
search engine redirects to ads virus


  • This topic is locked
12 replies to this topic

#1 Williamx11373

Williamx11373

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 16 April 2010 - 11:12 AM

Mod EDIT: Moved from AII ~~boopme

After being infected with one of those fake "Antivirus", I used rkill, Malwarebytes and ComboFix to get rid of it. The fake antivirus is gone, but what is left behind is the fact that my search engine redirects to bogus and advertisement websites... AVG/Malwarebytes does not detect the redirect virus.

When I turned my PC on today I got this:

http://s44.photobucket.com/albums/f46/maxi...=untitled-1.jpg

Those seem like the redirect links I've been getting, so I clicked restore but I don't know if that did anything.

Here's my hijack log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:44 AM, on 4/16/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\William\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Intel PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SpyHunter 4 Service - Enigma Software Group USA, LLC. - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE

--
End of file - 6011 bytes



Any help would be appreciated... thanks in advance.

Edited by boopme, 16 April 2010 - 11:37 AM.
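The log above is what the helpers read to spot a browser hijack. As an added illustration (not code from this thread, from HijackThis, or from BleepingComputer), the script below parses the R0/R1 (Internet Explorer start/search page) and O2 (Browser Helper Object) lines of a HijackThis log and flags entries that point somewhere other than Microsoft's fwlink defaults or a search engine the user would plausibly have chosen; the trusted-host list and the sample log, which mixes lines copied from the post with one constructed hijacked search page and one constructed BHO in a temp directory, are assumptions made for this example.

```python
"""Triage a HijackThis log for browser-hijack indicators (added example)."""
import re

# Microsoft's fwlink redirectors, as seen in the thread's R1 lines.
DEFAULT_URL_HOSTS = {"go.microsoft.com"}
# Engines a user plausibly set on purpose (assumption for this example).
TRUSTED_SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}

# R0/R1 lines: "R0 - HKCU\Software\...\Main,Start Page = www.google.com"
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value_name>[^=]+?) = (?P<url>.+)$")
# O2 lines: "O2 - BHO: Name - {CLSID} - C:\path\to\file.dll"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# Constructed sample: the first three R lines and the first O2 line are copied
# from the post; the remaining R1 line and the second O2 line are made up.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijack.invalid/?q=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\DOCUME~1\user\LOCALS~1\Temp\unknown.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
"""


def host_of(url: str) -> str:
    """Return the lowercase host part of a URL that may lack a scheme."""
    stripped = re.sub(r"^[a-z]+://", "", url.strip(), flags=re.IGNORECASE)
    return stripped.split("/", 1)[0].lower()


def parse_hjt(text: str):
    """Yield ("url", entry) or ("bho", entry) for each R0/R1 or O2 line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            yield "url", {
                "hive": m.group("key").split("\\")[0],      # HKCU or HKLM
                "name": m.group("value_name").strip(),      # e.g. "Start Page"
                "url": m.group("url").strip(),
            }
            continue
        m = O2_LINE.match(line)
        if m:
            yield "bho", {
                "name": m.group("name"),
                "clsid": m.group("clsid").upper(),
                "path": m.group("path"),
            }


def triage(text: str) -> list:
    """Return human-readable findings for entries that look hijacked."""
    findings = []
    for kind, entry in parse_hjt(text):
        if kind == "url":
            host = host_of(entry["url"])
            if host not in DEFAULT_URL_HOSTS and host not in TRUSTED_SEARCH_HOSTS:
                findings.append(
                    f"{entry['hive']} {entry['name']} points to unexpected host {host!r}"
                )
        else:
            # A BHO loading from outside Program Files / Windows is worth a look.
            path = entry["path"].lower()
            if not (path.startswith("c:\\program files\\") or path.startswith("c:\\windows\\")):
                findings.append(
                    f"BHO {entry['name']!r} ({entry['clsid']}) loads from unusual path {entry['path']}"
                )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A clean result here only rules out this registry-level form of hijack: the thread's own log already shows the start and search pages at their defaults while the redirects continued, which is why the helper went on to ask for a GMER rootkit scan.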




#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:18 PM

Posted 20 April 2010 - 12:33 AM

Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

---

Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab, uncheck the Files option and then click Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy. This copies the log to the clipboard.
  • Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

    Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


    #3 Williamx11373

    Williamx11373
    • Topic Starter

    • Members
    • 8 posts
    • OFFLINE
    •  
    • Local time:02:18 PM

    Posted 20 April 2010 - 10:13 PM

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by William at 22:57:16.20 on Tue 04/20/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.80 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\William\My Documents\Downloads\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = www.google.com
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
    mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter4.exe
    mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\william\applic~1\mozilla\firefox\profiles\u9uhxlh6.default\
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-13 216200]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-13 29512]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-13 242696]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-13 916760]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-13 308064]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2010-3-24 323992]
    R3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2010-1-27 5248]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

    =============== Created Last 30 ================

    2010-04-20 14:47:16 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-04-20 14:47:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-20 01:31:51 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2010-04-20 01:31:41 2180480 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2010-04-20 01:31:17 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2010-04-20 01:31:15 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2010-04-19 21:34:06 0 d-----w- c:\windows\ie8updates
    2010-04-19 21:31:32 0 d-----w- c:\windows\ServicePackFiles
    2010-04-19 05:28:40 0 d-----w- c:\windows\system32\PreInstall
    2010-04-17 23:08:38 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-04-17 23:08:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-04-17 23:08:22 0 d-----w- c:\program files\Hitman Pro 3.5
    2010-04-17 15:11:11 0 d-----w- c:\windows\system32\SoftwareDistribution
    2010-04-15 18:51:56 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-15 18:51:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-04-15 18:41:35 0 d-----w- C:\VundoFix Backups
    2010-04-15 18:31:40 0 d-----w- C:\sh4ldr
    2010-04-15 18:31:40 0 d-----w- c:\program files\Enigma Software Group
    2010-04-15 18:23:29 0 d-----w- c:\program files\CCleaner
    2010-04-15 17:52:45 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-04-15 17:52:45 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-04-15 17:52:45 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-04-15 17:52:45 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-04-15 17:52:45 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-04-15 17:52:41 0 d-----w- c:\program files\Trojan Remover
    2010-04-15 17:52:41 0 d-----w- c:\docume~1\william\applic~1\Simply Super Software
    2010-04-15 17:52:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
    2010-04-15 02:18:01 0 d-----w- c:\windows\pss
    2010-04-14 20:41:42 0 d-----w- C:\$AVG
    2010-04-13 15:52:14 0 d-----w- c:\windows\system32\appmgmt
    2010-04-13 15:01:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-04-13 15:01:24 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-13 15:01:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-04-13 15:01:03 0 d-----w- c:\windows\system32\drivers\Avg
    2010-04-13 14:57:24 0 d-----w- c:\program files\AVG
    2010-04-13 14:57:00 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
    2010-04-13 14:41:50 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-04-13 14:41:36 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-04-13 14:41:35 0 d-----w- c:\docume~1\william\applic~1\SUPERAntiSpyware.com
    2010-04-13 14:41:12 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-04-13 04:18:22 0 d-sha-r- C:\cmdcons
    2010-04-13 04:16:29 98816 ----a-w- c:\windows\sed.exe
    2010-04-13 04:16:29 77312 ----a-w- c:\windows\MBR.exe
    2010-04-13 04:16:29 261632 ----a-w- c:\windows\PEV.exe
    2010-04-13 04:16:29 161792 ----a-w- c:\windows\SWREG.exe
    2010-04-13 02:53:21 0 d-----w- c:\docume~1\william\applic~1\Malwarebytes
    2010-04-13 02:53:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-13 02:53:05 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-13 02:53:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-13 02:53:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-04-09 11:31:31 0 d-----w- c:\program files\VideoLAN
    2010-04-08 13:45:29 0 d-----w- c:\program files\CPU Thermometer
    2010-04-08 01:41:35 0 d-----w- c:\program files\common files\DivX Shared
    2010-04-08 01:36:18 0 d-----w- c:\windows\SxsCaPendDel
    2010-04-07 01:45:58 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-04-07 01:45:58 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-04-07 01:45:44 90624 -c--a-w- c:\windows\system32\dllcache\kswdmcap.ax
    2010-04-07 01:45:44 90624 ----a-w- c:\windows\system32\kswdmcap.ax
    2010-04-07 01:45:44 61952 -c--a-w- c:\windows\system32\dllcache\kstvtune.ax
    2010-04-07 01:45:44 61952 ----a-w- c:\windows\system32\kstvtune.ax
    2010-04-07 01:45:44 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
    2010-04-07 01:45:44 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
    2010-04-07 01:45:44 43008 -c--a-w- c:\windows\system32\dllcache\ksxbar.ax
    2010-04-07 01:45:44 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-04-07 01:45:44 28672 -c--a-w- c:\windows\system32\dllcache\vidcap.ax
    2010-04-07 01:45:44 28672 ----a-w- c:\windows\system32\vidcap.ax
    2010-04-07 01:45:37 0 d-----w- c:\docume~1\william\applic~1\ManyCam
    2010-04-07 01:45:36 0 d-----w- c:\program files\ManyCam 2.4
    2010-04-07 01:16:43 116 ----a-w- c:\windows\NeroDigital.ini
    2010-04-07 01:16:09 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-04-07 01:16:08 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-04-07 01:16:08 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-04-07 01:16:08 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-04-06 01:55:08 75 ----a-w- c:\documents and settings\william\jagex_runescape_preferences2.dat
    2010-04-06 01:55:08 0 ----a-w- c:\documents and settings\william\jagex__preferences3.dat
    2010-04-06 01:53:39 41 ----a-w- c:\documents and settings\william\jagex_runescape_preferences.dat
    2010-04-06 01:48:39 0 d-----w- c:\program files\DivX
    2010-04-06 01:48:16 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
    2010-04-06 01:40:56 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
    2010-04-06 01:40:51 0 d-----w- c:\program files\common files\Software Update Utility
    2010-04-06 01:40:51 0 d-----w- c:\program files\AIM
    2010-04-06 01:40:50 0 d-----w- c:\program files\common files\AOL
    2010-04-06 01:40:43 441 ---ha-w- C:\IPH.PH
    2010-04-06 01:31:42 0 d-----w- c:\windows\.jagex_cache_32
    2010-04-06 01:03:13 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-04-06 01:03:13 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2010-04-06 01:03:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2010-04-06 01:03:11 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-04-06 01:03:06 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
    2010-04-06 01:03:06 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2010-04-05 23:30:20 0 d-sh--w- c:\documents and settings\william\IECompatCache
    2010-04-05 23:30:06 0 d-sh--w- c:\documents and settings\william\PrivacIE
    2010-04-05 23:29:04 0 d-sh--w- c:\documents and settings\william\IETldCache
    2010-04-05 23:26:00 0 dc-h--w- c:\windows\ie8
    2010-04-05 23:25:06 0 d--h--w- c:\windows\$hf_mig$
    2010-04-05 23:20:57 0 d-----w- c:\program files\InterVideo
    2010-04-05 23:17:55 106496 ----a-w- c:\windows\system32\TwnLib20.dll
    2010-04-05 23:17:53 476320 ------w- c:\windows\system32\ImagXpr7.dll
    2010-04-05 23:17:53 471040 ------w- c:\windows\system32\ImagXRA7.dll
    2010-04-05 23:17:53 262144 ------w- c:\windows\system32\ImagXR7.dll
    2010-04-05 23:17:53 1568768 ------w- c:\windows\system32\ImagX7.dll
    2010-04-05 23:17:51 155648 ----a-w- c:\windows\system32\NeroCheck.exe
    2010-04-05 23:14:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-04-05 23:14:59 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-04-05 23:13:33 13646 ----a-w- c:\windows\system32\wpa.bak
    2010-04-05 22:56:14 88203 ----a-w- c:\windows\agrsmmsg.exe
    2010-04-05 22:56:14 77824 ----a-w- c:\windows\system32\tosmreg.exe
    2010-04-05 22:56:14 7671 ----a-w- c:\windows\system32\cseltbl.ini
    2010-04-05 22:56:14 68096 ------w- c:\windows\agrsmdel.exe
    2010-04-05 22:56:14 45056 ----a-w- c:\windows\system32\csellang.dll
    2010-04-05 22:56:14 128113 ----a-w- c:\windows\system32\csellang.ini
    2010-04-05 22:56:14 110592 ----a-w- c:\windows\system32\cselect.exe
    2010-04-05 22:56:14 10165 ----a-w- c:\windows\system32\tosmreg.ini
    2010-04-05 22:56:14 0 d-----w- c:\program files\ltmoh
    2010-04-05 22:56:02 0 d-----w- c:\windows\Options
    2010-04-05 22:55:59 0 d-----w- C:\Modem.temp
    2010-04-05 22:52:55 135168 ----a-w- c:\windows\system32\igfxres.dll
    2010-04-05 22:50:45 0 d-----w- C:\Intel Display.temp
    2010-04-05 22:47:48 146650 ----a-w- c:\windows\system32\BuzzingBee.wav
    2010-04-05 22:47:47 940794 ----a-w- c:\windows\system32\LoopyMusic.wav
    2010-04-05 22:47:46 0 d-----w- c:\windows\system32\Lang
    2010-04-05 22:46:01 176 ----a-w- c:\windows\system32\drivers\RTHDAEQ1.dat
    2010-04-05 22:46:01 176 ----a-w- c:\windows\system32\drivers\RTHDAEQ0.dat
    2010-04-05 22:44:46 86016 ----a-w- c:\windows\SoundMan.exe
    2010-04-05 22:44:46 364544 ----a-w- c:\windows\RtlUpd.exe
    2010-04-05 22:44:46 266240 ----a-w- c:\windows\system32\RTSndMgr.Cpl
    2010-04-05 22:44:43 9709568 ----a-w- c:\windows\RTLCPL.exe
    2010-04-05 22:44:43 4271616 ----a-w- c:\windows\system32\drivers\RtkHDAud.Sys
    2010-04-05 22:44:41 69632 ----a-w- c:\windows\Alcmtr.exe
    2010-04-05 22:44:41 299008 ----a-w- c:\windows\system32\ALSndMgr.Cpl
    2010-04-05 22:44:41 2808832 ----a-w- c:\windows\alcwzrd.exe
    2010-04-05 22:44:41 2158592 ----a-w- c:\windows\MicCal.exe
    2010-04-05 22:44:41 16206848 ----a-w- c:\windows\RTHDCPL.exe
    2010-04-05 22:44:41 0 d-----w- c:\program files\Realtek
    2010-04-05 22:44:34 487424 ----a-w- c:\windows\RtlExUpd.dll
    2010-04-05 22:44:23 0 d-----w- C:\toshibatemp
    2010-04-05 22:42:15 0 d-----w- c:\windows\tiinst
    2010-04-05 22:41:54 0 d-----w- C:\PCMCIA Driver.temp
    2010-04-05 22:40:14 0 d-----w- c:\docume~1\william\applic~1\Intel
    2010-04-05 22:40:08 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2010-04-05 22:39:10 561152 ----a-w- c:\windows\system32\NETw3c32.dll
    2010-04-05 22:39:10 2732032 ----a-w- c:\windows\system32\NETw3r32.dll
    2010-04-05 22:39:10 1707776 ----a-w- c:\windows\system32\drivers\NETw3x32.sys
    2010-04-05 22:38:55 0 d-----w- C:\inteltemp
    2010-04-05 21:17:30 36864 ----a-r- c:\windows\system32\e100bmsg.dll
    2010-04-05 21:17:30 21504 ----a-r- c:\windows\system32\NicCo.dll
    2010-04-05 21:17:30 20992 ----a-r- c:\windows\system32\NicInst.dll
    2010-04-05 21:17:29 5242 ----a-r- c:\windows\system32\e100b325.din
    2010-04-05 21:17:29 163328 -c--a-w- c:\windows\system32\dllcache\e100b325.sys
    2010-04-05 21:17:29 163328 ----a-r- c:\windows\system32\drivers\e100b325.sys
    2010-04-05 21:17:29 126976 ----a-r- c:\windows\system32\Prounstl.exe
    2010-04-05 21:07:35 0 d-----w- c:\windows\RegisteredPackages
    2010-04-05 21:04:54 46592 ------w- c:\windows\system32\drivers\irbus.sys
    2010-04-05 21:04:54 19200 ------w- c:\windows\system32\drivers\hidir.sys
    2010-04-05 21:03:52 26144 ----a-w- c:\windows\system32\spupdsvc.exe
    2010-04-05 21:01:14 0 d-----w- c:\windows\system32\URTTemp
    2010-04-05 21:00:45 0 d-----w- c:\program files\RGB
    2010-04-05 20:57:19 0 d-----w- c:\program files\DIGStream
    2010-04-05 20:57:17 0 d-----w- c:\program files\ESPNMotion
    2010-04-05 20:57:13 0 d-----w- c:\program files\GemMaster
    2010-04-05 20:57:08 0 d-----w- c:\program files\EnglishOtto
    2010-04-05 20:34:10 0 d-sh--w- c:\documents and settings\all users\DRM
    2010-0

    Attached Files


    Edited by Williamx11373, 20 April 2010 - 10:18 PM.


    #4 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Finland
    • Local time:09:18 PM

    Posted 21 April 2010 - 01:22 AM

    Hi,

    Were you able to run GMER yet?



    #5 Williamx11373

    • Topic Starter
    • Members
    • 8 posts

    Posted 21 April 2010 - 10:10 AM

    For some reason, whenever I post it says "connection lost, server was reset".






    #6 Blade81

    Bleepin' Rocker
    • Malware Response Team
    • 6,465 posts
    • Gender:Male
    • Location:Finland

    Posted 21 April 2010 - 10:41 AM

    Hi,

    Try to attach the log files (like you did with attach.txt) to see if that helps.



    #7 Williamx11373

    • Topic Starter
    • Members
    • 8 posts

    Posted 21 April 2010 - 03:09 PM

    2010-04-05 20:57:17 0 d-----w- c:\program files\ESPNMotion
    2010-04-05 20:57:13 0 d-----w- c:\program files\GemMaster
    2010-04-05 20:57:08 0 d-----w- c:\program files\EnglishOtto
    2010-04-05 20:34:10 0 d-sh--w- c:\documents and settings\all users\DRM
    2010-04-05 20:33:47 0 d--h--w- c:\program files\WindowsUpdate
    2010-04-05 20:32:38 0 d-----w- c:\program files\common files\MSSoap
    2010-04-05 20:30:07 0 d-----w- c:\program files\Online Services
    2010-04-05 20:29:19 0 d-----w- c:\program files\Windows Plus
    2010-04-05 20:27:40 0 d-----w- c:\program files\Messenger
    2010-04-05 20:27:35 0 d-----w- c:\program files\MSN Gaming Zone
    2010-04-05 20:26:46 0 d-----w- c:\program files\Windows NT
    2010-04-05 17:21:02 0 d-----w- c:\program files\common files\ODBC
    2010-04-05 17:20:58 0 d-----w- c:\program files\common files\SpeechEngines
    2010-04-05 17:20:29 0 d-----r- c:\documents and settings\all users\Documents

    ==================== Find3M ====================

    2010-04-20 21:40:54 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
    2010-04-05 20:30:41 21640 ----a-w- c:\windows\system32\emptyregdb.dat

    ============= FINISH: 22:59:20.95 ===============







    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-20 23:11:38
    Windows 5.1.2600 Service Pack 2
    Running: pjfey74y.exe; Driver: C:\DOCUME~1\William\LOCALS~1\Temp\fwtiafod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys ZwCreateSection [0xA4695700]
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA4080320]

    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\system32\drivers\ohci1394.sys entry point in ".rsrc" section [0xF855EE94]
    init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF7FA0EBF]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[188] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 011C000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[188] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 011D000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[188] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 011B000C
    .text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008F000A
    .text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0090000A
    .text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 008E000C
    .text C:\WINDOWS\System32\svchost.exe[1236] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 015C000A
    .text C:\WINDOWS\System32\svchost.exe[1236] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 015B000A
    .text C:\WINDOWS\Explorer.EXE[1872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9000A
    .text C:\WINDOWS\Explorer.EXE[1872] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BA000A
    .text C:\WINDOWS\Explorer.EXE[1872] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C
    .text C:\WINDOWS\system32\wuauclt.exe[3676] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0090000A
    .text C:\WINDOWS\system32\wuauclt.exe[3676] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes JMP 0091000A
    .text C:\WINDOWS\system32\wuauclt.exe[3676] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 1 Byte [84]
    .text C:\WINDOWS\system32\wuauclt.exe[3676] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 008F000C

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 82220AC8

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\ohci1394.sys suspicious modification
    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
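A triage helper for logs of the kind posted above, as an added example that is not part of the original thread and not code from the GMER or DDS tools: it pulls the SSDT hooks, user-mode inline hooks and files flagged "suspicious modification" out of a GMER log and joins the flagged files against the DDS Find3M section (files changed in the last three months), so a recently changed driver is listed first. The sample logs inside are constructed from lines shaped like the ones in this thread, and the regexes assume the GMER 1.0.15 and DDS Ver_10-03-17.01 line formats seen here.

```python
"""Triage of GMER and DDS logs (added example; not the tools' own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, shaped like the GMER 1.0.15 log posted in the thread.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys ZwCreateSection [0xA4695700]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1872] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\wuauclt.exe[3676] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 1 Byte [84]

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ohci1394.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Constructed sample, shaped like the DDS Find3M section posted in the thread.
DDS_SAMPLE = r"""
==================== Find3M ====================

2010-04-20 21:40:54 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-04-05 20:30:41 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 22:59:20.95 ===============
"""

SSDT_RE = re.compile(r"^SSDT (?P<driver>.+) (?P<func>Zw\w+) \[0x(?P<addr>[0-9A-Fa-f]+)\]$")
INLINE_RE = re.compile(
    r"^\.text (?P<proc>.+)\[(?P<pid>\d+)\] (?P<module>[^\s!]+)!(?P<func>\S+(?: \+ \d+)?) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<n>\d+) Bytes? (?P<detail>.+)$"
)
FILE_RE = re.compile(r"^File (?P<path>.+) suspicious modification$")
FIND3M_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attr>\S{8}) (?P<path>.+)$"
)


@dataclass
class GmerReport:
    ssdt: List[dict] = field(default_factory=list)
    inline_hooks: List[dict] = field(default_factory=list)
    suspicious_files: List[str] = field(default_factory=list)


def parse_gmer(text: str) -> GmerReport:
    """Collect the three GMER findings that matter most for a rootkit triage."""
    report = GmerReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            report.ssdt.append({"driver": m["driver"], "function": m["func"], "addr": m["addr"]})
        elif m := INLINE_RE.match(line):
            # "JMP xxxx" is a 5-byte inline hook; "[84]" style lines are patched bytes.
            report.inline_hooks.append({"process": m["proc"], "pid": int(m["pid"]),
                                        "target": f"{m['module']}!{m['func']}",
                                        "bytes": int(m["n"]), "detail": m["detail"]})
        elif m := FILE_RE.match(line):
            report.suspicious_files.append(m["path"])
    return report


def parse_find3m(text: str) -> Dict[str, Tuple[str, int]]:
    """Map lower-cased path -> (timestamp, size) from the DDS Find3M section."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):  # "====" banners open and close each DDS section
            in_section = "Find3M" in line
            continue
        if in_section and (m := FIND3M_RE.match(line)):
            entries[m["path"].lower()] = (m["when"], int(m["size"]))
    return entries


def triage(gmer_text: str, dds_text: str) -> List[Tuple[str, Optional[str], Optional[int]]]:
    """Flagged files joined with their Find3M change time, most recent first.

    Files GMER flags that Find3M does not list (unchanged for over three
    months, or hidden from the directory listing) come last with None.
    """
    report = parse_gmer(gmer_text)
    recent = parse_find3m(dds_text)
    rows = []
    for path in report.suspicious_files:
        when, size = recent.get(path.lower(), (None, None))
        rows.append((path, when, size))
    rows.sort(key=lambda r: r[1] or "", reverse=True)  # ISO timestamps sort lexically
    return rows


if __name__ == "__main__":
    for path, when, size in triage(GMER_SAMPLE, DDS_SAMPLE):
        print(f"{when or 'not in Find3M':<19} {size or '':>7} {path}")
```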


    #8 Blade81

    Bleepin' Rocker
    • Malware Response Team
    • 6,465 posts
    • Gender:Male
    • Location:Finland

    Posted 21 April 2010 - 03:15 PM

    Hi,

    The first part of DDS seems to be missing. Please attach the dds.txt file instead of copy-pasting its contents. Maybe we'll get the whole content that way.



    #9 Williamx11373

    • Topic Starter
    • Members
    • 8 posts

    Posted 21 April 2010 - 08:18 PM

    The full DDS is there; my last post is a continuation of my second post. I am currently using my friend's PC. For some strange reason my PC can't post.


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by William at 22:57:16.20 on Tue 04/20/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.80 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\William\My Documents\Downloads\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = www.google.com
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
    mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter4.exe
    mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\william\applic~1\mozilla\firefox\profiles\u9uhxlh6.default\
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-13 216200]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-13 29512]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-13 242696]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-13 916760]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-13 308064]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2010-3-24 323992]
    R3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2010-1-27 5248]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

    =============== Created Last 30 ================

    2010-04-20 14:47:16 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-04-20 14:47:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-20 01:31:51 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2010-04-20 01:31:41 2180480 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2010-04-20 01:31:17 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2010-04-20 01:31:15 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2010-04-19 21:34:06 0 d-----w- c:\windows\ie8updates
    2010-04-19 21:31:32 0 d-----w- c:\windows\ServicePackFiles
    2010-04-19 05:28:40 0 d-----w- c:\windows\system32\PreInstall
    2010-04-17 23:08:38 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-04-17 23:08:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-04-17 23:08:22 0 d-----w- c:\program files\Hitman Pro 3.5
    2010-04-17 15:11:11 0 d-----w- c:\windows\system32\SoftwareDistribution
    2010-04-15 18:51:56 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-15 18:51:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-04-15 18:41:35 0 d-----w- C:\VundoFix Backups
    2010-04-15 18:31:40 0 d-----w- C:\sh4ldr
    2010-04-15 18:31:40 0 d-----w- c:\program files\Enigma Software Group
    2010-04-15 18:23:29 0 d-----w- c:\program files\CCleaner
    2010-04-15 17:52:45 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-04-15 17:52:45 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-04-15 17:52:45 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-04-15 17:52:45 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-04-15 17:52:45 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-04-15 17:52:41 0 d-----w- c:\program files\Trojan Remover
    2010-04-15 17:52:41 0 d-----w- c:\docume~1\william\applic~1\Simply Super Software
    2010-04-15 17:52:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
    2010-04-15 02:18:01 0 d-----w- c:\windows\pss
    2010-04-14 20:41:42 0 d-----w- C:\$AVG
    2010-04-13 15:52:14 0 d-----w- c:\windows\system32\appmgmt
    2010-04-13 15:01:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-04-13 15:01:24 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-13 15:01:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-04-13 15:01:03 0 d-----w- c:\windows\system32\drivers\Avg
    2010-04-13 14:57:24 0 d-----w- c:\program files\AVG
    2010-04-13 14:57:00 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
    2010-04-13 14:41:50 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-04-13 14:41:36 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-04-13 14:41:35 0 d-----w- c:\docume~1\william\applic~1\SUPERAntiSpyware.com
    2010-04-13 14:41:12 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-04-13 04:18:22 0 d-sha-r- C:\cmdcons
    2010-04-13 04:16:29 98816 ----a-w- c:\windows\sed.exe
    2010-04-13 04:16:29 77312 ----a-w- c:\windows\MBR.exe
    2010-04-13 04:16:29 261632 ----a-w- c:\windows\PEV.exe
    2010-04-13 04:16:29 161792 ----a-w- c:\windows\SWREG.exe
    2010-04-13 02:53:21 0 d-----w- c:\docume~1\william\applic~1\Malwarebytes
    2010-04-13 02:53:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-13 02:53:05 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-13 02:53:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-13 02:53:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-04-09 11:31:31 0 d-----w- c:\program files\VideoLAN
    2010-04-08 13:45:29 0 d-----w- c:\program files\CPU Thermometer
    2010-04-08 01:41:35 0 d-----w- c:\program files\common files\DivX Shared
    2010-04-08 01:36:18 0 d-----w- c:\windows\SxsCaPendDel
    2010-04-07 01:45:58 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-04-07 01:45:58 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-04-07 01:45:44 90624 -c--a-w- c:\windows\system32\dllcache\kswdmcap.ax
    2010-04-07 01:45:44 90624 ----a-w- c:\windows\system32\kswdmcap.ax
    2010-04-07 01:45:44 61952 -c--a-w- c:\windows\system32\dllcache\kstvtune.ax
    2010-04-07 01:45:44 61952 ----a-w- c:\windows\system32\kstvtune.ax
    2010-04-07 01:45:44 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
    2010-04-07 01:45:44 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
    2010-04-07 01:45:44 43008 -c--a-w- c:\windows\system32\dllcache\ksxbar.ax
    2010-04-07 01:45:44 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-04-07 01:45:44 28672 -c--a-w- c:\windows\system32\dllcache\vidcap.ax
    2010-04-07 01:45:44 28672 ----a-w- c:\windows\system32\vidcap.ax
    2010-04-07 01:45:37 0 d-----w- c:\docume~1\william\applic~1\ManyCam
    2010-04-07 01:45:36 0 d-----w- c:\program files\ManyCam 2.4
    2010-04-07 01:16:43 116 ----a-w- c:\windows\NeroDigital.ini
    2010-04-07 01:16:09 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-04-07 01:16:08 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-04-07 01:16:08 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-04-07 01:16:08 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-04-06 01:55:08 75 ----a-w- c:\documents and settings\william\jagex_runescape_preferences2.dat
    2010-04-06 01:55:08 0 ----a-w- c:\documents and settings\william\jagex__preferences3.dat
    2010-04-06 01:53:39 41 ----a-w- c:\documents and settings\william\jagex_runescape_preferences.dat
    2010-04-06 01:48:39 0 d-----w- c:\program files\DivX
    2010-04-06 01:48:16 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
    2010-04-06 01:40:56 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
    2010-04-06 01:40:51 0 d-----w- c:\program files\common files\Software Update Utility
    2010-04-06 01:40:51 0 d-----w- c:\program files\AIM
    2010-04-06 01:40:50 0 d-----w- c:\program files\common files\AOL
    2010-04-06 01:40:43 441 ---ha-w- C:\IPH.PH
    2010-04-06 01:31:42 0 d-----w- c:\windows\.jagex_cache_32
    2010-04-06 01:03:13 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-04-06 01:03:13 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2010-04-06 01:03:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2010-04-06 01:03:11 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-04-06 01:03:06 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
    2010-04-06 01:03:06 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2010-04-05 23:30:20 0 d-sh--w- c:\documents and settings\william\IECompatCache
    2010-04-05 23:30:06 0 d-sh--w- c:\documents and settings\william\PrivacIE
    2010-04-05 23:29:04 0 d-sh--w- c:\documents and settings\william\IETldCache
    2010-04-05 23:26:00 0 dc-h--w- c:\windows\ie8
    2010-04-05 23:25:06 0 d--h--w- c:\windows\$hf_mig$
    2010-04-05 23:20:57 0 d-----w- c:\program files\InterVideo
    2010-04-05 23:17:55 106496 ----a-w- c:\windows\system32\TwnLib20.dll
    2010-04-05 23:17:53 476320 ------w- c:\windows\system32\ImagXpr7.dll
    2010-04-05 23:17:53 471040 ------w- c:\windows\system32\ImagXRA7.dll
    2010-04-05 23:17:53 262144 ------w- c:\windows\system32\ImagXR7.dll
    2010-04-05 23:17:53 1568768 ------w- c:\windows\system32\ImagX7.dll
    2010-04-05 23:17:51 155648 ----a-w- c:\windows\system32\NeroCheck.exe
    2010-04-05 23:14:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-04-05 23:14:59 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-04-05 23:13:33 13646 ----a-w- c:\windows\system32\wpa.bak
    2010-04-05 22:56:14 88203 ----a-w- c:\windows\agrsmmsg.exe
    2010-04-05 22:56:14 77824 ----a-w- c:\windows\system32\tosmreg.exe
    2010-04-05 22:56:14 7671 ----a-w- c:\windows\system32\cseltbl.ini
    2010-04-05 22:56:14 68096 ------w- c:\windows\agrsmdel.exe
    2010-04-05 22:56:14 45056 ----a-w- c:\windows\system32\csellang.dll
    2010-04-05 22:56:14 128113 ----a-w- c:\windows\system32\csellang.ini
    2010-04-05 22:56:14 110592 ----a-w- c:\windows\system32\cselect.exe
    2010-04-05 22:56:14 10165 ----a-w- c:\windows\system32\tosmreg.ini
    2010-04-05 22:56:14 0 d-----w- c:\program files\ltmoh
    2010-04-05 22:56:02 0 d-----w- c:\windows\Options
    2010-04-05 22:55:59 0 d-----w- C:\Modem.temp
    2010-04-05 22:52:55 135168 ----a-w- c:\windows\system32\igfxres.dll
    2010-04-05 22:50:45 0 d-----w- C:\Intel Display.temp
    2010-04-05 22:47:48 146650 ----a-w- c:\windows\system32\BuzzingBee.wav
    2010-04-05 22:47:47 940794 ----a-w- c:\windows\system32\LoopyMusic.wav
    2010-04-05 22:47:46 0 d-----w- c:\windows\system32\Lang
    2010-04-05 22:46:01 176 ----a-w- c:\windows\system32\drivers\RTHDAEQ1.dat
    2010-04-05 22:46:01 176 ----a-w- c:\windows\system32\drivers\RTHDAEQ0.dat
    2010-04-05 22:44:46 86016 ----a-w- c:\windows\SoundMan.exe
    2010-04-05 22:44:46 364544 ----a-w- c:\windows\RtlUpd.exe
    2010-04-05 22:44:46 266240 ----a-w- c:\windows\system32\RTSndMgr.Cpl
    2010-04-05 22:44:43 9709568 ----a-w- c:\windows\RTLCPL.exe
    2010-04-05 22:44:43 4271616 ----a-w- c:\windows\system32\drivers\RtkHDAud.Sys
    2010-04-05 22:44:41 69632 ----a-w- c:\windows\Alcmtr.exe
    2010-04-05 22:44:41 299008 ----a-w- c:\windows\system32\ALSndMgr.Cpl
    2010-04-05 22:44:41 2808832 ----a-w- c:\windows\alcwzrd.exe
    2010-04-05 22:44:41 2158592 ----a-w- c:\windows\MicCal.exe
    2010-04-05 22:44:41 16206848 ----a-w- c:\windows\RTHDCPL.exe
    2010-04-05 22:44:41 0 d-----w- c:\program files\Realtek
    2010-04-05 22:44:34 487424 ----a-w- c:\windows\RtlExUpd.dll
    2010-04-05 22:44:23 0 d-----w- C:\toshibatemp
    2010-04-05 22:42:15 0 d-----w- c:\windows\tiinst
    2010-04-05 22:41:54 0 d-----w- C:\PCMCIA Driver.temp
    2010-04-05 22:40:14 0 d-----w- c:\docume~1\william\applic~1\Intel
    2010-04-05 22:40:08 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2010-04-05 22:39:10 561152 ----a-w- c:\windows\system32\NETw3c32.dll
    2010-04-05 22:39:10 2732032 ----a-w- c:\windows\system32\NETw3r32.dll
    2010-04-05 22:39:10 1707776 ----a-w- c:\windows\system32\drivers\NETw3x32.sys
    2010-04-05 22:38:55 0 d-----w- C:\inteltemp
    2010-04-05 21:17:30 36864 ----a-r- c:\windows\system32\e100bmsg.dll
    2010-04-05 21:17:30 21504 ----a-r- c:\windows\system32\NicCo.dll
    2010-04-05 21:17:30 20992 ----a-r- c:\windows\system32\NicInst.dll
    2010-04-05 21:17:29 5242 ----a-r- c:\windows\system32\e100b325.din
    2010-04-05 21:17:29 163328 -c--a-w- c:\windows\system32\dllcache\e100b325.sys
    2010-04-05 21:17:29 163328 ----a-r- c:\windows\system32\drivers\e100b325.sys
    2010-04-05 21:17:29 126976 ----a-r- c:\windows\system32\Prounstl.exe
    2010-04-05 21:07:35 0 d-----w- c:\windows\RegisteredPackages
    2010-04-05 21:04:54 46592 ------w- c:\windows\system32\drivers\irbus.sys
    2010-04-05 21:04:54 19200 ------w- c:\windows\system32\drivers\hidir.sys
    2010-04-05 21:03:52 26144 ----a-w- c:\windows\system32\spupdsvc.exe
    2010-04-05 21:01:14 0 d-----w- c:\windows\system32\URTTemp
    2010-04-05 21:00:45 0 d-----w- c:\program files\RGB
    2010-04-05 20:57:19 0 d-----w- c:\program files\DIGStream
    2010-04-05 20:57:17 0 d-----w- c:\program files\ESPNMotion
    2010-04-05 20:57:13 0 d-----w- c:\program files\GemMaster
    2010-04-05 20:57:08 0 d-----w- c:\program files\EnglishOtto
    2010-04-05 20:34:10 0 d-sh--w- c:\documents and settings\all users\DRM
    2010-04-05 20:33:47 0 d--h--w- c:\program files\WindowsUpdate
    2010-04-05 20:32:38 0 d-----w- c:\program files\common files\MSSoap
    2010-04-05 20:30:07 0 d-----w- c:\program files\Online Services
    2010-04-05 20:29:19 0 d-----w- c:\program files\Windows Plus
    2010-04-05 20:27:40 0 d-----w- c:\program files\Messenger
    2010-04-05 20:27:35 0 d-----w- c:\program files\MSN Gaming Zone
    2010-04-05 20:26:46 0 d-----w- c:\program files\Windows NT
    2010-04-05 17:21:02 0 d-----w- c:\program files\common files\ODBC
    2010-04-05 17:20:58 0 d-----w- c:\program files\common files\SpeechEngines
    2010-04-05 17:20:29 0 d-----r- c:\documents and settings\all users\Documents

    ==================== Find3M ====================

    2010-04-20 21:40:54 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
    2010-04-05 20:30:41 21640 ----a-w- c:\windows\system32\emptyregdb.dat

    ============= FINISH: 22:59:20.95 ===============

    Edited by Williamx11373, 21 April 2010 - 08:29 PM.


    #10 Blade81

    Bleepin' Rocker
    • Malware Response Team
    • 6,465 posts
    • Gender:Male
    • Location:Finland

    Posted 22 April 2010 - 12:21 AM

    Thanks for the log.

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully first.


    Please continue as follows:
    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



    #11 Williamx11373

    • Topic Starter
    • Members
    • 8 posts

    Posted 22 April 2010 - 10:37 AM

    AMAZING !!! Redirect virus is gone !!!
    thanks

    #12 Blade81

    Bleepin' Rocker
    • Malware Response Team
    • 6,465 posts
    • Gender:Male
    • Location:Finland

    Posted 22 April 2010 - 12:03 PM

    Hi,

    Good to hear. However, could you still post those requested logs so we can take further steps if necessary, please?



    #13 Blade81

    Bleepin' Rocker
    • Malware Response Team
    • 6,465 posts
    • Gender:Male
    • Location:Finland

    Posted 29 April 2010 - 12:46 AM

    Since this issue appears to be resolved, this topic has been closed. Glad we could help.

    If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

    Everyone else please begin a New Topic.





