
Firefox/Google Search Redirection - Suspect Rootkit


  • This topic is locked
19 replies to this topic

#1 dorje

dorje

  • Members
  • 143 posts
  • Gender:Male
  • Location:Portland, OR, USA

Posted 11 April 2010 - 02:49 PM

HW/SW: Homebuilt PC, Win XP Pro SP2, Firefox 3.6.3, AVG 9.5, Malwarebytes Pro

Hi, and thanks in advance for your help,

Symptoms:
  • When I use Google from within Firefox, the search results come up looking legit, but sometimes clicking on those results takes me to ad sites, such as localpages.com and 7search.com.
  • Sometimes the ads simply pop-up or pop-under. Firefox is set to block all popups except from one site, and AdBlock doesn't seem to help.
  • If Malwarebytes active protection is enabled, it regularly reports: "Successfully blocked access to a potentially malicious website: [IP address]". Search redirects are fewer with MWB active protection, but still occur. I can supply logged IP addresses if needed.
  • After the system has been running for a while (20-30 minutes), CPU usage will creep or even jump up to 100% and stay there. Task manager shows process as "System". Nothing but a shutdown will fix it.

What I've done: (All scans run with both AVG Resident Shield and Malwarebytes Active Protection DISABLED.)
  • Multiple scans with Malwarebytes: Not finding anything since the first scan.
  • Scanned with Spybot: Found Fraud.XXX trojan, only once - removed.
  • Scanned with Adaware: only found cookies - removed.
  • AVG Resident Shield reported Neosploit exploit twice
  • Multiple HJT scans. I have removed several obvious baddies (Based on experience, and on Spywareinfoforum's guide).
  • Latest HJT scans show no obvious baddies.
  • Ran combofix twice - (Before I read your warning not to. Sorry!) I have since uninstalled it, and reinstalled AVG, which it broke.
  • Search redirects/popups/MWB warnings are still coming up regularly, and the system still ramps up eventually to 100% and requires a shutdown.

Since there's so little evidence with scans, I suspect a rootkit, but don't know enough to remove it safely.

I look forward to your reply.

Requested logs attached.

Thank you!





Attached Files





#2 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 14 April 2010 - 11:30 AM

Hello, dorje

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Yes, it is a rootkit, the TDL3 in fact. Let's do this:

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    agp440.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 dorje

dorje
  • Topic Starter

  • Members
  • 143 posts
  • Gender:Male
  • Location:Portland, OR, USA

Posted 14 April 2010 - 04:00 PM

Hi Jat,

Thanks so much for your quick reply.

This machine belongs to a friend of mine. I've put in a call to him to schedule a time to do the SystemLook scan. I'll do it as soon as he and I can connect, and send you the results.

Thanks again,

Dorje

#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 14 April 2010 - 04:55 PM

That's fine, I'll check periodically for a reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 dorje

dorje
  • Topic Starter

  • Members
  • 143 posts
  • Gender:Male
  • Location:Portland, OR, USA

Posted 14 April 2010 - 06:20 PM

Hi Jat,

I've posted the text of SystemLook.txt, as requested, below.

I should mention that I performed this scan remotely, via Citrix GoToAssistExpress.

If there's a problem with that, I can go to Greg's house if need be.

Thanks again for your help.

Dorje

===================================================
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:15 on 14/04/2010 by Greg (Administrator - Elevation successful)

========== filefind ==========

Searching for "agp440.sys"
C:\WINDOWS.0\ERDNT\cache\AGP440.SYS --a--- 42368 bytes [03:29 11/04/2010] [23:07 03/08/2004] 2C428FA0C3E3A01ED93C9B2A27D8D4BB
C:\WINDOWS.0\system32\drivers\AGP440.SYS ------ 42368 bytes [07:43 20/04/2008] [23:07 03/08/2004] 2C428FA0C3E3A01ED93C9B2A27D8D4BB

-=End Of File=-
===================================================

Edited by dorje, 14 April 2010 - 06:41 PM.
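The SystemLook log above is short enough to read by eye, but the same check is worth automating when a helper asks for several file names at once. The script below is an added example, not code from this thread, from SystemLook or from BleepingComputer: it parses the `:filefind` block exactly as posted, extracts each hit's path, attribute flags, size, the two timestamps and the MD5, and compares the copy under `system32\drivers` with the ERDNT backup copy of the same name. One assumption, inferred from the posted log (the ERDNT copy carries the date ComboFix made it), is that the first bracketed timestamp is the creation time and the second the last-modified time.

```python
"""Parse SystemLook ":filefind" output and compare copies of one driver.

Added example: not code from the thread, from SystemLook or from
BleepingComputer. Reads the filefind block as posted, pulls out each hit
(path, attribute flags, size, two timestamps, MD5) and compares the installed
driver with the backup copy of the same name.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the filefind block exactly as posted in the thread.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "agp440.sys"
C:\WINDOWS.0\ERDNT\cache\AGP440.SYS --a--- 42368 bytes [03:29 11/04/2010] [23:07 03/08/2004] 2C428FA0C3E3A01ED93C9B2A27D8D4BB
C:\WINDOWS.0\system32\drivers\AGP440.SYS ------ 42368 bytes [07:43 20/04/2008] [23:07 03/08/2004] 2C428FA0C3E3A01ED93C9B2A27D8D4BB

-=End Of File=-
"""

# One hit line: <path> <6 attribute flags> <size> bytes [stamp] [stamp] <MD5>.
# Assumption (inferred from the posted log): first bracket = created,
# second bracket = last modified.
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>.+)"$')


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str
    size: int
    created: str
    modified: str
    md5: str


def parse_filefind(text: str) -> dict[str, list[FileHit]]:
    """Map each searched-for name (lower-cased) to the hits listed under it."""
    results: dict[str, list[FileHit]] = {}
    current: str | None = None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results.setdefault(current, [])
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            results[current].append(FileHit(
                path=m.group("path"), attrs=m.group("attrs"),
                size=int(m.group("size")), created=m.group("created"),
                modified=m.group("modified"), md5=m.group("md5").upper()))
    return results


def compare_copies(hits: list[FileHit]) -> dict:
    """Compare the copy under system32\\drivers with every other copy found.

    The report names the installed path and, for each backup, whether it
    agrees with the installed copy on size, MD5 and last-modified time.
    With no single installed copy there is nothing to compare against.
    """
    installed = [h for h in hits if "\\system32\\drivers\\" in h.path.lower()]
    if len(installed) != 1:
        return {"installed": None, "backups": [], "note": "no single installed copy"}
    inst = installed[0]
    backups = [{
        "path": h.path,
        "same_size": h.size == inst.size,
        "same_md5": h.md5 == inst.md5,
        "same_modified": h.modified == inst.modified,
    } for h in hits if h is not inst]
    return {"installed": inst.path, "backups": backups, "note": ""}


if __name__ == "__main__":
    for name, hits in parse_filefind(SAMPLE_LOG).items():
        print(name, compare_copies(hits))
```

Note what the comparison shows on the posted log: both copies report the same size, MD5 and modified time, even though the helper treats the installed driver as the infected file. A rootkit that sits in the disk I/O path can return the original contents when the file is read, so a matching hash from a scan run on the live system only tells you what the running kernel chose to show the scanner; it is not proof the bytes on disk are clean.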


#6 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 14 April 2010 - 07:01 PM

I don't see why logs obtained via remote access should pose any problems, then again I have never dealt with that scenario but it should be the same in any case.

We need to copy a file now, so please locate:

C:\WINDOWS.0\ERDNT\cache\AGP440.sys
Right click that file and hit "copy"
Then paste it at C:\

Note -- It's highly important you get that right, let me know if you have any problems or questions.

File Replacement via Recovery Console

For this fix be sure you have the Recovery Console installed, if not then see HERE for instructions on how to install it.

We need to replace that file manually:
  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following text, and press Enter:

    cd C:\windows.0\system32\drivers

  6. At the next prompt type the following text, and press Enter:

    ren AGP440.sys AGP440.vir

  7. At the next prompt type the following text, and press Enter:

    copy C:\AGP440.sys AGP440.sys

  8. The command should then show 1 file(s) copied
  9. At the next prompt type the following text, and press Enter:

    exit
Windows will now begin loading.

Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#7 dorje

dorje
  • Topic Starter

  • Members
  • 143 posts
  • Gender:Male
  • Location:Portland, OR, USA

Posted 14 April 2010 - 07:14 PM

Hi Jat,

Got your reply, thanks for the steps, they are very clear.

I obviously won't be able to do this remotely (I don't get remote access until after Windows and Firefox are loaded), so I'm heading over to Greg's house at 7pm PDT to do this next phase (about 1:45 from now).

I expect you'll want to see the results of the GMER scan, yes? Do you want me to attach or post the file?

Thanks!

Dorje

#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 14 April 2010 - 07:23 PM

Yes, perform the scan after the manual file replacement and paste it (rather than attaching it) here, thanks.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#9 dorje

dorje
  • Topic Starter

  • Members
  • 143 posts
  • Gender:Male
  • Location:Portland, OR, USA

Posted 15 April 2010 - 12:39 AM

Hi Jat,

I replaced the infected agp440.sys as instructed, and then ran the GMER scan.

The results are pasted just below.

I need to let you know that for some reason, Malwarebytes would not load automatically. Greg really needs that protection, so I reinstalled MWB and it now works fine. I didn't install anything new, just uninstalled and reinstalled MWB.

I did see in your instructions to refrain from uninstalls/reinstalls, but Greg had to use his computer tonight and tomorrow, and I didn't want him working without a net. If you need me to run another GMER scan, I'll be happy to.

Firefox was active for about 30 minutes during/after the file replacement and scan, and no pop-ups or search redirections occurred (I tested Google searching). Things are looking up!

Thanks again for your help, and I look forward to your reply.

Dorje
-------

GMER scan results here:

===================================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-14 20:45:24
Windows 5.1.2600 Service Pack 2
Running: edy6bnj8.exe; Driver: C:\DOCUME~1\Greg\LOCALS~1\Temp\pfadrfod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS.0\system32\DRIVERS\ati2mtag.sys section is writeable [0xF71E7000, 0x1894F8, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by dorje, 15 April 2010 - 12:43 AM.
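A GMER log like the one above is easiest to read when its sections are separated and the repeated IAT lines are collapsed by the module they resolve to. The script below is an added example, not GMER's code and not from this thread; its sample input is a constructed excerpt of the posted log (three of the eighteen IAT lines, two of the five AttachedDevice lines). It splits the log on the `---- <name> - GMER x ----` headers, parses the kernel-section, IAT and AttachedDevice lines, and counts hook targets together with the vendor GMER printed for them.

```python
"""Triage a GMER rootkit-scan log: split it into sections, parse the IAT hook
and AttachedDevice lines, and summarise which module the user-mode hooks
resolve to.

Added example: not GMER's code and not from the thread. SAMPLE_GMER is a
constructed excerpt of the log posted above.
"""
from __future__ import annotations

import re
from collections import Counter

SAMPLE_GMER = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-14 20:45:24
Windows 5.1.2600 Service Pack 2

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS.0\system32\DRIVERS\ati2mtag.sys section is writeable [0xF71E7000, 0x1894F8, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[124] @ C:\WINDOWS.0\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
WRITEABLE_RE = re.compile(
    r"^(?P<section>\S+) (?P<file>.+?) section is writeable \[(?P<range>[^\]]+)\]$")
IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<import_>[^\]]+)\] \[(?P<address>[0-9A-Fa-f]+)\] (?P<target>.+?) \((?P<desc>[^)]*)\)$")
DEVICE_RE = re.compile(
    r"^AttachedDevice (?P<driver>\S+) (?P<device>\S+) (?P<file>\S+) \((?P<desc>[^)]*)\)$")


def split_sections(text: str) -> dict[str, list[str]]:
    """Group non-empty lines under the section header above them.

    Lines before the first header (tool version, scan time, OS) go under
    the pseudo-section "header".
    """
    sections: dict[str, list[str]] = {}
    current = "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif line.strip():
            sections.setdefault(current, []).append(line)
    return sections


def vendor_of(desc: str) -> str:
    """GMER prints '(description/vendor)'; return the vendor part, or ''."""
    return desc.rsplit("/", 1)[-1].strip() if "/" in desc else ""


def parse_matches(lines: list[str], pattern: re.Pattern) -> list[dict]:
    """Apply one line pattern and return the named groups, plus the vendor."""
    out = []
    for line in lines:
        m = pattern.match(line)
        if m:
            d = m.groupdict()
            if "desc" in d:
                d["vendor"] = vendor_of(d["desc"])
            out.append(d)
    return out


def triage(text: str) -> dict:
    """Return a summary dict for one GMER log."""
    sections = split_sections(text)
    hooks = parse_matches(sections.get("User IAT/EAT", []), IAT_RE)
    for h in hooks:
        h["pid"] = int(h["pid"])
    writeable = [d["file"] for d in
                 parse_matches(sections.get("Kernel code sections", []), WRITEABLE_RE)]
    devices = parse_matches(sections.get("Devices", []), DEVICE_RE)
    # Counting by (target, vendor) makes one odd target stand out among many
    # hooks that all resolve to the same known module.
    targets = Counter((h["target"], h["vendor"]) for h in hooks)
    return {"sections": list(sections), "iat_hooks": hooks, "hook_targets": targets,
            "writeable_sections": writeable, "devices": devices}


if __name__ == "__main__":
    t = triage(SAMPLE_GMER)
    for (target, vendor), n in t["hook_targets"].most_common():
        print(f"{n:3d} IAT hooks -> {target} ({vendor})")
    print("writeable kernel sections:", t["writeable_sections"])
    print("attached devices:", [d["file"] for d in t["devices"]])
```

On the full posted log every one of the eighteen IAT entries resolves to the same target, `ShimEng.dll`, which GMER attributes to Microsoft; it is the application-compatibility shim engine, and redirecting `GetProcAddress` imports is how shims work. Grouping by target is what makes that pattern obvious, and it is equally what would make a single hook to an unattributed module stand out.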


#10 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 15 April 2010 - 03:52 AM

Hello,

Good to see the redirects have stopped, let's now do this:

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#11 dorje

dorje
  • Topic Starter

  • Members
  • 143 posts
  • Gender:Male
  • Location:Portland, OR, USA

Posted 15 April 2010 - 12:27 PM

Hi Jat,

Malwarebytes is still reporting that it "Successfully blocked access to potentially malicious website: xxx.xxx.xxx.xxx." The IP addresses are all the same - 83.133.119.139.

AVG reports infections occasionally, too. And the AVG system tray icon once again doesn't show up after reboot, though the AVG processes are all running.


Here's the combofix log:
================================

ComboFix 10-04-14.04 - Greg 04/15/2010 9:17.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.520 [GMT -7:00]
Running from: c:\documents and settings\Greg\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-03-15 to 2010-04-15 )))))))))))))))))))))))))))))))
.

2010-04-15 04:42 . 2010-03-30 07:46 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys
2010-04-15 04:42 . 2010-03-30 07:45 20824 ----a-w- c:\windows.0\system32\drivers\mbam.sys
2010-04-15 04:39 . 2010-04-15 04:39 12464 ----a-w- c:\windows.0\system32\avgrsstx.dll
2010-04-15 04:39 . 2010-04-15 04:39 242696 ----a-w- c:\windows.0\system32\drivers\avgtdix.sys
2010-04-15 04:39 . 2010-04-15 04:39 216200 ----a-w- c:\windows.0\system32\drivers\avgldx86.sys
2010-04-15 04:39 . 2010-04-15 04:39 29512 ----a-w- c:\windows.0\system32\drivers\avgmfx86.sys
2010-04-15 04:39 . 2010-04-15 04:39 -------- d-----w- c:\windows.0\system32\drivers\Avg
2010-04-15 04:15 . 2010-04-15 04:15 -------- d-----w- c:\documents and settings\Greg\Application Data\AVG9
2010-04-15 02:52 . 2010-04-15 02:53 -------- d-----w- C:\saved boot.ini
2010-04-15 02:35 . 2004-08-03 23:07 42368 ----a-w- c:\windows.0\system32\drivers\agp440.sys
2010-04-15 02:35 . 2004-08-03 23:07 42368 ----a-w- C:\AGP440.SYS
2010-04-12 22:39 . 2010-04-15 02:33 71170 ----a-w- c:\documents and settings\All Users\Application Data\YhI670r2.exe
2010-04-11 01:44 . 2010-04-11 01:44 388096 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-11 01:22 . 2010-04-11 01:44 -------- d-----w- C:\HJT
2010-04-11 01:13 . 2010-04-11 01:13 95024 ----a-w- c:\windows.0\system32\drivers\SBREDrv.sys
2010-04-11 01:05 . 2010-04-11 02:25 -------- d-----w- c:\program files\Lavasoft
2010-04-11 01:05 . 2010-04-11 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-10 23:25 . 2010-04-11 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-10 23:25 . 2010-04-10 23:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-10 00:38 . 2010-04-10 00:38 -------- d-----w- c:\program files\TrendMicro
2010-04-09 23:57 . 2010-04-09 23:57 8854 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
2010-04-09 23:57 . 2010-04-09 23:57 40960 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2010-04-09 23:57 . 2010-04-09 23:57 10134 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
2010-04-09 23:57 . 2010-04-09 23:57 -------- d-----w- c:\program files\Western Digital Technologies
2010-04-06 13:51 . 2010-04-06 13:51 552 ----a-w- c:\windows.0\system32\d3d8caps.dat
2010-04-06 13:51 . 2010-04-06 13:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 13:51 . 2010-04-06 13:51 664 ----a-w- c:\windows.0\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-15 13:49 . 2010-04-12 22:39 112 ----a-w- c:\documents and settings\All Users\Application Data\JM0sUk361.dat
2010-04-15 13:48 . 2008-04-20 15:37 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-15 04:42 . 2009-08-08 02:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-15 04:33 . 2010-02-28 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-15 03:54 . 2008-04-20 17:08 21952 ----a-w- c:\documents and settings\Greg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-13 17:49 . 2010-03-13 04:53 0 ----a-w- c:\documents and settings\Greg\Local Settings\Application Data\prvlcl.dat
2010-04-07 16:56 . 2010-01-06 00:49 108920 ----a-w- c:\documents and settings\Greg\g2ax_customer_downloadhelper_win32_x86.exe
2010-04-07 02:26 . 2009-08-08 02:44 228 ----a-w- c:\windows.0\system32\decdeea_x.dat
2010-03-03 04:14 . 2010-03-03 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-28 22:50 . 2009-11-24 01:16 79488 ----a-w- c:\documents and settings\Greg\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-28 22:33 . 2009-04-01 00:56 -------- d-----w- c:\program files\AVG
2009-07-25 02:08 . 2009-07-25 02:08 12406 ----a-w- c:\program files\Common Files\utikeb.com
2010-02-24 17:39 . 2009-06-08 01:59 27960 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-02-24 17:39 . 2009-06-08 01:59 126344 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-06-08 02:00 . 2009-06-08 02:00 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-06-08 02:00 . 2009-06-08 02:00 99216 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui .exe


((((((((((((((((((((((((((((( SnapShot_2010-04-11_03.28.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-15 13:47 . 2010-04-15 13:47 16384 c:\windows.0\Temp\Perflib_Perfdata_540.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-04-12 41476]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-30 437584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-15 04:39 12464 ----a-w- c:\windows.0\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-04-07 16:57 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows.0\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows.0\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Web Connector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Web Connector.lnk
backup=c:\windows.0\pss\QuickBooks Web Connector.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-12 02:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ------w- c:\windows.0\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 15:21 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 10:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows.0\system32\drivers\avgldx86.sys [4/14/2010 9:39 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows.0\system32\drivers\avgtdix.sys [4/14/2010 9:39 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/14/2010 9:36 PM 308064]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/14/2010 9:42 PM 303952]
R3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe [4/7/2010 9:57 AM 161144]
R3 MBAMProtector;MBAMProtector;c:\windows.0\system32\drivers\mbam.sys [4/14/2010 9:42 PM 20824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\documents and settings\Greg\Application Data\Mozilla\Firefox\Profiles\utlz5d2p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.usatoday.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 09:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows.0\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll

- - - - - - - > 'explorer.exe'(14728)
c:\windows.0\system32\wpdshserviceobj.dll
c:\windows.0\system32\portabledevicetypes.dll
c:\windows.0\system32\portabledeviceapi.dll
.
Completion time: 2010-04-15 09:28:24
ComboFix-quarantined-files.txt 2010-04-15 16:28
ComboFix2.txt 2010-04-11 03:34

Pre-Run: 234,677,776,384 bytes free
Post-Run: 234,784,141,312 bytes free

- - End Of File - - 4B6EF044D4B62CB384DFC57BD65B1C1C


#12 Jat90

Posted 15 April 2010 - 02:22 PM

Hello,

Let's do this:

CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\documents and settings\All Users\Application Data\YhI670r2.exe
c:\windows.0\system32\decdeea_x.dat
c:\program files\Common Files\utikeb.com

RenV::
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui .exe


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Suspicious Files

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows.0\system32\drivers\agp440.sys
c:\documents and settings\Greg\Local Settings\Application Data\prvlcl.dat

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please post:
  • ComboFix log
  • Jotti log
  • MBAM log

Edited by Jat90, 15 April 2010 - 05:23 PM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#13 dorje

Posted 15 April 2010 - 10:37 PM

Hi, Jat,

Here's the Combofix log

============================================================================
ComboFix 10-04-14.04 - Greg 04/15/2010 19:42:38.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.504 [GMT -7:00]
Running from: c:\documents and settings\Greg\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Greg\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\All Users\Application Data\YhI670r2.exe"
"c:\program files\Common Files\utikeb.com"
"c:\windows.0\system32\decdeea_x.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\YhI670r2.exe
c:\program files\Common Files\utikeb.com
c:\windows.0\system32\decdeea_x.dat

.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-15 16:58 . 2010-04-15 16:58 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-15 16:58 . 2010-04-15 16:58 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-15 04:42 . 2010-03-30 07:46 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys
2010-04-15 04:42 . 2010-03-30 07:45 20824 ----a-w- c:\windows.0\system32\drivers\mbam.sys
2010-04-15 04:39 . 2010-04-15 04:39 12464 ----a-w- c:\windows.0\system32\avgrsstx.dll
2010-04-15 04:39 . 2010-04-15 04:39 242696 ----a-w- c:\windows.0\system32\drivers\avgtdix.sys
2010-04-15 04:39 . 2010-04-15 04:39 216200 ----a-w- c:\windows.0\system32\drivers\avgldx86.sys
2010-04-15 04:39 . 2010-04-15 04:39 29512 ----a-w- c:\windows.0\system32\drivers\avgmfx86.sys
2010-04-15 04:39 . 2010-04-16 01:51 -------- d-----w- c:\windows.0\system32\drivers\Avg
2010-04-15 04:15 . 2010-04-15 04:15 -------- d-----w- c:\documents and settings\Greg\Application Data\AVG9
2010-04-15 02:52 . 2010-04-15 02:53 -------- d-----w- C:\saved boot.ini
2010-04-15 02:35 . 2004-08-03 23:07 42368 ----a-w- c:\windows.0\system32\drivers\agp440.sys
2010-04-15 02:35 . 2004-08-03 23:07 42368 ----a-w- C:\AGP440.SYS
2010-04-11 01:44 . 2010-04-11 01:44 388096 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-11 01:22 . 2010-04-11 01:44 -------- d-----w- C:\HJT
2010-04-11 01:13 . 2010-04-11 01:13 95024 ----a-w- c:\windows.0\system32\drivers\SBREDrv.sys
2010-04-11 01:05 . 2010-04-11 02:25 -------- d-----w- c:\program files\Lavasoft
2010-04-11 01:05 . 2010-04-11 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-10 23:25 . 2010-04-11 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-10 23:25 . 2010-04-10 23:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-10 00:38 . 2010-04-10 00:38 -------- d-----w- c:\program files\TrendMicro
2010-04-09 23:57 . 2010-04-09 23:57 8854 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
2010-04-09 23:57 . 2010-04-09 23:57 40960 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2010-04-09 23:57 . 2010-04-09 23:57 10134 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
2010-04-09 23:57 . 2010-04-09 23:57 -------- d-----w- c:\program files\Western Digital Technologies
2010-04-06 13:51 . 2010-04-06 13:51 552 ----a-w- c:\windows.0\system32\d3d8caps.dat
2010-04-06 13:51 . 2010-04-06 13:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 13:51 . 2010-04-06 13:51 664 ----a-w- c:\windows.0\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 02:42 . 2009-08-08 02:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-16 01:49 . 2010-03-13 04:53 0 ----a-w- c:\documents and settings\Greg\Local Settings\Application Data\prvlcl.dat
2010-04-15 17:38 . 2008-04-20 15:37 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-15 17:18 . 2010-04-12 22:39 112 ----a-w- c:\documents and settings\All Users\Application Data\JM0sUk361.dat
2010-04-15 04:33 . 2010-02-28 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-15 03:54 . 2008-04-20 17:08 21952 ----a-w- c:\documents and settings\Greg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 16:56 . 2010-01-06 00:49 108920 ----a-w- c:\documents and settings\Greg\g2ax_customer_downloadhelper_win32_x86.exe
2010-03-03 04:14 . 2010-03-03 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-28 22:50 . 2009-11-24 01:16 79488 ----a-w- c:\documents and settings\Greg\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-28 22:33 . 2009-04-01 00:56 -------- d-----w- c:\program files\AVG
2010-02-24 17:39 . 2009-06-08 01:59 27960 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-02-24 17:39 . 2009-06-08 01:59 126344 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-06-08 02:00 . 2009-06-08 02:00 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-06-08 02:00 . 2009-06-08 02:00 99216 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-04-11_03.28.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-15 17:16 . 2010-04-15 17:16 16384 c:\windows.0\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-30 437584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-15 04:39 12464 ----a-w- c:\windows.0\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-04-07 16:57 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows.0\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows.0\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Web Connector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Web Connector.lnk
backup=c:\windows.0\pss\QuickBooks Web Connector.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-12 02:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ------w- c:\windows.0\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 15:21 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 10:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows.0\system32\drivers\avgldx86.sys [4/14/2010 9:39 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows.0\system32\drivers\avgtdix.sys [4/14/2010 9:39 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/14/2010 9:36 PM 308064]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/14/2010 9:42 PM 303952]
R3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe [4/7/2010 9:57 AM 161144]
R3 MBAMProtector;MBAMProtector;c:\windows.0\system32\drivers\mbam.sys [4/14/2010 9:42 PM 20824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\documents and settings\Greg\Application Data\Mozilla\Firefox\Profiles\utlz5d2p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.usatoday.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 19:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows.0\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
.
Completion time: 2010-04-15 19:54:59
ComboFix-quarantined-files.txt 2010-04-16 02:54
ComboFix2.txt 2010-04-15 16:28
ComboFix3.txt 2010-04-11 03:34

Pre-Run: 234,726,539,264 bytes free
Post-Run: 234,721,292,288 bytes free

- - End Of File - - 4468846A10146B290903E3F07B4F2B7D

=============================================================================



The Jotti scans found nothing, specifically:

c:\windows.0\system32\drivers\agp440.sys: All but 3 scanners said no issues found, 3 said no result available.

c:\documents and settings\Greg\Local Settings\Application Data\prvlcl.dat: "File is empty!"

I couldn't figure out if there was a log file available; I hope this info is sufficient.

==============================================================================



The current Malwarebytes version is 1.45, which Greg had just purchased a few days ago.

Here's the scan log (MBAM found nothing either)

===============

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3994

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

4/15/2010 8:31:19 PM
mbam-log-2010-04-15 (20-31-19).txt

Scan type: Quick scan
Objects scanned: 100324
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


==========================================================================

No reboot required, obviously.

Your turn!

Dorje

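A small triage script, added here as an illustration and not part of ComboFix, of either post, or of any tool named above: it parses the one-line-per-file format of the "Files Created" and "Find3M" sections in the ComboFix logs and flags two patterns visible in Jat90's CFScript, an executable sitting loose in a shared data directory root (the File:: entries) and a name with a space before its extension (the RenV:: entries), plus a random-looking stem such as YhI670r2 or JM0sUk361. The heuristics, the DATA_ROOTS list, the EXEC_EXT set and the two sample lines with made-up timestamps and sizes are assumptions of this example, not ComboFix behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One ComboFix file line: "<created> . <modified> <size|--------> [<attrs>] <path>";
# SnapShot sections prefix it with "+ " and omit the attribute field.
LINE_RE = re.compile(
    r"^\+?\s*(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?:(?P<attrs>[-a-z]{8}) )?(?P<path>.+?)\s*$"
)
# ASSUMED heuristic: a loose executable directly under one of these roots is odd.
DATA_ROOTS = (
    r"c:\documents and settings\all users\application data",
    r"c:\program files\common files",
)
EXEC_EXT = {".exe", ".dll", ".com", ".sys", ".scr", ".pif"}
# ASSUMED heuristic: 6-12 alphanumerics, mixed case, with a digit followed by a letter.
RANDOM_STEM = re.compile(r"^(?=.*\d[A-Za-z])(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,12}$")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]        # None when ComboFix prints "--------" (a directory)
    attrs: str                 # "" when the line carries no attribute field
    path: str
    flags: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one ComboFix file line; None for headers, separators and blanks."""
    m = LINE_RE.match(line)
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"] or "", m["path"])


def flag_entry(e: Entry) -> List[str]:
    """Names of the assumed heuristics matching this entry (triage hints only)."""
    flags: List[str] = []
    if e.is_dir:
        return flags
    parent, _, name = e.path.lower().rpartition("\\")
    _, dot, ext = name.rpartition(".")
    if dot and "." + ext in EXEC_EXT and parent in DATA_ROOTS:
        flags.append("exec_in_data_root")
    if re.search(r" \.[A-Za-z0-9]+$", e.name):      # "HPWuSchd2 .exe" style name
        flags.append("space_before_extension")
    if RANDOM_STEM.match(e.name.rsplit(".", 1)[0]):
        flags.append("random_looking_name")
    return flags


def triage(log_text: str) -> List[Entry]:
    """Parse every file line of a ComboFix section and attach its flags."""
    entries = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            e.flags = flag_entry(e)
            entries.append(e)
    return entries


# Constructed sample: four lines copied from the thread's log plus two lines with
# made-up timestamps and sizes for paths named in Jat90's File:: and RenV:: lists.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
2010-04-15 16:58 . 2010-04-15 16:58 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-15 04:39 . 2010-04-16 01:51 -------- d-----w- c:\windows.0\system32\drivers\Avg
2010-04-15 17:18 . 2010-04-12 22:39 112 ----a-w- c:\documents and settings\All Users\Application Data\JM0sUk361.dat
+ 2010-04-15 17:16 . 2010-04-15 17:16 16384 c:\windows.0\Temp\Perflib_Perfdata_690.dat
2010-04-12 22:39 . 2010-04-12 22:39 90112 ----a-w- c:\documents and settings\All Users\Application Data\YhI670r2.exe
2010-04-12 22:40 . 2007-03-12 10:00 49152 ----a-w- c:\program files\HP\HP Software Update\HPWuSchd2 .exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.path}  {' '.join(e.flags)}")
```

The flags are only a prompt to submit the file to Jotti or VirusTotal, as Jat90 did; legitimate updaters with version numbers in their names will trip the random-name rule from time to time.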

#14 Jat90

Posted 16 April 2010 - 06:26 AM

Hello,

I'm not seeing anything suspicious in your logs. How is your computer behaving now?
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#15 dorje

Posted 16 April 2010 - 01:23 PM

Hi Jat,

Everything looks really good. No pop-ups, no redirects, no AVG warnings and no warnings from MBAM.

Thanks so much for your help, Greg and I both really appreciate it.

Also, I'd love to attend the online school and join UNITE. I've got decades of experience in this field, including programming (13 years - OS internals, drivers, and network OS) and tons of tech experience.

I do lots of volunteer work anyway, and would love a chance to help folks with malware issues (I do that all the time, but rootkits are outside my area of expertise, except what I picked up from your help.)

I do check the school signup link regularly, but it's always busy. Any other way to get in?

In any case, thanks again for all the good work you do.

Dorje
