Redirect Virus


  • This topic is locked
19 replies to this topic

#1 Astrella

Astrella

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:55 AM

Posted 08 December 2009 - 05:15 AM

I have a virus that redirects me to random sites while I'm browsing the internet. I have done countless scans with programs such as Malwarebytes and SUPERAntiSpyware. I also have AVG and Ad-Aware installed. Nothing has been able to snuff it out. I'm hoping one of the experts here can help me out.

(Sorry for the second post. The first one showed a topic but with no message so I thought I'd try again.)


My HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:27, on 12/8/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...P&M=GM5416E
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...P&M=GM5416E
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...P&M=GM5416E
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Ashley\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: StumbleUpon - {75C9223A-409A-4795-A3CA-08DE6B075B4B} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NMSAccess - Unknown owner - C:\Windows\system32\NMSAccess.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

Edited by Astrella, 08 December 2009 - 05:45 AM.



#2 Astrella

Astrella
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:55 AM

Posted 11 December 2009 - 04:55 AM

I have some sort of spyware that redirects me to random pages when I'm browsing the internet. I've done scans with programs such as SUPERAntiSpyware and Malwarebytes, but they have not been able to fix it. I was able to run DDS, but RootRepeal crashed.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Ashley at 4:11:28.75 on Fri 12/11/2009
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.1147 [GMT -5:00]

SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\NMSAccess.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Public\Games\World of Warcraft\WoW.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Ashley\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5416E
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5416E
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5416E
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [<NO NAME>]
uRun: [Google Update] "c:\users\ashley\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [c:\program files\free video zilla\FVZilla.exe]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {75C9223A-409A-4795-A3CA-08DE6B075B4B} - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\ashley\appdata\roaming\mozilla\firefox\profiles\ah3wmhg2.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\programdata\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\users\ashley\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-30 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-12-7 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-30 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-30 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-30 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-30 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-30 285392]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-5 1153368]
R3 AVMNgBasM780;AVerMedia M780 Base Driver;c:\windows\system32\drivers\AVerBas.sys [2007-1-3 51584]
R3 AVMNgCapM780;AVerMedia M780 Audio/Video Capture Driver;c:\windows\system32\drivers\AVerCap.sys [2007-1-3 364544]
R3 AVMNgTunM780;AVerMedia M780 TVTuner Driver;c:\windows\system32\drivers\AVerTun.sys [2007-1-3 162304]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-1-3 5504]
R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2008-1-2 408064]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-11-18 36312]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-24 21504]
S3 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S4 BGAELPJSP;BGAELPJSP;c:\users\ashley\appdata\local\temp\bgaelpjsp.exe --> c:\users\ashley\appdata\local\temp\BGAELPJSP.exe [?]
S4 HIPV;HIPV;c:\users\ashley\appdata\local\temp\hipv.exe --> c:\users\ashley\appdata\local\temp\HIPV.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-12-09 23:08:22 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 23:08:22 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 23:08:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 23:08:11 834048 ----a-w- c:\windows\system32\wininet.dll
2009-12-09 23:08:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-09 23:08:04 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 23:07:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 10:08:30 0 d-----w- c:\program files\Trend Micro
2009-12-07 20:04:46 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-07 20:04:34 0 d-----w- c:\program files\Panda Security
2009-12-07 19:44:44 0 d-----w- c:\program files\NVIDIA nTune Performance Application
2009-12-07 15:32:37 0 d-----w- c:\program files\The Sims Resource
2009-12-07 13:48:35 34990 ----a-w- c:\programdata\nvModes.dat
2009-12-07 10:16:59 696832 ----a-w- c:\windows\isRS-000.tmp
2009-12-05 20:51:52 0 d-----w- c:\program files\SpywareBlaster
2009-12-05 20:50:49 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-12-05 20:50:48 270848 ----a-w- c:\windows\system32\schannel.dll
2009-12-05 20:45:49 87552 ----a-w- c:\windows\system32\VACFix.exe
2009-12-05 20:45:47 82944 ----a-w- c:\windows\system32\IEDFix.exe
2009-12-05 20:45:45 75776 ----a-w- c:\windows\system32\WS2Fix.exe
2009-12-05 20:45:44 289144 ----a-w- c:\windows\system32\VCCLSID.exe
2009-12-05 20:45:42 79360 ----a-w- c:\windows\system32\swxcacls.exe
2009-12-05 20:45:41 51200 ----a-w- c:\windows\system32\dumphive.exe
2009-12-05 20:45:41 288417 ----a-w- c:\windows\system32\SrchSTS.exe
2009-12-05 20:45:39 135168 ----a-w- c:\windows\system32\swreg.exe
2009-12-05 20:45:36 53248 ----a-w- c:\windows\system32\Process.exe
2009-12-05 20:45:20 0 d-----w- c:\windows\system32\SmitfraudFix
2009-12-03 04:11:37 0 d-----w- c:\users\ashley\appdata\roaming\Foxit
2009-12-03 04:11:26 0 d-----w- c:\program files\Foxit Software
2009-12-01 00:21:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-30 23:21:18 0 d-----w- c:\program files\Buildalot 2 Town Of The Year
2009-11-30 22:07:37 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-30 21:58:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-30 21:40:11 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-30 21:39:51 0 d-----w- c:\programdata\Lavasoft
2009-11-30 21:39:51 0 d-----w- c:\program files\Lavasoft
2009-11-30 21:08:44 0 d--h--w- C:\$AVG
2009-11-30 21:08:36 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-30 21:08:36 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-30 21:08:30 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-30 21:08:29 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-30 21:08:27 0 d-----w- c:\programdata\AVG Security Toolbar
2009-11-30 21:08:04 0 d-----w- c:\programdata\avg9
2009-11-30 16:09:49 0 d-----w- c:\programdata\SITEguard
2009-11-30 16:09:08 0 d-----w- c:\program files\STOPzilla!
2009-11-30 16:09:06 0 d-----w- c:\program files\common files\iS3
2009-11-30 16:09:05 0 d-----w- c:\programdata\STOPzilla!
2009-11-26 03:56:30 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 13:47:25 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 13:47:24 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-25 13:47:18 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-11-21 01:33:30 64882 ----a-w- c:\windows\system32\NvwsApps.xml
2009-11-21 01:33:30 272278 ----a-w- c:\windows\system32\NvApps.xml
2009-11-21 01:33:00 812648 ----a-w- c:\windows\system32\nvsvc.dll
2009-11-21 01:33:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2009-11-21 01:33:00 12685928 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-21 01:33:00 122984 ----a-w- c:\windows\system32\nvvsvc.exe
2009-11-21 01:33:00 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-18 14:31:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-17 11:49:42 0 d-----w- c:\program files\Windows Portable Devices
2009-11-17 11:49:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-17 08:03:01 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-11-17 08:03:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-11-17 08:01:58 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-11-17 08:00:21 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-11-17 08:00:21 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-11-17 08:00:21 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-11-14 18:28:09 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-14 18:28:00 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-14 17:28:04 0 d-----w- c:\users\ashley\appdata\roaming\DeviceDoctorSoftware
2009-11-14 17:28:01 0 d-----w- c:\program files\Device Doctor
2009-11-14 17:25:55 0 d-----w- C:\rei
2009-11-14 17:25:53 0 d-----w- c:\program files\Reimage
2009-11-14 17:18:29 0 d-----w- c:\program files\RadarSync
2009-11-14 17:11:03 0 d-----w- c:\windows\system32\eu-ES
2009-11-14 17:11:03 0 d-----w- c:\windows\system32\ca-ES
2009-11-14 17:11:02 0 d-----w- c:\windows\system32\vi-VN
2009-11-14 17:05:25 0 d-----w- c:\programdata\UAB
2009-11-14 17:04:31 0 d-----w- c:\program files\PC Drivers HeadQuarters
2009-11-14 16:56:27 0 d-----w- c:\windows\system32\EventProviders
2009-11-13 20:39:37 0 d-----w- c:\program files\Alarm Clock

==================== Find3M ====================

2009-12-07 14:32:58 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-07 14:32:58 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-07 14:32:58 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 20:34:47 235064 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2009-11-20 02:42:56 592488 ----a-w- c:\windows\system32\nvuninst.exe
2009-11-17 11:49:39 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-14 17:07:04 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-11-03 01:42:06 195456 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-28 10:25:56 82774 ----a-w- c:\windows\Uninstall Jade Empire.exe
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-09-27 20:12:22 170600 ----a-w- c:\windows\system32\nvcod167.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-07-01 16:40:24 174 --sha-w- c:\program files\desktop.ini
2008-09-20 16:58:30 75646 ---ha-w- c:\program files\peggle nights.jpg
2008-09-01 14:29:10 23 ---ha-w- c:\program files\tracked_by_h33t_com.txt
2008-09-01 14:29:10 226 ---ha-w- c:\program files\Important read this before opening files.txt
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 4:15:19.03 ===============

Attached Files


Edited by Orange Blossom, 11 December 2009 - 08:01 PM.
Merged topics. ~ OB


#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:55 AM

Posted 20 December 2009 - 05:30 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems just let me know in your next reply or simply post a Hijackthis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 Astrella

Astrella
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:55 AM

Posted 23 December 2009 - 10:21 PM

Hello EB, thanks for the reply. I am still experiencing the same problems. A random website will open in a new tab. It is usually a site asking me to take a survey. Here is my DDS log. I tried running RootRepeal but it gets stuck on C:\Windows\winsxs\Manifests\



DDS (Ver_09-12-01.01) - NTFSx86
Run by Ashley at 21:53:27.23 on Wed 12/23/2009
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2020 [GMT -5:00]

SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\NMSAccess.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Ashley\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5416E
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5416E
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5416E
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [<NO NAME>]
uRun: [Google Update] "c:\users\ashley\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [c:\program files\free video zilla\FVZilla.exe]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [combofix] "c:\comfix.exe\cf21907.cfxxe" /c "c:\comfix.exe\C.bat"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {75C9223A-409A-4795-A3CA-08DE6B075B4B} - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\ashley\appdata\roaming\mozilla\firefox\profiles\ah3wmhg2.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\programdata\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\users\ashley\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-30 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-12-7 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-30 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-30 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-30 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-30 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-30 285392]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R3 AVMNgBasM780;AVerMedia M780 Base Driver;c:\windows\system32\drivers\AVerBas.sys [2007-1-3 51584]
R3 AVMNgCapM780;AVerMedia M780 Audio/Video Capture Driver;c:\windows\system32\drivers\AVerCap.sys [2007-1-3 364544]
R3 AVMNgTunM780;AVerMedia M780 TVTuner Driver;c:\windows\system32\drivers\AVerTun.sys [2007-1-3 162304]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-1-3 5504]
R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2008-1-2 408064]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-11-18 36312]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-24 21504]
S3 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S4 BGAELPJSP;BGAELPJSP;c:\users\ashley\appdata\local\temp\bgaelpjsp.exe --> c:\users\ashley\appdata\local\temp\BGAELPJSP.exe [?]
S4 HIPV;HIPV;c:\users\ashley\appdata\local\temp\hipv.exe --> c:\users\ashley\appdata\local\temp\HIPV.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-12-18 15:24:21 286350198 ----a-w- c:\windows\MEMORY.DMP
2009-12-09 23:08:22 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 23:08:22 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 23:08:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 23:08:11 834048 ----a-w- c:\windows\system32\wininet.dll
2009-12-09 23:08:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-09 23:08:04 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 23:07:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 10:08:30 0 d-----w- c:\program files\Trend Micro
2009-12-07 20:04:46 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-07 20:04:34 0 d-----w- c:\program files\Panda Security
2009-12-07 19:44:44 0 d-----w- c:\program files\NVIDIA nTune Performance Application
2009-12-07 15:32:37 0 d-----w- c:\program files\The Sims Resource
2009-12-07 13:48:35 34990 ----a-w- c:\programdata\nvModes.dat
2009-12-07 10:16:59 696832 ----a-w- c:\windows\isRS-000.tmp
2009-12-05 20:51:52 0 d-----w- c:\program files\SpywareBlaster
2009-12-05 20:50:49 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-12-05 20:50:48 270848 ----a-w- c:\windows\system32\schannel.dll
2009-12-05 20:45:49 87552 ----a-w- c:\windows\system32\VACFix.exe
2009-12-05 20:45:47 82944 ----a-w- c:\windows\system32\IEDFix.exe
2009-12-05 20:45:45 75776 ----a-w- c:\windows\system32\WS2Fix.exe
2009-12-05 20:45:44 289144 ----a-w- c:\windows\system32\VCCLSID.exe
2009-12-05 20:45:42 79360 ----a-w- c:\windows\system32\swxcacls.exe
2009-12-05 20:45:41 51200 ----a-w- c:\windows\system32\dumphive.exe
2009-12-05 20:45:41 288417 ----a-w- c:\windows\system32\SrchSTS.exe
2009-12-05 20:45:39 135168 ----a-w- c:\windows\system32\swreg.exe
2009-12-05 20:45:36 53248 ----a-w- c:\windows\system32\Process.exe
2009-12-05 20:45:20 0 d-----w- c:\windows\system32\SmitfraudFix
2009-12-03 04:11:37 0 d-----w- c:\users\ashley\appdata\roaming\Foxit
2009-12-03 04:11:26 0 d-----w- c:\program files\Foxit Software
2009-12-01 00:21:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-30 23:21:18 0 d-----w- c:\program files\Buildalot 2 Town Of The Year
2009-11-30 22:07:37 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-30 21:58:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-30 21:40:11 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-30 21:39:51 0 d-----w- c:\programdata\Lavasoft
2009-11-30 21:39:51 0 d-----w- c:\program files\Lavasoft
2009-11-30 21:08:44 0 d--h--w- C:\$AVG
2009-11-30 21:08:36 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-30 21:08:36 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-30 21:08:30 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-30 21:08:29 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-30 21:08:27 0 d-----w- c:\programdata\AVG Security Toolbar
2009-11-30 21:08:04 0 d-----w- c:\programdata\avg9
2009-11-30 16:09:49 0 d-----w- c:\programdata\SITEguard
2009-11-30 16:09:08 0 d-----w- c:\program files\STOPzilla!
2009-11-30 16:09:06 0 d-----w- c:\program files\common files\iS3
2009-11-30 16:09:05 0 d-----w- c:\programdata\STOPzilla!
2009-11-26 03:56:30 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 13:47:25 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 13:47:24 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-25 13:47:18 714240 ----a-w- c:\windows\system32\timedate.cpl

==================== Find3M ====================

2009-12-07 14:32:58 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-07 14:32:58 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-07 14:32:58 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 20:34:47 235064 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2009-11-21 01:33:00 812648 ----a-w- c:\windows\system32\nvsvc.dll
2009-11-21 01:33:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2009-11-21 01:33:00 12685928 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-21 01:33:00 122984 ----a-w- c:\windows\system32\nvvsvc.exe
2009-11-21 01:33:00 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-20 02:42:56 592488 ----a-w- c:\windows\system32\nvuninst.exe
2009-11-18 14:31:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-17 11:49:39 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 11:49:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-14 17:07:04 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-11-03 01:42:06 195456 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-28 10:25:56 82774 ----a-w- c:\windows\Uninstall Jade Empire.exe
2009-10-08 21:08:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-09-27 20:12:22 170600 ----a-w- c:\windows\system32\nvcod167.dll
2009-07-01 16:40:24 174 --sha-w- c:\program files\desktop.ini
2008-09-20 16:58:30 75646 ---ha-w- c:\program files\peggle nights.jpg
2008-09-01 14:29:10 23 ---ha-w- c:\program files\tracked_by_h33t_com.txt
2008-09-01 14:29:10 226 ---ha-w- c:\program files\Important read this before opening files.txt
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 21:56:33.00 ===============

Attached Files



#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:55 AM

Posted 24 December 2009 - 11:05 AM

Try GMER...

Download and Run GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

#6 Astrella

Astrella
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:55 AM

Posted 24 December 2009 - 12:09 PM

Here is my Gmer log:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-24 12:07:24
Windows 6.0.6002 Service Pack 2
Running: t7iqs0ht.exe; Driver: C:\Users\Ashley\AppData\Local\Temp\uxryqpod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\cdfs \Cdfs 80E2205C
Device -> \Driver\iaStorV \Device\Harddisk0\DR0 85AE9618

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Users\Ashley\AppData\Local\Temp\fla1039.tmp 0 bytes
File C:\Windows\system32\drivers\iaStorV.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:55 AM

Posted 24 December 2009 - 12:12 PM

Hello,

Thanks for that GMER log, that's quite helpful. We will start with Combofix and continue from there.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

#8 Astrella

Astrella
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:55 AM

Posted 24 December 2009 - 03:02 PM

Hi, I disabled Ad-Aware and AVG and tried running ComboFix, but it told me that Avira was still running, even though I don't use Avira and don't have it installed on my computer. I was afraid of messing things up so I closed the program. What should I do?

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:55 AM

Posted 24 December 2009 - 03:12 PM

Just press OK and continue on. Combofix is detecting that because Avira was not de-registered from the WMI. No need to worry.

Post the logs upon completion.

#10 Astrella

Astrella
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:55 AM

Posted 24 December 2009 - 04:19 PM

Hey EB, thanks for all your help so far. I was able to run combofix. I have attached my log.

Attached Files



#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:55 AM

Posted 24 December 2009 - 06:01 PM

Hello.

Regarding one of the infections removed.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do if you wish to continue with the disinfection process or not.

With Regards,
Extremeboy

#12 Astrella

Astrella
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:55 AM

Posted 24 December 2009 - 07:25 PM

I would like to clean the machine. I plan on reformatting in the near future, though, and luckily I don't do any sort of online banking.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:55 AM

Posted 24 December 2009 - 07:36 PM

Sure. We will continue then.

Please run a scan with Malwarebytes.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running now. Please run GMER again and post that log too for me to review.

Thanks.

With Regards,
Extremeboy

#14 Astrella

Astrella
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:55 AM

Posted 25 December 2009 - 02:17 PM

Sorry for the delayed response. My computer seems to be running fine. I haven't had any popups so far. Malwarebytes found 0 infections. Here is my DDS report:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Ashley at 13:20:22.95 on Fri 12/25/2009
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.1874 [GMT -5:00]

SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\NMSAccess.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Windows\system32\STacSV.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Microsoft Reader\MSReader.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\taskeng.exe
C:\Users\Ashley\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5416E
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [Google Update] "c:\users\ashley\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {75C9223A-409A-4795-A3CA-08DE6B075B4B} - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\ashley\appdata\roaming\mozilla\firefox\profiles\ah3wmhg2.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\ashley\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-30 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-12-7 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-30 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-30 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-30 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-30 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-30 285392]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R3 AVMNgBasM780;AVerMedia M780 Base Driver;c:\windows\system32\drivers\AVerBas.sys [2007-1-3 51584]
R3 AVMNgCapM780;AVerMedia M780 Audio/Video Capture Driver;c:\windows\system32\drivers\AVerCap.sys [2007-1-3 364544]
R3 AVMNgTunM780;AVerMedia M780 TVTuner Driver;c:\windows\system32\drivers\AVerTun.sys [2007-1-3 162304]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-1-3 5504]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-30 38224]
R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2008-1-2 408064]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-11-18 36312]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-24 21504]
S3 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S4 BGAELPJSP;BGAELPJSP;c:\users\ashley\appdata\local\temp\bgaelpjsp.exe --> c:\users\ashley\appdata\local\temp\BGAELPJSP.exe [?]
S4 HIPV;HIPV;c:\users\ashley\appdata\local\temp\hipv.exe --> c:\users\ashley\appdata\local\temp\HIPV.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-12-24 21:11:00 0 d-sh--w- C:\$RECYCLE.BIN
2009-12-24 20:40:34 98816 ----a-w- c:\windows\sed.exe
2009-12-24 20:40:34 77312 ----a-w- c:\windows\MBR.exe
2009-12-24 20:40:34 261632 ----a-w- c:\windows\PEV.exe
2009-12-24 20:40:34 161792 ----a-w- c:\windows\SWREG.exe
2009-12-18 15:24:21 286350198 ----a-w- c:\windows\MEMORY.DMP
2009-12-09 23:08:22 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 23:08:22 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 23:08:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 23:08:11 834048 ----a-w- c:\windows\system32\wininet.dll
2009-12-09 23:08:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-09 23:08:04 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 23:07:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 10:08:30 0 d-----w- c:\program files\Trend Micro
2009-12-07 20:04:46 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-07 20:04:34 0 d-----w- c:\program files\Panda Security
2009-12-07 19:44:44 0 d-----w- c:\program files\NVIDIA nTune Performance Application
2009-12-07 15:32:37 0 d-----w- c:\program files\The Sims Resource
2009-12-07 13:48:35 34990 ----a-w- c:\programdata\nvModes.dat
2009-12-07 10:16:59 696832 ----a-w- c:\windows\isRS-000.tmp
2009-12-05 20:51:52 0 d-----w- c:\program files\SpywareBlaster
2009-12-05 20:50:49 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-12-05 20:50:48 270848 ----a-w- c:\windows\system32\schannel.dll
2009-12-05 20:45:20 0 d-----w- c:\windows\system32\SmitfraudFix
2009-12-03 04:11:37 0 d-----w- c:\users\ashley\appdata\roaming\Foxit
2009-12-03 04:11:26 0 d-----w- c:\program files\Foxit Software
2009-12-01 00:21:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-30 23:21:18 0 d-----w- c:\program files\Buildalot 2 Town Of The Year
2009-11-30 22:07:37 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-30 21:58:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-30 21:40:11 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-30 21:39:51 0 d-----w- c:\programdata\Lavasoft
2009-11-30 21:39:51 0 d-----w- c:\program files\Lavasoft
2009-11-30 21:08:44 0 d-----w- C:\$AVG
2009-11-30 21:08:36 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-30 21:08:36 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-30 21:08:30 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-30 21:08:29 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-30 21:08:27 0 d-----w- c:\programdata\AVG Security Toolbar
2009-11-30 21:08:04 0 d-----w- c:\programdata\avg9
2009-11-30 16:09:49 0 d-----w- c:\programdata\SITEguard
2009-11-30 16:09:08 0 d-----w- c:\program files\STOPzilla!
2009-11-30 16:09:06 0 d-----w- c:\program files\common files\iS3
2009-11-30 16:09:05 0 d-----w- c:\programdata\STOPzilla!
2009-11-26 03:56:30 2048 ----a-w- c:\windows\system32\tzres.dll

==================== Find3M ====================

2009-12-07 14:32:58 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-07 14:32:58 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-07 14:32:58 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 20:34:47 235064 ----a-w- c:\windows\system32\drivers\iastorv.sys
2009-11-21 01:33:00 812648 ----a-w- c:\windows\system32\nvsvc.dll
2009-11-21 01:33:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2009-11-21 01:33:00 12685928 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-21 01:33:00 122984 ----a-w- c:\windows\system32\nvvsvc.exe
2009-11-21 01:33:00 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-20 02:42:56 592488 ----a-w- c:\windows\system32\nvuninst.exe
2009-11-18 14:31:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-17 11:49:39 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 11:49:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-14 17:07:04 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-11-03 01:42:06 195456 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-28 10:25:56 82774 ----a-w- c:\windows\Uninstall Jade Empire.exe
2009-10-08 21:08:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-09-27 20:12:22 170600 ----a-w- c:\windows\system32\nvcod167.dll
2009-07-01 16:40:24 174 --sha-w- c:\program files\desktop.ini
2008-09-20 16:58:30 75646 ---ha-w- c:\program files\peggle nights.jpg
2008-09-01 14:29:10 23 ---ha-w- c:\program files\tracked_by_h33t_com.txt
2008-09-01 14:29:10 226 ---ha-w- c:\program files\Important read this before opening files.txt
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:22:03.40 ===============



Gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-25 14:15:51
Windows 6.0.6002 Service Pack 2
Running: t7iqs0ht.exe; Driver: C:\Users\Ashley\AppData\Local\Temp\uxryqpod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\cdfs \Cdfs 907D705C

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- EOF - GMER 1.0.15 ----




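The SERVICES / DRIVERS section of a DDS log is where a responder looks first for leftovers like the two S4 entries above whose image paths sit in the user's Temp folder and end in "[?]". The following is an added example (editor's code, not part of the thread and not a BleepingComputer or DDS tool) that parses lines in that format and flags entries by two signals: an image path under a Temp or AppData directory, and the "[?]" marker, which this example assumes means DDS could not read the file's date and size (the file is missing or unreadable). The sample lines are copied from Astrella's log, and the helper names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: five SERVICES / DRIVERS lines in the DDS format shown in the post above
# (copied from the posted log; the format interpretation below is an assumption).
SAMPLE_DDS_SERVICES = r"""
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-30 360584]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-30 38224]
S4 BGAELPJSP;BGAELPJSP;c:\users\ashley\appdata\local\temp\bgaelpjsp.exe --> c:\users\ashley\appdata\local\temp\BGAELPJSP.exe [?]
S4 HIPV;HIPV;c:\users\ashley\appdata\local\temp\hipv.exe --> c:\users\ashley\appdata\local\temp\HIPV.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
"""

# "<state> <name>;<display name>;<image path ...> [<date size> | ?]"
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
DETAIL_RE = re.compile(r"\s*\[(?P<detail>[^\]]*)\]\s*$")

# Directory names that a service binary normally has no business living in.
SUSPECT_DIRS = {"temp", "tmp", "appdata", "local settings"}


@dataclass
class ServiceEntry:
    state: str          # R0-R3 = running at some start type, S* = stopped/disabled
    name: str
    display: str
    image_path: str     # the path DDS resolved (right side of "-->" when present)
    file_info: str      # "<date> <size>", or "?" when DDS printed "[?]"
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    info = ""
    dm = DETAIL_RE.search(rest)
    if dm:
        info = dm.group("detail")
        rest = rest[:dm.start()]
    # DDS prints "configured path --> resolved path"; the resolved path is what would run.
    if " --> " in rest:
        rest = rest.split(" --> ", 1)[1]
    path = rest.strip().strip('"')
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"), path, info)


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach human-readable reasons for each triage signal that fires."""
    parts = {p.lower() for p in re.split(r"[\\/]", entry.image_path)}
    if parts & SUSPECT_DIRS:
        entry.reasons.append("image path is under a Temp or per-user AppData directory")
    if entry.file_info == "?":
        entry.reasons.append("DDS printed [?]: no date/size, so the file is missing or unreadable")
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Return the service entries from a DDS log section that raise at least one signal."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_DDS_SERVICES):
        print(f"{e.state} {e.name}: {e.image_path}")
        for r in e.reasons:
            print("   -", r)
```

Run against the sample, the AVG and Malwarebytes drivers pass silently, the two Temp-folder services are reported with both reasons, and Viewpoint is reported only for the missing file. A stopped (S4) service whose binary is already gone is a dead registration rather than an active threat, but it still tells the responder what once ran from the user's Temp folder and is worth removing so it cannot be revived.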
#15 extremeboy

extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 25 December 2009 - 03:07 PM

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the [button image] on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the [button image].
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the [button image].
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the [button image], if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.



