Computer Issue...Virus? Trojan? Malware? Who knows.


This topic is locked
30 replies to this topic

#1 thegracelet

Posted 24 January 2010 - 12:39 AM

Hi folks!

I have a poor 5-year-old Dell that's having some severe problems. Here's a list of what I can see is wrong. I have AVG Free installed on my computer and occasionally try to sweep the computer of Malware by using Malwarebytes, but it doesn't seem to be doing the trick right now. (Currently, AVG Free has been catching some Trojans, but I know there's something else going on.)

-My PC's running extremely slowly, and has been for a while. I tried some techniques for speeding up Firefox and my PC, to no avail. From time to time I have had virus issues and have dealt with them all myself by researching troubleshooting techniques online, with reasonable success until now.

-When I search topics on google and click the links, my browser is redirecting me to other websites the first time I click on them. If I realize the error and then go back and click again, this doesn't happen again. It's sporadic about when it does this - sometimes I get to go where I want to, sometimes I get redirected.

-A few days ago I got infected by Antivirus Live, which popped up irritating ads saying I was "infected" every few minutes. I got rid of this using this tutorial - http://www.bleepingcomputer.com/virus-remo...-antivirus-live

-Then, however, I couldn't get out of the "safe mode with networking" that I used to fix that. Nothing I tried got me out of it, so I'm still using my PC in safe mode.

-After that, my Skype started sending me weird messages (from diplomas_here and some registry_? users) - like Spam. I blocked the offenders and this has stopped.

-Then, Internet Explorer has started opening on its own and spawning more and more webpages. This slows down my computer ridiculously. Nothing I have done has helped me close IE, and it keeps opening.

-When following the preliminary steps detailed by this forum, I had some difficulty with RootRepeal:

When I open RootRepeal, it shows this error:

FOPS - DeviceIoControl Error! Error Code = 0xc0000024
Extended Info(0x000000e4)

I press OK, click "Report," select what files to scan and the C drive, and get this error message:

Could not initialize driver! Please contact author!

I press OK, then get - Error dumping SSDT (oxc0000024)!

I press OK, the program attempts to scan, then I get the error - Attempt to read from address: 0x00000004

Press OK, another error: - DeviceIoControl Error! Error Code = 0x0

And then it crashes. I've tried a few times but have had no success with using RootRepeal.


Thanks so much for your help!!

<3 Grace


--

DDS (Ver_09-12-01.01) - NTFSx86
Run by Grace at 18:03:33.06 on Sat 01/23/2010
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.893.236 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\sttray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Users\Grace\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Grace\Downloads\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070508
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070508
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\users\grace\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [yekemariv] Rundll32.exe "c:\progra~2\kokuluga\kokuluga.dll",a
uRun: [jegoyutoti] Rundll32.exe "c:\programdata\nuyimuto\nuyimuto.dll",s
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\PhotoDownloader.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Google Pinyin 2 Autoupdater] "c:\program files\google\google pinyin 2\GooglePinyinDaemon.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\grace\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{53a01cc6-14b0-4512-a2e7-10d39bf83dc4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0249ED44-B640-45BD-8066-17F81BFDC050} - hxxp://etv.pomona.edu/STREAMPLAYER1.cab
DPF: {5459BAF4-09A9-422A-AB5C-5F114A7287B5} - hxxp://etv.pomona.edu/VBPLAYER.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {85887165-031A-4297-BC4E-6B246C120B9C} - hxxp://etv.pomona.edu/STREAMPLAYER4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {F50B3F13-19C4-11CF-AA9A-02608C9BABA2} - hxxp://etv.pomona.edu/STREAMPLAYER2.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\grace\appdata\roaming\mozilla\firefox\profiles\m2p0fmz1.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvbplayer.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\grace\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\grace\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-4 333192]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2007-6-18 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-4 360584]

=============== Created Last 30 ================

2010-01-23 22:30:27 0 d-----w- c:\programdata\wekenopo
2010-01-23 22:30:27 0 d-----w- c:\programdata\nuyimuto
2010-01-23 22:30:27 0 d-----w- c:\programdata\joyiyoja
2010-01-23 22:28:20 0 d-----w- c:\programdata\zugovela
2010-01-23 22:28:20 0 d-----w- c:\programdata\yavaneyu
2010-01-23 22:28:20 0 d-----w- c:\programdata\litugesi
2010-01-23 22:28:20 0 d-----w- c:\programdata\kokuluga
2010-01-22 21:53:35 0 d-----w- c:\programdata\nafugizu
2010-01-22 21:53:35 0 d-----w- c:\programdata\dumavuja
2010-01-22 21:47:59 0 d-----w- c:\programdata\jefosodi
2010-01-22 21:47:59 0 d-----w- c:\programdata\higesila
2010-01-22 21:47:58 0 d-----w- c:\programdata\gupeluju
2010-01-20 09:12:43 0 d-----w- c:\windows\pss
2010-01-20 06:07:37 0 dc----w- C:\a3ed6c568c1cabd7ec1effc8
2010-01-18 23:37:53 0 d-----w- c:\program files\MediaCoder
2010-01-15 07:33:36 0 dc----w- C:\b1604e9a36c5681968f7
2010-01-14 19:26:14 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-14 19:26:11 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-14 19:26:07 24064 ----a-w- c:\windows\system32\lpk.dll
2010-01-14 19:26:07 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-14 19:26:05 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-01-14 19:26:03 34304 ----a-w- c:\windows\system32\atmlib.dll

==================== Find3M ====================

2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-18 12:52:36 832512 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 12:48:23 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:46:10 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18:14 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45:07 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-11-03 19:05:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-03 13:01:14 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-03 12:57:03 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-10-29 07:59:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-07 11:12:53 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-08-07 11:12:53 86016 ----a-w- c:\windows\inf\infstor.dat
2009-08-07 11:12:53 51200 ----a-w- c:\windows\inf\infpub.dat
2008-12-10 17:49:51 174 --sha-w- c:\program files\desktop.ini
2008-06-11 17:49:44 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-06-06 18:10:55 16384 --sha-w- c:\windows\temp\cookies\index.dat
2007-06-06 18:10:55 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2007-06-06 18:10:55 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-05-08 02:51:56 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:07:44.36 ===============
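The Run entries and the "Created Last 30" directories in the log above carry the pattern a helper looks for first: a Run value that starts rundll32 to load a DLL out of ProgramData, from a folder whose name repeats the DLL's, created in the same minute as several sibling folders. The following is an added example, not code from the thread or from DDS, MBAM or GMER, that applies that reading to a constructed excerpt built from lines in the log above. The heuristics (ProgramData location, folder name equal to the DLL stem, lowercase-letters-only name) are assumptions drawn from this log, not a vendor rule.

```python
"""Triage the Run entries and 'Created Last 30' section of a DDS log.

Added example for this thread, not code from DDS, MBAM, GMER or the posters. The
heuristics below (rundll32 loading a DLL from ProgramData, folder name repeating the
DLL stem) are assumptions read off the log above, not a vendor rule.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt, in DDS's own line format, from entries that appear in the log above.
SAMPLE_DDS = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [yekemariv] Rundll32.exe "c:\progra~2\kokuluga\kokuluga.dll",a
uRun: [jegoyutoti] Rundll32.exe "c:\programdata\nuyimuto\nuyimuto.dll",s
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
2010-01-23 22:30:27 0 d-----w- c:\programdata\wekenopo
2010-01-23 22:30:27 0 d-----w- c:\programdata\nuyimuto
2010-01-23 22:28:20 0 d-----w- c:\programdata\kokuluga
2010-01-20 09:12:43 0 d-----w- c:\windows\pss
2010-01-18 23:37:53 0 d-----w- c:\program files\MediaCoder
"""

RUN_RE = re.compile(r'^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
DIR_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \S+ \d+ d\S+ (?P<path>.+)$')  # directory rows only
PROGRAMDATA = 'c:\\programdata\\'   # Vista's ProgramData; DDS also prints the alias progra~2

@dataclass
class Finding:
    hive: str
    name: str
    dll_path: str
    reasons: list = field(default_factory=list)

def normalize(path):
    """Lower-case and expand the progra~2 alias so both spellings compare equal."""
    return path.lower().replace('c:\\progra~2\\', PROGRAMDATA, 1)

def parse_run_entries(text):
    """(hive, name, command) for every uRun:/mRun: line."""
    matches = (RUN_RE.match(line.strip()) for line in text.splitlines())
    return [(m['hive'], m['name'], m['cmd']) for m in matches if m]

def rundll32_target(cmd):
    """DLL path when cmd launches rundll32 with a DLL argument, else None."""
    parts = cmd.strip().split(None, 1)
    if len(parts) < 2 or not parts[0].strip('"').lower().endswith('rundll32.exe'):
        return None
    arg = parts[1].strip()               # "<dll>",<export>  or  <dll>,<export>
    if arg.startswith('"'):
        end = arg.find('"', 1)
        return arg[1:end] if end > 0 else None
    return arg.split(',', 1)[0]

def under_programdata(path):
    return normalize(path).startswith(PROGRAMDATA)

def looks_generated(path):
    """Folder name equals the DLL stem and both are plain lowercase letters, the
    shape of the kokuluga entry above (a heuristic, not proof of anything)."""
    segs = normalize(path).split('\\')
    if len(segs) < 2 or not segs[-1].endswith('.dll'):
        return False
    stem, folder = segs[-1][:-4], segs[-2]
    return stem == folder and re.fullmatch(r'[a-z]{6,}', stem) is not None

def triage_autoruns(text):
    """Flag Run values where rundll32 loads a DLL from ProgramData or a generated-looking path."""
    findings = []
    for hive, name, cmd in parse_run_entries(text):
        dll = rundll32_target(cmd)
        if dll is None:
            continue
        reasons = []
        if under_programdata(dll):
            reasons.append('rundll32 loads a DLL from ProgramData')
        if looks_generated(dll):
            reasons.append('folder name repeats the DLL stem')
        if reasons:
            findings.append(Finding(hive, name, dll, reasons))
    return findings

def recent_programdata_dirs(text):
    """ProgramData directories listed in the 'Created Last 30' section."""
    rows = (DIR_RE.match(line.strip()) for line in text.splitlines())
    return [normalize(m['path']) for m in rows if m and under_programdata(m['path'])]

def orphan_dirs(text):
    """Recent ProgramData folders that no flagged Run value points into. A Run value
    can already be gone (MBAM removed one later in this thread) while its folder
    and the sibling folders created in the same minute remain, so list them too."""
    referenced = {normalize(f.dll_path).rsplit('\\', 1)[0] for f in triage_autoruns(text)}
    return [d for d in recent_programdata_dirs(text) if d not in referenced]

if __name__ == '__main__':
    for f in triage_autoruns(SAMPLE_DDS):
        print(f'{f.hive}Run [{f.name}] -> {f.dll_path}: ' + '; '.join(f.reasons))
    print('unreferenced recent ProgramData folders:', orphan_dirs(SAMPLE_DDS))
```

Run against the excerpt, the two rundll32 Run values are flagged for both reasons, and wekenopo is reported as a folder created alongside them that nothing on the Run key references any more. Treating ProgramData plus a self-named folder as the trigger rather than any fixed name keeps the check useful when the random names change, which is why the folder list is correlated with the autoruns instead of matched against a word list.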


#2 Farbar (Security Developer)

Posted 26 January 2010 - 05:36 PM

Hi thegracelet,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between them, as the name suggests. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, via the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. The DDS log doesn't show that you have run it in Safe Mode; could you give me feedback about this comment:
    QUOTE
    Then, however, I couldn't get out of the "safe mode with networking" that I used to fix that. Nothing I tried got me out of it, so I'm still using my PC in safe mode.


  2. We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Go to Start > Control Panel > Windows Defender.
    • Open Windows Defender.
    • Click on Tools, Options.
    • At the bottom of Windows Defender's page, under Administrator Options, uncheck "Use Windows Defender" and then Save.
    • Click Close.

    Note: When everything is done and your log is clean again, you can enable it again.

  3. I see the traces of URL Assistant in the log. This is usually preinstalled on Dell computers without the consent of the user. You may uninstall it via Add/Remove Programs. If you decide to uninstall it, also remove the following folder: C:\Program Files\BAE

  4. If you don't use a Dial-up connection you may uninstall the following program:

    NetWaiting

  5. Optional: Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program if you are using it:

    Viewpoint Media Player.

    If you uninstalled it, also remove the following folder: C:\Program Files\Viewpoint

  6. Open your Malwarebytes' Anti-Malware.
    • First update it; to do that, under the Update tab press "Check for Updates".
    • Under the Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  7. Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partitions other than the C:\ drive (the C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
    • Then click the Scan button and wait for it to begin. (Please be patient, as it can take some time to complete.)
    • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.


#3 thegracelet (Topic Starter)

Posted 28 January 2010 - 02:03 AM

Hi there,

I agree to refrain from making changes on my computer.

1 – When my system was infected with Antivirus Live, I looked up a post on bleepingcomputer.com which instructed me to enter safe mode with networking, by restarting and pressing F8 while the PC was starting up. I did so and followed instructions to remove Antivirus Live. Afterwards, I tried to return to normal mode, but did not seem to be able to. It looks as if my PC is still in safe mode, because the Vista display is very simple-looking (the bottom start bar does not look blue and large as usual, but is gray). Otherwise, my computer does seem to be running as normal…that’s as far as I can explain.

2 – When I checked, Windows Defender had already been turned off. I don’t remember doing this.

6 – Malwarebytes
Malwarebytes' Anti-Malware 1.44
Database version: 3601
Windows 6.0.6000
Internet Explorer 7.0.6000.16982

1/27/2010 10:19:04 PM
mbam-log-2010-01-27 (22-19-04).txt

Scan type: Quick Scan
Objects scanned: 120527
Time elapsed: 13 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jegoyutoti (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

7 – I downloaded the GMER files (.exe), did as directed, and tried to run it three times. Each time there was an error.

First time – started scanning and it stopped, showed a white screen with vertical black lines.
(I restarted the PC)
Second time – said there was an error and program wasn’t working.
Third time – tried again, started scanning and then showed blue screen with yellow and white squiggly lines.

Restarted the PC again and it is running fine, but I don’t think the GMER program will run right now.


#4 Farbar (Security Developer)

Posted 28 January 2010 - 06:27 AM

QUOTE
6 – Malwarebytes
Malwarebytes' Anti-Malware 1.44
Database version: 3601

MBAM is not updated. Please follow the instructions to update it and run it again.

Try to run GMER while the Devices section is not selected and see if it runs. If it doesn't run, boot to Safe Mode using the F8 key and run it from there.

#5 thegracelet (Topic Starter)

Posted 28 January 2010 - 02:12 PM

Here's the updated log from Malwarebytes. It didn't find anything:

Malwarebytes' Anti-Malware 1.44
Database version: 3651
Windows 6.0.6000
Internet Explorer 7.0.6000.16982

1/28/2010 7:53:38 AM
mbam-log-2010-01-28 (07-53-38).txt

Scan type: Quick Scan
Objects scanned: 122019
Time elapsed: 12 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Farbar (Security Developer)

Posted 28 January 2010 - 02:37 PM

Okay I'll wait for the GMER log.

#7 Farbar (Security Developer)

Posted 02 February 2010 - 05:20 PM

This thread will now be closed due to lack of activity.



#8 Farbar (Security Developer)

Posted 03 February 2010 - 02:04 AM

Topic reopened per request.

#9 thegracelet (Topic Starter)

Posted 03 February 2010 - 08:53 PM

Running GMER log soon.


Malwarebytes' Anti-Malware 1.44
Database version: 3686
Windows 6.0.6000
Internet Explorer 7.0.6000.16982

2/3/2010 5:50:11 PM
mbam-log-2010-02-03 (17-50-11).txt

Scan type: Quick Scan
Objects scanned: 123006
Time elapsed: 9 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.

#10 thegracelet (Topic Starter)

Posted 03 February 2010 - 09:46 PM

Two things:

1) Every time I turn on my computer (since last week) I get this error message:

Error loading c:\progra~2\pawasonu\pawasonu.dll

The specified module could not be found.


2) I tried running GMER with my PC in safe mode. It ran, and eventually seemed to stop, but nowhere could I find a button to save the log. On the left part of the screen, this is what was showing:

Attached... \Driver\kbdclass\Device\KeyboardClass0

Attached... \Driver\kbdclass\Device\KeyboardClass1

Attached... \FileSystem\fastfat\Fat

#11 Farbar (Security Developer)

Posted 04 February 2010 - 02:10 AM

The error at startup will be taken care of when we start cleaning.
  1. Please download MBR.EXE by GMER. Save the file in your Root directory (C:\).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @ECHO OFF
    REM Change to the root of the drive, where mbr.exe was saved
    cd\
    REM GMER's MBR check; it writes its result to mbr.log in the current directory
    mbr.exe -t
    REM List the drivers in the "SCSI Miniport" group, then append the MBR result
    sc query type= driver group= "SCSI Miniport" > Log.txt
    type mbr.log >>log.txt
    REM Open the combined log in Notepad
    Start Log.txt
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and right-click look.bat and select "Run as Administrator".
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  2. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt
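The Log.txt that look.bat produces is two tools' output concatenated: the sc query records for the "SCSI Miniport" driver group, then the mbr.exe report. As an added example that is not part of the thread, of sc.exe or of mbr.exe, here is a small Python reader that splits the file at the mbr.exe banner, turns each sc query block into a record (the parenthesised flag line that wraps under STATE belongs to that record), and reduces the mbr.exe section to a verdict. The clean sample is constructed to mirror the log posted later in this thread; the infected sample's mismatch and warning lines are assumed wording, not output captured from the tool.

```python
"""Read the Log.txt that look.bat builds: sc query records followed by mbr.exe -t output.

Added example for this thread, not code from the posters, sc.exe or mbr.exe. Both
samples are constructed; the infected tail uses assumed wording for a mismatch.
"""

SAMPLE_CLEAN = """\
SERVICE_NAME: atapi
DISPLAY_NAME: IDE Channel
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll pciide.sys PCIIDEX.SYS atapi.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

# Constructed infected case: the exact mismatch/warning strings are an assumption.
SAMPLE_INFECTED = SAMPLE_CLEAN.replace(
    'user & kernel MBR OK',
    'user != kernel MBR !!!\nWarning: possible MBR rootkit infection !')

def split_log(text):
    """Split Log.txt at the mbr.exe banner into (sc_query_part, mbr_part)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if 'Stealth MBR rootkit' in line:
            return '\n'.join(lines[:i]), '\n'.join(lines[i:])
    return text, ''

def parse_sc_query(text):
    """One dict per SERVICE_NAME block; the parenthesised line under STATE is the flag list."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('SERVICE_NAME:'):
            cur = {'SERVICE_NAME': line.split(':', 1)[1].strip(), 'FLAGS': []}
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith('(') and line.endswith(')'):
            cur['FLAGS'] = [f.strip() for f in line[1:-1].split(',')]
        elif ':' in line:
            key, val = line.split(':', 1)
            cur[key.strip()] = ' '.join(val.split())   # collapse column padding
    return records

def mbr_verdict(text):
    """Were both MBR copies read, do they agree, and did the tool warn about anything."""
    v = {'user_read': False, 'kernel_read': False, 'match': None,
         'modules': [], 'warnings': []}
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith('user:') and 'read successfully' in s:
            v['user_read'] = True
        elif s.startswith('kernel:') and 'read successfully' in s:
            v['kernel_read'] = True
        elif s.startswith('called modules:'):
            v['modules'] = s.split(':', 1)[1].split()   # the storage stack that was hooked
        elif s == 'user & kernel MBR OK':
            v['match'] = True
        elif 'user != kernel MBR' in s:                # assumed mismatch wording
            v['match'] = False
        elif s.lower().startswith('warning'):
            v['warnings'].append(s)
    v['clean'] = (v['user_read'] and v['kernel_read']
                  and v['match'] is True and not v['warnings'])
    return v

def triage_look_log(text):
    """Driver records and MBR verdict from one Log.txt."""
    sc_part, mbr_part = split_log(text)
    drivers = parse_sc_query(sc_part)
    return {'drivers': [(d['SERVICE_NAME'], d.get('STATE', '?'), d['FLAGS']) for d in drivers],
            'mbr': mbr_verdict(mbr_part)}

if __name__ == '__main__':
    for label, sample in (('clean', SAMPLE_CLEAN), ('infected', SAMPLE_INFECTED)):
        r = triage_look_log(sample)
        print(label, '->', 'MBR clean' if r['mbr']['clean'] else 'MBR needs attention',
              '| drivers:', r['drivers'])
```

The verdict deliberately requires all three positives (user copy read, kernel copy read, copies agree) and no warning line; a log where the kernel read failed is reported as not clean rather than as an absence of findings, which is the failure mode to watch for when a rootkit scanner itself cannot load, as happened with RootRepeal and GMER earlier in this thread.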


#12 thegracelet (Topic Starter)

Posted 04 February 2010 - 02:54 AM

I use Vista - just to clarify, should I save MBR.EXE into Computer\OS(C:)\ - or should I do it under a particular user?

#13 Farbar (Security Developer)

Posted 04 February 2010 - 12:10 PM

I know you use Vista. When you download the file you can select the C drive to save it. That is all.

#14 thegracelet (Topic Starter)

Posted 06 February 2010 - 06:39 PM

1. LOG.TXT

--


SERVICE_NAME: atapi
DISPLAY_NAME: IDE Channel
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll pciide.sys PCIIDEX.SYS atapi.sys
kernel: MBR read successfully
user & kernel MBR OK


--




2. DDS

--

DDS (Ver_09-12-01.01) - NTFSx86
Run by Grace at 15:33:52.34 on Sat 02/06/2010
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.893.127 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\sttray.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Users\Grace\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Grace\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Users\Grace\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Novell\GroupWise\grpwise.exe
C:\Users\Grace\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Users\Grace\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Grace\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Grace\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Grace\Documents\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070508
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070508
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\users\grace\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [yekemariv] Rundll32.exe "c:\progra~2\pawasonu\pawasonu.dll",a
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\PhotoDownloader.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Google Pinyin 2 Autoupdater] "c:\program files\google\google pinyin 2\GooglePinyinDaemon.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\grace\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{53a01cc6-14b0-4512-a2e7-10d39bf83dc4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0249ED44-B640-45BD-8066-17F81BFDC050} - hxxp://etv.pomona.edu/STREAMPLAYER1.cab
DPF: {5459BAF4-09A9-422A-AB5C-5F114A7287B5} - hxxp://etv.pomona.edu/VBPLAYER.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {85887165-031A-4297-BC4E-6B246C120B9C} - hxxp://etv.pomona.edu/STREAMPLAYER4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {F50B3F13-19C4-11CF-AA9A-02608C9BABA2} - hxxp://etv.pomona.edu/STREAMPLAYER2.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\grace\appdata\roaming\mozilla\firefox\profiles\m2p0fmz1.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvbplayer.dll
FF - plugin: c:\users\grace\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\grace\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-4 333192]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2007-6-18 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-4 360584]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-3 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-3 285392]

=============== Created Last 30 ================

2010-02-04 07:51:42 77312 ----a-w- C:\mbr.exe
2010-01-27 19:22:11 0 d-----w- c:\programdata\kofelifu
2010-01-27 19:22:11 0 d-----w- c:\programdata\fotobike
2010-01-27 07:21:46 0 d-----w- c:\programdata\pawasonu
2010-01-27 07:21:46 0 d-----w- c:\programdata\mibawabo
2010-01-26 19:21:33 0 d-----w- c:\programdata\surujesu
2010-01-26 19:21:33 0 d-----w- c:\programdata\heyejopo
2010-01-26 05:46:42 0 d-----w- c:\programdata\nuboyune
2010-01-26 05:46:42 0 d-----w- c:\programdata\jadejebu
2010-01-25 17:46:32 0 d-----w- c:\programdata\popiwoba
2010-01-25 17:46:32 0 d-----w- c:\programdata\huvehibi
2010-01-25 03:02:45 0 d-----w- c:\programdata\rugawaba
2010-01-25 03:02:45 0 d-----w- c:\programdata\piyuniha
2010-01-25 03:02:45 0 d-----w- c:\programdata\fagometo
2010-01-24 10:28:14 0 d-----w- c:\programdata\wimuhafo
2010-01-24 10:28:14 0 d-----w- c:\programdata\tivefize
2010-01-24 10:28:14 0 d-----w- c:\programdata\julobeta
2010-01-24 05:20:38 0 d-----w- c:\programdata\WinZip
2010-01-23 22:30:27 0 d-----w- c:\programdata\wekenopo
2010-01-23 22:30:27 0 d-----w- c:\programdata\nuyimuto
2010-01-23 22:30:27 0 d-----w- c:\programdata\joyiyoja
2010-01-23 22:28:20 0 d-----w- c:\programdata\zugovela
2010-01-23 22:28:20 0 d-----w- c:\programdata\yavaneyu
2010-01-23 22:28:20 0 d-----w- c:\programdata\litugesi
2010-01-23 22:28:20 0 d-----w- c:\programdata\kokuluga
2010-01-22 21:53:35 0 d-----w- c:\programdata\nafugizu
2010-01-22 21:53:35 0 d-----w- c:\programdata\dumavuja
2010-01-22 21:47:59 0 d-----w- c:\programdata\jefosodi
2010-01-22 21:47:59 0 d-----w- c:\programdata\higesila
2010-01-22 21:47:58 0 d-----w- c:\programdata\gupeluju
2010-01-20 09:12:43 0 d-----w- c:\windows\pss
2010-01-20 06:07:37 0 dc----w- C:\a3ed6c568c1cabd7ec1effc8
2010-01-18 23:37:53 0 d-----w- c:\program files\MediaCoder
2010-01-15 07:33:36 0 dc----w- C:\b1604e9a36c5681968f7
2010-01-14 19:26:14 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-14 19:26:11 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-14 19:26:07 24064 ----a-w- c:\windows\system32\lpk.dll
2010-01-14 19:26:07 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-14 19:26:05 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-01-14 19:26:03 34304 ----a-w- c:\windows\system32\atmlib.dll

==================== Find3M ====================

2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-18 12:52:36 832512 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 12:48:23 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:46:10 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18:14 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45:07 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-07 11:12:53 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-08-07 11:12:53 86016 ----a-w- c:\windows\inf\infstor.dat
2009-08-07 11:12:53 51200 ----a-w- c:\windows\inf\infpub.dat
2008-12-10 17:49:51 174 --sha-w- c:\program files\desktop.ini
2008-06-11 17:49:44 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-06-06 18:10:55 16384 --sha-w- c:\windows\temp\cookies\index.dat
2007-06-06 18:10:55 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2007-06-06 18:10:55 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-05-08 02:51:56 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:37:00.92 ===============
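
As an added triage example for the DDS log above (written for this edit, not part of the thread or of the DDS tool): the two things worth correlating in that log are the uRun entry that loads a DLL through Rundll32 from c:\progra~2\pawasonu (in this log, progra~2 is the short name of C:\ProgramData, as the StartupFolder lines show) and the run of eight-letter, consonant-vowel directory names created under c:\programdata over the preceding two weeks. The script below parses the "Pseudo HJT Report" and "Created Last 30" sections of a constructed sample modelled on that log, applies a random-name heuristic to the ProgramData directories, and reports any Run key that executes rundll32 against a DLL inside one of them. The heuristic, the sample lines and the exact section banners relied on are assumptions of this example.

```python
"""Triage a DDS log for the autorun/ProgramData pattern seen in the thread.

Added example, not part of the original thread or of the DDS tool. The
sample below is constructed to mimic the "Pseudo HJT Report" and
"Created Last 30" sections; the names are modelled on the log above.
The random-name heuristic (eight lowercase letters alternating consonant
and vowel) is an assumption of this example, not something DDS reports.
"""
import re
from collections import defaultdict

# Constructed sample (raw string, so the single backslashes are literal).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [yekemariv] Rundll32.exe "c:\progra~2\pawasonu\pawasonu.dll",a
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [<NO NAME>]

=============== Created Last 30 ================

2010-02-04 07:51:42 77312 ----a-w- C:\mbr.exe
2010-01-27 19:22:11 0 d-----w- c:\programdata\kofelifu
2010-01-27 07:21:46 0 d-----w- c:\programdata\pawasonu
2010-01-26 19:21:33 0 d-----w- c:\programdata\surujesu
2010-01-24 05:20:38 0 d-----w- c:\programdata\WinZip
2010-01-23 22:30:27 0 d-----w- c:\programdata\wekenopo
2010-01-18 23:37:53 0 d-----w- c:\program files\MediaCoder

==================== Find3M ====================
"""

# Heuristic (assumption): four consonant-vowel pairs, e.g. "pawasonu".
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
RUN_LINE = re.compile(r"^([um]Run): \[([^\]]*)\]\s*(.*)$")
CREATED_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.*)$")
# progra~2 is the 8.3 short name of C:\ProgramData in this log; treat both spellings alike.
PROGRAMDATA = re.compile(r'c:\\(?:programdata|progra~2)\\([^\\"]+)', re.IGNORECASE)


def sections(text):
    """Split the DDS log on its '=== name ===' banners into {name: [lines]}."""
    out, name = defaultdict(list), None
    for line in text.splitlines():
        m = re.match(r"^=+\s*(.*?)\s*=+$", line)
        if m:
            name = m.group(1)
        elif name and line.strip():
            out[name].append(line)
    return out


def random_programdata_dirs(created_lines):
    """(timestamp, name) for ProgramData directories whose name looks machine-generated."""
    hits = []
    for line in created_lines:
        m = CREATED_LINE.match(line)
        if not m or not m.group(3).startswith("d"):
            continue  # only directories: the attribute string starts with 'd'
        pd = PROGRAMDATA.search(m.group(4))
        if pd and RANDOM_NAME.match(pd.group(1)):
            hits.append((m.group(1), pd.group(1)))
    return hits


def suspicious_run_entries(hjt_lines, random_dirs):
    """Run keys that load a DLL via rundll32 from one of the random-named directories."""
    known = {name.lower() for _, name in random_dirs}
    findings = []
    for line in hjt_lines:
        m = RUN_LINE.match(line)
        if not m:
            continue
        hive, key, cmd = m.groups()
        pd = PROGRAMDATA.search(cmd)
        if "rundll32" in cmd.lower() and pd and pd.group(1).lower() in known:
            findings.append({"hive": hive, "key": key, "dir": pd.group(1), "cmd": cmd})
    return findings


def triage(text):
    """Correlate the two sections and return the findings."""
    secs = sections(text)
    dirs = random_programdata_dirs(secs.get("Created Last 30", []))
    runs = suspicious_run_entries(secs.get("Pseudo HJT Report", []), dirs)
    return {"random_dirs": dirs, "run_entries": runs}


if __name__ == "__main__":
    print(triage(SAMPLE_DDS))
```

Note that a clean "user & kernel MBR OK" from mbr.exe covers only the boot sector; it says nothing about a user-mode autorun like the Rundll32 entry, which is why the helper asked for both logs rather than relying on either alone.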


#15 Farbar (Just Curious; Security Developer, 21,730 posts, The Netherlands)

Posted 06 February 2010 - 08:06 PM

  1. Disable AVG Resident Shield:
    • Double click AVG system tray icon to open AVG.
    • In Overview section double click Resident Shield.
    • Uncheck Resident Shield Active.
    • Press Save Changes.

      Note: It is important to re-enable the Resident Shield immediately after ComboFix has produced its log.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.

    When finished, it will produce a log for you. Please copy and paste the contents of C:\ComboFix.txt into your next reply.




