
Browser Redirects


  • This topic is locked
8 replies to this topic

#1 c_raethke

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 21 March 2010 - 02:07 PM

Hi, I keep getting redirected to ads when I click on links from search engines in Firefox 3.6. I have tried to remove it using anti-malware programs like GooredFix etc, and it won't go away. Here are the logs:

DDS Log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 12:54:37.84 on Sun 03/21/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1430 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Linksys Wireless Manager] "c:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\PowerReg Scheduler V3.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: kuaiche.com\software
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://www.netgame.com/mplugin/mglaunch_USAv1005.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 93.188.162.97,93.188.161.71
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\euf8a1ui.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-4 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-4 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-4 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-16 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-16 308064]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2010-2-18 627072]
S3 cpudrv;cpudrv;\??\c:\program files\systemrequirementslab\cpudrv.sys --> c:\program files\systemrequirementslab\cpudrv.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 PLCND532;PLCND532 NDIS Protocol Driver; [x]
S3 UltraMonMirror;UltraMonMirror; [x]

=============== Created Last 30 ================

2010-03-21 13:50:48 0 d-----w- c:\program files\MSXML 4.0
2010-03-20 12:46:48 0 ----a-w- c:\windows\PowerReg.dat
2010-03-17 23:27:31 598 ----a-w- c:\windows\system32\secushr.dat
2010-03-17 23:27:01 0 d-----w- C:\Downloads
2010-03-17 23:26:45 25 ----a-w- c:\windows\libem.INI
2010-03-17 23:26:31 0 d-----w- c:\docume~1\owner\applic~1\BITS
2010-03-17 23:26:29 0 d-----w- c:\docume~1\owner\applic~1\FlashGet
2010-03-17 23:26:22 0 d-----w- c:\docume~1\owner\applic~1\FlashGetBHO
2010-03-17 23:26:19 0 d-----w- c:\program files\FlashGet Network
2010-03-17 03:25:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-17 03:18:00 2821 ----a-w- c:\documents and settings\owner\.recently-used.xbel
2010-03-16 23:31:47 8192 --sha-w- c:\windows\system32\Thumbs.db
2010-03-16 23:31:45 7168 --sha-w- c:\windows\Thumbs.db
2010-03-15 08:18:02 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-03-14 22:33:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard
2010-03-12 22:20:00 0 d-----w- c:\docume~1\owner\applic~1\Simply Super Software
2010-03-12 17:52:23 0 d-----w- c:\program files\Xiph.Org
2010-03-10 22:01:03 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 23:38:18 0 d-----w- c:\docume~1\owner\applic~1\Sony Online Entertainment
2010-03-06 16:25:02 0 d-----w- c:\program files\Microsoft SQL Server
2010-03-06 16:19:02 0 d-----w- c:\program files\common files\Merge Modules
2010-03-06 16:13:37 45056 ----a-w- c:\windows\system32\rWinHook.dll
2010-03-06 16:13:37 303104 ----a-w- c:\windows\system32\rWindowManager.ocx
2010-02-27 23:57:59 83748 -c--a-w- c:\windows\system32\dllcache\prcp.nls
2010-02-27 23:56:55 66082 -c--a-w- c:\windows\system32\dllcache\c_10021.nls
2010-02-27 23:56:55 66082 ----a-w- c:\windows\system32\c_10021.nls
2010-02-27 23:56:55 6144 -c--a-w- c:\windows\system32\dllcache\kbdth3.dll
2010-02-27 23:56:55 6144 -c--a-w- c:\windows\system32\dllcache\kbdth2.dll
2010-02-27 23:56:55 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll
2010-02-27 23:56:55 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2010-02-27 23:56:55 6144 ----a-r- c:\windows\system32\kbdth3.dll
2010-02-27 23:56:55 6144 ----a-r- c:\windows\system32\kbdth2.dll
2010-02-27 23:56:55 5632 -c--a-w- c:\windows\system32\dllcache\kbdth1.dll
2010-02-27 23:56:55 5632 -c--a-w- c:\windows\system32\dllcache\kbdth0.dll
2010-02-27 23:56:55 5632 ----a-r- c:\windows\system32\kbdth1.dll
2010-02-27 23:56:55 5632 ----a-r- c:\windows\system32\kbdth0.dll
2010-02-24 00:55:01 0 d-----w- c:\docume~1\alluse~1\applic~1\NexonUS
2010-02-23 22:05:29 0 d-----w- c:\program files\Activision Value
2010-02-21 19:28:51 0 d-----w- c:\docume~1\owner\applic~1\OpenOffice.org
2010-02-21 19:26:03 0 d-----w- c:\program files\JRE
2010-02-21 19:25:22 0 d-----w- c:\program files\OpenOffice.org 3

==================== Find3M ====================

2010-03-17 03:25:31 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-17 03:25:20 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-09 16:04:06 116037 ----a-w- c:\windows\fonts\save.rpg
2010-01-18 06:30:48 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-01-18 06:30:46 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2010-01-02 23:16:39 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-01-01 17:10:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-23 21:40:54 182784 ----a-w- c:\windows\system32\Ncs2Setp.dll
2009-12-23 21:17:06 733816 ----a-w- c:\windows\system32\ncs2dmix.dll
2009-12-23 21:17:04 518264 ----a-w- c:\windows\system32\accesor.dll
2009-12-23 20:56:14 128120 ----a-w- c:\windows\system32\ncs2instutility.dll
2009-12-23 20:39:48 1712248 ----a-w- c:\windows\system32\ncscolib.dll
2009-12-04 22:38:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009120420091205\index.dat

============= FINISH: 12:55:36.00 ===============


GMER Log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-21 14:07:05
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\ffliiaod.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74D6780]
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF77CA760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xBA483F80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[784] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\EagleNT.sys (*** hidden *** ) [MANUAL] EagleNT <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@ImagePath \??\C:\WINDOWS\system32\drivers\EagleNT.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@DisplayName EagleNT
Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@Start 3
Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@ImagePath \??\C:\WINDOWS\system32\drivers\EagleNT.sys
Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@DisplayName EagleNT
Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT\Security@Security 0x01 0x00 0x14 0x80 ...
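The lines a log reader keys on in the DDS and GMER output above are the public-IP NameServer pair, the BHO with no backing file, the Trusted Zone entry, the driver whose entry point sits in its .rsrc section, and the hidden service. The script below is an added example for this page, not a tool from the thread or from BleepingComputer: it reads lines in the DDS/GMER text format and flags those five patterns. The sample lines are constructed copies modelled on the posted logs, the section names treated as normal code sections are an assumption about typical Windows drivers, and every rule is a heuristic that marks a line for review rather than proves infection.

```python
"""Flag the indicator lines a log reader looks for in DDS / GMER output.

Added example for this thread, not a BleepingComputer tool. The rules are
heuristics: a hit means "review this line", not "this is malware".
"""
import ipaddress
import re
from typing import List, NamedTuple

# Constructed sample, modelled on lines from the DDS and GMER logs posted above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Trusted Zone: kuaiche.com\software
TCP: NameServer = 93.188.162.97,93.188.161.71
TCP: NameServer = 192.168.1.1
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74D6780]
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF77CA760]
Service C:\WINDOWS\system32\drivers\EagleNT.sys (*** hidden *** ) [MANUAL] EagleNT <-- ROOTKIT !!!
"""


class Finding(NamedTuple):
    severity: str  # "high" or "medium"
    reason: str
    line: str


NAMESERVER_RE = re.compile(r"^TCP:\s*NameServer\s*=\s*(.+)$")
ORPHAN_BHO_RE = re.compile(r"^BHO:\s*(.*?)\s*-\s*No File\s*$")
TRUSTED_ZONE_RE = re.compile(r"^Trusted Zone:\s*(\S+)")
ENTRYPOINT_RE = re.compile(r'^\S+\s+(\S+\.sys)\s+entry point in "([^"]+)" section', re.IGNORECASE)
HIDDEN_SVC_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\*\s*\)")

# Assumption: a driver's entry point normally lives in one of these code
# sections. A resource section holds data, so an entry point there means
# the on-disk image was patched (GMER reports exactly this for atapi.sys).
CODE_SECTIONS = {".text", "init", "page"}


def check_nameserver(line: str) -> List[Finding]:
    """Flag DNS resolvers that are not LAN (RFC 1918) or loopback addresses.

    A home machine normally gets its resolver from the router. A hard-coded
    public pair should be confirmed with the ISP before any search result
    the machine returns is trusted.
    """
    m = NAMESERVER_RE.match(line)
    if not m:
        return []
    out = []
    for raw in m.group(1).split(","):
        raw = raw.strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            out.append(Finding("high", f"unparseable NameServer value {raw!r}", line))
            continue
        if not (addr.is_private or addr.is_loopback):
            out.append(Finding("high", f"resolver {raw} is a public address, not the router; possible hijacked DNS", line))
    return out


def check_line(line: str) -> List[Finding]:
    """Apply every rule to one log line and return all hits."""
    findings = check_nameserver(line)
    m = ORPHAN_BHO_RE.match(line)
    if m:
        findings.append(Finding("medium", f"orphaned BHO {m.group(1)} (registered but file missing)", line))
    m = TRUSTED_ZONE_RE.match(line)
    if m:
        findings.append(Finding("medium", f"IE Trusted Zone entry {m.group(1)} lowers browser security for that site", line))
    m = ENTRYPOINT_RE.match(line)
    if m and m.group(2).lower() not in CODE_SECTIONS:
        findings.append(Finding("high", f"{m.group(1)} entry point in {m.group(2)} section: patched driver image", line))
    m = HIDDEN_SVC_RE.match(line)
    if m:
        findings.append(Finding("high", f"hidden service {m.group(1)}: rootkit-style concealment", line))
    return findings


def triage(text: str) -> List[Finding]:
    """Run the rules over a whole DDS or GMER log, skipping blank lines."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            results.extend(check_line(line))
    # Highest severity first so the resolver and rootkit hits sit at the top.
    return sorted(results, key=lambda f: 0 if f.severity == "high" else 1)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample it reports four high findings (both public resolvers, the patched atapi.sys, the hidden EagleNT service) and two medium ones (the orphaned BHO and the Trusted Zone entry); the LAN resolver 192.168.1.1 and the mohfilt.sys entry point in a normal section are left alone. Paste a real DDS or GMER log into `triage()` to get the same sort of short list.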



#2 thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:33 PM

Posted 24 March 2010 - 10:33 PM


Hello c_raethke, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right-hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 c_raethke

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 25 March 2010 - 10:25 PM

Hi there, thanks for the reply. Here is the log:
ComboFix 10-03-24.03 - Owner 03/25/2010 17:27:23.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1613 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\BITS
c:\documents and settings\Owner\Application Data\BITS\BITS.ini
c:\documents and settings\Owner\Application Data\BITS\DHTTable.dat
c:\documents and settings\Owner\Application Data\BITS\UPnP.ini
c:\documents and settings\Owner\Application Data\FlashGetBHO
c:\documents and settings\Owner\Application Data\FlashGetBHO\FlashGetBHO3.dll
c:\documents and settings\Owner\Application Data\FlashGetBHO\FlashGetHook.dll
c:\documents and settings\Owner\Application Data\FlashGetBHO\GetAllUrl.htm
c:\documents and settings\Owner\Application Data\FlashGetBHO\GetUrl.htm
c:\program files\FlashGet Network
c:\windows\system32\spool\prtprocs\w32x86\000025e9.tmp
c:\windows\system32\spool\prtprocs\w32x86\0000365a.tmp
c:\windows\system32\spool\prtprocs\w32x86\00005961.tmp
c:\windows\system32\Thumbs.db
c:\windows\Temp\rdl1.tmp

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-21 19:44 . 2010-03-21 19:44 -------- d-----w- c:\program files\Common Files\Java
2010-03-21 19:25 . 2010-03-21 19:25 -------- d-----w- c:\program files\Mozilla Developer Preview 3.7 Alpha 3
2010-03-21 13:50 . 2010-03-21 13:50 -------- d-----w- c:\program files\MSXML 4.0
2010-03-20 12:46 . 2010-03-20 12:46 0 ----a-w- c:\windows\PowerReg.dat
2010-03-17 23:27 . 2010-03-18 00:30 598 ----a-w- c:\windows\system32\secushr.dat
2010-03-17 23:27 . 2010-03-18 00:33 -------- d-----w- C:\Downloads
2010-03-17 23:26 . 2010-03-17 23:26 -------- d-----w- c:\documents and settings\Owner\Application Data\FlashGet
2010-03-17 03:25 . 2010-03-17 03:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 08:18 . 2005-09-20 14:31 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-03-14 22:33 . 2010-03-14 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2010-03-14 21:19 . 2010-03-14 21:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Talkback
2010-03-14 21:17 . 2010-03-14 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2010-03-12 22:20 . 2010-03-12 22:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Simply Super Software
2010-03-12 22:08 . 2010-03-12 22:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-12 17:52 . 2010-03-12 17:52 -------- d-----w- c:\program files\Xiph.Org
2010-03-10 22:01 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 00:13 . 2010-03-10 00:13 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\SCE
2010-03-09 23:38 . 2010-03-09 23:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Sony Online Entertainment
2010-03-06 16:25 . 2010-03-06 16:25 -------- d-----w- c:\program files\Microsoft SQL Server
2010-03-06 16:22 . 2010-03-06 16:22 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Microsoft Help
2010-03-06 16:19 . 2010-03-06 16:19 -------- d-----w- c:\program files\Microsoft.NET
2010-03-06 16:19 . 2010-03-06 16:29 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-03-06 16:19 . 2010-03-06 16:20 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-03-06 16:19 . 2010-03-06 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-06 16:17 . 2010-03-06 16:17 -------- d-----w- c:\program files\Microsoft SDKs
2010-03-06 16:13 . 2001-11-14 03:03 45056 ----a-w- c:\windows\system32\rWinHook.dll
2010-02-28 23:48 . 2010-02-28 23:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Download Manager
2010-02-27 23:58 . 2004-08-04 12:00 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2010-02-27 23:58 . 2004-08-04 12:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2010-02-27 23:58 . 2004-08-04 12:00 70656 -c--a-w- c:\windows\system32\dllcache\korwbrkr.dll
2010-02-27 23:58 . 2004-08-04 12:00 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2010-02-27 23:58 . 2004-08-04 12:00 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll
2010-02-27 23:58 . 2004-08-04 12:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2010-02-27 23:58 . 2004-08-04 12:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-02-27 23:58 . 2004-08-04 12:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2010-02-27 23:58 . 2004-08-04 12:00 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-02-27 23:56 . 2004-08-04 12:00 6144 -c--a-w- c:\windows\system32\dllcache\kbdth3.dll
2010-02-27 23:56 . 2004-08-04 12:00 6144 -c--a-w- c:\windows\system32\dllcache\kbdth2.dll
2010-02-27 23:56 . 2004-08-04 12:00 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll
2010-02-27 23:56 . 2004-08-04 12:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2010-02-27 23:56 . 2004-08-04 12:00 6144 ----a-r- c:\windows\system32\kbdth3.dll
2010-02-27 23:56 . 2004-08-04 12:00 6144 ----a-r- c:\windows\system32\kbdth2.dll
2010-02-27 23:56 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\kbdth1.dll
2010-02-27 23:56 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\kbdth0.dll
2010-02-27 23:56 . 2004-08-04 12:00 5632 ----a-r- c:\windows\system32\kbdth1.dll
2010-02-27 23:56 . 2004-08-04 12:00 5632 ----a-r- c:\windows\system32\kbdth0.dll
2010-02-24 00:55 . 2010-02-24 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 00:44 . 2010-01-03 23:19 -------- d-s---w- c:\program files\Mabinogi
2010-03-21 19:44 . 2010-03-21 19:44 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-16e2bbeb-n\msvcp71.dll
2010-03-21 19:44 . 2010-03-21 19:44 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-16e2bbeb-n\jmc.dll
2010-03-21 19:44 . 2010-03-21 19:44 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-16e2bbeb-n\msvcr71.dll
2010-03-21 19:43 . 2010-03-21 19:43 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-22563d7b-n\decora-sse.dll
2010-03-21 19:43 . 2010-03-21 19:43 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-22563d7b-n\decora-d3d.dll
2010-03-21 19:43 . 2010-01-01 17:09 -------- d-----w- c:\program files\Java
2010-03-21 17:11 . 2010-02-14 18:25 -------- d-----w- c:\program files\Image-Line
2010-03-21 13:48 . 2009-12-01 23:22 -------- d-----w- c:\program files\Microsoft Games
2010-03-21 13:28 . 2009-12-02 02:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-18 02:27 . 2010-02-21 19:29 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-17 03:25 . 2010-03-17 03:25 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-17 03:25 . 2010-03-17 03:25 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-17 03:25 . 2010-03-17 03:25 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-17 03:25 . 2009-12-04 23:42 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-17 03:25 . 2009-12-04 23:42 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-17 03:25 . 2009-12-04 23:42 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-09 23:38 . 2010-03-09 23:38 238905 ----a-w- c:\documents and settings\Owner\Application Data\Sony Online Entertainment\npsoeact.dll
2010-03-08 00:10 . 2009-12-30 00:10 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2010-03-06 16:23 . 2010-03-06 16:23 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2010-03-06 16:23 . 2010-03-06 16:23 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2010-03-03 02:24 . 2009-12-01 03:24 45016 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-28 02:46 . 2010-03-12 22:21 3691384 ----a-w- c:\documents and settings\Owner\Application Data\Simply Super Software\Trojan Remover\cvi8.exe
2010-02-26 01:58 . 2010-02-24 00:55 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-02-26 01:58 . 2010-02-24 00:55 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-02-26 01:58 . 2010-02-24 00:55 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-02-26 01:58 . 2010-02-24 00:55 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-02-26 01:58 . 2010-02-24 00:55 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-02-26 01:58 . 2010-02-24 00:55 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-02-24 05:10 . 2010-02-09 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-23 22:05 . 2010-02-23 22:05 -------- d-----w- c:\program files\Activision Value
2010-02-21 19:28 . 2010-02-21 19:28 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
2010-02-21 19:26 . 2010-02-21 19:26 -------- d-----w- c:\program files\JRE
2010-02-21 19:26 . 2010-02-21 19:25 -------- d-----w- c:\program files\OpenOffice.org 3
2010-02-19 04:27 . 2010-02-16 01:21 -------- d-----w- c:\program files\NETGEAR XAV101 Configuration Utility
2010-02-19 03:57 . 2010-02-19 03:57 -------- d-----w- c:\program files\Linksys
2010-02-19 03:56 . 2010-02-19 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2010-02-19 03:56 . 2010-02-19 03:56 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2010-02-18 22:18 . 2010-02-18 22:18 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-17 23:26 . 2010-01-03 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-02-16 02:31 . 2009-12-02 02:21 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-02-16 02:30 . 2010-02-16 02:30 -------- d-----w- c:\program files\Intel
2010-02-14 21:33 . 2010-02-14 21:33 -------- d-----w- c:\documents and settings\Owner\Application Data\SynthMaker
2010-02-14 18:29 . 2010-02-14 18:29 -------- d-----w- c:\program files\ASIO4ALL v2
2010-02-14 18:28 . 2010-02-14 18:28 -------- d-----w- c:\program files\VstPlugins
2010-02-14 18:28 . 2010-02-14 18:28 -------- d-----w- c:\program files\Outsim
2010-02-10 13:44 . 2010-02-09 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-10 00:03 . 2009-12-23 20:58 -------- d-----w- c:\program files\Game_Maker8
2010-02-09 19:01 . 2010-02-09 19:01 -------- d-----w- c:\documents and settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-02-09 18:55 . 2010-02-09 18:55 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-09 18:49 . 2010-02-09 18:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-09 18:42 . 2010-02-09 18:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-09 18:13 . 2009-12-03 03:58 -------- d-----w- c:\program files\Windows Live
2010-02-09 18:09 . 2009-12-14 15:11 -------- d-----w- c:\program files\DNA
2010-02-09 18:09 . 2009-12-14 15:11 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2010-02-09 15:33 . 2010-02-09 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-09 15:33 . 2010-02-09 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-27 23:15 . 2009-12-04 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2010-01-18 06:30 . 2010-01-18 06:30 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-01-18 06:30 . 2010-01-18 06:30 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-01-05 10:00 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-12 13:56 17408 ------w- c:\windows\system32\corpol.dll
2010-01-02 23:16 . 2010-01-02 23:16 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-01-01 16:50 . 2009-12-31 00:32 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-31 16:50 . 2004-08-12 14:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-12 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-03 2935480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2010-3-20 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-17 03:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Netgame\\OPERATION7\\OPERATION7.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Activision Value\\Snowboarding Championship 2004\\Snowboard.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14807:TCP"= 14807:TCP:Stasis Server
"14808:TCP"= 14808:TCP:Stasis Client
"56409:TCP"= 56409:TCP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/4/2009 6:42 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/4/2009 6:42 PM 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/16/2010 10:25 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/16/2010 10:25 PM 308064]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2/18/2010 10:31 PM 627072]
S3 cpudrv;cpudrv;\??\c:\program files\SystemRequirementsLab\cpudrv.sys --> c:\program files\SystemRequirementsLab\cpudrv.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 12:49 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/22/2008 12:49 AM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 9:18 PM 23680]
S3 PLCND532;PLCND532 NDIS Protocol Driver; [x]
S3 UltraMonMirror;UltraMonMirror; [x]
.
.
------- Supplementary Scan -------
.
Trusted Zone: kuaiche.com\software
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\euf8a1ui.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 17:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1988)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-25 17:44:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-25 22:44

Pre-Run: 48,262,426,624 bytes free
Post-Run: 48,324,677,632 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 53D2DCAB05A5EF7A1E0602D1D814A525


#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 26 March 2010 - 10:20 AM

OK, that was good. Let's do the following now:

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.



If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 c_raethke
  • Topic Starter
  • Members
  • 4 posts

Posted 26 March 2010 - 08:39 PM

After running the ATF-Cleaner, the problem seems to be gone, but now Firefox is not displaying most pages right, mostly missing images. There were also a few infections returned by the Kaspersky scanner, so I want to make sure there is nothing wrong with this computer. Here are the results:
QUOTE
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, March 26, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, March 26, 2010 12:35:53
Records in database: 3878376
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 76785
Threats found: 3
Infected objects found: 2
Suspicious objects found: 3
Scan duration: 02:45:29


File name / Threat / Threats count
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\1862f8ee-429cfa7d Infected: Exploit.OSX.Smid.b 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\56\4a4036b8-7a920a66 Infected: Trojan-Downloader.Java.Agent.al 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\000025e9.tmp.vir Suspicious: Packed.Win32.Morphine.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\0000365a.tmp.vir Suspicious: Packed.Win32.Morphine.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00005961.tmp.vir Suspicious: Packed.Win32.Morphine.a 1

Selected area has been scanned.


#6 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 26 March 2010 - 09:54 PM

I don't know why ATF would have affected Firefox in that manner. Never had that happen before. You might try rebooting and see if that helps; if it persists you may have to reinstall FF.

Most of what Kaspersky returned will be gone when we uninstall ComboFix. You do need to go to the following link and use the instructions to clean out your Java cache.

http://support.f-secure.com/enu/home/virus...javacache.shtml


I would also suggest you remove the following version of Java from Add/Remove:

Java™ 6 Update 16



When completed let me know how things are running.
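The triage thewall applies to that Kaspersky report, as an added example (not code from the thread, from Kaspersky or from ComboFix): it parses the scanner's text report and sorts each finding by where it sits, so the objects ComboFix already quarantined and the Java cache entries are separated from anything still live on disk. The bucket names and the path rules are this example's own assumptions.

```python
"""Triage of a Kaspersky Online Scanner 7.0 text report.

Added example, not code from the thread, Kaspersky or ComboFix: it applies the
reasoning used above. Findings under C:\\Qoobox\\Quarantine are already isolated
by ComboFix (gone after "ComboFix /Uninstall"), Java Web Start cache objects go
when the Java cache is emptied, anything else is still live and needs review.
"""
import re
from collections import defaultdict

# One finding line: "<path> <Infected|Suspicious>: <threat name> <count>"
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+"
    r"(?P<threat>\S+)\s+(?P<count>\d+)$"
)
# Locations with a known remediation (assumed rules), compared case-insensitively.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"

def parse_report(text):
    """Return one dict per finding line; all other report lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["count"] = int(f["count"])
            findings.append(f)
    return findings

def classify(path):
    """Map a reported path to a remediation bucket."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "quarantined"   # isolated by ComboFix; removed on its uninstall
    if JAVA_CACHE_MARKER in p:
        return "java_cache"    # cleared by emptying the Java cache
    return "live"              # still in place: review before closing the case

def triage(text):
    """Parse the report and group its findings by remediation bucket."""
    buckets = defaultdict(list)
    for f in parse_report(text):
        buckets[classify(f["path"])].append(f)
    return dict(buckets)

def reported_threat_count(text):
    """'Threats found: N' from the statistics block, or None if absent."""
    m = re.search(r"^Threats found:\s*(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else None

# Constructed sample: the statistics and finding lines from the report posted
# above, reproduced in the scanner's own layout.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 76785
Threats found: 3
Infected objects found: 2
Suspicious objects found: 3

File name / Threat / Threats count
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\1862f8ee-429cfa7d Infected: Exploit.OSX.Smid.b 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\56\4a4036b8-7a920a66 Infected: Trojan-Downloader.Java.Agent.al 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\000025e9.tmp.vir Suspicious: Packed.Win32.Morphine.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\0000365a.tmp.vir Suspicious: Packed.Win32.Morphine.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00005961.tmp.vir Suspicious: Packed.Win32.Morphine.a 1

Selected area has been scanned.
"""

if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_REPORT).items()):
        for f in items:
            print(f"{bucket:12} {f['verdict']:10} {f['threat']:36} {f['path']}")
```

On this report every finding lands in a bucket with a known fix and the "live" bucket stays empty, which is the condition under which the helper moved on to cleanup.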

#7 c_raethke
  • Topic Starter
  • Members
  • 4 posts

Posted 26 March 2010 - 11:13 PM

I emptied the Java cache, uninstalled Java update 16, reinstalled Firefox, and restarted my computer. It still had problems displaying the images, so I deleted "Recent History" (Cache, cookies, active logins, and site preferences) and now it works fine.

Are there steps I have to take to uninstall ComboFix? It appears to be just an executable file, but I want to make sure everything is cleared up.

Thank you very much for your help.

#8 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 26 March 2010 - 11:25 PM

Glad to be of help.

It's important we do an uninstall of ComboFix as it performs some necessary functions as it removes itself.


Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

  • The following will implement some very important cleanup procedures as well as reset System Restore points.


You can also go ahead and delete GMER and DDS as we won't need them again.



Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  1. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  2. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
  3. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  4. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  5. Finally, this is very important. It is absolutely essential to keep all of your security programs up to date




If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum.


thewall

#9 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 28 March 2010 - 10:51 AM

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.