extremely annoying search engine re-directs!


This topic is locked
18 replies to this topic

#1 Mr. Christopher

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:33 PM

Posted 15 January 2010 - 03:05 AM

Whenever I'm trying to google something, I have to go through several re-directs to all sorts of annoying and useless pages. My wife was even assaulted with a pornographic one today. I've tried a few things, search and destroy, AVG, Glary, and no luck. grr!!

Here's the DDS


DDS (Ver_09-12-01.01) - NTFSx86
Run by Compaq_Administrator at 1:35:17.31 on Fri 01/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.191 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\HP\KBD\KBD.EXE
svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.1.6)_Gecko/20091201_Firefox/3.5.6_(.NET_CLR_3.5.30729)" -"http://www.nickjr.com/playtime/cats/games/little_bear/bear_dressup.jhtml"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [ps2] c:\windows\system32\ps2.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [RECGUARD] c:\windows\sminst\RECGUARD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146718487615
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146718649428
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\i441wkuh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2006-6-7 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-8 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-8 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-8 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-2 285392]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-4-13 10384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2007-2-18 73216]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2007-10-17 13504]
S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2007-10-17 22304]

=============== Created Last 30 ================

2010-01-14 22:55:26 0 d-----w- c:\program files\ScenicReflections
2010-01-14 22:05:50 2262648 ----a-w- c:\windows\system32\Flash9b.ocx
2010-01-14 22:05:46 0 d-----w- c:\docume~1\compaq~1\applic~1\elefundesktops
2010-01-14 22:04:58 0 d-----w- c:\docume~1\compaq~1\applic~1\GetRightToGo
2010-01-12 22:58:05 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-15 01:43:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-15 01:43:59 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-22 05:04:12 39 ----a-w- c:\documents and settings\compaq_administrator\jagex_runescape_preferences.dat
2009-12-22 04:45:14 69 ----a-w- c:\documents and settings\compaq_administrator\jagex_runescape_preferences2.dat
2009-12-09 02:33:43 23362 ----a-w- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2009-12-02 07:53:53 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-02 07:53:53 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-02 07:53:32 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys

============= FINISH: 1:37:11.43 ===============

Enjoy!


#2 thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:33 AM

Posted 16 January 2010 - 11:46 PM


Hello Mr. Christopher :) Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I need for you to run another scan for me:


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    • Registry
    • Files
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Mr. Christopher

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:33 PM

Posted 19 January 2010 - 12:47 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-19 11:44:48
Windows 5.1.2600 Service Pack 3
Running: b96b6wrt.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\afddypog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwCreateFile [0xEC0D636A]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwOpenFile [0xEC0D6CD8]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryDirectoryFile [0xEC0D6842]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryInformationProcess [0xEC0D31E0]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwSetInformationFile [0xEC0D7142]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 866F3618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

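A defender's triage aid for logs in the GMER 1.0.15 text format posted above, added here as an example; it is not part of the thread and not GMER's own code. It parses the SSDT, AttachedDevice, "Device ->" and File lines into a structured report and groups the SSDT hooks by the module their targets live in, so an analyst can see at a glance which driver owns the hooks and which file GMER considers modified on disk. The embedded sample log is constructed from a few lines of the posted one; the function and regex names are the example's own.

```python
"""Triage helper for GMER 1.0.15 rootkit-scan logs (added example, not GMER's code)."""
import re
from collections import defaultdict

# Constructed sample modelled on the GMER log in this thread; a few lines are
# enough to exercise every parser branch.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-19 11:44:48
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwCreateFile [0xEC0D636A]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryDirectoryFile [0xEC0D6842]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 866F3618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# One regex per GMER line type that appears in the log above.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)\s+\((?P<desc>.*)\)$")
DEVICE_RE = re.compile(r"^Device -> (?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-Fa-f]+)$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")


def basename(path):
    # Last component of a Windows path; GMER prints the module with a
    # native-format prefix, so split on either separator and keep the tail.
    return re.split(r"[\\/]", path)[-1]


def parse_gmer(text):
    """Split a GMER log into its System, Devices and Files findings."""
    report = {"ssdt": [], "attached": [], "device": [], "files": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            report["ssdt"].append(m.groupdict())
        elif m := ATTACHED_RE.match(line):
            report["attached"].append(m.groupdict())
        elif m := DEVICE_RE.match(line):
            report["device"].append(m.groupdict())
        elif m := FILE_RE.match(line):
            report["files"].append(m.group("path"))
    return report


def hooks_by_module(report):
    """Group hooked SSDT entries by the module the hook points into."""
    hooks = defaultdict(list)
    for entry in report["ssdt"]:
        hooks[basename(entry["module"])].append(entry["func"])
    return dict(hooks)


def summarize(report):
    """Human-readable findings; the analyst decides what, if anything, to act on."""
    findings = []
    for module, funcs in hooks_by_module(report).items():
        findings.append("SSDT: %s hooks %d service(s): %s" % (module, len(funcs), ", ".join(funcs)))
    for d in report["device"]:
        findings.append("Device: %s under %s flagged at %s" % (d["device"], d["driver"], d["addr"]))
    for path in report["files"]:
        findings.append("File: %s reported as modified on disk" % path)
    # Attached filter drivers are context, not verdicts: AV and OEM filters are normal.
    for a in report["attached"]:
        findings.append("Filter: %s on %s (%s)" % (a["module"], a["device"], a["desc"]))
    return findings


if __name__ == "__main__":
    for finding in summarize(parse_gmer(SAMPLE_LOG)):
        print(finding)
```

Run it against a saved Gmer.txt by replacing SAMPLE_LOG with the file's contents; the output lists the facts GMER reported and leaves the verdict to the person reading the log, as the thread's helper does.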

#4 thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:33 AM

Posted 19 January 2010 - 01:17 PM

Appears you have a rootkit.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5 Mr. Christopher

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:33 PM

Posted 20 January 2010 - 12:23 PM

ComboFix 10-01-19.08 - Compaq_Administrator 01/20/2010 11:00:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.543 [GMT -6:00]
Running from: c:\documents and settings\Compaq_Administrator\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Compaq_Administrator\Application Data\.#
c:\windows\kb913800.exe
c:\windows\system32\bszip.dll
c:\windows\system32\Data
c:\windows\system32\Data\CT0060W.DAT
c:\windows\system32\Data\CTEAPSW.DAT
c:\windows\system32\Data\CTEDSP2W.DAT
c:\windows\system32\Data\CTEDSPKW.DAT
c:\windows\system32\Data\CTEDSPLW.DAT
c:\windows\system32\Data\CTEDSPPW.DAT
c:\windows\system32\Data\CTEDSPTW.DAT
c:\windows\system32\Data\CTEDSPUW.DAT
c:\windows\system32\Data\CTEDSPW.DAT
c:\windows\system32\Data\CTP0060W.DAT
c:\windows\system32\Data\CTP0061W.DAT
c:\windows\system32\Data\CTP0070W.DAT
c:\windows\system32\Data\CTP0073W.DAT
c:\windows\system32\Data\CTP0090W.DAT
c:\windows\system32\Data\CTP0091W.DAT
c:\windows\system32\Data\CTP0092W.DAT
c:\windows\system32\Data\CTP0095W.DAT
c:\windows\system32\Data\CTP0100W.DAT
c:\windows\system32\Data\CTP0101W.DAT
c:\windows\system32\Data\CTP0102W.DAT
c:\windows\system32\Data\CTP0103W.DAT
c:\windows\system32\Data\CTP0105W.DAT
c:\windows\system32\Data\CTP0150W.DAT
c:\windows\system32\Data\CTP0161W.DAT
c:\windows\system32\Data\CTP0162W.DAT
c:\windows\system32\Data\CTP0170W.DAT
c:\windows\system32\Data\CTP017AW.DAT
c:\windows\system32\Data\CTP017BW.DAT
c:\windows\system32\Data\CTP017CW.DAT
c:\windows\system32\Data\CTP017DW.DAT
c:\windows\system32\Data\CTP017EW.DAT
c:\windows\system32\Data\CTP017FW.DAT
c:\windows\system32\Data\CTP017GW.DAT
c:\windows\system32\Data\CTP017HW.DAT
c:\windows\system32\Data\CTP0191W.DAT
c:\windows\system32\Data\CTP0192W.DAT
c:\windows\system32\Data\CTP0221W.DAT
c:\windows\system32\Data\CTP0222W.DAT
c:\windows\system32\Data\CTP0230W.DAT
c:\windows\system32\Data\CTP0231W.DAT
c:\windows\system32\Data\CTP0232W.DAT
c:\windows\system32\Data\CTP0238W.DAT
c:\windows\system32\Data\CTP0240W.DAT
c:\windows\system32\Data\CTP0242W.DAT
c:\windows\system32\Data\CTP0243W.DAT
c:\windows\system32\Data\CTP0244W.DAT
c:\windows\system32\Data\CTP0245W.DAT
c:\windows\system32\Data\CTP0246W.DAT
c:\windows\system32\Data\CTP0249W.DAT
c:\windows\system32\Data\CTP0280W.DAT
c:\windows\system32\Data\CTP0320W.DAT
c:\windows\system32\Data\CTP0350W.DAT
c:\windows\system32\Data\CTP0352W.DAT
c:\windows\system32\Data\CTP0355W.DAT
c:\windows\system32\Data\CTP0358W.DAT
c:\windows\system32\Data\CTP0359W.DAT
c:\windows\system32\Data\CTP0360W.DAT
c:\windows\system32\Data\CTP0380W.DAT
c:\windows\system32\Data\CTP0400W.DAT
c:\windows\system32\Data\CTP0530L.DAT
c:\windows\system32\Data\CTP0530W.DAT
c:\windows\system32\Data\CTP0600W.DAT
c:\windows\system32\Data\CTP0610W.DAT
c:\windows\system32\Data\CTP0669W.DAT
c:\windows\system32\Data\CTP1140W.DAT
c:\windows\system32\Data\CTP4620W.DAT
c:\windows\system32\Data\CTP4670W.DAT
c:\windows\system32\Data\CTP4760W.DAT
c:\windows\system32\Data\CTP4780W.DAT
c:\windows\system32\Data\CTP4790W.DAT
c:\windows\system32\Data\CTP4820W.DAT
c:\windows\system32\Data\CTP4830W.DAT
c:\windows\system32\Data\CTP4831W.DAT
c:\windows\system32\Data\CTP4832W.DAT
c:\windows\system32\Data\CTP4840W.DAT
c:\windows\system32\Data\CTP4850W.DAT
c:\windows\system32\Data\CTP4870W.DAT
c:\windows\system32\Data\CTP4871W.DAT
c:\windows\system32\Data\CTP4872W.DAT
c:\windows\system32\Data\CTP4875W.DAT
c:\windows\system32\Data\CTP4890W.DAT
c:\windows\system32\Data\CTP4891W.DAT
c:\windows\system32\Data\CTP4893W.DAT
c:\windows\system32\Data\CTPDXW.DAT
c:\windows\system32\Data\CTPM002W.DAT
c:\windows\system32\ps2.bat
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-20 16:52 . 2010-01-20 16:52 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\AVG9
2010-01-14 22:55 . 2010-01-14 22:55 -------- d-----w- c:\program files\ScenicReflections
2010-01-14 22:05 . 2010-01-14 22:05 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\elefundesktops
2010-01-14 22:04 . 2010-01-14 22:05 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\GetRightToGo
2010-01-12 22:58 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-20 16:48 . 2009-12-02 07:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-20 16:47 . 2006-03-03 09:21 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-20 05:39 . 2009-12-05 18:20 0 ----a-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\prvlcl.dat
2010-01-20 05:19 . 2004-08-10 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-16 21:24 . 2004-08-10 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys.tmp
2010-01-15 05:56 . 2009-09-25 15:41 -------- d-----w- c:\program files\Glary Utilities
2010-01-15 05:47 . 2009-12-11 03:20 -------- d-----w- c:\program files\Spyware Terminator
2010-01-15 05:44 . 2007-10-18 01:39 -------- d-----w- c:\program files\Cakewalk
2010-01-15 05:39 . 2006-03-10 03:48 -------- d-----w- c:\program files\MadTracker
2010-01-15 05:38 . 2005-11-11 21:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-15 05:37 . 2005-11-11 21:41 -------- d-----w- c:\program files\Google
2010-01-15 05:37 . 2007-09-07 21:51 -------- d-----w- c:\program files\EAGLE-4.16r2
2010-01-14 22:05 . 2010-01-14 22:05 1609732 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\elefundesktops\gothicfireplace_wallpaper\swfplayer.exe
2010-01-08 06:01 . 2006-05-18 00:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-31 16:44 . 2009-12-02 14:26 3966744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-22 15:50 . 2009-12-12 17:14 4043544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-22 15:50 . 2010-01-18 14:31 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-22 05:04 . 2008-10-25 15:24 39 ----a-w- c:\documents and settings\Compaq_Administrator\jagex_runescape_preferences.dat
2009-12-22 04:45 . 2009-11-26 23:55 69 ----a-w- c:\documents and settings\Compaq_Administrator\jagex_runescape_preferences2.dat
2009-12-10 07:35 . 2007-04-23 21:53 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-12-10 01:04 . 2005-11-11 21:15 76816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-09 02:33 . 2006-05-04 04:44 23362 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\wklnhst.dat
2009-12-07 17:58 . 2009-12-07 17:58 -------- d-----w- c:\program files\Trend Micro
2009-12-02 08:04 . 2007-07-28 06:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-02 07:54 . 2009-04-08 16:02 -------- d-----w- c:\program files\AVG
2009-12-02 07:53 . 2009-04-08 16:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-02 07:53 . 2009-04-08 16:02 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-02 07:53 . 2009-04-08 16:02 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-02 07:53 . 2009-04-08 16:02 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-02 07:05 . 2007-07-28 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-02 06:39 . 2009-12-02 06:39 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-12-02 06:39 . 2009-12-02 06:39 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-12-02 06:39 . 2009-12-02 06:39 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-02 06:39 . 2009-12-02 06:39 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-01 16:21 . 2009-12-01 16:21 -------- d-----w- c:\program files\MSXML 4.0
2009-12-01 03:35 . 2009-06-25 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-12-01 03:31 . 2005-11-11 21:22 -------- d-----w- c:\program files\Hewlett-Packard
2009-12-01 03:31 . 2005-11-11 21:11 -------- d-----w- c:\program files\HP
2009-12-01 03:29 . 2009-04-09 05:18 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\GlarySoft
2009-12-01 03:24 . 2005-11-11 21:12 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-01 03:04 . 2007-07-23 22:03 -------- d-----w- c:\program files\support.com
2009-12-01 03:04 . 2007-05-27 23:44 -------- d-----w- c:\program files\Winamp
2009-12-01 03:04 . 2009-03-24 21:26 -------- d-----w- c:\program files\QuickTime
2009-12-01 03:04 . 2007-08-21 19:21 -------- d-----w- c:\program files\Kyodai Mahjongg 2006
2009-12-01 03:04 . 2007-02-03 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-12-01 03:04 . 2006-05-05 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-11-21 15:51 . 2004-08-10 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-31 2033432]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ps2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-14 344064]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-11 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-6-7 113664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-13 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-02 07:53 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 05:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"AlwaysReady Power Message APP"=ARPWRMSG.EXE
"CTHelper"=CTHELPER.EXE
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_05\bin\jusched.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"ehTray"=c:\windows\ehome\ehtray.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPwuSchd2.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE
"RECGUARD"=c:\windows\SMINST\RECGUARD.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [6/7/2006 1:20 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/8/2009 10:02 AM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/8/2009 10:02 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/2/2009 1:53 AM 285392]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [4/13/2009 5:39 PM 10384]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2/18/2007 9:42 PM 73216]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [10/17/2007 7:56 PM 13504]
S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [10/17/2007 7:56 PM 22304]
.
Contents of the 'Scheduled Tasks' folder

2010-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-20 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-09-25 18:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\i441wkuh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-20 11:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 1176 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-552205789-135633194-1869049786-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-552205789-135633194-1869049786-1008\Software\SecuROM\License information*]
"datasecu"=hex:a7,8b,c4,93,9f,f2,b0,76,3e,5a,ae,5b,b0,33,ef,df,bc,e7,46,e7,4d,
6d,42,78,5f,7d,20,30,5d,4f,c7,df,20,00,69,09,6c,c7,cd,bd,7a,c8,0d,75,6d,ab,\
"rkeysecu"=hex:94,3c,ac,50,fa,ea,3f,00,ed,47,c8,cd,93,71,36,f5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3136)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-20 11:19:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-20 17:19

Pre-Run: 71,688,892,416 bytes free
Post-Run: 71,828,082,688 bytes free

- - End Of File - - C2A1E3B967941B0679912A9D480BE86A


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 20 January 2010 - 01:09 PM

I need for you to have the following file checked. When you post the results, also let me know if you are still getting redirects.



Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\prvlcl.dat
Click Send.
Please post the results of this scan to this thread.







If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 Mr. Christopher

Mr. Christopher
  • Topic Starter

  • Members
  • 11 posts

Posted 20 January 2010 - 10:59 PM

0 bytes size received / An empty file has been received

It seems like it stopped, but did we do anything? I thought we were just doing diagnostic stuff...

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 20 January 2010 - 11:26 PM

Oh no, we did much more than just diagnostics. ComboFix is our foremost tool for removal, and although it is a tool that should not be used except by those who have been trained in its use, it is a blessing to us who deal with this stuff day in and day out.

This is what it found and removed:

QUOTE
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Compaq_Administrator\Application Data\.#
c:\windows\kb913800.exe
c:\windows\system32\bszip.dll
c:\windows\system32\Data
c:\windows\system32\Data\CT0060W.DAT
c:\windows\system32\Data\CTEAPSW.DAT
c:\windows\system32\Data\CTEDSP2W.DAT
c:\windows\system32\Data\CTEDSPKW.DAT
c:\windows\system32\Data\CTEDSPLW.DAT
c:\windows\system32\Data\CTEDSPPW.DAT
c:\windows\system32\Data\CTEDSPTW.DAT
c:\windows\system32\Data\CTEDSPUW.DAT
c:\windows\system32\Data\CTEDSPW.DAT
c:\windows\system32\Data\CTP0060W.DAT
c:\windows\system32\Data\CTP0061W.DAT
c:\windows\system32\Data\CTP0070W.DAT
c:\windows\system32\Data\CTP0073W.DAT
c:\windows\system32\Data\CTP0090W.DAT
c:\windows\system32\Data\CTP0091W.DAT
c:\windows\system32\Data\CTP0092W.DAT
c:\windows\system32\Data\CTP0095W.DAT
c:\windows\system32\Data\CTP0100W.DAT
c:\windows\system32\Data\CTP0101W.DAT
c:\windows\system32\Data\CTP0102W.DAT
c:\windows\system32\Data\CTP0103W.DAT
c:\windows\system32\Data\CTP0105W.DAT
c:\windows\system32\Data\CTP0150W.DAT
c:\windows\system32\Data\CTP0161W.DAT
c:\windows\system32\Data\CTP0162W.DAT
c:\windows\system32\Data\CTP0170W.DAT
c:\windows\system32\Data\CTP017AW.DAT
c:\windows\system32\Data\CTP017BW.DAT
c:\windows\system32\Data\CTP017CW.DAT
c:\windows\system32\Data\CTP017DW.DAT
c:\windows\system32\Data\CTP017EW.DAT
c:\windows\system32\Data\CTP017FW.DAT
c:\windows\system32\Data\CTP017GW.DAT
c:\windows\system32\Data\CTP017HW.DAT
c:\windows\system32\Data\CTP0191W.DAT
c:\windows\system32\Data\CTP0192W.DAT
c:\windows\system32\Data\CTP0221W.DAT
c:\windows\system32\Data\CTP0222W.DAT
c:\windows\system32\Data\CTP0230W.DAT
c:\windows\system32\Data\CTP0231W.DAT
c:\windows\system32\Data\CTP0232W.DAT
c:\windows\system32\Data\CTP0238W.DAT
c:\windows\system32\Data\CTP0240W.DAT
c:\windows\system32\Data\CTP0242W.DAT
c:\windows\system32\Data\CTP0243W.DAT
c:\windows\system32\Data\CTP0244W.DAT
c:\windows\system32\Data\CTP0245W.DAT
c:\windows\system32\Data\CTP0246W.DAT
c:\windows\system32\Data\CTP0249W.DAT
c:\windows\system32\Data\CTP0280W.DAT
c:\windows\system32\Data\CTP0320W.DAT
c:\windows\system32\Data\CTP0350W.DAT
c:\windows\system32\Data\CTP0352W.DAT
c:\windows\system32\Data\CTP0355W.DAT
c:\windows\system32\Data\CTP0358W.DAT
c:\windows\system32\Data\CTP0359W.DAT
c:\windows\system32\Data\CTP0360W.DAT
c:\windows\system32\Data\CTP0380W.DAT
c:\windows\system32\Data\CTP0400W.DAT
c:\windows\system32\Data\CTP0530L.DAT
c:\windows\system32\Data\CTP0530W.DAT
c:\windows\system32\Data\CTP0600W.DAT
c:\windows\system32\Data\CTP0610W.DAT
c:\windows\system32\Data\CTP0669W.DAT
c:\windows\system32\Data\CTP1140W.DAT
c:\windows\system32\Data\CTP4620W.DAT
c:\windows\system32\Data\CTP4670W.DAT
c:\windows\system32\Data\CTP4760W.DAT
c:\windows\system32\Data\CTP4780W.DAT
c:\windows\system32\Data\CTP4790W.DAT
c:\windows\system32\Data\CTP4820W.DAT
c:\windows\system32\Data\CTP4830W.DAT
c:\windows\system32\Data\CTP4831W.DAT
c:\windows\system32\Data\CTP4832W.DAT
c:\windows\system32\Data\CTP4840W.DAT
c:\windows\system32\Data\CTP4850W.DAT
c:\windows\system32\Data\CTP4870W.DAT
c:\windows\system32\Data\CTP4871W.DAT
c:\windows\system32\Data\CTP4872W.DAT
c:\windows\system32\Data\CTP4875W.DAT
c:\windows\system32\Data\CTP4890W.DAT
c:\windows\system32\Data\CTP4891W.DAT
c:\windows\system32\Data\CTP4893W.DAT
c:\windows\system32\Data\CTPDXW.DAT
c:\windows\system32\Data\CTPM002W.DAT
c:\windows\system32\ps2.bat
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p



The infected atapi.sys file was a rootkit and responsible for the redirection problems along with cloaking other things. Sometimes CF will remove it and sometimes we have to use other methods.



I would like for you to perform a scan to look for any remnants.



It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:



Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
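The ComboFix report above is what the helper read to spot the infected atapi.sys: a core driver whose creation date is the 2004 XP install date but whose modification time is days old, at the same 96512-byte size as the original. The script below is an added example, not part of the thread and not ComboFix's own code. It parses the five-column "Files Created" / "Find3M" lines (modified time, created time, size, attribute flags, path), flags files under system32 or system32\drivers that were modified within the last two weeks but created years earlier, and lists zero-byte files, which is why the VirusTotal submission of prvlcl.dat came back "0 bytes size received". The sample lines are copied from the logs posted in this thread; the 14-day and 2-year thresholds, and using the newest entry as the report time, are the script's own choices. A hit is a candidate for a hash comparison against a known-good copy, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# One ComboFix report line looks like:
#   2010-01-20 05:19 . 2004-08-10 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
# columns: modified-time . created-time size attrs path
# size is "--------" for directories; attrs are d(ir) h(idden) a(rchive) w(ritable) flags.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(\d+|-{8})\s+"
    r"([d-][-a-z]{7})\s+"
    r"(.+?)\s*$"
)

# Sample lines copied from the ComboFix logs in this thread (constructed test input).
SAMPLE_LINES = r"""
2010-01-22 04:26 . 2009-12-02 07:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-21 04:40 . 2009-12-05 18:20 0 ----a-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\prvlcl.dat
2010-01-20 05:19 . 2004-08-10 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-16 21:24 . 2004-08-10 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys.tmp
2010-01-12 22:58 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-08 06:01 . 2006-05-18 00:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-21 15:51 . 2004-08-10 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2004-08-10 12:00 916480 ------w- c:\windows\system32\wininet.dll
""".strip().splitlines()


@dataclass
class Entry:
    modified: datetime
    created: datetime
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_report(lines) -> List[Entry]:
    """Parse every ComboFix file line; banners, dots and blank lines are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mod, cre, size, attrs, path = m.groups()
        entries.append(Entry(
            datetime.strptime(mod, "%Y-%m-%d %H:%M"),
            datetime.strptime(cre, "%Y-%m-%d %H:%M"),
            None if size.startswith("-") else int(size),
            attrs,
            path,
        ))
    return entries


# Locations and extensions a kernel rootkit is most likely to overwrite in place.
# ".sys.tmp" is included because the log shows a leftover copy of atapi.sys with that suffix.
CORE_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")
CORE_EXT = (".sys", ".dll", ".exe", ".sys.tmp")


def recently_modified_core_files(entries, recent_days=14, min_age_days=730):
    """Paths of core binaries modified recently but created long ago (heuristic thresholds)."""
    if not entries:
        return []
    report_time = max(e.modified for e in entries)   # newest entry stands in for the report time
    hits = []
    for e in entries:
        p = e.path.lower()
        if e.is_dir or not p.startswith(CORE_DIRS) or not p.endswith(CORE_EXT):
            continue
        recent = report_time - e.modified <= timedelta(days=recent_days)
        old_file = e.modified - e.created >= timedelta(days=min_age_days)
        if recent and old_file:
            hits.append(e.path)
    return hits


def empty_files(entries):
    """Zero-byte files: an online scanner will reject these, as happened with prvlcl.dat."""
    return [e.path for e in entries if not e.is_dir and e.size == 0]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_LINES)
    for path in recently_modified_core_files(parsed):
        print("check hash:", path)
    for path in empty_files(parsed):
        print("empty file:", path)
```

Run against a full ComboFix.txt by reading the file into `parse_report`; only atapi.sys and its .tmp copy come out of the sample, while wininet.dll (patched months earlier) and the recently refreshed dllcache\aclayers.dll (created only weeks before it was modified) stay quiet.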

#9 Mr. Christopher

Mr. Christopher
  • Topic Starter

  • Members
  • 11 posts

Posted 21 January 2010 - 12:05 AM

Can't seem to run the scan, and everything is incredibly slow...

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 21 January 2010 - 01:57 AM

Run GMER once again and post the log it produces.

#11 Mr. Christopher

Mr. Christopher
  • Topic Starter

  • Members
  • 11 posts

Posted 21 January 2010 - 10:20 AM

GMER is going very slowly... I have to go to work, so I'm going to quit for now, I'll try again when I get home tonight.

#12 Mr. Christopher

Mr. Christopher
  • Topic Starter

  • Members
  • 11 posts

Posted 21 January 2010 - 11:06 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-21 22:03:23
Windows 5.1.2600 Service Pack 3
Running: jkhlb8zl.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\afddypog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwCreateFile [0xF787436A]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwOpenFile [0xF7874CD8]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryDirectoryFile [0xF7874842]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryInformationProcess [0xF78711E0]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwSetInformationFile [0xF7875142]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread avgrsx.exe [1128:128] 003AC679
Thread avgrsx.exe [1128:3280] 0208C679
Thread avgrsx.exe [1128:2356] 020BC679
Thread avgcsrvx.exe [1352:2364] 066BC679
Thread avgcsrvx.exe [1352:3824] 066FC679
Thread avgcsrvx.exe [1352:3288] 0673C679

---- EOF - GMER 1.0.15 ----
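The GMER log above lists every SSDT hook, attached filter device and suspicious thread it could find, and the helper's next reply judges it clean. The following script is an added example, not part of the thread and not GMER's code. It parses GMER's text output into three tables: which module installs which system-call hooks, which driver is attached to which device stack, and which processes own the flagged threads. It also marks any single module whose hook set covers ZwCreateFile, ZwOpenFile and ZwQueryDirectoryFile together, because that combination is what a kernel module needs to hide files from every user-mode scanner. Whether such a module is a security product or malware is the analyst's decision from its path and vendor; the script only makes the grouping visible. The sample lines are the ones posted above.

```python
import re
from collections import defaultdict

# SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwCreateFile [0xF787436A]
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s+\[0x([0-9A-Fa-f]+)\]$")
# AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
DEVICE_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)$")
# Thread avgrsx.exe [1128:128] 003AC679
THREAD_RE = re.compile(r"^Thread\s+(\S+)\s+\[(\d+):(\d+)\]\s+([0-9A-Fa-f]+)$")

# Hooking these three calls together lets a module filter directory listings and opens,
# i.e. hide files from user-mode tools. Security products hook them too, so this is a
# review marker, not a verdict.
FILE_HIDING_SET = {"ZwQueryDirectoryFile", "ZwCreateFile", "ZwOpenFile"}

# Lines copied from the GMER log posted in this thread (constructed test input).
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwCreateFile [0xF787436A]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwOpenFile [0xF7874CD8]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryDirectoryFile [0xF7874842]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryInformationProcess [0xF78711E0]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwSetInformationFile [0xF7875142]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Threads - GMER 1.0.15 ----

Thread avgrsx.exe [1128:128] 003AC679
Thread avgrsx.exe [1128:3280] 0208C679
Thread avgrsx.exe [1128:2356] 020BC679
Thread avgcsrvx.exe [1352:2364] 066BC679
Thread avgcsrvx.exe [1352:3824] 066FC679
Thread avgcsrvx.exe [1352:3288] 0673C679

---- EOF - GMER 1.0.15 ----
""".strip().splitlines()


def parse_gmer(lines):
    """Group a GMER text log by the module responsible for each finding."""
    ssdt = defaultdict(set)       # driver file name -> set of hooked Zw* calls
    devices = defaultdict(list)   # filter driver -> [(device, vendor description)]
    threads = defaultdict(list)   # process name -> [(tid, start address)]
    for raw in lines:
        line = raw.strip()
        if m := SSDT_RE.match(line):
            module_path, syscall, _addr = m.groups()
            ssdt[module_path.rsplit("\\", 1)[-1]].add(syscall)   # keep the file name only
        elif m := DEVICE_RE.match(line):
            _driver_obj, device, filter_drv, desc = m.groups()
            devices[filter_drv].append((device, desc))
        elif m := THREAD_RE.match(line):
            proc, _pid, tid, addr = m.groups()
            threads[proc].append((int(tid), addr))
    return {"ssdt": dict(ssdt), "devices": dict(devices), "threads": dict(threads)}


def hooking_summary(parsed):
    """(module, number of hooks, hooks the full file-hiding set?) for each hooking module."""
    return [(module, len(calls), FILE_HIDING_SET <= calls)
            for module, calls in sorted(parsed["ssdt"].items())]


if __name__ == "__main__":
    result = parse_gmer(GMER_SAMPLE)
    for module, count, can_hide in hooking_summary(result):
        print(f"{module}: {count} SSDT hooks{' (file-hiding capable)' if can_hide else ''}")
    for drv, stacks in result["devices"].items():
        print(f"{drv}: attached to {len(stacks)} device(s), {stacks[0][1]}")
```

On this log every SSDT hook comes from one driver and every attached device carries a vendor description, which is the shape of a log a reviewer can clear quickly; hooks from a module with no path or no vendor string are the ones to chase.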


#13 Mr. Christopher

Mr. Christopher
  • Topic Starter

  • Members
  • 11 posts

Posted 21 January 2010 - 11:11 PM

This thing seems to be actively fighting back; the computer shut itself down twice as I was trying to post the GMER log.

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 21 January 2010 - 11:28 PM

GMER log looks OK. I'm not sure what is happening here since the atapi.sys infection was removed and that was the main thing I saw. Go ahead and run ComboFix once more but before you do delete the version you have and download a new one from below:


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.


When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#15 Mr. Christopher

Mr. Christopher
  • Topic Starter

  • Members
  • 11 posts

Posted 22 January 2010 - 12:55 AM

ComboFix 10-01-21.02 - Compaq_Administrator 01/21/2010 23:35:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.667 [GMT -6:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-20 16:52 . 2010-01-20 16:52 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\AVG9
2010-01-14 22:55 . 2010-01-14 22:55 -------- d-----w- c:\program files\ScenicReflections
2010-01-14 22:05 . 2010-01-14 22:05 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\elefundesktops
2010-01-14 22:04 . 2010-01-14 22:05 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\GetRightToGo
2010-01-12 22:58 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-22 04:26 . 2009-12-02 07:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-22 04:07 . 2006-03-03 09:21 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-21 04:49 . 2005-11-11 20:58 -------- d-----w- c:\program files\Common Files\Java
2010-01-21 04:49 . 2010-01-21 04:49 61440 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-32c97d80-n\decora-sse.dll
2010-01-21 04:49 . 2010-01-21 04:49 503808 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-32c97d80-n\msvcp71.dll
2010-01-21 04:49 . 2010-01-21 04:49 499712 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-32c97d80-n\jmc.dll
2010-01-21 04:49 . 2010-01-21 04:49 348160 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-32c97d80-n\msvcr71.dll
2010-01-21 04:49 . 2010-01-21 04:49 12800 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-32c97d80-n\decora-d3d.dll
2010-01-21 04:49 . 2010-01-21 04:49 315392 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-433c4559-n\jogl.dll
2010-01-21 04:49 . 2010-01-21 04:49 20480 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-433c4559-n\jogl_awt.dll
2010-01-21 04:49 . 2010-01-21 04:49 114688 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-433c4559-n\jogl_cg.dll
2010-01-21 04:49 . 2010-01-21 04:49 20480 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\4f710eed-7e820a68-n\gluegen-rt.dll
2010-01-21 04:47 . 2005-11-11 20:58 -------- d-----w- c:\program files\Java
2010-01-21 04:40 . 2009-12-05 18:20 0 ----a-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\prvlcl.dat
2010-01-20 05:19 . 2004-08-10 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-16 21:24 . 2004-08-10 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys.tmp
2010-01-15 05:56 . 2009-09-25 15:41 -------- d-----w- c:\program files\Glary Utilities
2010-01-15 05:47 . 2009-12-11 03:20 -------- d-----w- c:\program files\Spyware Terminator
2010-01-15 05:44 . 2007-10-18 01:39 -------- d-----w- c:\program files\Cakewalk
2010-01-15 05:39 . 2006-03-10 03:48 -------- d-----w- c:\program files\MadTracker
2010-01-15 05:38 . 2005-11-11 21:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-15 05:37 . 2005-11-11 21:41 -------- d-----w- c:\program files\Google
2010-01-15 05:37 . 2007-09-07 21:51 -------- d-----w- c:\program files\EAGLE-4.16r2
2010-01-14 22:05 . 2010-01-14 22:05 1609732 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\elefundesktops\gothicfireplace_wallpaper\swfplayer.exe
2010-01-08 06:01 . 2006-05-18 00:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-31 16:44 . 2009-12-02 14:26 3966744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-22 05:04 . 2008-10-25 15:24 39 ----a-w- c:\documents and settings\Compaq_Administrator\jagex_runescape_preferences.dat
2009-12-22 04:45 . 2009-11-26 23:55 69 ----a-w- c:\documents and settings\Compaq_Administrator\jagex_runescape_preferences2.dat
2009-12-17 23:14 . 2009-04-09 15:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-10 07:35 . 2007-04-23 21:53 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-12-10 01:04 . 2005-11-11 21:15 76816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-09 02:33 . 2006-05-04 04:44 23362 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\wklnhst.dat
2009-12-07 17:58 . 2009-12-07 17:58 -------- d-----w- c:\program files\Trend Micro
2009-12-02 08:04 . 2007-07-28 06:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-02 07:54 . 2009-04-08 16:02 -------- d-----w- c:\program files\AVG
2009-12-02 07:05 . 2007-07-28 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-02 06:39 . 2009-12-02 06:39 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-12-02 06:39 . 2009-12-02 06:39 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-12-02 06:39 . 2009-12-02 06:39 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-02 06:39 . 2009-12-02 06:39 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-01 16:21 . 2009-12-01 16:21 -------- d-----w- c:\program files\MSXML 4.0
2009-12-01 03:31 . 2005-11-11 21:22 -------- d-----w- c:\program files\Hewlett-Packard
2009-12-01 03:31 . 2005-11-11 21:11 -------- d-----w- c:\program files\HP
2009-12-01 03:29 . 2009-04-09 05:18 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\GlarySoft
2009-12-01 03:24 . 2005-11-11 21:12 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-01 03:04 . 2007-07-23 22:03 -------- d-----w- c:\program files\support.com
2009-12-01 03:04 . 2007-05-27 23:44 -------- d-----w- c:\program files\Winamp
2009-12-01 03:04 . 2009-03-24 21:26 -------- d-----w- c:\program files\QuickTime
2009-12-01 03:04 . 2007-08-21 19:21 -------- d-----w- c:\program files\Kyodai Mahjongg 2006
2009-12-01 03:04 . 2007-02-03 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-12-01 03:04 . 2006-05-05 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-11-21 15:51 . 2004-08-10 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2004-08-10 12:00 916480 ------w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ps2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-11 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 05:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"AlwaysReady Power Message APP"=ARPWRMSG.EXE
"CTHelper"=CTHELPER.EXE
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"ehTray"=c:\windows\ehome\ehtray.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPwuSchd2.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE
"RECGUARD"=c:\windows\SMINST\RECGUARD.EXE
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"hpsysdrv"=c:\windows\system\hpsysdrv.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [6/7/2006 1:20 PM 11264]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [4/13/2009 5:39 PM 10384]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2/18/2007 9:42 PM 73216]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [10/17/2007 7:56 PM 13504]
S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [10/17/2007 7:56 PM 22304]
.
Contents of the 'Scheduled Tasks' folder

2010-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-22 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-09-25 18:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\i441wkuh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-21 23:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 1176 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-552205789-135633194-1869049786-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-552205789-135633194-1869049786-1008\Software\SecuROM\License information*]
"datasecu"=hex:a7,8b,c4,93,9f,f2,b0,76,3e,5a,ae,5b,b0,33,ef,df,bc,e7,46,e7,4d,
6d,42,78,5f,7d,20,30,5d,4f,c7,df,20,00,69,09,6c,c7,cd,bd,7a,c8,0d,75,6d,ab,\
"rkeysecu"=hex:94,3c,ac,50,fa,ea,3f,00,ed,47,c8,cd,93,71,36,f5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(764)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\OLDFAS~1.SCR
.
**************************************************************************
.
Completion time: 2010-01-21 23:52:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-22 05:52
ComboFix2.txt 2010-01-20 17:19

Pre-Run: 71,656,632,320 bytes free
Post-Run: 71,883,919,360 bytes free

- - End Of File - - 14430D8B342A07A6DC6F9978FDD8C023
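The ComboFix log above is raw tool output, and the lines a responder reads first are the firewall profile state (`"EnableFirewall"= 0`), any globally opened ports, the Run autostart entries, and whatever the catchme pass lists under "scanning hidden files". The script below is an added example, not part of this thread and not ComboFix or catchme code: it pulls those sections out of a log in this format and turns them into a triage list. The sample text is constructed from lines in the log above; the function names and severity labels are my own choices.

```python
"""Triage a ComboFix-style log for the entries an incident responder checks
first: Windows Firewall profile state, globally open ports, Run autostart
entries, and files the catchme rootkit scan reported as hidden.

Added example, not ComboFix's own code.  SAMPLE_LOG is constructed from
lines in the forum post's log (constructed input, trimmed to the relevant
sections)."""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ps2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

scanning hidden files ...


C:\sccfg.sys 1176 bytes

scan completed successfully
hidden files: 1
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                      # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')        # "name"= data
HIDDEN_FILE_RE = re.compile(r'^([A-Za-z]:\\\S.*?)\s+(\d+) bytes$')


def parse_reg_sections(text):
    """Return {key_path_lowercased: {value_name: raw_data}} for the
    REGEDIT4-style blocks ComboFix prints (Run keys, firewall policy)."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        header = KEY_RE.match(stripped)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        value = VALUE_RE.match(stripped)
        if value and current is not None:
            sections[current][value.group(1)] = value.group(2).strip()
    return sections


def parse_hidden_files(text):
    """Return [(path, size_bytes)] listed between catchme's
    'scanning hidden files ...' line and its 'scan completed' line."""
    found, in_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith('scanning hidden files'):
            in_block = True
            continue
        if stripped.startswith('scan completed'):
            in_block = False
        if in_block:
            entry = HIDDEN_FILE_RE.match(stripped)
            if entry:
                found.append((entry.group(1), int(entry.group(2))))
    return found


def triage(text):
    """Return a list of (severity, message) findings, most useful first
    for a responder: disabled firewall and hidden files are 'high',
    open ports 'medium', autostart entries 'info' (to be reviewed, not
    assumed bad)."""
    findings = []
    for key, values in parse_reg_sections(text).items():
        if key.endswith('firewallpolicy\\standardprofile'):
            # ComboFix prints the DWORD as e.g. "0 (0x0)"; 0 means disabled.
            if values.get('EnableFirewall', '').startswith('0'):
                findings.append(('high', 'Windows Firewall disabled in standard profile'))
        elif key.endswith('globallyopenports\\list'):
            for name in values:
                findings.append(('medium', f'globally open port {name}'))
        elif key.endswith('\\currentversion\\run'):
            for name, data in values.items():
                findings.append(('info', f'autostart {name}: {data}'))
    for path, size in parse_hidden_files(text):
        findings.append(('high', f'hidden file {path} ({size} bytes)'))
    return findings


if __name__ == '__main__':
    for severity, message in triage(SAMPLE_LOG):
        print(f'[{severity}] {message}')
```

On the log above this produces two `info` lines for the Run entries, a `high` for the disabled firewall, a `medium` for the ActiveSync port, and a `high` for `C:\sccfg.sys`. The `high` on a hidden file means "ask about it and check it", not "malicious": catchme reports anything hidden from the normal file APIs, which includes some copy-protection drivers, so the finding is a prompt for the helper, not a verdict.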




