefox\profiles\2mhzsghq.default\extensions\{c7e292f8-1f8d-40a6-8fa6-e6e83d51e7e1}\components\FFExternalAlert.dll
FF - component: h:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: h:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: h:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: h:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: h:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: h:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: h:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;h:\windows\system32\drivers\AVGIDSxx.sys [2009-10-27 25608]
R0 AvgRkx86;avgrkx86.sys;h:\windows\system32\drivers\avgrkx86.sys [2009-4-12 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [2009-4-12 333192]
R1 AvgTdiX;AVG8 Network Redirector;h:\windows\system32\drivers\avgtdix.sys [2009-4-12 360584]
R2 avg9wd;AVG WatchDog;h:\program files\avg\avg9\avgwdsvc.exe [2009-10-27 285392]
R2 avgfws9;AVG Firewall;h:\program files\avg\avg9\avgfws9.exe [2009-11-9 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;h:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-10-27 5832712]
R2 Viewpoint Manager Service;Viewpoint Manager Service;h:\program files\viewpoint\common\ViewpointService.exe [2007-10-28 24652]
R3 Avgfwdx;Avgfwdx;h:\windows\system32\drivers\avgfwdx.sys [2009-4-12 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;h:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-10-27 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;h:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-10-27 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;h:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-10-27 25736]
S3 Avgfwfd;AVG network filter service;h:\windows\system32\drivers\avgfwdx.sys [2009-4-12 30104]
S3 LUDrv32;LUDrv32;\??\g:\fxdrv32.sys --> g:\FXDrv32.sys [?]

=============== Created Last 30 ================

==================== Find3M ====================

2009-11-09 22:55:29 360584 ----a-w- h:\windows\system32\drivers\avgtdix.sys
2009-10-28 00:09:33 333192 ----a-w- h:\windows\system32\drivers\avgldx86.sys
2009-10-28 00:09:33 161800 ----a-w- h:\windows\system32\drivers\avgrkx86.sys
2009-10-28 00:09:33 12464 ----a-w- h:\windows\system32\avgrsstx.dll
2009-10-28 00:09:09 50968 ----a-w- h:\windows\system32\avgfwdx.dll
2009-10-28 00:09:09 30104 ----a-w- h:\windows\system32\drivers\avgfwdx.sys
2009-09-11 14:18:39 136192 ----a-w- h:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- h:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- h:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- h:\windows\system32\strmdll.dll
2008-12-04 20:47:41 32768 --sha-w- h:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120420081205\index.dat

============= FINISH: 23:58:42.35 ===============

Attached Files

Attach.txt 13.58KB 0 downloads
ark.txt 3.38KB 1 downloads

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 myrti

Sillyberry

Malware Study Hall Admin
33,766 posts
OFFLINE

Gender:Female
Location:At home
Local time:05:25 PM

Posted 24 November 2009 - 04:40 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from following mirror:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

Follow BleepingComputer on: Facebook | Twitter | Google+

Back to top

#3 myrti

Sillyberry

Malware Study Hall Admin
33,766 posts
OFFLINE

Gender:Female
Location:At home
Local time:05:25 PM

Posted 01 December 2009 - 10:16 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti