

Google search redirect issue


39 replies to this topic

#1 Bullcfd

Posted 14 December 2009 - 11:16 AM

I have just recently started having an issue with my Google searches. When I search for something and then click on one of the search results I am immediately redirected to any one of a number of advertising services. I have run AVG and Malwarebytes, both of which found trojans. I went through the process of deleting/removing infected files and numerous restarts, but the problem persists. I even went to cmd and got around to the hosts file, which showed no signs of being compromised. I also tried to disable System Restore before rebooting in case the offending file was located there, and I am not able to disable System Restore. One window tells me it is already disabled, so I assume that must be so. I have a pretty fair amount of knowledge of how computers work and this one has me completely stumped; any help would be greatly and enthusiastically appreciated.


DDS (Ver_09-12-01.01) - NTFSx86
Run by bill at 11:01:30.53 on Mon 12/14/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1585 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\Ctxfihlp.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wuauclt.exe
C:\Users\bill\Desktop\RootRepeal.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\AVG\AVG9\avgcfgex.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\bill\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.alienware.com/Mothership?Comp=%ALIENFACTORY_Company%&SysCode=%ALIENFACTORY_SystemCode%&ai=636E3D34393235393626706F3D36323930363641
uDefault_Page_URL = hxxp://www.alienware.com/Mothership?Comp=%ALIENFACTORY_Company%&SysCode=%ALIENFACTORY_SystemCode%&ai=636E3D34393235393626706F3D36323930363641
mStart Page = hxxp://www.alienware.com/mothership
mDefault_Page_URL = hxxp://www.alienware.com/mothership
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [Comrade.exe] c:\program files\gamespy\comrade\Comrade.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [iRiver Updater] \Updater.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://www.yougamers.com/systeminfo/FMSI.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bill\appdata\roaming\mozilla\firefox\profiles\jprfb647.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.alienware.com/Mothership?Comp=%ALIENFACTORY_Company%&SysCode=%ALIENFACTORY_SystemCode%&ai=636E3D34393235393626706F3D36323930363641
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-4-10 143256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-9 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-9 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-28 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-12-14 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-14 285392]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-2-19 198168]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-2-19 1353240]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-2-19 73752]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-7-19 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-2-19 198168]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-2-19 1353240]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-2-19 73752]
S3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [2009-2-19 1222680]

=============== Created Last 30 ================

2009-12-14 12:47:38 0 d-----w- c:\users\bill\appdata\roaming\Malwarebytes
2009-12-14 12:47:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-14 12:47:32 0 d-----w- c:\programdata\Malwarebytes
2009-12-14 12:47:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 12:47:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-14 11:41:09 0 d--h--w- C:\$AVG
2009-12-14 11:40:18 0 d-----w- c:\programdata\avg9
2009-12-14 01:24:57 132096 --sha-r- c:\windows\system32\spbcd0.dll
2009-12-14 00:48:24 0 d-----w- c:\program files\VideoLAN
2009-11-25 13:25:27 0 d-----w- c:\windows\lhsp
2009-11-25 13:25:22 0 d-----w- c:\program files\CFS-Technologies
2009-11-25 13:21:19 0 d-----w- c:\program files\NaturalSoft
2009-11-25 13:03:05 0 d-----w- c:\program files\Microsoft Speech SDK 5.1
2009-11-17 13:38:14 0 d-----w- c:\program files\Total Video Player
2009-11-15 16:04:20 0 d-----w- c:\users\bill\appdata\roaming\Ludia
2009-11-15 16:04:20 0 d-----w- c:\programdata\Ludia

==================== Find3M ====================

2009-12-14 11:40:50 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-14 11:40:49 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-14 11:40:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-03 03:27:20 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-03 03:27:20 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-03 03:27:20 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-01-10 02:56:45 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-01-06 20:00:59 22 --sha-w- c:\windows\sminst\HPCD.sys
2009-01-28 18:50:59 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-01-28 18:50:59 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-01-28 18:50:59 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 11:01:38.42 ===============
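An added illustration of the triage a log reviewer does on a DDS listing like the one above (example code, not from the original post and not part of DDS or ComboFix): it parses lines in the "Created Last 30" / "Find3M" format, flags non-directory entries under system32 that carry both the system and hidden attributes (the profile of the spbcd0.dll entry), and cross-checks the flagged paths against a ComboFix "Other Deletions" list. The sample lines are constructed from the shape of the logs in this thread; the attribute-column reading (d=directory, s=system, h=hidden, a=archive, r/w=read-only/writable) is an assumption based on those logs.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the DDS "Created Last 30" line format: date time size attrs path.
SAMPLE_LOG = r"""
2009-12-14 12:47:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-14 01:24:57 132096 --sha-r- c:\windows\system32\spbcd0.dll
2009-12-14 00:48:24 0 d-----w- c:\program files\VideoLAN
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2009-01-28 18:50:59 16384 --sha-w- c:\windows\temp\cookies\index.dat
"""

# Constructed sample of a ComboFix "Other Deletions" section (plain paths, one per line).
SAMPLE_DELETIONS = r"""
c:\windows\system32\Data\ctd20x.dat
c:\windows\system32\spbcd0.dll
"""

# One DDS entry per line; the attribute column is eight flag characters.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: int
    attrs: str
    path: str  # normalised to lower case for comparisons

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"  # assumption: first flag is 'd' for directories

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs  # assumption: 'h' only ever means the hidden attribute

    @property
    def system(self) -> bool:
        return "s" in self.attrs  # assumption: 's' only ever means the system attribute


def parse_dds(text: str) -> List[Entry]:
    """Parse DDS file-listing lines; section headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(Entry(m["date"], m["time"], int(m["size"]),
                             m["attrs"], m["path"].lower()))
    return entries


def suspicious(entries: List[Entry]) -> List[Entry]:
    """Files under system32 marked system+hidden: unusual for a legitimately
    installed component and a classic way to keep a dropped DLL out of sight.
    desktop.ini and index.dat share the attributes but live elsewhere, so they
    are not flagged by this rule."""
    return [e for e in entries
            if not e.is_dir
            and "\\windows\\system32\\" in e.path
            and e.hidden and e.system]


def removed_by_combofix(flagged: List[Entry], deletions: str) -> List[str]:
    """Return the flagged paths that a ComboFix 'Other Deletions' list confirms removed."""
    deleted = {line.strip().lower() for line in deletions.splitlines() if line.strip()}
    return [e.path for e in flagged if e.path in deleted]


if __name__ == "__main__":
    found = suspicious(parse_dds(SAMPLE_LOG))
    for e in found:
        print(f"FLAG {e.date} {e.time} {e.attrs} {e.path}")
    for p in removed_by_combofix(found, SAMPLE_DELETIONS):
        print(f"confirmed removed: {p}")
```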


#2 Ried (Malware Response Team)

Posted 15 December 2009 - 11:29 PM

Hello Bullcfd,

Please download gmer from here and save it to your desktop.

Double click to run it. If asked to allow a driver to load, please consent.
  • An initial scan will automatically begin.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark2.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



Please attach the ark.txt in your next reply

Edited by Ried, 15 December 2009 - 11:30 PM.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#3 Bullcfd (Topic Starter)

Posted 19 December 2009 - 06:18 PM

I tried to run GMER twice and both times it caused a bluescreen. It's not on the screen long enough for me to get any info.

#4 Ried (Malware Response Team)

Posted 19 December 2009 - 07:27 PM

Please run gmer.exe again, but use the following configuration: (it is a bit different from the instructions I gave you earlier.)

Double click GMER.exe and it will begin an initial scan. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Devices
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



Please attach the ark2.txt in your next reply



#5 Bullcfd (Topic Starter)

Posted 22 December 2009 - 03:07 AM

I would love to run it again, but even opening it causes the comp to crash.

#6 Ried (Malware Response Team)

Posted 22 December 2009 - 05:04 PM

Delete your existing gmer.exe and download it again from here.

Disable AVG.

Try again to run the scan as outlined:
  • An initial scan will automatically begin.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



Please attach the ark.txt in your next reply



#7 Bullcfd (Topic Starter)

Posted 27 December 2009 - 09:27 PM

Tried all of that, still no luck. It causes the computer to freeze or bluescreen every time I run GMER.

#8 Ried (Malware Response Team)

Posted 31 December 2009 - 12:18 AM

Download ComboFix from here

* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Edited by Ried, 01 January 2010 - 08:26 PM.



#9 Bullcfd (Topic Starter)

Posted 01 January 2010 - 06:40 PM

It says "file not found" when I try to download.

#10 Ried (Malware Response Team)

Posted 01 January 2010 - 08:27 PM

It's working for me, please try again now.



#11 Bullcfd (Topic Starter)

Posted 05 January 2010 - 07:51 PM

I tried again and could not download. Sorry about the delayed replies as I've been very busy recently. Should I just keep trying to download at random times or is there some other way I can get it?

#12 Ried (Malware Response Team)

Posted 05 January 2010 - 11:31 PM

Exactly what is happening when you try to download it? What browser are you using?



#13 Bullcfd (Topic Starter)

Posted 08 January 2010 - 11:45 PM

OK, got her to work finally, here ya go. Also, I tried to disable AVG as well, but the only option I saw that was able to be turned off was the Resident Shield.

ComboFix 10-01-04.01 - bill 01/08/2010 23:30:29.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2006 [GMT -5:00]
Running from: c:\users\bill\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1091766115-1229109738-2673067461-500
c:\$recycle.bin\S-1-5-21-1140760227-2274017006-3562694238-500
c:\$recycle.bin\S-1-5-21-444466496-3202706199-801158547-500
c:\windows\system32\Data
c:\windows\system32\Data\ctd20x.dat
c:\windows\system32\Data\CTP0460W.DAT
c:\windows\system32\Data\CTP0462W.DAT
c:\windows\system32\Data\CTP0463W.DAT
c:\windows\system32\Data\CTP0464W.DAT
c:\windows\system32\Data\CTP0465W.DAT
c:\windows\system32\Data\CTP0466W.DAT
c:\windows\system32\Data\CTP0468W.DAT
c:\windows\system32\Data\CTP0469W.DAT
c:\windows\system32\Data\CTP046AW.DAT
c:\windows\system32\Data\CTP046BW.DAT
c:\windows\system32\Data\CTP046CW.DAT
c:\windows\system32\Data\CTP0550W.DAT
c:\windows\system32\Data\CTP055AW.DAT
c:\windows\system32\Data\CTP0678W.DAT
c:\windows\system32\Data\CTP0679W.DAT
c:\windows\system32\Data\CTP0730W.DAT
c:\windows\system32\Data\CTP073AW.DAT
c:\windows\system32\Data\CTP0760W.DAT
c:\windows\system32\Data\CTP0772V.DAT
c:\windows\system32\Data\CTP0772W.DAT
c:\windows\system32\Data\CTP0773V.DAT
c:\windows\system32\Data\CTP0773W.DAT
c:\windows\system32\Data\CTP0775V.DAT
c:\windows\system32\Data\CTP0775W.DAT
c:\windows\system32\Data\CTP0776V.DAT
c:\windows\system32\Data\CTP0776W.DAT
c:\windows\system32\Data\CTP0779V.DAT
c:\windows\system32\Data\CTP0779W.DAT
c:\windows\system32\Data\CTP0880V.DAT
c:\windows\system32\Data\CTP0880W.DAT
c:\windows\system32\Data\CTP0881V.DAT
c:\windows\system32\Data\CTP0881W.DAT
c:\windows\system32\Data\CTP0882V.DAT
c:\windows\system32\Data\CTP0882W.DAT
c:\windows\system32\Data\CTP0883V.DAT
c:\windows\system32\Data\CTP0883W.DAT
c:\windows\system32\Data\CTP0886V.DAT
c:\windows\system32\Data\CTP0886W.DAT
c:\windows\system32\Data\CTP0888V.DAT
c:\windows\system32\Data\CTP0888W.DAT
c:\windows\system32\Data\CTP0889V.DAT
c:\windows\system32\Data\CTP0889W.DAT
c:\windows\system32\Data\cts20x.dat
c:\windows\system32\Data\CTXFICBM.RFX
c:\windows\system32\Data\CTXFICM.RFX
c:\windows\system32\Data\CTXFIEM.RFX
c:\windows\system32\Data\CTXFIGM.RFX
c:\windows\system32\spbcd0.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))
.

2010-01-09 04:35 . 2010-01-09 04:35 -------- d-----w- c:\users\bill\AppData\Local\temp
2010-01-09 04:35 . 2010-01-09 04:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-31 13:04 . 2009-12-14 11:40 2033432 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2009-12-27 08:15 . 2009-12-27 08:15 -------- d-sh--w- c:\programdata\SecuROM
2009-12-24 07:11 . 2009-12-24 07:11 4043544 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2009-12-24 07:11 . 2009-12-24 07:11 3966744 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2009-12-24 07:11 . 2009-12-14 11:40 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2009-12-19 23:01 . 2009-12-19 23:01 411928 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2009-12-16 02:15 . 2010-01-08 23:31 0 ----a-w- c:\users\bill\AppData\Local\prvlcl.dat
2009-12-14 12:47 . 2009-12-14 12:47 -------- d-----w- c:\users\bill\AppData\Roaming\Malwarebytes
2009-12-14 12:47 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-14 12:47 . 2009-12-14 12:47 -------- d-----w- c:\programdata\Malwarebytes
2009-12-14 12:47 . 2009-12-14 12:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-14 12:47 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 11:41 . 2009-12-14 11:43 -------- d-----w- C:\$AVG
2009-12-14 11:40 . 2009-12-14 11:40 -------- d-----w- c:\programdata\avg9
2009-12-14 00:49 . 2009-12-14 00:52 -------- d-----w- c:\users\bill\AppData\Roaming\vlc
2009-12-14 00:48 . 2009-12-14 00:48 -------- d-----w- c:\program files\VideoLAN
2009-12-10 22:28 . 2009-12-11 00:16 -------- d-----w- c:\users\bill\AppData\Local\Deployment
2009-12-10 22:28 . 2009-12-10 22:28 -------- d-----w- c:\users\bill\AppData\Local\Apps

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 02:17 . 2009-07-14 05:26 -------- d-----w- c:\program files\Steam
2009-12-27 08:05 . 2009-12-27 08:05 -------- d-----w- c:\program files\2K Games
2009-12-27 08:05 . 2009-01-13 06:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-27 08:04 . 2009-01-13 06:35 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-14 11:40 . 2009-01-10 04:26 -------- d-----w- c:\program files\AVG
2009-12-09 12:46 . 2009-07-10 06:12 -------- d-----w- c:\program files\Activision
2009-11-25 13:25 . 2009-11-25 13:25 -------- d-----w- c:\program files\CFS-Technologies
2009-11-25 13:21 . 2009-11-25 13:21 71152 ----a-r- c:\users\bill\AppData\Roaming\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut21_C207166A39DE4B35B3CE8F35C423973B.exe
2009-11-25 13:21 . 2009-11-25 13:21 71152 ----a-r- c:\users\bill\AppData\Roaming\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut2_8D2B9DEE2E7249CEB360F463F3370804.exe
2009-11-25 13:21 . 2009-11-25 13:21 71152 ----a-r- c:\users\bill\AppData\Roaming\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut11_9D70A61FD7214BC585565549793FFA8A.exe
2009-11-25 13:21 . 2009-11-25 13:21 71152 ----a-r- c:\users\bill\AppData\Roaming\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut1_9F88E99FAF234356849120C5725C6B5F.exe
2009-11-25 13:21 . 2009-11-25 13:21 58864 ----a-r- c:\users\bill\AppData\Roaming\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\ARPPRODUCTICON.exe
2009-11-25 13:21 . 2009-11-25 13:21 54768 ----a-r- c:\users\bill\AppData\Roaming\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\UNINST_Uninstall_F_CF49ABBD814F419BA60B0CCC15F0A1F0.exe
2009-11-25 13:21 . 2009-11-25 13:21 -------- d-----w- c:\program files\NaturalSoft
2009-11-25 13:03 . 2009-11-25 13:03 -------- d-----w- c:\program files\Microsoft Speech SDK 5.1
2009-11-21 09:53 . 2009-01-09 21:42 54624 ----a-w- c:\users\bill\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-17 13:39 . 2009-11-17 13:38 -------- d-----w- c:\program files\Total Video Player
2009-11-15 22:10 . 2009-01-19 17:49 680 ----a-w- c:\users\bill\AppData\Local\d3d9caps.dat
2009-11-15 16:04 . 2009-11-15 16:04 -------- d-----w- c:\users\bill\AppData\Roaming\Ludia
2009-11-15 16:04 . 2009-11-15 16:04 -------- d-----w- c:\programdata\Ludia
2009-11-15 16:03 . 2009-03-22 22:35 -------- d-----w- c:\program files\Ubisoft
2009-11-11 08:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-11-03 01:42 . 2009-10-03 02:52 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-01-06 20:00 . 2009-01-06 20:00 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-08-12 1995512]
"Comrade.exe"="c:\program files\GameSpy\Comrade\Comrade.exe" [2007-06-29 36864]
"Steam"="c:\program files\Steam\Steam.exe" [2009-10-28 1217808]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-10 148888]
"CTxfiHlp"="CTXFIHLP.EXE" [2009-02-19 24576]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-31 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R0 mv61xx;mv61xx;c:\windows\System32\drivers\mv61xx.sys [4/10/2008 8:33 AM 143256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [1/9/2009 11:26 PM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [1/28/2009 1:13 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12/14/2009 6:40 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/14/2009 6:40 AM 285392]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.sys [2/19/2009 9:42 AM 198168]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.sys [2/19/2009 9:43 AM 1353240]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.sys [2/19/2009 9:43 AM 73752]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [7/19/2009 12:43 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\System32\drivers\CT20XUT.sys [2/19/2009 9:42 AM 198168]
S3 CTEXFIFX;CTEXFIFX;c:\windows\System32\drivers\CTEXFIFX.sys [2/19/2009 9:43 AM 1353240]
S3 CTHWIUT;CTHWIUT;c:\windows\System32\drivers\CTHWIUT.sys [2/19/2009 9:43 AM 73752]
S3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\System32\drivers\ha20x22k.sys [2/19/2009 9:54 AM 1222680]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.alienware.com/Mothership?Comp=%ALIENFACTORY_Company%&SysCode=%ALIENFACTORY_SystemCode%&ai=636E3D34393235393626706F3D36323930363641
mStart Page = hxxp://www.alienware.com/mothership
FF - ProfilePath - c:\users\bill\AppData\Roaming\Mozilla\Firefox\Profiles\jprfb647.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.alienware.com/Mothership?Comp=%ALIENFACTORY_Company%&SysCode=%ALIENFACTORY_SystemCode%&ai=636E3D34393235393626706F3D36323930363641
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 23:35
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1140760227-2274017006-3562694238-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:13,38,79,2a,df,8c,93,05,b7,35,2f,32,8d,fe,fe,57,a3,ef,c8,da,d9,98,5e,
1e,f5,d3,07,46,6a,86,e1,0b,9b,96,31,ff,8c,e0,07,b0,77,dd,db,1b,5d,39,17,9c,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1140760227-2274017006-3562694238-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:63,68,2f,ac,33,87,09,d9,d3,cf,ae,c1,bf,72,4b,35,93,66,3d,90,0a,
d4,ee,28,3c,7f,a3,c0,74,52,54,fc,70,5d,d1,4f,92,ba,1d,70,eb,f1,06,d6,f2,43,\
"rkeysecu"=hex:3a,09,e7,1a,0c,ca,40,7c,e4,86,81,98,2f,04,27,8a
.
Completion time: 2010-01-08 23:37:00
ComboFix-quarantined-files.txt 2010-01-09 04:36

Pre-Run: 789,106,143,232 bytes free
Post-Run: 800,073,285,632 bytes free

- - End Of File - - F77C80CFD684E5BA5B48452A533FC000

Edited by Ried, 09 January 2010 - 12:27 AM.
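As an added example, not part of this thread and not ComboFix's or catchme's own code: a small Python parser for two sections of a log like the one posted above, the driver/service lines (`R3 name;display;path [stamp size]`) and catchme's "hidden autostart entries" block. The sample input is constructed from lines copied out of the post; the reading of the leading letter as R = running / S = stopped and the digit as the Windows service start type is an assumption, not something the log itself states.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: lines copied from the ComboFix/catchme log posted
# above, trimmed to the parts this parser handles (not a format specification).
SAMPLE_LOG = r"""
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.sys [2/19/2009 9:43 AM 73752]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [7/19/2009 12:43 PM 79360]
S3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\System32\drivers\ha20x22k.sys [2/19/2009 9:54 AM 1222680]
.
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0
"""

# One service/driver line: "<R|S><digit> <name>;<display>;<path> [<timestamp> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]+?)\s+(?P<size>\d+)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str        # assumed: 'R' = running, 'S' = stopped
    start_type: int   # assumed: Windows start type digit (3 = demand start)
    name: str
    display: str
    path: str
    stamp: str        # timestamp text as printed, not parsed further
    size: int         # file size in bytes


def parse_services(text: str) -> List[ServiceEntry]:
    """Extract every driver/service line that matches SERVICE_RE."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(ServiceEntry(m["state"], int(m["start"]), m["name"],
                                    m["display"], m["path"], m["stamp"],
                                    int(m["size"])))
    return out


def parse_hidden_autostarts(text: str) -> List[Tuple[str, str, str]]:
    """Return (registry_key, value_name, data) triples from catchme's
    'scanning hidden autostart entries' section. A line without ' = ' is
    taken as the key that the following value lines belong to."""
    entries = []
    in_section = False
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("scanning hidden autostart entries"):
            in_section = True
            continue
        if in_section and line.startswith("scanning "):
            break  # next catchme section begins
        if not in_section or not line:
            continue
        if " = " in line:
            name, data = line.split(" = ", 1)
            entries.append((key, name, data))
        else:
            key = line
    return entries


def unqualified_autostarts(entries):
    """Autostart values whose command is a bare file name with no directory.
    Which file actually runs then depends on the loader's search order, so
    these are the ones a reviewer resolves by hand first. The trailing '?'
    catchme printed is stripped for comparison only."""
    flagged = []
    for key, name, data in entries:
        cmd = data.rstrip("?").strip().strip('"')
        exe = cmd.split()[0] if cmd else ""
        if exe and "\\" not in exe and "/" not in exe:
            flagged.append((key, name, exe))
    return flagged


if __name__ == "__main__":
    for s in parse_services(SAMPLE_LOG):
        print(f"{s.state}{s.start_type} {s.name:40} {s.path} ({s.size} bytes)")
    auto = parse_hidden_autostarts(SAMPLE_LOG)
    for key, name, exe in unqualified_autostarts(auto):
        print(f"review: {key}\\{name} runs bare '{exe}'")
```

Run as a script it lists the three services and flags the `CTxfiHlp` entry, which in the posted log is a bare executable name rather than a full path; the point is to make log review repeatable rather than to decide on its own whether an entry is malicious.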


#14 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • Gender:Male
  • Local time:10:11 AM

Posted 10 January 2010 - 02:22 AM

What we need to do now is run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Also - how is the system behaving now? What issues remain?

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#15 Bullcfd

Bullcfd
  • Topic Starter

  • Members
  • 21 posts
  • Local time:08:11 AM

Posted 13 January 2010 - 01:57 AM

Ok, the system worked fine for a couple of hours, but before I could get around to posting the log I have gotten this very bogus looking "Windows Security Center" thing that was designed to look like the real one, complete with bogus virus and trojan messages. Didn't fool me, but I guess it didn't matter. When I tried to close it, it immediately started downloading a program called Malware Defense. This in turn tried to delete my Malwarebytes. As soon as I restarted, it comes back with a message saying Windows Defender user interface has stopped working, followed by Windows Explorer has stopped working, which comes up repeatedly. The thing that annoys me here is even though I didn't fall for the bogus Windows security issues screen, this thing has still managed to download stuff and has now totally disabled all my antivirus software, including AVG and Malwarebytes. I am posting this from my phone, but I can get limited use out of the comp, so I'm ready for whatever you can think of next. If you have any specific questions about these issues, I will be keeping my phone nearby and checking the forums regularly now, as I have a good week or so of not being busy.
