
IE popups, google redirects, and AVSoft


  • This topic is locked
9 replies to this topic

#1 Nibiru666

  • Members
  • 5 posts

Posted 02 February 2010 - 08:38 AM

Hello.
I have AVG Free AntiVirus and use Microsoft Defender for my firewall.
I started having problems with my computer running Vista Home Edition a few days ago after clicking on a link from MySpace.
Ever since, I've been getting annoying pop-ups on Internet Explorer, even though I never use IE and usually use Firefox.
Then I started noticing that some of the Google searches I was doing were redirecting me to different pages.
So I ran my AVG Free virus scan and found nothing. I tried Malwarebytes, Trend Micro HouseCall, and Kaspersky's Online Scanner, and they found a few problems, but it didn't get rid of the original problems I was having.
So, all of a sudden today I started getting pop-ups saying that my computer is infected and to run my antivirus software, and a program called Antivirus Soft opened up showing it trying to scan my computer. I know I didn't install this program, so I did a search about it and ended up here on this webpage.
I found a tutorial to remove AVSoft and did as it said, and Malwarebytes found it and seemed to have deleted this fake virus scan software, but when I reboot, AVSoft is back saying I'm infected and I'm still having the same problems with the pop-ups and the redirecting.
I also tried to install and run ComboFix, but even in Safe Mode it just freezes and then reboots my computer on its own. So I deleted ComboFix.

Below is my DDS log. I also have the attach.txt file if needed.
I downloaded and tried to run RootRepeal, but it just crashes my computer.
Thanks for any help!



DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Overlord at 5:13:06.87 on Tue 02/02/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.767.196 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Overlord\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page =
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
uRun: [????r]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
uRun: [<NO NAME>]
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [keyosodef] Rundll32.exe "c:\progra~2\mozuzubi\mozuzubi.dll",a
uRun: [gptbcvji] c:\users\overlord\appdata\local\syupww\gfbqsftav.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Tour]
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [eRecoveryService]
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Live! Central] "c:\program files\creative\creative live! cam\live! central\CTLVCentral.exe" /mode2
mRun: [V0415Mon.exe] c:\windows\V0415Mon.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\overlord\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\overlord\appdata\roaming\mozilla\firefox\profiles\arhwu4v4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-30 108552]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-2 335240]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-2 27784]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-2 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-12-7 297752]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-12-9 135616]
S3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2009-12-9 31616]
S3 V0415Vid;Creative Live! Cam Video IM Ultra Driver;c:\windows\system32\drivers\V0415Vid.sys [2009-12-9 282464]

=============== Created Last 30 ================

2010-02-02 13:12:56 54016 ----a-w- c:\windows\system32\drivers\ujmjfl.sys
2010-01-31 06:24:34 0 d-----w- c:\programdata\pufidihu
2010-01-31 06:24:34 0 d-----w- c:\programdata\jezumusa
2010-01-31 06:24:34 0 d-----w- c:\programdata\himepepu
2010-01-30 18:24:55 0 d-----w- c:\programdata\zugotike
2010-01-30 18:24:55 0 d-----w- c:\programdata\zehifoze
2010-01-30 18:24:55 0 d-----w- c:\programdata\ruzomivu
2010-01-30 18:24:21 0 d-----w- c:\programdata\mozuzubi
2010-01-30 18:24:21 0 d-----w- c:\programdata\jewonere
2010-01-30 18:24:21 0 d-----w- c:\programdata\jawabile
2010-01-30 18:24:21 0 d-----w- c:\programdata\bagahone
2010-01-30 06:24:19 0 d-----w- c:\programdata\neluzori
2010-01-30 06:24:19 0 d-----w- c:\programdata\hojazipo
2010-01-30 06:18:58 0 d-----w- c:\programdata\ripayoli
2010-01-30 06:18:58 0 d-----w- c:\programdata\jepehude
2010-01-30 06:18:57 0 d-----w- c:\programdata\dofopajo

==================== Find3M ====================

2010-01-14 19:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 21:01:33 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-09 21:01:33 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-09 21:01:33 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-08 00:31:06 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-12-07 08:15:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-07 08:15:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2008-08-04 19:05:29 174 --sha-w- c:\program files\desktop.ini
2008-08-04 18:50:19 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-04-16 08:34:08 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-04-16 08:34:08 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-04-16 08:34:08 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-02-13 22:51:14 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-02-13 22:51:14 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-02-13 22:51:14 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-12-02 08:50:29 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-12-02 08:50:29 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-12-02 08:50:29 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 5:14:05.52 ===============
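The DDS log above is what the helper reads before choosing the first removal step: the IE ProxyServer set to 127.0.0.1:5555, Run entries launched from randomly named folders under AppData and ProgramData, and a driver file created on the day of the scan. The script below is added here and is not part of the thread or of the DDS tool; it runs those triage checks over lines copied from the log, and the path heuristics and the 7-day driver window are my own assumptions.

```python
import re
from datetime import date, timedelta

# Added example: first-pass triage of DDS "Pseudo HJT Report" and "Created Last 30"
# lines. The rules are heuristics a helper applies before deciding what to ask for
# next; a hit means "look closer", not "malicious".

# Constructed sample, copied from the DDS log posted in the thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [????r]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [keyosodef] Rundll32.exe "c:\progra~2\mozuzubi\mozuzubi.dll",a
uRun: [gptbcvji] c:\users\overlord\appdata\local\syupww\gfbqsftav.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
2010-02-02 13:12:56 54016 ----a-w- c:\windows\system32\drivers\ujmjfl.sys
2010-01-08 00:07:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
"""
SCAN_DATE = date(2010, 2, 2)  # "Run by Overlord ... on Tue 02/02/2010"

RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>.+)$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ \d+ \S+ (?P<path>.+\.sys)$", re.I)

# Locations a non-admin user can write to (assumed heuristic). Autostart entries that
# run from here are unusual for legitimate software, which normally installs under
# Program Files or Windows. "progra~2" is the 8.3 short name of c:\ProgramData on
# this Vista system (the log lists c:\progra~2\mozuzubi and c:\programdata\mozuzubi).
USER_WRITABLE = ("\\appdata\\local\\", "\\programdata\\", "\\progra~2\\", "\\temp\\")


def proxy_finding(value):
    """Reason string if the IE ProxyServer value points at the local machine, else None."""
    # Value is "http=127.0.0.1:5555" or just "host:port"; protocols may be ';'-separated.
    for entry in value.split(";"):
        hostport = entry.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0].lower()
        if host == "localhost" or host.startswith("127."):
            return f"IE proxy set to loopback ({hostport}): a local process sits between the browser and the web"
    return None


def run_finding(name, cmd):
    """Reason string for a Run entry worth a second look, else None."""
    low = cmd.lower()
    if not name.strip() or "?" in name:
        return "Run entry with a blank or garbled name"
    if any(d in low for d in USER_WRITABLE):
        how = "rundll32 loading a DLL" if "rundll32" in low else "executable started"
        return f"{how} from a user-writable directory"
    return None


def triage(log_text, scan_date, recent_days=7):
    """Return (reason, line) pairs for the lines that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m:
            why = proxy_finding(m.group("value"))
            if why:
                findings.append((why, line))
            continue
        m = RUN_RE.match(line)
        if m:
            why = run_finding(m.group("name"), m.group("cmd"))
            if why:
                findings.append((why, line))
            continue
        m = CREATED_RE.match(line)
        if m and "\\drivers\\" in m.group("path").lower():
            age = scan_date - date.fromisoformat(m.group("date"))
            if age <= timedelta(days=recent_days):
                findings.append((f"kernel driver created {age.days} day(s) before the scan", line))
    return findings


def triage_sample():
    """Run the triage over the constructed sample with the log's own scan date."""
    return triage(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    for reason, line in triage_sample():
        print(f"{reason}\n    {line}")
```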








#2 Rosty

    Skydive junkie

  • Malware Response Team
  • 1,220 posts

Posted 02 February 2010 - 09:11 AM

Hi and welcome to BleepingComputer.

My name is Rosty and I'm going to help you with your log.
I see you already have MBAM, so please do the following:

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Open Malwarebytes' Anti-Malware and go to the tab "update".
  • Update Malwarebytes' Anti-Malware
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Proud member of ASAP since 2007

#3 Nibiru666

  • Topic Starter
  • Members
  • 5 posts

Posted 02 February 2010 - 03:36 PM

Hi Rosty and thanks for your help and time!

I tried to update MBAM today in Safe Mode, after updating it successfully last night, and now instead of updating I'm getting an "error code 732 (12029, 0)".
So I went to normal mode to see if the update would work there, and it seemed to have updated correctly. I was still getting a lot of pop-ups from AVSoft in normal mode and having problems running the scanner in MBAM, so I went back into Safe Mode. I tried to see if I could update MBAM in Safe Mode now, and I still get the same error message. It did run the scan though, and here are the results below. After the scan MBAM asked to restart the computer and I did (in normal mode), and I finally seem to have gotten rid of AVSoft as far as I can tell. The Google redirecting is still happening though. Haven't had any IE pop-ups yet, but not sure if that problem is completely gone or not.


Malwarebytes' Anti-Malware 1.44
Database version: 3680
Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 7.0.6001.18000

2/2/2010 12:27:22 PM
mbam-log-2010-02-02 (12-27-22).txt

Scan type: Quick Scan
Objects scanned: 100724
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.FakeAV) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gptbcvji (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Overlord\AppData\Local\syupww\gfbqsftav.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Edited by Nibiru666, 02 February 2010 - 03:40 PM.


#4 Rosty

    Skydive junkie

  • Malware Response Team
  • 1,220 posts

Posted 03 February 2010 - 12:42 AM

Hi,

Thanks for the log I asked about!

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please download the self-extracting version of HijackThis from here:

HijackThis Installer Download

Save HJTInstall.exe to your desktop.

Double-click the file then click the Install button.

The file will be extracted to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
A shortcut for future use will also be created on your desktop and the Intro Frame of HijackThis will open.

Click Do a system scan and save a log file. Copy the entire contents of that log and post it here by clicking the Add Reply button.




Proud member of ASAP since 2007

#5 Nibiru666

  • Topic Starter
  • Members
  • 5 posts

Posted 03 February 2010 - 02:20 AM

A quick update since my last post.
Antivirus Soft still seems to be gone.
I was still having problems with redirects from Google, and pop-ups opening by themselves on Internet Explorer.
I finally got ComboFix to work, and below is the log.
Then I ran HijackThis, and below is the log from that as well.
So far my computer seems to be running smoother.
No pop-ups yet. Haven't checked the redirect problem.


ComboFix 10-02-02.02 - Overlord 02/02/2010 22:41:40.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.767.131 [GMT -8:00]
Running from: c:\users\Overlord\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~2\mozuzubi\mozuzubi.dll
c:\users\Overlord\AppData\Local\Microsoft\Windows\Temporary Internet Files\fbk.sts
c:\users\Overlord\Music\Bruce Dickinson\Tyranny_Of_Souls\_desktop.ini
c:\windows\system32\bszip.dll
c:\windows\Tasks\mbpsrvtk.job

.
((((((((((((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 )))))))))))))))))))))))))))))))
.

2010-02-03 06:59 . 2010-02-03 06:59 -------- d-----w- c:\users\Overlord\AppData\Local\temp
2010-02-03 06:59 . 2010-02-03 06:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-02 09:58 . 2010-02-02 20:27 -------- d-----w- c:\users\Overlord\AppData\Local\syupww
2010-01-31 06:24 . 2010-01-31 07:49 -------- d-----w- c:\programdata\pufidihu
2010-01-31 06:24 . 2010-01-31 07:49 -------- d-----w- c:\programdata\himepepu
2010-01-31 06:24 . 2010-01-31 06:24 -------- d-----w- c:\programdata\jezumusa
2010-01-30 18:24 . 2010-01-31 07:49 -------- d-----w- c:\programdata\zugotike
2010-01-30 18:24 . 2010-01-31 07:49 -------- d-----w- c:\programdata\zehifoze
2010-01-30 18:24 . 2010-01-31 07:49 -------- d-----w- c:\programdata\ruzomivu
2010-01-30 18:24 . 2010-02-03 06:58 -------- d-----w- c:\programdata\mozuzubi
2010-01-30 18:24 . 2010-01-31 07:49 -------- d-----w- c:\programdata\jawabile
2010-01-30 18:24 . 2010-01-30 18:24 -------- d-----w- c:\programdata\jewonere
2010-01-30 18:24 . 2010-01-30 18:24 -------- d-----w- c:\programdata\bagahone
2010-01-30 06:24 . 2010-01-31 07:49 -------- d-----w- c:\programdata\neluzori
2010-01-30 06:24 . 2010-01-31 07:49 -------- d-----w- c:\programdata\hojazipo
2010-01-30 06:18 . 2010-01-31 07:49 -------- d-----w- c:\programdata\ripayoli
2010-01-30 06:18 . 2010-01-31 07:49 -------- d-----w- c:\programdata\jepehude
2010-01-30 06:18 . 2010-01-31 07:49 -------- d-----w- c:\programdata\dofopajo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 06:34 . 2009-12-08 00:19 -------- d-----w- c:\users\Overlord\AppData\Roaming\Skype
2010-02-02 19:50 . 2007-06-28 16:44 1356 ----a-w- c:\users\Overlord\AppData\Local\d3d9caps.dat
2010-01-30 09:27 . 2009-04-04 23:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-26 06:38 . 2009-12-17 00:15 -------- d-----w- c:\program files\JDownloader
2010-01-14 19:12 . 2009-12-07 08:31 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 16:04 . 2009-12-08 00:31 -------- d-----w- c:\users\Overlord\AppData\Roaming\skypePM
2010-01-08 00:07 . 2009-04-04 23:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-04-04 23:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 16:16 . 2010-02-02 20:03 2066200 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-12-25 01:29 . 2009-12-25 01:29 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-22 09:45 . 2008-07-13 23:41 -------- d-----w- c:\programdata\ArcSoft
2009-12-22 09:44 . 2008-07-13 23:37 -------- d-----w- c:\users\Overlord\AppData\Roaming\Arcsoft
2009-12-18 01:07 . 2007-04-16 09:18 -------- d-----w- c:\users\Overlord\AppData\Roaming\uTorrent
2009-12-13 20:25 . 2007-04-16 10:51 -------- d-----w- c:\program files\DivX
2009-12-13 18:27 . 2009-12-13 18:27 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-12 23:48 . 2009-12-12 23:48 -------- d-----w- c:\program files\WBFS
2009-12-09 21:41 . 2009-12-09 21:41 -------- d-----w- c:\users\Overlord\AppData\Roaming\Creative
2009-12-09 21:41 . 2009-12-09 21:35 -------- d-----w- c:\programdata\Creative
2009-12-09 21:04 . 2006-01-07 04:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-09 21:04 . 2009-12-09 20:51 -------- d-----w- c:\program files\Creative
2009-12-08 05:53 . 2009-12-08 00:17 -------- d-----r- c:\program files\Skype
2009-12-08 00:31 . 2009-12-08 00:31 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-12-08 00:17 . 2009-12-08 00:17 -------- d-----w- c:\program files\Common Files\Skype
2009-12-08 00:17 . 2009-12-08 00:16 -------- d-----w- c:\programdata\Skype
2009-12-07 09:47 . 2007-04-20 01:37 -------- d-----w- c:\program files\Java
2009-12-07 09:16 . 2009-12-07 09:16 -------- d-----w- c:\program files\Microsoft
2009-12-07 09:16 . 2009-12-07 09:15 -------- d-----w- c:\program files\Windows Live
2009-12-07 09:15 . 2009-12-07 09:15 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-07 09:11 . 2009-12-07 09:11 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-07 08:15 . 2008-12-02 08:51 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-07 08:15 . 2008-12-02 08:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-07 08:15 . 2008-12-02 08:51 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2006-12-13 3166208]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2006-12-04 1261568]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-25 185632]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-01-17 72192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"VX3000"="c:\windows\vVX3000.exe" [2009-07-24 762208]
"Live! Central"="c:\program files\Creative\Creative Live! Cam\Live! Central\CTLVCentral.exe" [2008-08-22 438399]
"V0415Mon.exe"="c:\windows\V0415Mon.exe" [2008-08-07 28672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-08 1394000]

c:\users\Overlord\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 110592]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2006-1-6 528384]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-10-26 811008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [12/2/2008 12:51 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [1/30/2009 6:55 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/2/2008 12:50 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/7/2009 12:48 AM 297752]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\System32\drivers\livecamv.sys [12/9/2009 12:54 PM 31616]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [4/16/2007 1:03 AM 682232]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\System32\drivers\CtClsFlt.sys [12/9/2009 12:52 PM 135616]
S3 V0415Vid;Creative Live! Cam Video IM Ultra Driver;c:\windows\System32\drivers\V0415Vid.sys [12/9/2009 12:59 PM 282464]
.
.
------- Supplementary Scan -------
.
uStart Page =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
FF - ProfilePath - c:\users\Overlord\AppData\Roaming\Mozilla\Firefox\Profiles\arhwu4v4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-keyosodef - c:\progra~2\mozuzubi\mozuzubi.dll
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
AddRemove-Sonar Producer Edition v4.0.3 - c:\progra~1\Cakewalk\SONAR4~1\UNWISE.EXE



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-02-02 23:06:15
ComboFix-quarantined-files.txt 2010-02-03 07:06

Pre-Run: 33,418,035,200 bytes free
Post-Run: 39,199,711,232 bytes free

- - End Of File - - EEFF68A556936222DB361BE9D4BD38F8

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:14 PM, on 2/2/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\explorer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Trend Micro\HijackThis\HJ_This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
O4 - HKLM\..\Run: [Live! Central] "C:\Program Files\Creative\Creative Live! Cam\Live! Central\CTLVCentral.exe" /mode2
O4 - HKLM\..\Run: [V0415Mon.exe] C:\Windows\V0415Mon.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6380 bytes


#6 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 03 February 2010 - 02:43 AM

Hi again,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Folder::
c:\users\Overlord\AppData\Local\syupww
c:\programdata\pufidihu
c:\programdata\himepepu
c:\programdata\jezumusa
c:\programdata\zugotike
c:\programdata\zehifoze
c:\programdata\ruzomivu
c:\programdata\mozuzubi
c:\programdata\jawabile
c:\programdata\jewonere
c:\programdata\bagahone
c:\programdata\neluzori
c:\programdata\hojazipo
c:\programdata\ripayoli
c:\programdata\jepehude
c:\programdata\dofopajo
c:\programdata\ezsidmv.dat

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in
Proud member of ASAP since 2007

#7 Nibiru666

Nibiru666
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:43 PM

Posted 03 February 2010 - 03:24 AM

update since my last post:
Antivirus Soft seems to be gone still.
Also no popups on IE yet. And the google redirecting seems to have stopped as well!
Thanks! I ran Combofix again as suggested and here is my new log.



ComboFix 10-02-02.02 - Overlord 02/02/2010 23:55:04.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.767.175 [GMT -8:00]
Running from: c:\users\Overlord\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Overlord\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\bagahone
c:\programdata\bagahone\bagahone.dll
c:\programdata\dofopajo
c:\programdata\himepepu
c:\programdata\hojazipo
c:\programdata\jawabile
c:\programdata\jepehude
c:\programdata\jewonere
c:\programdata\jewonere\jewonere.dll
c:\programdata\jezumusa
c:\programdata\jezumusa\jezumusa.dll
c:\programdata\mozuzubi
c:\programdata\neluzori
c:\programdata\pufidihu
c:\programdata\ripayoli
c:\programdata\ruzomivu
c:\programdata\zehifoze
c:\programdata\zugotike
c:\users\Overlord\AppData\Local\syupww

.
((((((((((((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 )))))))))))))))))))))))))))))))
.

2010-02-03 08:06 . 2010-02-03 08:07 -------- d-----w- c:\users\Overlord\AppData\Local\temp
2010-02-03 08:06 . 2010-02-03 08:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-03 08:06 . 2010-02-03 08:06 -------- d-----w- c:\users\Desktop\AppData\Local\temp
2010-02-03 08:06 . 2010-02-03 08:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-02 20:03 . 2010-01-04 16:16 2066200 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 07:48 . 2009-12-08 00:19 -------- d-----w- c:\users\Overlord\AppData\Roaming\Skype
2010-02-02 19:50 . 2007-06-28 16:44 1356 ----a-w- c:\users\Overlord\AppData\Local\d3d9caps.dat
2010-01-30 09:27 . 2009-04-04 23:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-26 06:38 . 2009-12-17 00:15 -------- d-----w- c:\program files\JDownloader
2010-01-14 19:12 . 2009-12-07 08:31 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 16:04 . 2009-12-08 00:31 -------- d-----w- c:\users\Overlord\AppData\Roaming\skypePM
2010-01-08 00:07 . 2009-04-04 23:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-04-04 23:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-25 01:29 . 2009-12-25 01:29 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-22 09:45 . 2008-07-13 23:41 -------- d-----w- c:\programdata\ArcSoft
2009-12-22 09:44 . 2008-07-13 23:37 -------- d-----w- c:\users\Overlord\AppData\Roaming\Arcsoft
2009-12-18 01:07 . 2007-04-16 09:18 -------- d-----w- c:\users\Overlord\AppData\Roaming\uTorrent
2009-12-13 20:25 . 2007-04-16 10:51 -------- d-----w- c:\program files\DivX
2009-12-13 18:27 . 2009-12-13 18:27 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-12 23:48 . 2009-12-12 23:48 -------- d-----w- c:\program files\WBFS
2009-12-09 21:41 . 2009-12-09 21:41 -------- d-----w- c:\users\Overlord\AppData\Roaming\Creative
2009-12-09 21:41 . 2009-12-09 21:35 -------- d-----w- c:\programdata\Creative
2009-12-09 21:04 . 2006-01-07 04:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-09 21:04 . 2009-12-09 20:51 -------- d-----w- c:\program files\Creative
2009-12-08 05:53 . 2009-12-08 00:17 -------- d-----r- c:\program files\Skype
2009-12-08 00:31 . 2009-12-08 00:31 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-12-08 00:17 . 2009-12-08 00:17 -------- d-----w- c:\program files\Common Files\Skype
2009-12-08 00:17 . 2009-12-08 00:16 -------- d-----w- c:\programdata\Skype
2009-12-07 09:47 . 2007-04-20 01:37 -------- d-----w- c:\program files\Java
2009-12-07 09:16 . 2009-12-07 09:16 -------- d-----w- c:\program files\Microsoft
2009-12-07 09:16 . 2009-12-07 09:15 -------- d-----w- c:\program files\Windows Live
2009-12-07 09:15 . 2009-12-07 09:15 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-07 09:11 . 2009-12-07 09:11 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-07 08:15 . 2008-12-02 08:51 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-07 08:15 . 2008-12-02 08:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-07 08:15 . 2008-12-02 08:51 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-03_07.00.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-01-07 04:27 . 2010-02-03 07:54 55904 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-02-03 07:54 86888 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-04-14 08:15 . 2010-02-03 07:54 13568 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3199359086-2728845653-943004515-1000_UserData.bin
+ 2006-01-07 04:53 . 2010-02-03 07:10 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-01-07 04:53 . 2010-02-02 20:01 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-01-07 04:53 . 2010-02-03 07:10 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-01-07 04:53 . 2010-02-02 20:01 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-01-07 04:53 . 2010-02-02 20:01 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-01-07 04:53 . 2010-02-03 07:10 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-04-14 19:11 . 2010-02-03 06:38 2784 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2007-04-14 19:11 . 2010-02-03 07:51 2784 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2010-02-03 07:52 . 2010-02-03 07:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-02-03 06:39 . 2010-02-03 06:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-02-03 07:52 . 2010-02-03 07:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-02-03 06:39 . 2010-02-03 06:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2006-12-13 3166208]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2006-12-04 1261568]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-25 185632]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-01-17 72192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"VX3000"="c:\windows\vVX3000.exe" [2009-07-24 762208]
"Live! Central"="c:\program files\Creative\Creative Live! Cam\Live! Central\CTLVCentral.exe" [2008-08-22 438399]
"V0415Mon.exe"="c:\windows\V0415Mon.exe" [2008-08-07 28672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-08 1394000]

c:\users\Overlord\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 110592]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2006-1-6 528384]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-10-26 811008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [12/2/2008 12:51 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [1/30/2009 6:55 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/2/2008 12:50 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/7/2009 12:48 AM 297752]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\System32\drivers\livecamv.sys [12/9/2009 12:54 PM 31616]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [4/16/2007 1:03 AM 682232]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\System32\drivers\CtClsFlt.sys [12/9/2009 12:52 PM 135616]
S3 V0415Vid;Creative Live! Cam Video IM Ultra Driver;c:\windows\System32\drivers\V0415Vid.sys [12/9/2009 12:59 PM 282464]
.
.
------- Supplementary Scan -------
.
uStart Page =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
FF - ProfilePath - c:\users\Overlord\AppData\Roaming\Mozilla\Firefox\Profiles\arhwu4v4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 00:07
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-02-03 00:13:10
ComboFix-quarantined-files.txt 2010-02-03 08:13
ComboFix2.txt 2010-02-03 07:06

Pre-Run: 39,373,963,264 bytes free
Post-Run: 39,118,331,904 bytes free

- - End Of File - - B3BCEDBCF10388CE814BE01EFB5BB81B

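Added note, not part of the thread: both ComboFix logs and the HijackThis log still list `uInternet Settings,ProxyServer = http=127.0.0.1:5555` (a proxy on 127.0.0.1 hands every IE/WinINet HTTP request to a listener on the machine itself, which fits the popups described in the first post), Firefox's `network.proxy.type - 4`, the HKCU Run value whose name ComboFix could only render as `????r`, and the eight-lowercase-letter folders under c:\programdata that the CFScript targeted. The PowerShell script below is an added example, not a tool from the thread, ComboFix or any poster; it re-reads those same locations so the machine can be confirmed clean after the fix. It only changes anything when run with `-Remove`, which is my own switch. The loopback match, the folder-name pattern and the Firefox preference name are taken from the logs above; the rest is assumption. Run it from an elevated PowerShell prompt while logged in as the affected user, since the proxy and Run values live under HKCU.

```powershell
# Added example (not from the thread): re-check the indicators seen in the
# posted ComboFix/HijackThis logs. Read-only unless -Remove is given.
# Assumptions: elevated prompt, logged in as the affected user profile;
# patterns below are taken from the logs on the page, not from a signature.
param([switch]$Remove)

$findings = @()

# 1. Per-user WinINet proxy (used by IE and anything built on WinINet).
#    The logs show "ProxyServer = http=127.0.0.1:5555"; any loopback proxy
#    the user did not configure is suspect.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p.ProxyServer -match '127\.0\.0\.1|localhost') {
    $findings += "Local proxy still set: $($p.ProxyServer) (ProxyEnable=$($p.ProxyEnable))"
    if ($Remove) {
        Remove-ItemProperty -Path $inet -Name ProxyServer -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0 -Type DWord
    }
}

# 2. HKCU Run values whose names contain non-printable characters
#    (ComboFix showed one as "????r" and the CFScript deleted it by name).
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$key = Get-Item -Path $run -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        if ($name -match '[^\x20-\x7E]') {
            $findings += "Run value with non-printable name: '$name' -> $($key.GetValue($name))"
            if ($Remove) { Remove-ItemProperty -Path $run -Name $name }
        }
    }
}

# 3. Random eight-lowercase-letter folders under %ProgramData%, optionally
#    holding a DLL of the same name (pattern taken from the Folder:: list).
#    PSIsContainer is used instead of -Directory so this also runs on PS 2.0.
$pd = $env:ProgramData
foreach ($d in (Get-ChildItem -Path $pd -Force | Where-Object { $_.PSIsContainer })) {
    if ($d.Name -cmatch '^[a-z]{8}$') {
        $dll = Join-Path $d.FullName ($d.Name + '.dll')
        $note = if (Test-Path $dll) { "contains $($d.Name).dll" } else { "no dll inside" }
        $findings += "Suspicious ProgramData folder: $($d.FullName) ($note)"
        if ($Remove) { Remove-Item -Path $d.FullName -Recurse -Force }
    }
}

# 4. Firefox: report every network.proxy.* preference so it can be compared
#    with what the user actually configured (the log shows proxy.type 4,
#    i.e. auto-detect). Reported only; not changed automatically.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    Get-ChildItem -Path $profiles -Recurse -Filter prefs.js -ErrorAction SilentlyContinue |
        Select-String -Pattern 'network\.proxy\.' |
        ForEach-Object { $findings += "Firefox $($_.Filename): $($_.Line.Trim())" }
}

if ($findings.Count -eq 0) {
    'No proxy / Run / ProgramData indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it once without `-Remove` to see what it finds, reboot, and run it again: a value or folder that comes back after a reboot means something that recreates it is still running, and the logs alone will not show that.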

#8 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 03 February 2010 - 03:39 AM

Hi,

Those logs look clean to me!

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it, happy surfing!

Regards,

Rosty.
Proud member of ASAP since 2007

#9 Nibiru666

Nibiru666
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:43 PM

Posted 03 February 2010 - 03:48 AM

Thanks a lot for your time and answers Rosty!
Feel free to close this thread.
Cheers!

#10 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 03 February 2010 - 04:12 AM

You're welcome. Glad I could help.
Since this issue is resolved this topic is closed, everyone else please start a new topic.

Regards,

Rosty.
Proud member of ASAP since 2007
