Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32/Patched.CG


  • This topic is locked This topic is locked
17 replies to this topic

#1 erin79

erin79

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 14 March 2010 - 08:26 PM

Hi there,

I run AVG free, and the resident shield is telling me I have a threat detected called:

Win32/Patched.CG

located in:

C:\WINDOWS\system32\drivers\atapi.sys

Usually resident shield has an option button to delete or heal the infection, but this time there is none. There is only an IGNORE button. I checked AVG's site and there are no fixes for this specific virus.

Pages are opening by themselves on my browser and all my searches are being redirected.


Can someone please help?

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:24 AM

Posted 14 March 2010 - 08:47 PM

Hello and welcome.. Let's start here and see what the logs show.


First run RKill....

Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way as the malware programs will start again.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 erin79

erin79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 14 March 2010 - 09:49 PM

Ok, I ran Rkill, and it seems to show nothing. Here is the log in case you need to see it:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as E on 03/14/2010 at 22:34:32.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\E\Desktop\rkill.pif


Rkill completed on 03/14/2010 at 22:34:39.



Then I disable Spybot's teatimer as shown in the link you posted and ran MBAM, which is also showing 'no malicious items found.' Here is the MBAM log:



Malwarebytes' Anti-Malware 1.44
Database version: 3868
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/14/2010 10:44:04 PM
mbam-log-2010-03-14 (22-44-04).txt

Scan type: Quick Scan
Objects scanned: 133589
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




I also ran an AVG scan earlier and it found nothing. Only that resident shield warning seems to have detected the problem, but there is definitely something. Like i said earlier, all my searches are being redirected and I'm running really slow.

Also, earlier today a friend had suggested that i do a Windows System Restore to a few weeks ago before these problems were going on, and I did, but it doesn't seem to have helped at all.


Any other suggestions?

PS- thanks for the help.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:24 AM

Posted 14 March 2010 - 09:58 PM

OK, yes sometimes it requires a few tools.
Note: I'll probably have to review these tomorrow.

Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Please ask any needed questions,post logs and Let us know how the PC is running now.

Edited by boopme, 14 March 2010 - 10:00 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 erin79

erin79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 15 March 2010 - 09:28 PM

Hi there,

I followed all the instructions in that last post. Here are the results from the SUPER run

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/15/2010 at 10:08 PM

Application Version : 4.34.1000

Core Rules Database Version : 4678
Trace Rules Database Version: 2490

Scan type : Complete Scan
Total Scan Time : 01:32:05

Memory items scanned : 256
Memory threats detected : 0
Registry items scanned : 6138
Registry threats detected : 0
File items scanned : 60665
File threats detected : 1

Trojan.Agent/Gen
C:\Program Files\skynet.dat





And is the rootrepeal log





ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/15 22:15
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB755A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\networkservice\cookies\system@advertise[1].txt
Status: Size mismatch (API: 176, Raw: 161)

Path: C:\Documents and Settings\NetworkService\Cookies\system@adblade[2].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Cookies\system@affgold8.91469.blueseek[1].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Cookies\system@atlas.entrepreneur[1].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Cookies\system@ct.areaconnect[1].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Cookies\system@dr.areaconnect[1].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Cookies\system@entrepreneur.122.2o7[1].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Cookies\system@quantserve[1].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Cookies\system@scorecardresearch[1].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Cookies\system@ylwbook.areaconnect.addresses[1].txt
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xee926320

==EOF==




So that's everything. But my searches are still all being redirected. Is there anything else I can do? Is there something in the above logs that you see?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:24 AM

Posted 15 March 2010 - 09:45 PM

Hello there is still the possibility of another rootkit shown there. Now we need to confirm.

By the way a System Restore may restore functionality to the PC and fix some problems the malware creatred ,but it will not kill the malware.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 erin79

erin79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 17 March 2010 - 01:58 PM

Hi,

I am able to run gmer, but it always seems to freeze up and crash when I try to save at the end. Are there any specific columns on the right that are less important that I should uncheck? Or should i maybe do two scans, one with half the items checked and another with the other half?

or if worse came to worse, could i take a "printscreen" shot of the list shown at the end of the scan, and post that here? Either way i will try again. It's just that as soon as i try to save it freezes up and crashes.

Thanks

post edit---whoops--it says right there to uncheck Devices. Sorry, i didnt see that. I will try that and reply afterwards.

Edited by erin79, 17 March 2010 - 02:02 PM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:24 AM

Posted 17 March 2010 - 02:15 PM

Ok,good also try safe mode if needee.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 erin79

erin79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 17 March 2010 - 10:38 PM

Ok, finished running gmer with Devices unchecked, in normal mode, not safe mode.

Here is the log:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-17 23:16:54
Windows 5.1.2600 Service Pack 3
Running: jjxqk1j6.exe; Driver: C:\DOCUME~1\E\LOCALS~1\Temp\uxtdapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF75C7794]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF63C7000, 0x1C5D38, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[992] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[992] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[992] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\Explorer.EXE[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1164] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1164] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



Please let me know what to do next.

Thanks!

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:24 AM

Posted 18 March 2010 - 10:48 AM

Hello, there are some modified/suspicious atapi.sys files here. We need a deeper look. Please follow these instructions to post needed logs.

Preparation Guide . proceed to steps 6 through 9.
If you cannot perform a step move on to the next. Post all required logs and the complete log.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 erin79

erin79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 21 March 2010 - 09:11 AM

post edit- I seem to be having trouble getting these logs to post. I dont know if your site is just a bit slow right now or if the logs are too long. I guess I'll try again a bit later. Do you think the logs may be too long? Should i try zipping them or something of that sort, or should I be able to post them normally? DDS and ATTACH arent even that long, only GMER log is long.



Ok, I went through steps 6 - 9

Used Defogger to disable,

then i ran DDS, here are the DDS and Attach logs:



DDS

Edited by erin79, 21 March 2010 - 09:24 AM.


#12 erin79

erin79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 21 March 2010 - 09:11 AM

Ok, I went through steps 6 - 9

Used Defogger to disable,

then i ran DDS, here are the DDS and Attach logs:



DDS



DDS (Ver_10-03-17.01) - NTFSx86
Run by E at 23:52:50.79 on Thu 03/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.231 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\E\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEH

Edited by erin79, 21 March 2010 - 12:18 PM.


#13 erin79

erin79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 21 March 2010 - 09:11 AM

Ok, I went through steps 6 - 9

Used Defogger to disable,

then i ran DDS, here are the DDS and Attach logs:



DDS


[b]DDS (Ver_10-03-17.01) - NTFSx86
Run by E at 23:52:50.79 on Thu 03/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.231 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\E\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\a

#14 erin79

erin79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 21 March 2010 - 09:12 AM

Ok, I went through steps 6 - 9

Used Defogger to disable,

then i ran DDS, here are the DDS and Attach logs:



DDS


[b]DDS (Ver_10-03-17.01) - NTFSx86
Run by E at 23:52:50.79 on Thu 03/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.231 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\E\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\a

#15 erin79

erin79
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 21 March 2010 - 12:32 PM

Ok, I have tried several times to post the logs but it is not working. I'm assuming the logs are too long to post.

Should i post them piecemeal in a bunch of consecutive replies, or will that make it difficult for you to read? Or is there another way? Zipping or emailing logs to you or something?

Please let me know what the best way is.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users