Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Redirect Virus I can't disinfect


  • This topic is locked This topic is locked
8 replies to this topic

#1 ruggedlyuglyal

ruggedlyuglyal

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 15 December 2009 - 01:11 PM

I have a virus and need some help getting rid of it. I have loaded and run AGV free 9.x, Malwarebytes Anti-Malware, and Spybot Search&Destroy. My XP Home system won't boot to safe mode but boots to normal mode XP home fine. I assume that's a virus causing the errors that don't allow it to boot in safe mode.

I have run the various programs multiple times and sometimes get viruses and sometimes don't.

It is at the very least a browser-redirect virus. It keeps redirecting to sites that contain malicious code. At least that's what I assume as my firefox NoScript plugin is preventing at least some of these redirect pages from loading. I have run HiJack this and have a log file. I don't have the experience to debug the log. Can someone help?

Thanks in advance.

Here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:52 AM, on 12/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesAVGAVG9avgchsvx.exe
C:Program FilesAVGAVG9avgrsx.exe
C:Program FilesAVGAVG9avgcsrvx.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
C:Program FilesAVGAVG9avgwdsvc.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesHP DVDUmbrellaDVDTray.exe
C:WINDOWSLTMSG.exe
C:HPKBDKBD.EXE
C:windowssystemhpsysdrv.exe
C:Program FilesMultimedia Card Readershwicon2k.exe
C:WINDOWSsystem32spooldriversw32x863hpztsb12.exe
C:Program FilesHPHP Software UpdateHPWuSchd2.exe
C:Program FilesJavajre1.6.0_07binjusched.exe
C:Program FilesMaxtorOneTouch Statusmaxmenumgr.exe
C:Program FilesSupport.combintgcmd.exe
C:Program FilesQuickTimeqttask.exe
C:PROGRA~1AVGAVG9avgtray.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesMSN Messengermsnmsgr.exe
C:Program FilesMicrosoft ActiveSyncwcescomm.exe
C:PROGRA~1MI3AA1~1rapimgr.exe
C:Program FilesAdobeAcrobat 6.0Distillracrotray.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesYahoo!Yahoo! Music Jukeboxymetray.exe
C:Program FilesAVGAVG9avgnsx.exe
C:Program FilesYahoo!Messengerymsgr_tray.exe
C:WINDOWSsystem32driversKodakCCS.exe
C:Program FilesMaxtorSyncSyncServices.exe
C:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe
C:WINDOWSSystem32nvsvc32.exe
C:WINDOWSsystem32HPZipm12.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesJavajre1.6.0_07binjucheck.exe
C:WINDOWSSystem32spoolDRIVERSW32X863HPZSTC12.exe
C:WINDOWSsystem32rundll32.exe
C:WINDOWSsystem32wuauclt.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://srch-us10.hpwis.com/
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.maynesphoto.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:Program FilesAVGAVG9ToolbarIEToolbar.dll
F2 - REG:system.ini: Shell=Explorer.exe
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.screenname", "cgmaynes");
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:DOCUMENTS AND SETTINGSOWNERAPPLICATION DATAMozillaProfilesdefaultmz188zyt.slt");
user_pref("browser.download.dir", "C:Documents and SettingsOwnerMy DocumentsA.J. Stuff");
user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src");
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
u
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.screenname", "cgmaynes");
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:DOCUMENTS AND SETTINGSOWNERAPPLICATION DATAMozillaProfilesdefaultmz188zyt.slt");
user_pref("browser.download.dir", "C:Documents and SettingsOwnerMy DocumentsA.J. Stuff");
user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src");
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
u
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG9avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_07binssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:Program FilesAVGAVG9ToolbarIEToolbar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:Program FilesAdobeAcrobat 6.0AcrobatAcroIEFavClient.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:Program FilesHPDigital Imagingbinhpdtlk02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:Program FilesAdobeAcrobat 6.0AcrobatAcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:Program FilesAVGAVG9ToolbarIEToolbar.dll
O4 - HKLM..Run: [DVDTray] "C:Program FilesHP DVDUmbrellaDVDTray.exe"
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [VTTimer] VTTimer.exe
O4 - HKLM..Run: [UpdateManager] "C:Program FilesCommon FilesSonicUpdate Managersgtray.exe" /r
O4 - HKLM..Run: [LTMSG] LTMSG.exe 7
O4 - HKLM..Run: [KBD] C:HPKBDKBD.EXE
O4 - HKLM..Run: [hpsysdrv] c:windowssystemhpsysdrv.exe
O4 - HKLM..Run: [Sunkist2k] C:Program FilesMultimedia Card Readershwicon2k.exe
O4 - HKLM..Run: [HPDJ Taskbar Utility] C:WINDOWSsystem32spooldriversw32x863hpztsb12.exe
O4 - HKLM..Run: [HP Software Update] C:Program FilesHPHP Software UpdateHPWuSchd2.exe
O4 - HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
O4 - HKLM..Run: [Windows Defender] "C:Program FilesWindows DefenderMSASCui.exe" -hide
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_07binjusched.exe"
O4 - HKLM..Run: [mxomssmenu] "C:Program FilesMaxtorOneTouch Statusmaxmenumgr.exe"
O4 - HKLM..Run: [tgcmd] "C:Program FilesSupport.combintgcmd.exe" /server /startmonitor /deaf
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 9.0ReaderReader_sl.exe"
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [AVG9_TRAY] C:PROGRA~1AVGAVG9avgtray.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [msnmsgr] "C:Program FilesMSN Messengermsnmsgr.exe" /background
O4 - HKCU..Run: [Yahoo! Pager] "C:Program FilesYahoo!MessengerYahooMessenger.exe" -quiet
O4 - HKCU..Run: [H/PC Connection Agent] "C:Program FilesMicrosoft ActiveSyncwcescomm.exe"
O4 - HKUSS-1-5-18..Run: [agent.exe] C:Documents and SettingsLocalServiceApplication DataPCagent.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [agent.exe] C:Documents and SettingsLocalServiceApplication DataPCagent.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:Program FilesAdobeAcrobat 6.0Distillracrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:Program FilesHPDigital Imagingbinhpqtra08.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:Program FilesGretagMacbethi1Eye-One Match 3CalibrationLoaderCalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:Program FilesGretagMacbethi1Eye-One Match 3ProfileReminder.exe
O4 - Global Startup: ymetray.lnk = C:Program FilesYahoo!Yahoo! Music Jukeboxymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~4Office10EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_07binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_07binssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:PROGRA~1MI3AA1~1INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:PROGRA~1MI3AA1~1INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:PROGRA~1MI3AA1~1INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:Program FilesYahoo!Messengeryhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:Program FilesYahoo!Messengeryhexbmes0521.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:Program FilesYahoo!Commonyinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.myfamily.com/Controls/Upload/ImageUploader5.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG9avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:WINDOWSSYSTEM32avgrsstx.dll
O23 - Service: Windows Audio AudioSrvwuauserv (AudioSrvwuauserv) - Unknown owner - C:WINDOWSsystem323076c.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:Program FilesSymantecLiveUpdateALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:Program FilesAVGAVG9avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:Program FilesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:Program FilesAlex FeinmanISO RecorderImapiHelper.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:Program FilesCommon FilesIntuitUpdate ServiceIntuitUpdateService.exe
O23 - Service: Intuit Update Service IntuitUpdateServiceRSVP (IntuitUpdateServiceRSVP) - Unknown owner - C:WINDOWSsystem321037y.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:WINDOWSsystem32driversKodakCCS.exe
O23 - Service: LiveUpdate - Unknown owner - C:PROGRA~1SymantecLIVEUP~1LUCOMS~1.EXE (file missing)
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:Program FilesMaxtorSyncSyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSSystem32nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:WINDOWSsystem32HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:Program FilesCommon FilesSymantec SharedSNDSrvc.exe (file missing)

--
End of file - 14313 bytes

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Here are my dds.txt and Attach.txt zip file. The RootRepeal tool hung when I tried to run it.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 10:19:32.45 on Tue 12/15/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1053 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
C:WINDOWSsystem32svchost.exe -k WudfServiceGroup
C:Program FilesAVGAVG9avgchsvx.exe
C:Program FilesAVGAVG9avgrsx.exe
svchost.exe
C:Program FilesAVGAVG9avgcsrvx.exe
svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
svchost.exe
C:Program FilesAVGAVG9avgwdsvc.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesHP DVDUmbrellaDVDTray.exe
C:WINDOWSLTMSG.exe
C:HPKBDKBD.EXE
C:windowssystemhpsysdrv.exe
C:Program FilesMultimedia Card Readershwicon2k.exe
C:WINDOWSsystem32spooldriversw32x863hpztsb12.exe
C:Program FilesHPHP Software UpdateHPWuSchd2.exe
C:Program FilesJavajre1.6.0_07binjusched.exe
C:Program FilesMaxtorOneTouch Statusmaxmenumgr.exe
C:Program FilesQuickTimeqttask.exe
C:PROGRA~1AVGAVG9avgtray.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesMSN Messengermsnmsgr.exe
C:Program FilesMicrosoft ActiveSyncwcescomm.exe
C:PROGRA~1MI3AA1~1rapimgr.exe
C:Program FilesAdobeAcrobat 6.0Distillracrotray.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesYahoo!Yahoo! Music Jukeboxymetray.exe
C:Program FilesAVGAVG9avgnsx.exe
C:Program FilesYahoo!Messengerymsgr_tray.exe
C:WINDOWSsystem32driversKodakCCS.exe
C:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe
C:WINDOWSSystem32nvsvc32.exe
C:WINDOWSsystem32HPZipm12.exe
C:WINDOWSSystem32svchost.exe -k imgsvc
C:WINDOWSSystem32svchost.exe -k HTTPFilter
C:Program FilesJavajre1.6.0_07binjucheck.exe
C:WINDOWSSystem32spoolDRIVERSW32X863HPZSTC12.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:Program FilesMozilla Firefoxfirefox.exe
C:Documents and SettingsOwnerDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.maynesphoto.com/
uSearch Page = hxxp://srch-us10.hpwis.com/
uDefault_Page_URL = hxxp://us10.hpwis.com/
uDefault_Search_URL = hxxp://srch-us10.hpwis.com/
uSearch Bar = hxxp://srch-us10.hpwis.com/
mSearch Bar = hxxp://srch-us10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:program filesavgavg9toolbarIEToolbar.dll
mWinlogon: Shell=Explorer.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:program filesavgavg9avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:progra~1spybot~1SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:program filesjavajre1.6.0_07binssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:program filescommon filesmicrosoft sharedwindows liveWindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:program filesavgavg9toolbarIEToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:program filesadobeacrobat 6.0acrobatAcroIEFavClient.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:program fileshpdigital imagingbinhpdtlk02.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:program filesadobeacrobat 6.0acrobatAcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:program filesavgavg9toolbarIEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:program filesadobeacrobat 6.0acrobatAcroIEFavClient.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:program filesyahoo!messengeryhexbmes0521.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:windowssystem32Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [msnmsgr] "c:program filesmsn messengermsnmsgr.exe" /background
uRun: [Yahoo! Pager] "c:program filesyahoo!messengerYahooMessenger.exe" -quiet
uRun: [H/PC Connection Agent] "c:program filesmicrosoft activesyncwcescomm.exe"
mRun: [DVDTray] "c:program fileshp dvdumbrellaDVDTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:windowssystem32NvCpl.dll,NvStartup
mRun: [VTTimer] VTTimer.exe
mRun: [UpdateManager] "c:program filescommon filessonicupdate managersgtray.exe" /r
mRun: [LTMSG] LTMSG.exe 7
mRun: [KBD] c:hpkbdKBD.EXE
mRun: [hpsysdrv] c:windowssystemhpsysdrv.exe
mRun: [Sunkist2k] c:program filesmultimedia card readershwicon2k.exe
mRun: [HPDJ Taskbar Utility] c:windowssystem32spooldriversw32x863hpztsb12.exe
mRun: [HP Software Update] c:program fileshphp software updateHPWuSchd2.exe
mRun: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
mRun: [Windows Defender] "c:program fileswindows defenderMSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:program filesjavajre1.6.0_07binjusched.exe"
mRun: [mxomssmenu] "c:program filesmaxtoronetouch statusmaxmenumgr.exe"
mRun: [tgcmd] "c:program filessupport.combintgcmd.exe" /server /startmonitor /deaf
mRun: [Adobe Reader Speed Launcher] "c:program filesadobereader 9.0readerReader_sl.exe"
mRun: [QuickTime Task] "c:program filesquicktimeqttask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [AVG9_TRAY] c:progra~1avgavg9avgtray.exe
dRun: [agent.exe] c:documents and settingslocalserviceapplication datapcagent.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupacroba~1.lnk - c:program filesadobeacrobat 6.0distillracrotray.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupadobeg~1.lnk - c:program filescommon filesadobecalibrationAdobe Gamma Loader.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartuphpdigi~1.lnk - c:program fileshpdigital imagingbinhpqtra08.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartuplogoca~1.lnk - c:program filesgretagmacbethi1eye-one match 3calibrationloaderCalibrationLoader.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupprofil~1.lnk - c:program filesgretagmacbethi1eye-one match 3ProfileReminder.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupymetray.lnk - c:program filesyahoo!yahoo! music jukeboxymetray.exe
IE: E&xport to Microsoft Excel - c:progra~1micros~4office10EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:program filesjavajre1.6.0_07binssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:progra~1mi3aa1~1INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:progra~1mi3aa1~1INetRepl.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:program filesyahoo!messengeryhexbmes0521.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:progra~1spybot~1SDHelper.dll
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.comonline
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:program filesyahoo!commonyinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.myfamily.com/Controls/Upload/ImageUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:program filescommon filesmicrosoft sharedweb foldersPKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:program fileshphpcoretechcomphpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:program filesavgavg9avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:program filesqualcommeudoraEuShlExt.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:progra~1window~4MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:docume~1ownerapplic~1mozillafirefoxprofilesf81pygk6.default
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:documents and settingsownerapplication datamozillafirefoxprofilesf81pygk6.defaultextensions{463f6ca5-ee3c-4be1-b7e6-7fee11953374}platformwinntcomponentsFoxyTunes.dll
FF - component: c:program filesavgavg9firefoxcomponentsavgssff.dll
FF - component: c:program filesavgavg9toolbarfirefoxavg@igearedcomponentsIGeared_tavgp_xputils2.dll
FF - component: c:program filesavgavg9toolbarfirefoxavg@igearedcomponentsIGeared_tavgp_xputils3.dll
FF - component: c:program filesavgavg9toolbarfirefoxavg@igearedcomponentsIGeared_tavgp_xputils35.dll
FF - component: c:program filesavgavg9toolbarfirefoxavg@igearedcomponentsxpavgtbapi.dll
FF - plugin: c:documents and settingsownerapplication datamove networkspluginsnpqmp071503000010.dll
FF - plugin: c:documents and settingsownerapplication datamove networkspluginsnpqmp071701000002.dll
FF - plugin: c:program filesmozilla firefoxpluginsNPAdbESD.dll
FF - plugin: c:program filesmozilla firefoxpluginsnpatgpc.dll
FF - plugin: c:program filesmozilla firefoxpluginsnpmozax.dll
FF - plugin: c:program filesoperaprogrampluginsnpdrmv2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows presentation foundationdotnetassistantextension
FF - HiddenExtension: XULRunner: {EA1EB25A-5344-4DF1-B98F-44EA409F37E8} - c:documents and settingsownerlocal settingsapplication data{EA1EB25A-5344-4DF1-B98F-44EA409F37E8}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:windowssystem32driversavgldx86.sys [2009-12-9 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:windowssystem32driversavgmfx86.sys [2009-12-9 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:windowssystem32driversavgtdix.sys [2009-12-9 360584]
R2 avg9wd;AVG Free WatchDog;c:program filesavgavg9avgwdsvc.exe [2009-12-9 285392]
R2 PDIHWCTL;PDIHWCTL;c:windowssystem32driverspdihwctl.sys [2007-11-10 14416]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:windowssystem32driverslne100v5.sys [2006-9-23 36224]
S2 AudioSrvwuauserv;Windows Audio AudioSrvwuauserv;c:windowssystem323076c.exe srv --> c:windowssystem323076c.exe srv [?]
S2 IntuitUpdateServiceRSVP;Intuit Update Service IntuitUpdateServiceRSVP;c:windowssystem321037y.exe srv --> c:windowssystem321037y.exe srv [?]
S2 mrtRate;mrtRate; [x]
S2 WinDefend;Windows Defender;c:program fileswindows defenderMsMpEng.exe [2006-11-3 13592]
S3 camvid20;Philips ToUcam Camera; Video;c:windowssystem32driverscamdrv21.sys [2004-4-23 223232]
S3 eyeonedp;eye-one display;c:windowssystem32driversEyeOneDp.sys [2007-11-10 44344]

=============== Created Last 30 ================

2009-12-12 07:40:19 54156 ---ha-w- c:windowsQTFont.qfn
2009-12-12 07:40:19 1409 ----a-w- c:windowsQTFont.for
2009-12-11 20:38:39 471552 -c----w- c:windowssystem32dllcacheaclayers.dll
2009-12-11 19:45:03 0 d-----w- c:program filesSpybot - Search & Destroy
2009-12-11 19:45:03 0 d-----w- c:docume~1alluse~1applic~1Spybot - Search & Destroy
2009-12-10 16:39:04 0 d-----w- c:docume~1ownerapplic~1Malwarebytes
2009-12-10 16:38:59 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2009-12-10 16:38:58 0 d-----w- c:docume~1alluse~1applic~1Malwarebytes
2009-12-10 16:38:57 19160 ----a-w- c:windowssystem32driversmbam.sys
2009-12-10 16:38:57 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2009-12-10 16:16:59 0 d-----w- c:docume~1ownerapplic~1AVG9
2009-12-10 03:59:16 0 d--h--w- C:$AVG
2009-12-10 03:59:04 360584 ----a-w- c:windowssystem32driversavgtdix.sys
2009-12-10 03:59:04 12464 ----a-w- c:windowssystem32avgrsstx.dll
2009-12-10 03:58:59 333192 ----a-w- c:windowssystem32driversavgldx86.sys
2009-12-10 03:58:48 0 d-----w- c:windowssystem32driversAvg
2009-12-10 03:58:43 0 d-----w- c:docume~1alluse~1applic~1AVG Security Toolbar
2009-12-10 03:58:26 0 d-----w- c:program filesAVG
2009-12-10 03:58:22 0 d-----w- c:docume~1alluse~1applic~1avg9
2009-12-08 14:50:38 470 --s-a-w- c:windowssystem322126700920.dat
2009-12-05 17:05:27 120 ----a-w- c:windowsYjiroledun.dat
2009-12-05 17:05:27 0 ----a-w- c:windowsKwanexexex.bin

==================== Find3M ====================

2009-11-03 04:42:06 195456 ------w- c:windowssystem32MpSigStub.exe
2009-10-29 07:45:38 916480 ----a-w- c:windowssystem32wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:windowssystem32strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:windowssystem32httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:windowssystem32drivershttp.sys
2009-10-13 10:30:16 270336 ----a-w- c:windowssystem32oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:windowssystem32rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:windowssystem32raschap.dll
2004-04-18 19:03:23 0 --sha-w- c:windowssminstHPCD.sys

============= FINISH: 10:21:51.85 ===============

Merged posts. ~ OB

Attached Files


Edited by Orange Blossom, 17 December 2009 - 11:45 PM.


BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 AM

Posted 27 December 2009 - 05:08 PM

Hi,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Then please post back here with the following logs:
  • OTL.txt
  • Extra.txt
Thanks

unite.jpg


#3 ruggedlyuglyal

ruggedlyuglyal
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 27 December 2009 - 11:33 PM

Syler,

Thanks for your response. I started the app as directed and it seems to have hung. The progress field at the bottom of the app says "Scanning Session Manager AppCertDlls key ..." and it has been stuck there for an hour. Not sure if I should terminate the process or if it will eventually complete the scan.

Edited by ruggedlyuglyal, 27 December 2009 - 11:34 PM.


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 AM

Posted 28 December 2009 - 12:26 PM

Hi ruggedlyuglyal,

Please run this scan instead.
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Show All
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

unite.jpg


#5 ruggedlyuglyal

ruggedlyuglyal
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 28 December 2009 - 10:01 PM

Here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-28 18:52:05
Windows 5.1.2600 Service Pack 3
Running: zggqs07b.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\axlcapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0
8A705618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0xAA 0x52 0xC6 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 AM

Posted 29 December 2009 - 10:43 AM

Unfortunately your logs show signs of a rootkit so you should be aware of the following information.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

unite.jpg


#7 ruggedlyuglyal

ruggedlyuglyal
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 29 December 2009 - 05:28 PM

Syler,

I think I am going to re-format and re-install. I don't want to have a system I don't trust. I have an external drive that I have a backup of my "My Documents" folder on. Can the rootkit have affected this drive as well? Can I reconnect it to a new system with current anti-virus protection and scan and clean it from there? What precautions do I need to take with this drive? Any advice on this would be very much appreciated.

Thanks.

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 AM

Posted 31 December 2009 - 12:47 PM

This rootkit won't affect your external drive but I can't guarantee that no other malware has got on to it, if you want to hook it up to another computer
and scan it then run flash disinfector on that computer first, this will stop any malware from being able to load when it is plugged in on that computer.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

unite.jpg


#9 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 AM

Posted 02 January 2010 - 09:09 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users