Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google search links redirected


  • This topic is locked This topic is locked
9 replies to this topic

#1 MRichardson

MRichardson

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 01 December 2009 - 01:44 AM

The problem started over the weekend and twice now I thought it had gone away only to creep back in eventually. AVG 9, Spybot, and Malwarebytes Anti-Malware all found different Trojans and supposedly got rid of them each time. Tonight I had the same problem come up after about six hours of problem-free run time, and scans from all three came back clean, which can't be right.

So at the moment, I'm getting random new tabs opening in Firefox 3 when I click on search links. In addition, clicking on the links sends me through a string of different sites instead, usually search sites listing more results for the topic I searched initially. To get to this forum, I had to copy the link and manually paste it into a new tab's blank address bar.

So of course any help you guys can give me is going to be insanely helpful here.



DDS (Ver_09-11-29.01) - NTFSx86
Run by Owner at 0:41:08.06 on Tue 12/01/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1244 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5072
uInternet Settings,ProxyServer = 63.208.180.6:3128
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5072
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [ypagerps3] cmd.exe /C del "c:\program files\yahoo!\messenger\ypagerps3.DLL"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [nwiz] nwiz.exe /install
mRunOnce: [InstallShieldSetup] "c:\program files\installshield installation information\{c4a4722e-79f9-417c-bd72-8d359a090c97}\setup.exe" -reboot"c:\program files\installshield installation information\{c4a4722e-79f9-417c-bd72-8d359a090c97}\reboot.ini"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} - hxxp://igloader.com/download/igloader.CAB
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\r5cn8c99.default\
FF - prefs.js: browser.startup.homepage - my.yahoo.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff30\gears.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-30 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-30 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-23 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-5-29 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-23 360584]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-9-25 574808]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-30 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-30 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-11-30 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-11-30 5832712]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [2008-9-12 16288]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-11-30 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-11-30 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-11-30 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-11-30 25736]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys --> c:\windows\system32\drivers\nielprt.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-9 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-11-30 30104]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2007-10-21 31872]
S3 VRSService;VRS Recording System;c:\program files\nch swift sound\vrs\vrs.exe [2008-8-28 651268]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-25 24652]

=============== Created Last 30 ================

2009-11-30 12:49:39 0 d--h--w- C:\$AVG
2009-11-30 12:49:11 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-11-30 12:49:09 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-30 12:48:29 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-11-30 12:48:29 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-11-30 12:48:25 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-30 12:47:50 0 d-----w- c:\windows\SxsCaPendDel
2009-11-28 15:48:13 0 d-sh--w- c:\documents and settings\owner\IECompatCache
2009-11-06 09:17:15 0 d-----w- c:\windows\Performance
2009-11-06 09:16:38 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-06 06:54:34 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2009-11-06 06:54:25 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-11-06 06:54:07 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-11-06 06:54:06 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-11-06 06:54:05 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2009-11-06 06:54:04 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-11-06 06:54:04 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2009-11-06 06:54:03 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-11-06 06:53:55 94720 -c--a-w- c:\windows\system32\dllcache\certmap.ocx
2009-11-04 23:56:24 0 d-----w- c:\windows\pss
2009-11-04 20:05:05 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-04 15:16:31 4548 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-04 14:38:29 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-11-04 14:37:48 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-11-04 14:33:41 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2009-11-30 14:58:35 2518 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2009-11-30 12:49:23 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-30 12:49:23 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-30 12:49:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-08 19:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll

============= FINISH: 0:42:54.01 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:56 AM

Posted 08 December 2009 - 10:38 AM

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this do following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking download exe -button and then saving it your desktop:
  • Double-click .exe that you downloaded
  • Click rootkit-tab and then scan.
  • Don't check
    Show All
    box while scanning in progress!
  • When scanning is ready, click Copy.
  • This copies log to clipboard
  • Post log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 MRichardson

MRichardson
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 08 December 2009 - 02:50 PM

Thanks for getting back to me. I know it's crazy and that it can take a while to wait my turn, so I knew patience was the key.

I've kept this system mostly disconnected from the net since the issues have come up, so hopefully I can use it again soon now that I'm moved up on the queue. :(

Here we go....


DDS (Ver_09-11-29.01) - NTFSx86
Run by Owner at 11:21:54.77 on Tue 12/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1175 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5072
uInternet Settings,ProxyServer = 63.208.180.6:3128
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5072
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [ypagerps3] cmd.exe /C del "c:\program files\yahoo!\messenger\ypagerps3.DLL"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [nwiz] nwiz.exe /install
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} - hxxp://igloader.com/download/igloader.CAB
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\r5cn8c99.default\
FF - prefs.js: browser.startup.homepage - my.yahoo.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff30\gears.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-30 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-30 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-23 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-5-29 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-23 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-30 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-30 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-11-30 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-11-30 5832712]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [2008-9-12 16288]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-11-30 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-11-30 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-11-30 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-11-30 25736]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys --> c:\windows\system32\drivers\nielprt.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-9 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-11-30 30104]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2007-10-21 31872]
S3 VRSService;VRS Recording System;c:\program files\nch swift sound\vrs\vrs.exe [2008-8-28 651268]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-25 24652]

=============== Created Last 30 ================

2009-11-30 12:49:39 0 d--h--w- C:\$AVG
2009-11-30 12:49:11 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-11-30 12:49:09 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-30 12:48:29 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-11-30 12:48:29 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-11-30 12:48:25 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-30 12:47:50 0 d-----w- c:\windows\SxsCaPendDel
2009-11-28 15:48:13 0 d-sh--w- c:\documents and settings\owner\IECompatCache

==================== Find3M ====================

2009-12-07 10:35:03 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-01 16:05:26 2658 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2009-11-30 12:49:23 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-30 12:49:23 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-30 12:49:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-04 15:16:31 4548 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-08 19:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll

============= FINISH: 11:25:45.27 ===============




GMER 1.0.15.15273 - http://www.gmer.net
Rootkit scan 2009-12-08 14:44:22
Windows 5.1.2600 Service Pack 3
Running: igq5jdfh.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kfrcipow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xA2F62470]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xA2F62520]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xA2F625C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xA2F62660]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xB9E8D7A4]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7CE5360, 0x32DEFD, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

Device -> \Driver\atapi \Device\Harddisk0\DR0 8ABE3618

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 59: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attached Files



#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:56 AM

Posted 08 December 2009 - 02:52 PM

Shall do my best :(


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 MRichardson

MRichardson
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 08 December 2009 - 04:48 PM

Okay ran ComboFix and DDS as directed.

Couldn't find a way to disable AVG 9 so I uninstalled for now. Not really an issue since I had mistakenly installed the trial version of the full package instead of AVG Free when I upgraded.

Here are the logs

ComboFix 09-12-08.03 - Owner 12/08/2009 16:35:01.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1532 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-11-08 to 2009-12-08 )))))))))))))))))))))))))))))))
.

2009-12-07 08:11 . 2009-11-30 12:48 304408 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgaspmx.dll
2009-11-30 13:05 . 2009-11-30 12:49 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-30 13:05 . 2009-11-30 12:48 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-30 13:04 . 2009-11-30 12:48 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-30 13:04 . 2009-11-30 12:48 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-30 12:49 . 2009-11-30 12:52 -------- d-----w- C:\$AVG
2009-11-30 12:48 . 2009-12-08 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-30 12:47 . 2009-11-30 12:52 -------- d-----w- c:\windows\SxsCaPendDel
2009-11-30 03:17 . 2009-11-30 03:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-30 03:12 . 2009-11-30 03:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-28 15:48 . 2009-11-28 15:48 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 10:35 . 2004-08-04 05:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-07 08:18 . 2005-01-01 09:24 -------- d-----w- c:\program files\Google
2009-12-07 08:15 . 2008-07-30 17:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Amazon
2009-12-07 08:15 . 2008-07-30 17:29 -------- d-----w- c:\program files\Amazon
2009-12-05 11:35 . 2007-05-11 13:07 -------- d-----w- c:\program files\Trillian
2009-12-04 13:24 . 2007-05-30 13:24 -------- d-----w- c:\program files\Zoom Player
2009-12-01 16:05 . 2007-05-11 21:46 2658 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-12-01 05:30 . 2008-05-31 14:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Samsung
2009-12-01 05:30 . 2005-01-01 09:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-01 05:28 . 2008-05-31 13:57 -------- d-----w- c:\program files\NCH Swift Sound
2009-12-01 05:27 . 2008-06-19 12:17 -------- d-----w- c:\program files\AnMing
2009-11-30 12:52 . 2007-10-02 00:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-30 12:48 . 2008-06-23 09:06 -------- d-----w- c:\program files\AVG
2009-11-30 12:04 . 2007-10-02 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-29 12:46 . 2009-03-03 11:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-29 12:46 . 2008-11-13 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-11-14 20:17 . 2007-05-10 19:14 -------- d-----w- c:\program files\City of Heroes
2009-11-08 10:10 . 2007-08-11 23:49 -------- d-----w- c:\program files\Paint Shop Pro
2009-11-04 22:25 . 2009-02-18 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 22:25 . 2009-02-18 19:51 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-04 20:02 . 2005-01-01 09:35 -------- d-----w- c:\program files\Microsoft Works
2009-11-04 20:02 . 2009-04-22 08:25 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-04 20:00 . 2009-08-12 00:08 -------- d-----w- c:\program files\Mids Hero Designer
2009-11-04 15:16 . 2009-11-04 15:16 4548 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-08 19:57 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57 . 2005-01-09 23:48 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56 . 2005-01-09 23:48 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-11 14:18 . 2005-01-09 23:48 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-02-18 19:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-02-18 19:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" [2008-09-18 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-5-10 169472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ypagerps3]
del [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\City of Heroes\\CohUpdater.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\City of Heroes\\CityOfHeroes.exe"=
"c:\\Program Files\\CohTest\\CityOfHeroes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19629:TCP"= 19629:TCP:BitComet 19629 TCP
"19629:UDP"= 19629:UDP:BitComet 19629 UDP
"94:TCP"= 94:TCP:VRS Recording System Web Control Panel
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [9/12/2008 12:39 AM 16288]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2009 11:08 AM 133104]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [10/21/2007 2:20 PM 31872]
S3 VRSService;VRS Recording System;c:\program files\NCH Swift Sound\VRS\vrs.exe [8/28/2008 7:14 PM 651268]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/25/2008 7:29 PM 24652]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5072
uInternet Settings,ProxyServer = 63.208.180.6:3128
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\r5cn8c99.default\
FF - prefs.js: browser.startup.homepage - my.yahoo.com
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-08 16:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2496)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-08 16:38:37
ComboFix-quarantined-files.txt 2009-12-08 21:38
ComboFix2.txt 2009-12-08 21:31

Pre-Run: 203,090,780,160 bytes free
Post-Run: 203,068,788,736 bytes free

- - End Of File - - F44547CB357E1218347063B491BD4D0A



DDS (Ver_09-11-29.01) - NTFSx86
Run by Owner at 16:41:27.20 on Tue 12/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1457 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5072
uInternet Settings,ProxyServer = 63.208.180.6:3128
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [nwiz] nwiz.exe /install
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} - hxxp://igloader.com/download/igloader.CAB
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\r5cn8c99.default\
FF - prefs.js: browser.startup.homepage - my.yahoo.com
FF - component: c:\program files\google\google gears\firefox\lib\ff30\gears.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [2008-9-12 16288]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys --> c:\windows\system32\drivers\nielprt.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-9 133104]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2007-10-21 31872]
S3 VRSService;VRS Recording System;c:\program files\nch swift sound\vrs\vrs.exe [2008-8-28 651268]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-25 24652]

=============== Created Last 30 ================

2009-12-08 21:07:43 0 d-sha-r- C:\cmdcons
2009-12-08 21:04:32 98816 ----a-w- c:\windows\sed.exe
2009-12-08 21:04:32 77312 ----a-w- c:\windows\MBR.exe
2009-12-08 21:04:32 260096 ----a-w- c:\windows\PEV.exe
2009-12-08 21:04:32 161792 ----a-w- c:\windows\SWREG.exe
2009-11-30 12:49:39 0 d-----w- C:\$AVG
2009-11-30 12:48:25 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-30 12:47:50 0 d-----w- c:\windows\SxsCaPendDel
2009-11-28 15:48:13 0 d-sh--w- c:\documents and settings\owner\IECompatCache

==================== Find3M ====================

2009-12-07 10:35:03 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-01 16:05:26 2658 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2009-11-04 15:16:31 4548 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-08 19:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll

============= FINISH: 16:41:42.54 ===============

Attached Files



#6 MRichardson

MRichardson
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 08 December 2009 - 05:17 PM

So far so good.

I've been doing random searches on Google and seeing if anything redirects my browser to test this out. So far it looks like the problem is gone. I won't pretend to understand enough of what the logs above say though. And as I said in my initial post, it seemed to go away before back at the start. We'll see how it goes.

Thank you very much for all the help!

#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:56 AM

Posted 08 December 2009 - 05:23 PM

Hi,

Please look for ComboFix2.txt file in c:\ComboFix or c:\QooBox folder and post its contents back here. It seems that ComboFix got run twice :(

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#8 MRichardson

MRichardson
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 08 December 2009 - 05:35 PM

Ran twice? Huh.... okay then. There is indeed a second ComboFix log.

EDIT: Found out why it ran twice. I left it in the capable hands of my trusted roommate while I stepped out for an errand and he apparently didn't deactivate SpyBot the first time so he ran it again. I'll take the blame on that one for any mixups.

ComboFix 09-12-08.03 - Owner 12/08/2009 16:12:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1669 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\EULA.txt
C:\install.exe
c:\recycler\S-1-5-21-1248869063-172760899-454343334-500
c:\recycler\S-1-5-21-1366931732-1974241444-83119282-500
c:\recycler\S-1-5-21-4165287569-3875248238-2152052952-500
c:\windows\kb913800.exe
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-08 to 2009-12-08 )))))))))))))))))))))))))))))))
.

2009-12-07 08:11 . 2009-11-30 12:48 304408 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgaspmx.dll
2009-11-30 13:05 . 2009-11-30 12:49 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-30 13:05 . 2009-11-30 12:48 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-30 13:04 . 2009-11-30 12:48 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-30 13:04 . 2009-11-30 12:48 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-30 12:49 . 2009-11-30 12:52 -------- d-----w- C:\$AVG
2009-11-30 12:48 . 2009-12-08 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-30 12:47 . 2009-11-30 12:52 -------- d-----w- c:\windows\SxsCaPendDel
2009-11-30 03:17 . 2009-11-30 03:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-30 03:12 . 2009-11-30 03:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-28 15:48 . 2009-11-28 15:48 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 10:35 . 2004-08-04 05:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-07 08:18 . 2005-01-01 09:24 -------- d-----w- c:\program files\Google
2009-12-07 08:15 . 2008-07-30 17:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Amazon
2009-12-07 08:15 . 2008-07-30 17:29 -------- d-----w- c:\program files\Amazon
2009-12-05 11:35 . 2007-05-11 13:07 -------- d-----w- c:\program files\Trillian
2009-12-04 13:24 . 2007-05-30 13:24 -------- d-----w- c:\program files\Zoom Player
2009-12-01 16:05 . 2007-05-11 21:46 2658 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-12-01 05:30 . 2008-05-31 14:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Samsung
2009-12-01 05:30 . 2005-01-01 09:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-01 05:28 . 2008-05-31 13:57 -------- d-----w- c:\program files\NCH Swift Sound
2009-12-01 05:27 . 2008-06-19 12:17 -------- d-----w- c:\program files\AnMing
2009-11-30 12:52 . 2007-10-02 00:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-30 12:48 . 2008-06-23 09:06 -------- d-----w- c:\program files\AVG
2009-11-30 12:04 . 2007-10-02 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-29 12:46 . 2009-03-03 11:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-29 12:46 . 2008-11-13 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-11-14 20:17 . 2007-05-10 19:14 -------- d-----w- c:\program files\City of Heroes
2009-11-08 10:10 . 2007-08-11 23:49 -------- d-----w- c:\program files\Paint Shop Pro
2009-11-04 22:25 . 2009-02-18 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 22:25 . 2009-02-18 19:51 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-04 20:02 . 2005-01-01 09:35 -------- d-----w- c:\program files\Microsoft Works
2009-11-04 20:02 . 2009-04-22 08:25 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-04 20:00 . 2009-08-12 00:08 -------- d-----w- c:\program files\Mids Hero Designer
2009-11-04 15:16 . 2009-11-04 15:16 4548 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-08 19:57 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57 . 2005-01-09 23:48 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56 . 2005-01-09 23:48 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-11 14:18 . 2005-01-09 23:48 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-02-18 19:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-02-18 19:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ypagerps3"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" [2008-09-18 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-5-10 169472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ypagerps3]
del [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\City of Heroes\\CohUpdater.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\City of Heroes\\CityOfHeroes.exe"=
"c:\\Program Files\\CohTest\\CityOfHeroes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19629:TCP"= 19629:TCP:BitComet 19629 TCP
"19629:UDP"= 19629:UDP:BitComet 19629 UDP
"94:TCP"= 94:TCP:VRS Recording System Web Control Panel
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [9/12/2008 12:39 AM 16288]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2009 11:08 AM 133104]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [10/21/2007 2:20 PM 31872]
S3 VRSService;VRS Recording System;c:\program files\NCH Swift Sound\VRS\vrs.exe [8/28/2008 7:14 PM 651268]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/25/2008 7:29 PM 24652]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5072
uInternet Settings,ProxyServer = 63.208.180.6:3128
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\r5cn8c99.default\
FF - prefs.js: browser.startup.homepage - my.yahoo.com
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-aawservice
AddRemove-ScanCraft CS-P - c:\windows\IsUninst.exe -fc:\program files\Canon\ScanCraft CS-P\Uninst.isu -cc:\program files\Canon\ScanCraft CS-P\scuninst.dll
AddRemove-CohSplasher - c:\program files\CohSplasher\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-08 16:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
Completion time: 2009-12-08 16:31:05
ComboFix-quarantined-files.txt 2009-12-08 21:31

Pre-Run: 203,448,942,592 bytes free
Post-Run: 203,070,431,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - F6F485F7F4D7BF05A6D5A89E22856316

Edited by MRichardson, 08 December 2009 - 05:40 PM.


#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:56 AM

Posted 09 December 2009 - 03:43 AM

Hi,

Is d: drive your recovery partition?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:56 AM

Posted 18 December 2009 - 01:24 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users