
Web pages redirected as well as several other problems


5 replies to this topic

#1 cichlidnut

cichlidnut

  • Members
  • 45 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 12 April 2010 - 12:29 PM

April 4th, tried to download some software, shouldn't have... long story short, picked up a virus.

When doing a google search, I was almost always redirected to a different site than what is listed. A shopping site, gambling site, porn site what have you.

Only Bitdefender and MicroTrend could find the virus which they both listed as volmgrx.sys in my Windows>system32>drivers folder. All other scans were clean. MicroTrend "fixed" the problem but in doing so deleted the file. Windows could no longer start after rebooting.

As fate would have it, I couldn't find my Vista installation disc anywhere! After turning the house upside down with no luck, I had my old XP discs so I installed XP, had a friend email a copy of his volmgrx.sys to me, I replaced it in Windows>system32>drivers folder and rebooted to Vista.

I thought my problems were solved, however when trying to start IE I get this error:

The application failed to initialize properly (0xc0000142). Click OK to terminate application.

I tried to reinstall IE but no luck.

Windows mail also will not start. I get these errors:

The procedure entry point StrTokEx could not be located in the dynamic link library MSOERT2.dll

followed by...

Contacts failed to load.

followed by...

Windows mail could not be started. The application was unable to initialize the Windows Contacts. Your computer may be out of memory or your disk is full. (0x8004104E)

followed by...

Windows mail could not be started because MSOE.DLL could not be initialized.

Windows Media Player will also not load. I get this error:

The file wmplayer.exe has a version number of 10.0.0.3646 where 11.0.6002.18111 was expected.

Windows Media Player is not installed properly and must reinstalled.

Do you want to install the Player from the Microsoft website?


When I select "Yes" it takes me to the site but I cannot download, it just keeps flipping from one download site to another each time I click "download" on either page.

There may be other errors with other programs I haven't tried yet.

I have run Spybot, Bitdefender and TrendMicro and all say my computer is clean. I ran a Hijack This scan and deleted a few Registry entries and a host file ":: 1" that I thought was the redirecting culprit, but it did nothing.

I am still being redirected to rogue websites, when using google.

Here's the latest Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:30 PM, on 4/12/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v6.00 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Joe\Desktop\HiJackThis.exe

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 1508 bytes

EDIT: Moved from Vista to more appropriate malware forum ~ Hamluis.

Sorry, forgot about procedure.

Here's the log and attached files.

The folder "XP Delete" is the folder Windows XP was installed in. I'm running Vista but needed to install an OS to get to my mail to replace the system file.






DDS log
-------------------


DDS (Ver_10-03-17.01) - NTFSx86
Run by Joe at 23:19:19.23 on Mon 04/12/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1982.891 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Registry Mechanic\regmech.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Joe\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2124320&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Messenger Plus Live Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2124320&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\{9b339f6e-ddcd-401b-8764-230adbd01761}\components\FFExternalAlert.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\{9b339f6e-ddcd-401b-8764-230adbd01761}\components\RadioWMPCore.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\users\joe\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-30 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-30 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-30 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-14 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-4-12 632792]
S2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" --> c:\program files\avira\antivir personaledition classic\sched.exe [?]
S2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;"c:\program files\avira\antivir personaledition classic\avguard.exe" --> c:\program files\avira\antivir personaledition classic\avguard.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-10 135664]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-9 21504]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-2-21 810320]

=============== Created Last 30 ================

2010-04-13 03:17:50 0 ----a-w- c:\users\joe\defogger_reenable
2010-04-13 03:11:12 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-04-13 03:11:12 506368 ----a-w- c:\windows\system32\msxml.dll
2010-04-13 03:11:12 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-04-13 03:11:12 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-04-13 03:11:11 0 d-----w- c:\program files\common files\PC Tools
2010-04-12 05:59:59 0 d-----w- c:\program files\NeoSmart Technologies
2010-04-12 05:55:38 292840 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2010-04-12 05:31:44 35465 ----a-w- c:\programdata\nvModes.dat
2010-04-12 05:26:28 0 d--h--w- c:\program files\WindowsUpdate
2010-04-12 05:25:14 0 d-----w- c:\program files\common files\MSSoap
2010-04-12 05:19:10 0 d-----w- c:\program files\Online Services
2010-04-12 05:15:16 0 d-----w- c:\program files\Windows Plus
2010-04-12 05:11:59 0 d-----w- c:\program files\NVIDIA Corporation
2010-04-12 05:10:51 0 d-----w- c:\program files\Messenger
2010-04-12 05:10:46 0 d-----w- c:\program files\MSN Gaming Zone
2010-04-11 21:54:45 0 d-----w- c:\program files\common files\ODBC
2010-04-11 21:39:58 0 d-----w- C:\XP DELETE
2010-04-09 05:08:37 0 d-----w- c:\programdata\F-Secure
2010-04-08 04:16:30 0 d-----w- c:\program files\iPod
2010-04-08 04:16:18 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-08 04:05:36 0 d-----w- c:\program files\Bonjour
2010-04-07 12:10:33 45056 ----a-w- c:\windows\uaaa7673.exe
2010-03-18 01:53:42 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-03-18 01:53:42 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-03-14 13:46:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll

==================== Find3M ====================

2010-04-08 04:08:05 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-08 04:08:05 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-08 04:08:05 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-14 13:46:55 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 13:46:06 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 15:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-18 12:49:00 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-10 07:23:48 174 --sh--w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-16 22:27:06 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-04-05 12:39:25 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031720080324\index.dat
2008-04-05 12:39:25 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008040520080406\index.dat
2009-11-25 14:03:37 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
2009-11-25 14:03:37 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\index.dat
2008-04-05 12:39:25 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\internet explorer\userdata\index.dat
2009-11-25 14:03:37 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\cookies\low\index.dat

============= FINISH: 23:21:59.99 ===============

Edit: Posts merged ~BP



Edited by Budapest, 13 April 2010 - 12:22 AM.
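A first triage pass over DDS output like the log above, as an added example (not from the original post and not part of the DDS tool): it reads the Pseudo HJT Report, FIREFOX and SERVICES lines and ranks the entries a malware responder would look at first, which in this log are the hosts-file entry, the EnableLUA = 0 policy and the Firefox search prefs pointing at a third-party search host. The benign-hosts and known-search-host allow-lists are assumptions for illustration; the sample lines are copied from the posted log.

```python
import re
from dataclasses import dataclass

# Lines copied from the DDS "Pseudo HJT Report", FIREFOX and SERVICES
# sections posted above (DDS itself writes hxxp:// in place of http://).
SAMPLE_LOG = r"""
uSearch Page =
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2124320&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2124320&q=
S2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" --> c:\program files\avira\antivir personaledition classic\sched.exe [?]
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Assumed allow-lists for illustration: the only hosts-file mappings Windows
# ships with, and search hosts a user would plausibly have chosen themselves.
BENIGN_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.google.ca", "search.yahoo.com", "www.bing.com"}
# Firefox prefs that search hijackers rewrite to redirect address-bar searches.
SEARCH_PREFS = {"browser.search.defaulturl", "keyword.URL", "browser.search.selectedEngine"}

FF_PREF_RE = re.compile(r"FF - prefs\.js:\s*(\S+)\s*-\s*(?:hxxp|http)s?://([^/\s]+)")
LUA_RE = re.compile(r"mPolicies-system:\s*EnableLUA\s*=\s*0\b")
SERVICE_RE = re.compile(r"^[RS]\d ")


def triage_line(line):
    """Return a Finding for one DDS line, or None if nothing stands out."""
    line = line.strip()
    if line.startswith("Hosts:"):
        parts = line.split(None, 2)  # "Hosts:", address, hostname
        if len(parts) == 3 and (parts[1], parts[2]) not in BENIGN_HOSTS:
            return Finding("high", f"hosts file maps {parts[2]} to {parts[1]}", line)
    if LUA_RE.match(line):
        return Finding("high", "UAC disabled by policy (EnableLUA = 0)", line)
    m = FF_PREF_RE.match(line)
    if m and m.group(1) in SEARCH_PREFS and m.group(2).lower() not in KNOWN_SEARCH_HOSTS:
        return Finding("medium", f"{m.group(1)} sends searches to {m.group(2)}", line)
    if line.startswith("TB:") and line.endswith("- No File"):
        return Finding("low", "toolbar registration with no backing file", line)
    if SERVICE_RE.match(line) and line.endswith("[?]"):
        return Finding("low", "service whose binary DDS could not locate", line)
    return None


def triage_log(text):
    """Triage every line of a DDS log and return findings, most severe first."""
    findings = [f for f in map(triage_line, text.splitlines()) if f]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Orphaned toolbar GUIDs and missing service binaries are ranked low because they are leftovers of uninstalls as often as malware; the hosts and search-pref findings are what explain the redirects the poster describes.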




#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:02 AM

Posted 16 April 2010 - 01:53 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle

If I haven't replied in 48 hours, please feel free to send me a PM.




#3 cichlidnut

cichlidnut
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 17 April 2010 - 10:44 AM

Problems listed above are still present.

I've solved the IE problem by uninstalling and reinstalling. IE works but Windows Mail errors are the same and Media Player will not load.

I continuously receive a Windows Update notice that will not install.

Security Update for Windows Vista (KB979683)

I am still being redirected but scans find no virus or spyware. I suspect the virus changed a setting which is causing the redirection. My other problems may have to do with installing the XP operating system in order to access the Vista System32 folder to replace volmgrx.sys. Along with deleting a few Hijack This entries that I probably shouldn't have.

Latest DDS file.

-----------------------------------------


DDS (Ver_10-03-17.01) - NTFSx86
Run by Joe at 8:33:42.89 on Sat 04/17/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1982.1041 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Search Guard PlusU\sgpupdaters.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Joe\Downloads\dds(2).scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.google.ca/
uSearch Bar =
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
StartupFolder: c:\users\joe\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\common files\logishrd\ereg\setpoint\eReg.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2124320&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Messenger Plus Live Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2124320&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\{9b339f6e-ddcd-401b-8764-230adbd01761}\components\FFExternalAlert.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\{9b339f6e-ddcd-401b-8764-230adbd01761}\components\RadioWMPCore.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\nkp75t4a.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\users\joe\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-30 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-30 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-30 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-14 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-4-12 632792]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-10 135664]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-9 21504]
S4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" --> c:\program files\avira\antivir personaledition classic\sched.exe [?]
S4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;"c:\program files\avira\antivir personaledition classic\avguard.exe" --> c:\program files\avira\antivir personaledition classic\avguard.exe [?]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-2-21 810320]

=============== Created Last 30 ================

2010-04-16 16:37:32 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-04-16 16:35:35 0 d-----w- c:\programdata\Logishrd
2010-04-16 16:28:47 0 d-----w- c:\users\joe\appdata\roaming\Logishrd
2010-04-16 05:30:12 1056768 ----a-w- c:\windows\system32\defltbase.sdb
2010-04-14 20:33:13 0 d-----w- c:\windows\system32\MpEngineStore
2010-04-14 19:43:16 360 ----a-w- c:\windows\system32\MRT.INI
2010-04-14 19:39:28 0 d-----w- C:\afb6a121b6e2abbd0e569b53701c94e3
2010-04-14 19:34:37 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 19:34:37 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 19:34:37 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 19:34:29 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 19:34:23 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-14 19:34:23 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-14 19:34:20 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 19:34:20 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 19:34:20 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 11:37:51 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 11:37:38 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 15:43:10 0 d-----w- C:\ignore
2010-04-13 03:17:50 0 ----a-w- c:\users\joe\defogger_reenable
2010-04-13 03:11:12 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-04-13 03:11:12 506368 ----a-w- c:\windows\system32\msxml.dll
2010-04-13 03:11:12 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-04-13 03:11:12 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-04-13 03:11:11 0 d-----w- c:\program files\common files\PC Tools
2010-04-12 05:59:59 0 d-----w- c:\program files\NeoSmart Technologies
2010-04-12 05:55:38 292840 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2010-04-12 05:31:44 35465 ----a-w- c:\programdata\nvModes.dat
2010-04-12 05:26:28 0 d--h--w- c:\program files\WindowsUpdate
2010-04-12 05:25:14 0 d-----w- c:\program files\common files\MSSoap
2010-04-12 05:19:10 0 d-----w- c:\program files\Online Services
2010-04-12 05:15:16 0 d-----w- c:\program files\Windows Plus
2010-04-12 05:11:59 0 d-----w- c:\program files\NVIDIA Corporation
2010-04-12 05:10:51 0 d-----w- c:\program files\Messenger
2010-04-12 05:10:46 0 d-----w- c:\program files\MSN Gaming Zone
2010-04-11 21:54:45 0 d-----w- c:\program files\common files\ODBC
2010-04-11 21:39:58 0 d-----w- C:\XP DELETE
2010-04-09 05:08:37 0 d-----w- c:\programdata\F-Secure
2010-04-08 04:16:30 0 d-----w- c:\program files\iPod
2010-04-08 04:16:18 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-08 04:05:36 0 d-----w- c:\program files\Bonjour
2010-04-07 12:10:33 45056 ----a-w- c:\windows\uaaa7673.exe

==================== Find3M ====================

2010-04-16 16:37:35 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-16 16:37:35 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-16 16:37:29 143360 ----a-w- c:\windows\inf\infstor.dat
2010-03-14 13:46:55 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 13:46:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-14 13:46:06 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 15:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-18 12:49:00 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-10 07:23:48 174 --sh--w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-16 22:27:06 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-04-05 12:39:25 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031720080324\index.dat
2008-04-05 12:39:25 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008040520080406\index.dat
2009-11-25 14:03:37 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
2009-11-25 14:03:37 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\index.dat
2008-04-05 12:39:25 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\internet explorer\userdata\index.dat
2009-11-25 14:03:37 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\cookies\low\index.dat

============= FINISH: 8:35:21.20 ===============


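The "Created Last 30" block of the DDS log above is where a responder looks first, and two of its entries stand out by eye: volmgrx.sys written alone at 2010-04-12 05:55:38 (consistent with the manual replacement described at the top of the thread), and uaaa7673.exe dropped straight into c:\windows on 2010-04-07. As an added example that is not part of the poster's log or of DDS itself, the Python script below parses lines in that format and applies those two observations as heuristics, plus a third for hash-named directories at the drive root. The sample lines are copied from the log; the heuristics are my assumptions, and a hit means "verify this file" (signature, hash, vendor), not "this file is malicious".

```python
"""Triage the "Created Last 30" section of a DDS log.

Added example for this thread, not part of the poster's log or of DDS.
The heuristics are assumptions a responder would otherwise apply by eye;
a hit means "verify" (signature, hash, vendor), not "malicious".
"""
import re
from collections import Counter, namedtuple

# Constructed subset of the "Created Last 30" lines posted above.
SAMPLE_LOG = r"""
2010-04-16 16:37:32 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-04-14 19:39:28 0 d-----w- C:\afb6a121b6e2abbd0e569b53701c94e3
2010-04-14 19:34:20 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 19:34:20 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 19:34:20 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-12 05:55:38 292840 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2010-04-07 12:10:33 45056 ----a-w- c:\windows\uaaa7673.exe
"""

Entry = namedtuple("Entry", "stamp size attrs path")

# DDS line: "<date> <time> <size> <attribute flags> <path>"; the first flag is
# 'd' for a directory, the remaining letters are DOS attributes (s, h, a, ...).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+?)\s*$"
)

EXEC_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr", ".com", ".pif", ".cpl"}


def parse(log_text):
    """Return one Entry per well-formed line; anything else is skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return entries


def triage(log_text):
    """Return [(path, reason), ...] for entries worth a second look."""
    entries = parse(log_text)
    # Windows Update and installers write many files within the same second.
    # A driver with no same-second siblings was placed by something else.
    siblings = Counter(e.stamp for e in entries if not e.attrs.startswith("d"))
    findings = []
    for e in entries:
        low = e.path.lower()
        parent, _, name = low.rpartition("\\")
        ext = name[name.rfind("."):] if "." in name else ""
        if e.attrs.startswith("d"):
            if parent == "c:" and re.fullmatch(r"[0-9a-f]{32}", name):
                findings.append((e.path, "hash-named directory at the drive root "
                                         "(typical of update/installer extraction; confirm it is known)"))
            continue
        if ext in EXEC_EXT and parent == "c:\\windows":
            findings.append((e.path, "executable dropped directly into c:\\windows"))
        elif ext == ".sys" and parent.endswith("\\system32\\drivers") and siblings[e.stamp] == 1:
            findings.append((e.path, "driver created outside a patch batch "
                                     "(no other file written in the same second)"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}\n    -> {reason}")
```

Run against the sample it flags LNonPnP.sys, the hash-named directory, volmgrx.sys and uaaa7673.exe, and leaves the tcpip.sys/tunnel.sys/iphlpsvc.dll batch alone. LNonPnP.sys is a reminder that the batch rule produces false positives (a single vendor driver install looks the same as a dropped one), which is why the next step for every hit is a signature and hash check rather than deletion.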
#4 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 17 April 2010 - 06:38 PM

Hello cichlidnut,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
One or more of the identified infections is a Backdoor trojan and/or Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you would like to continue, then follow the steps below; otherwise please let me know.

2.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

3.
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case Limewire). These programmes allow users to share files between one another, as the name suggests. In today's world cyber crime has reached an enormous scale, and every available means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should be used with great care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright law in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

4.
The following is referring to Registry Mechanic 9.0
Please be aware that BleepingComputer staff do not recommend the use of registry cleaners / tools for the following reasons:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is said on the assumption that the main audience on this board may be inexperienced users, and is thus a suggested safeguard on our part.
If you feel you need a registry cleaner, you are welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation on my side.

5.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


#5 cichlidnut
  • Topic Starter
  • Members
  • 45 posts

Posted 17 April 2010 - 07:32 PM

Thank you fireman4it, this was the answer I feared.

I'm going to forgo the treatment and take the harder yet more secure route of transferring files from my HD, wiping it clean and installing a new OS. Start from scratch, as it were.

Thank you for your advice, I'll take care of the security issues as well.

You can close this topic.
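The route chosen above (carry the files off the disk, wipe it, reinstall) is the right call for a backdoored machine, but it has one step that undoes the whole exercise if it is done carelessly: copying an executable across with the photos and documents brings the infection onto the clean install. As an added example that is not part of the original thread, the Python selector below walks a mounted copy of the old drive and keeps only plain data files, refusing anything under the system and program trees and anything that carries a PE header regardless of what its extension claims. The extension allowlist, the skipped directories and the "MZ" check are my assumptions, and the demo tree it builds is constructed for the example.

```python
"""Pick the user data worth carrying off a compromised disk before wiping it.

Added example for this thread, not part of the original posts. It assumes the
infected disk is mounted (ideally read-only) under SRC on a clean machine; the
extension allowlist, the skipped directories and the "MZ" check are my choices.
"""
import os
import tempfile

# Plain data formats only: nothing that Windows will execute or load.
DATA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".csv", ".pdf",
            ".doc", ".docx", ".xls", ".xlsx", ".mp3"}
# System and program trees are reinstalled from media, never copied over.
SKIP_DIRS = {"windows", "program files", "programdata", "appdata", "$recycle.bin"}


def looks_executable(path):
    """A PE file renamed to .jpg still begins with the 'MZ' DOS header."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def select_for_carry_over(src):
    """Return (kept, rejected): kept is relative paths, rejected is (path, reason)."""
    kept, rejected = [], []
    for root, dirs, files in os.walk(src):
        # Prune in place so os.walk never descends into system/program trees.
        dirs[:] = [d for d in dirs if d.lower() not in SKIP_DIRS]
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext not in DATA_EXT:
                rejected.append((rel, "extension not on the data allowlist"))
            elif looks_executable(full):
                rejected.append((rel, "PE header under a data extension"))
            else:
                kept.append(rel)
    return kept, rejected


def build_demo_tree():
    """Constructed stand-in for the infected drive (contents are made up)."""
    src = tempfile.mkdtemp()
    layout = {
        "Users/joe/Pictures/fish.jpg": b"\xff\xd8\xff\xe0JFIF",
        "Users/joe/Documents/notes.txt": b"tank log",
        "Users/joe/Downloads/setup.exe": b"MZ\x90\x00",
        "Users/joe/Pictures/holiday.jpg": b"MZ\x90\x00",  # renamed executable
        "Users/joe/AppData/Roaming/thing.dll": b"MZ",
        "Windows/dropper.exe": b"MZ\x90\x00",
    }
    for rel, data in layout.items():
        path = os.path.join(src, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return src


if __name__ == "__main__":
    kept, rejected = select_for_carry_over(build_demo_tree())
    print("carry over:", kept)
    for rel, reason in rejected:
        print("leave behind:", rel, "-", reason)
```

The allowlist is deliberately short: it is easier to add a format you actually need than to notice a .scr or .hta that slipped through. Documents and PDFs still get scanned on the new machine before they are opened, since those formats can carry exploits of their own; the selector only rules out the files that Windows would run directly.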

#6 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 17 April 2010 - 11:29 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send a Private Message to any one of the moderating team members or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

