
Hijacked browser with HJT log


  • This topic is locked
18 replies to this topic

#1 Crixe

Crixe

  • Members
  • 10 posts

Posted 25 December 2009 - 10:43 PM

DDS LOG FILE


DDS (Ver_09-12-01.01) - NTFSx86
Run by Steve at 20:51:06.79 on Fri 12/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1701 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Documents and Settings\Steve.STEVENSPC\Application Data\IMVUClient\IMVUQualityAgent.exe
C:\Documents and Settings\Steve.STEVENSPC\Application Data\IMVUClient\IMVUClient.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steve.STEVENSPC\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SoundMan] SOUNDMAN.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb600n\WUSB600N.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve~1.ste\applic~1\mozilla\firefox\profiles\frlg72n2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-23 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-23 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-23 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-23 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-23 360584]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2003-3-31 14336]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-12-21 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-21 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-12-21 2303680]
R2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-11-23 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-11-23 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-11-23 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-11-23 25736]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-12-14 551680]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-12-21 5832712]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-5-7 16512]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-11-23 30104]

=============== Created Last 30 ================


==================== Find3M ====================

2009-12-23 03:27:18 9220 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-21 23:18:53 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-21 23:18:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-21 23:18:46 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-12-21 23:18:42 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-21 23:18:41 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-25 03:50:16 4463104 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-11-25 03:27:54 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-11-25 03:26:52 300032 ----a-w- c:\windows\system32\ati2dvag.dll
2009-11-25 03:11:24 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2009-11-25 03:11:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-11-25 03:10:54 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-11-25 03:10:42 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-11-25 03:10:28 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-11-25 03:09:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-11-25 03:07:36 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-11-25 02:59:54 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-11-25 02:59:04 3538496 ----a-w- c:\windows\system32\ati3duag.dll
2009-11-25 02:44:28 13533184 ----a-w- c:\windows\system32\atioglxx.dll
2009-11-25 02:43:18 2142848 ----a-w- c:\windows\system32\ativvaxx.dll
2009-11-25 02:42:54 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-11-25 02:26:08 65024 ----a-w- c:\windows\system32\atimpc32.dll
2009-11-25 02:26:08 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2009-11-25 02:21:40 565248 ----a-w- c:\windows\system32\atikvmag.dll
2009-11-25 02:20:16 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-11-25 02:20:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-11-25 02:19:26 176128 ----a-w- c:\windows\system32\atiadlxx.dll
2009-11-25 02:18:58 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-11-25 02:18:26 3612672 ----a-w- c:\windows\system32\aticaldd.dll
2009-11-25 02:18:14 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-11-25 02:17:22 397312 ----a-w- c:\windows\system32\atiok3x2.dll
2009-11-25 02:12:38 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2009-11-23 21:13:54 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-11-23 21:13:54 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-11-21 03:32:14 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-11-21 03:32:14 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-11-21 03:32:14 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-11-21 03:32:14 12669544 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-21 03:32:14 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-21 03:32:10 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-11-21 02:34:54 6282752 ----a-w- c:\windows\system32\nv4_disp.dll
2009-11-21 02:34:54 592488 ----a-w- c:\windows\system32\nvudisp.exe
2009-11-21 02:34:54 4038656 ----a-w- c:\windows\system32\nvcuda.dll
2009-11-21 02:34:54 2293286 ----a-w- c:\windows\system32\nvdata.bin
2009-11-21 02:34:54 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2009-11-21 02:34:54 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-11-21 02:34:54 182888 ----a-w- c:\windows\system32\nvcodins.dll
2009-11-21 02:34:54 182888 ----a-w- c:\windows\system32\nvcod.dll
2009-11-21 02:34:54 13602816 ----a-w- c:\windows\system32\nvoglnt.dll
2009-11-21 02:34:54 1056768 ----a-w- c:\windows\system32\nvapi.dll
2009-11-21 02:34:54 10235968 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-11-20 04:42:56 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ------w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-22 15:59:00 196565 ----a-w- c:\windows\system32\atiicdxx.dat
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 11:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 01:20:04 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-28 01:19:52 3166208 ----a-w- c:\windows\system32\nvwss.dll
2009-09-28 01:19:50 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-28 01:19:48 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-09-28 01:19:48 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-28 01:19:48 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-28 01:19:46 4935680 ----a-w- c:\windows\system32\nvdisps.dll

============= FINISH: 20:51:46.01 ===============


ROOT REPEAL LOG FILE

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/25 20:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAC3CA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A09000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAC658000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\system32\config\aceevent.evt
Status: Size mismatch (API: 327680, Raw: 262144)

Path: c:\documents and settings\steve.stevenspc\application data\imvu\_buddystate.pickle
Status: Size mismatch (API: 956, Raw: 960)

Path: C:\Documents and Settings\Steve.STEVENSPC\Application Data\IMVU\Cache\product4398889_0074491e8ea2cb69dcf223ad2ff64479
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf7858470

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf7858520

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf78585c0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf7858660

Stealth Objects
-------------------
Object: Hidden Handle [Index: 836, Type: Port]
Process: 1VivoxVoice.exe (PID: 5788) Address: 0xe5f3abb8 Size: -

Object: Hidden Handle [Index: 848, Type: Event]
Process: 1VivoxVoice.exe (PID: 5788) Address: 0x8975ea48 Size: -

==EOF==


HIJACKTHIS LOG FILE

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:34 PM, on 12/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Documents and Settings\Steve.STEVENSPC\Application Data\IMVUClient\IMVUQualityAgent.exe
C:\Documents and Settings\Steve.STEVENSPC\Application Data\IMVUClient\IMVUClient.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5368 bytes


I hope this covers everything.

Edited by Crixe, 25 December 2009 - 11:13 PM.
Moved to a more appropriate forum ~ rigel




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 January 2010 - 07:38 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

m0le is a proud member of UNITE

#3 Crixe

Crixe
  • Topic Starter

  • Members
  • 10 posts

Posted 05 January 2010 - 10:41 PM

DDS (Ver_09-12-01.01) - NTFSx86
Run by Steve at 19:56:25.46 on Tue 01/05/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1826 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Steve.STEVENSPC\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve~1.ste\applic~1\mozilla\firefox\profiles\frlg72n2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Wowhead
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-23 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-23 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-23 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-23 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-23 360584]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2003-3-31 14336]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-12-21 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-21 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-12-21 2303680]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-11-23 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-11-23 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-11-23 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-11-23 25736]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-12-14 551680]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-12-21 5832712]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-5-7 16512]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-11-23 30104]

=============== Created Last 30 ================

2010-01-02 03:15:49 0 d-----w- c:\program files\common files\DivX Shared
2010-01-02 03:05:05 0 d-----w- c:\program files\Seekapp
2010-01-02 03:05:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Seekapp
2010-01-02 03:04:59 0 d-----w- c:\program files\Cliprex DVD Player Professional
2010-01-01 08:25:52 230424 ----a-w- C:\img2-001.raw
2010-01-01 04:25:35 0 d-----w- c:\documents and settings\steve.stevenspc\dwhelper
2010-01-01 03:15:48 676720 ----a-w- c:\windows\system32\LCCoin30.dll
2010-01-01 03:15:47 762208 ----a-w- c:\windows\vVX3000.exe
2010-01-01 03:15:47 524144 ----a-w- c:\windows\system32\LcProxy.ax
2010-01-01 03:15:47 227680 ----a-w- c:\windows\vVX3000.dll
2010-01-01 03:15:47 1961328 ----a-w- c:\windows\system32\drivers\VX3000.sys
2010-01-01 03:15:47 175456 ----a-w- c:\windows\system32\cVX3000.dll
2010-01-01 03:15:47 15498 ----a-w- c:\windows\VX3000.ini
2010-01-01 03:15:47 13023 ----a-w- c:\windows\VX3000.src
2010-01-01 03:15:47 101232 ----a-w- c:\windows\VX3000.dll
2010-01-01 03:15:33 0 d-----w- c:\program files\Microsoft LifeCam
2009-12-31 04:39:51 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-31 04:35:51 0 d-----r- c:\program files\Skype
2009-12-26 04:36:03 0 d-sha-r- C:\cmdcons
2009-12-26 04:34:22 98816 ----a-w- c:\windows\sed.exe
2009-12-26 04:34:22 77312 ----a-w- c:\windows\MBR.exe
2009-12-26 04:34:22 261632 ----a-w- c:\windows\PEV.exe
2009-12-26 04:34:22 161792 ----a-w- c:\windows\SWREG.exe
2009-12-26 03:05:00 0 d-----w- c:\program files\Trend Micro
2009-12-26 00:45:34 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-12-26 00:43:18 0 d-----w- c:\windows\{52CD4715-C7FD-4197-9423-88C14C834450}
2009-12-23 05:35:07 0 d-----w- c:\docume~1\steve~1.ste\applic~1\Bump Technologies, Inc
2009-12-23 05:32:28 0 d-----w- c:\program files\BumpTop
2009-12-23 05:27:50 0 d-----w- c:\program files\ATI
2009-12-23 04:08:03 164 ----a-w- c:\windows\avrack.ini
2009-12-23 04:07:57 0 d-----w- c:\program files\Realtek AC97
2009-12-23 03:33:14 0 d-----w- c:\program files\common files\ATI Technologies
2009-12-23 03:31:37 0 d-----w- c:\program files\ATI Technologies
2009-12-23 00:39:46 0 d-----w- c:\docume~1\steve~1.ste\applic~1\Vivox
2009-12-23 00:37:10 0 d-----w- c:\docume~1\steve~1.ste\applic~1\IMVUClient
2009-12-23 00:05:26 36352 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2009-12-23 00:05:26 0 d-----w- c:\program files\AMD
2009-12-22 04:59:28 0 d-----w- c:\program files\common files\NSV
2009-12-22 01:41:41 0 d-----w- c:\program files\Ace Utilities
2009-12-22 01:38:35 0 d-----w- c:\documents and settings\steve.stevenspc\Library
2009-12-22 01:38:35 0 d-----w- c:\docume~1\steve~1.ste\applic~1\com.adobe.ExMan
2009-12-18 03:28:07 0 d-----w- c:\docume~1\steve~1.ste\applic~1\BitTorrent
2009-12-15 01:04:54 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2009-12-15 01:04:54 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2009-12-15 01:03:47 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2009-12-13 20:38:54 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-12-13 20:37:43 81920 ----a-w- c:\windows\amcap.exe
2009-12-13 20:37:43 270336 ----a-w- c:\windows\tsnp2std.exe
2009-12-13 20:37:43 23502 ----a-w- c:\windows\Clique.ico
2009-12-13 20:37:43 20480 ----a-w- c:\windows\FWnSM.exe
2009-12-13 20:37:43 20480 ----a-w- c:\windows\AutoGo.exe
2009-12-13 20:37:43 1406 ----a-w- c:\windows\help.ico
2009-12-13 20:29:46 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-12-13 20:29:46 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-12-13 18:44:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2009-12-13 18:44:25 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-12-12 18:39:50 8743 ----a-w- c:\windows\system32\nvinfo.pb
2009-12-12 18:39:50 69632 ----a-w- c:\windows\system32\OpenCL.dll
2009-12-12 18:39:48 11374592 ----a-w- c:\windows\system32\nvcompiler.dll
2009-12-12 17:10:42 0 d-----w- c:\program files\common files\Akamai
2009-12-09 01:44:42 0 d-----w- c:\program files\Yahoo!
2009-12-09 00:45:58 0 d-----w- c:\docume~1\steve~1.ste\applic~1\IMVU

==================== Find3M ====================

2009-12-23 03:27:18 9220 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-21 23:18:53 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-21 23:18:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-21 23:18:46 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-12-21 23:18:42 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-21 23:18:41 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-25 03:50:16 4463104 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-11-25 03:27:54 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-11-25 03:26:52 300032 ----a-w- c:\windows\system32\ati2dvag.dll
2009-11-25 03:11:24 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2009-11-25 03:11:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-11-25 03:10:54 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-11-25 03:10:42 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-11-25 03:10:28 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-11-25 03:09:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-11-25 03:07:36 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-11-25 02:59:54 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-11-25 02:59:04 3538496 ----a-w- c:\windows\system32\ati3duag.dll
2009-11-25 02:44:28 13533184 ----a-w- c:\windows\system32\atioglxx.dll
2009-11-25 02:43:18 2142848 ----a-w- c:\windows\system32\ativvaxx.dll
2009-11-25 02:42:54 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-11-25 02:26:08 65024 ----a-w- c:\windows\system32\atimpc32.dll
2009-11-25 02:26:08 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2009-11-25 02:21:40 565248 ----a-w- c:\windows\system32\atikvmag.dll
2009-11-25 02:20:16 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-11-25 02:20:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-11-25 02:19:26 176128 ----a-w- c:\windows\system32\atiadlxx.dll
2009-11-25 02:18:58 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-11-25 02:18:26 3612672 ----a-w- c:\windows\system32\aticaldd.dll
2009-11-25 02:18:14 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-11-25 02:17:22 397312 ----a-w- c:\windows\system32\atiok3x2.dll
2009-11-25 02:12:38 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2009-11-23 21:13:54 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-11-23 21:13:54 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-11-21 03:32:14 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-11-21 03:32:14 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-11-21 03:32:14 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-11-21 03:32:14 12669544 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-21 03:32:14 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-21 03:32:10 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-11-21 02:34:54 6282752 ----a-w- c:\windows\system32\nv4_disp.dll
2009-11-21 02:34:54 592488 ----a-w- c:\windows\system32\nvudisp.exe
2009-11-21 02:34:54 4038656 ----a-w- c:\windows\system32\nvcuda.dll
2009-11-21 02:34:54 2293286 ----a-w- c:\windows\system32\nvdata.bin
2009-11-21 02:34:54 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2009-11-21 02:34:54 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-11-21 02:34:54 182888 ----a-w- c:\windows\system32\nvcodins.dll
2009-11-21 02:34:54 182888 ----a-w- c:\windows\system32\nvcod.dll
2009-11-21 02:34:54 13602816 ----a-w- c:\windows\system32\nvoglnt.dll
2009-11-21 02:34:54 1056768 ----a-w- c:\windows\system32\nvapi.dll
2009-11-21 02:34:54 10235968 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-11-20 04:42:56 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-14 00:47:32 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-29 07:46:59 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ------w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-22 15:59:00 196565 ----a-w- c:\windows\system32\atiicdxx.dat
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 11:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 19:57:13.04 ===============


I would like to add I've been getting A LOT of input lag lately both in the web/games and windows, I even have trouble highlighting objects properly. I found a way around the hijack by copying the link and THEN opening it in a new tab as a copy-pasted URL. I'd still like the issue fixed.



Edited by Crixe, 05 January 2010 - 10:42 PM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:58 AM

Posted 06 January 2010 - 04:24 PM

Nothing immediately obvious is coming up. I see that Combofix has been run on the PC. Was this done under supervision? Please post any logs that were generated - they are found by doing the following:

Please go to Start >Run > and copy/paste the following, then press Enter

C:\QooBox\ComboFix-quarantined-files.txt

A log file should open. Please post that in your next reply.
m0le is a proud member of UNITE

#5 Crixe

Crixe
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 06 January 2010 - 04:38 PM

2009-12-26 04:59:02 . 2009-12-26 04:59:02 534 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-WudfRd.reg.dat
2009-12-26 04:59:02 . 2009-12-26 04:59:02 534 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-WudfPf.reg.dat
2009-12-26 04:38:43 . 2009-12-26 04:38:43 3,224 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_SSHNAS.reg.dat
2009-12-26 04:38:42 . 2009-12-26 04:38:42 1,014 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_SSHNAS.reg.dat
2009-12-26 04:38:32 . 2009-12-26 04:38:32 10,106 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-12-26 04:34:17 . 2009-12-26 04:34:17 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-12-25 21:32:09 . 2009-12-25 21:32:10 221,696 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sshnas.dll.vir
2009-01-16 01:25:49 . 2008-09-30 00:24:06 90,112 ----a-w- C:\Qoobox\Quarantine\C\Program Files\AskSearch\bin\DefaultSearch.dll.vir

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:58 AM

Posted 06 January 2010 - 04:55 PM

Thanks. Let's reset your hosts file.

Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Now please run Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Finally let me know if the redirections stop.

Thanks :(
m0le is a proud member of UNITE

#7 Crixe

Crixe
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 06 January 2010 - 05:01 PM

Any advice for the horrible Input lag? Or do I just need more ram?

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:58 AM

Posted 06 January 2010 - 06:40 PM

Input lag can be caused by malware or bad or insufficient RAM...or software or hardware incompatibility.

Let's see what Gmer finds.
m0le is a proud member of UNITE

#9 Crixe

Crixe
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 06 January 2010 - 07:20 PM

I've run the program a few times and it keeps freezing up my system. The first time I ran it, it crashed my system and rebooted it; the second time I ran it, it came back with some results after doing the scan, but when I tried to save it to my desktop it didn't let me save the file before it froze. I'm going to try again and go away; I've left the computer on its own while running it and then come back when it finishes, but this is becoming a bad joke.

#10 Crixe

Crixe
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 06 January 2010 - 10:33 PM

What the hell is this program! My God this thing is worse than a Worm! It completely freezes up my system the first time it runs and I can't do anything after it. I am about to reformat my PC because it would be better than the headache your little virus/malware searcher does. The amount of damage that little thing does to my computer is a joke. How can you send me this crap? YOU THINK THAT'S GONNA HELP ME?! It Locks up my windows when I even try to post a reply in a WEB BROWSER!

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:58 AM

Posted 07 January 2010 - 05:41 AM

Gmer is an excellent rootkit scanner. It is NOT the problem, the problem is the malicious software in your PC which is affecting the way these programs work.

Gmer does NOT damage your computer, it only scans in the same way that HijackThis or DDS does.

We need to find out what it is that is causing these programs to lock up. Let's try these two simple files.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


Then

Please copy the contents of the code box below, open notepad and paste it there. On the top toolbar in notepad select file, then save as. In the box that opens type in peek.bat for the file name. Right below that click the down arrow in the line for save as and select all files. Save this to your desktop and close notepad.

@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0

Locate the peek.bat icon on your desktop and double click it. Then copy and paste the resulting log in your next reply.
m0le is a proud member of UNITE

#12 Crixe

Crixe
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 07 January 2010 - 01:23 PM

~~win32kdiag Log~~

Running from: C:\Documents and Settings\Steve.STEVENSPC\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Steve.STEVENSPC\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!


~~Peek.bat log~~

Volume in drive C has no label.
Volume Serial Number is 781B-4AF3

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 12:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 12:56 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 12:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

04/14/2008 05:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

04/14/2008 05:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

04/14/2008 05:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 05:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 05:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 05:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/14/2008 05:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/14/2008 05:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/14/2008 05:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 112,727,949,312 bytes free
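An added example, not from the thread or from any of the tools it mentions, that reads a DIR /a/s listing of the kind peek.bat produces and flags copies of the queried DLLs that sit outside the folders where Windows XP normally keeps them. The allow-list of expected folders is an assumption, and the sample listing is constructed from lines of the log above plus one made-up rogue entry so the check has something to report.

```python
"""Added example (not from the thread or any tool): parse a DIR /a/s listing
like the peek.bat log above and flag copies of the queried DLLs that sit
outside the folders where Windows XP legitimately keeps them."""
import re

WINDOWS_ROOT = "c:\\windows"
# Folders below C:\WINDOWS expected to hold legitimate copies of scecli.dll,
# netlogon.dll and eventlog.dll on XP. This allow-list is an assumption.
EXPECTED_DIRS = {"system32", "system32\\dllcache", "servicepackfiles\\i386",
                 "$ntservicepackuninstall$", "erdnt\\cache"}

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$", re.IGNORECASE)
FILE_RE = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+([\d,]+)\s+(.+?)\s*$")

def parse_dir_listing(text):
    """Return (directory, file name, size in bytes) for every file line."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)      # "Directory of ..." header
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            entries.append((current, m.group(2), int(m.group(1).replace(",", ""))))
    return entries

def relative_to_windows(directory):
    """Path below the Windows folder, lower-cased ('' for the root), or None if outside."""
    d = directory.lower().rstrip("\\")
    if d == WINDOWS_ROOT:
        return ""
    if d.startswith(WINDOWS_ROOT + "\\"):
        return d[len(WINDOWS_ROOT) + 1:]
    return None

def find_unexpected_copies(text):
    """Entries whose folder is off the allow-list: a look-alike DLL planted
    there is the kind of thing this DIR check is meant to surface."""
    return [(d, n, s) for d, n, s in parse_dir_listing(text)
            if relative_to_windows(d) not in EXPECTED_DIRS]

# Constructed sample: lines from the peek.bat log above plus one made-up rogue
# entry directly in C:\WINDOWS (last block) so that the check produces a hit.
SAMPLE_LOG = r"""
 Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 12:56 AM 180,224 scecli.dll

 Directory of C:\WINDOWS\ERDNT\cache

04/14/2008 05:42 AM 181,248 scecli.dll

 Directory of C:\WINDOWS\system32

04/14/2008 05:42 AM 181,248 scecli.dll
04/14/2008 05:42 AM 407,040 netlogon.dll
 2 File(s) 588,288 bytes

 Directory of C:\WINDOWS

12/25/2009 09:31 PM 221,696 scecli.dll
"""

if __name__ == "__main__":
    for d, n, s in find_unexpected_copies(SAMPLE_LOG):
        print(f"UNEXPECTED: {n} in {d} ({s} bytes)")
```

Running it against the real log above (all copies in system32, ServicePackFiles, $NtServicePackUninstall$ and ERDNT\cache) reports nothing, which matches m0le's reading of it.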

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:58 AM

Posted 07 January 2010 - 01:33 PM

Nothing there but we're still looking for a rootkit here...

Can you keep a record of any sites you get redirected to or any new symptoms. Thanks.


Please run Dr Web; this runs in safe mode, so it should complete.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

m0le is a proud member of UNITE

#14 Crixe

Crixe
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 07 January 2010 - 01:50 PM

I'm about to run the restart. It appears that the redirect problem is gone; I've run some tests, and I think I might have gotten rid of it with Spybot S&D/AVG scans. But the possibility of something else seems high, so I'll run this and post the log after this reboot.

#15 Crixe

Crixe
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 07 January 2010 - 02:45 PM

Nothing was found with Dr. Web. However, on reboot my computer booted much faster and I only noticed two icons in my task bar (though there should be three; volume disappeared, so I'll need to restore that). But beyond that the performance of the system was much better. I use Ace Utilities a lot to manage my start-up programs but I've never been able to make it boot this fast.



