Redirect Malware (and GMER Issues)


This topic is locked
11 replies to this topic

#1 Chongo

  • Members
  • 6 posts

Posted 20 April 2010 - 12:17 PM

First off - thank you very much for maintaining this site. It's awesome.

General Issues:

- Google searches redirect to random sites
- Random sites pop up every once in a while.
- AVG (9.0) has been picking up multiple viruses with online shield (and sometimes resident shield), most of the time this is when I'm redirected. It seems to 'fix' all the problems, but neither rootkit scans nor virus scans pick up much of anything, and I'm still having issues.
- I've been seeing quirky things happen like iTunes weirding out (says audio settings have been altered, and it becomes unplayable until I restart). These issues generally crop up when the computer has been on for a long period of time. Sometimes the computer won't shut down when prompted, sometimes I get sys32 error messages, etc etc. Everything generally functions fine, it's just random oddities with the occasional meltdown.
- GMER crashes the computer about an hour or so into the scan, every time. I'll walk in and it will have restarted on its own. I caught it in the act once - blue screen of death and then a restart. I'm not sure if it saves a log of what it found up to that point... I've been unable to get it going.
- General computer performance seems shoddy at times.

Basically, I run the computer as tightly as I can, I've got an external firewall, I run AVG cleans every few days, and I keep my internet usage to very defined safe sources. Then my 60 year old mother visited, used the computer, and all of a sudden I am getting virus messages and this google redirect issue. Now - I'm not saying it's her fault (it could be me... who knows), but heh, I'm never letting anyone else on this computer again.

I've tried GMER 5 times now, it always crashes the machine toward the end. I apologize that I can't get it to run through - and I'd appreciate any help you can give. Please let me know what additional information I can put on here. (AVG logs, etc)


DDS Log


DDS (Ver_10-03-17.01) - NTFSx86
Run by Dan at 9:19:58.15 on Tue 04/20/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1394 [GMT -6:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Alienware\Alienware AlienFX\AlienwareAlienFXController.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-AURORA-7500-A&ai=636E3D34333538353526706F3D35323433393641
mDefault_Page_URL = hxxp://www.alienware.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {348FE907-249E-4C65-A838-F34A193FE1D1} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [AlienFX Controller] "c:\program files\alienware\alienware alienfx\AlienwareAlienFXController.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\oscust.lnk - c:\windows\system32\oem\OSCust.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dan\applic~1\mozilla\firefox\profiles\fimeg6v6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\dan\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dan\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-4-15 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-27 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-27 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-27 29512]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-27 242896]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-15 916760]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-15 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-4-15 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-4-15 5888008]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-27 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-4-15 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-4-15 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-4-15 26120]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-27 30104]

=============== Created Last 30 ================

2010-04-16 03:21:07 0 d-----w- c:\docume~1\dan\applic~1\AVG9
2010-04-15 17:07:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-15 17:01:22 0 d--h--w- C:\$AVG
2010-04-15 17:01:09 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-15 17:00:56 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-15 17:00:39 0 d-----w- c:\windows\SxsCaPendDel
2010-04-15 04:47:53 0 d-s---w- c:\documents and settings\dan\UserData
2010-04-15 04:44:45 0 d-----w- c:\windows\system32\appmgmt

==================== Find3M ====================

2010-04-19 15:25:19 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-17 19:57:52 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-04-15 17:06:33 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-15 17:06:32 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-15 17:00:56 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-04-15 17:00:56 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:05:09 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31:30 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 9:20:49.18 ===============

AVG is also seeing a virus in a white-listed system file: c:\windows\system32\pciide.sys

...which it apparently can't do anything about.



Edited by Budapest, 22 April 2010 - 06:48 PM.
Posts merged ~BP



#2 Blade

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 25 April 2010 - 02:33 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 Chongo

  • Topic Starter
  • Members
  • 6 posts

Posted 25 April 2010 - 03:29 PM

Hello Blade and thanks! Let's hope I can keep up and make this easy.

I outlined the general details in the initial post, but here is the updated/ simplified version.

Problems and Steps Taken:

- Any search engine search redirects me to random websites
- Random popup sites appear without prompting it. These generally have a yes/no style popup asking me if I want to accept something or win something.
- When the computer is left on for an extended period of time, I am seeing fairly random issues like iTunes saying its audio is disabled, or the shutdown process not responding and/or failing.
- AVG resident and online shield are picking up viruses and correcting them. This is great except for the frequency of it. Before two weeks ago I never had any viruses.
- Viruses have been detected in places that AVG can not fix due to them being whitelisted. The area of the computer is c:\windows\system32\pciide.sys, and the detected virus is win32/Patched.DO
- Generic processes for system32 have been trying to connect with the internet, I've been blocking them via AVG. AVG is naming them exploit rogue scanners and exploit neosploit toolkit
- AVG has detected or quarantined malware: win32/fakespypro, win32/trojandownloader.unruy.bn These have come from a variety of executables. Let me know if you need their names.


Let me know if you want the AVG logs.



DDS

DDS (Ver_10-03-17.01) - NTFSx86
Run by Dan at 13:59:35.06 on Sun 04/25/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1367 [GMT -6:00]

AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Alienware\Alienware AlienFX\AlienwareAlienFXController.exe
svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-AURORA-7500-A&ai=636E3D34333538353526706F3D35323433393641
mDefault_Page_URL = hxxp://www.alienware.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {348FE907-249E-4C65-A838-F34A193FE1D1} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AlienFX Controller] "c:\program files\alienware\alienware alienfx\AlienwareAlienFXController.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\oscust.lnk - c:\windows\system32\oem\OSCust.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: WB - c:\program files\alienguise\fastload.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dan\applic~1\mozilla\firefox\profiles\fimeg6v6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\dan\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dan\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-4-15 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-27 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-27 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-27 29512]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-27 242896]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-15 916760]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-15 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-4-15 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-4-15 5888008]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-27 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-4-15 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-4-15 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-4-15 26120]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-27 30104]

=============== Created Last 30 ================

2010-04-25 04:47:30 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cae43269a871a8.mof
2010-04-16 03:21:07 0 d-----w- c:\docume~1\dan\applic~1\AVG9
2010-04-15 17:07:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-15 17:01:22 0 d--h--w- C:\$AVG
2010-04-15 17:01:09 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-15 17:00:56 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-15 17:00:39 0 d-----w- c:\windows\SxsCaPendDel
2010-04-15 04:47:53 0 d-s---w- c:\documents and settings\dan\UserData
2010-04-15 04:44:45 0 d-----w- c:\windows\system32\appmgmt

==================== Find3M ====================

2010-04-25 00:45:12 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-04-19 15:25:19 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-15 17:06:33 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-15 17:06:32 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-15 17:00:56 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-04-15 17:00:56 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:05:09 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 14:00:17.25 ===============
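One way to turn the two DDS logs in this thread into a check, as an added example that is not part of the thread or of the DDS tool: it parses the "Created Last 30" / "Find3M" entries of both runs and flags drivers whose timestamp moved while the file size stayed the same, which is what pciide.sys shows here (3328 bytes on 17 April, 3328 bytes again on 25 April). The embedded excerpts are copied from the two logs above; the function and class names are this example's own.

```python
"""Diff two DDS log excerpts and flag size-preserving changes to kernel drivers."""
import re
from dataclasses import dataclass
from datetime import datetime

# One DDS file entry: "<date> <time> <size> <attrs> <path>"
DDS_ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-A-Za-z]{8})\s+(?P<path>\S.*)$"
)

# Constructed sample input: excerpts of the 20 April and 25 April logs posted
# in this thread (a real run would read the whole log file).
DDS_BEFORE = r"""
==================== Find3M ====================

2010-04-19 15:25:19 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-17 19:57:52 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-04-15 17:06:33 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
"""

DDS_AFTER = r"""
=============== Created Last 30 ================

2010-04-25 04:47:30 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cae43269a871a8.mof

==================== Find3M ====================

2010-04-25 00:45:12 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-04-19 15:25:19 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-15 17:06:33 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
"""


@dataclass(frozen=True)
class Entry:
    mtime: datetime
    size: int
    attrs: str
    path: str  # lower-cased, trailing backslash stripped, so two runs compare equal


def parse_dds(text: str) -> dict[str, Entry]:
    """Collect the file entries of a DDS log keyed by normalised path.
    Section banners, blank lines and HJT-style lines simply do not match."""
    entries: dict[str, Entry] = {}
    for raw in text.splitlines():
        m = DDS_ENTRY.match(raw.strip())
        if m is None:
            continue
        path = m["path"].strip().lower().rstrip("\\")
        entries[path] = Entry(
            mtime=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            size=int(m["size"]),
            attrs=m["attrs"],
            path=path,
        )
    return entries


def is_kernel_driver(path: str) -> bool:
    return path.endswith(".sys") and "\\system32\\drivers\\" in path


def rewritten_same_size(before: dict[str, Entry], after: dict[str, Entry]) -> list:
    """Drivers present in both runs whose mtime moved but whose size did not.
    Overwriting code inside an existing section leaves the byte count alone,
    so a core driver that changes this way between scans deserves a look."""
    hits = []
    for path, new in after.items():
        old = before.get(path)
        if old is None or not is_kernel_driver(path):
            continue
        if new.mtime != old.mtime and new.size == old.size:
            hits.append((path, old.mtime, new.mtime, new.size))
    return hits


def new_since(before: dict[str, Entry], after: dict[str, Entry]) -> list:
    """Paths that exist only in the later log (new files worth explaining)."""
    return sorted(set(after) - set(before))


if __name__ == "__main__":
    b, a = parse_dds(DDS_BEFORE), parse_dds(DDS_AFTER)
    for path, old, new, size in rewritten_same_size(b, a):
        print(f"CHANGED, SAME SIZE: {path} {old} -> {new} ({size} bytes)")
    for path in new_since(b, a):
        print(f"NEW: {path}")
```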




#4 Blade

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 26 April 2010 - 06:50 PM

Hello Chongo.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix Log



#5 Chongo

  • Topic Starter
  • Members
  • 6 posts

Posted 26 April 2010 - 08:28 PM

ComboFix 10-04-26.02 - Dan 04/26/2010 19:10:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1605 [GMT -6:00]
Running from: c:\documents and settings\Dan\Desktop\Renamed.exe.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-27 to 2010-04-27 )))))))))))))))))))))))))))))))
.

2010-04-23 22:14 . 2010-04-23 22:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\vuaneqxdb
2010-04-19 20:59 . 2010-04-19 20:59 255472 ----a-w- c:\documents and settings\Dan\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-19 15:25 . 2010-04-19 15:25 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-19 15:24 . 2010-04-19 15:24 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-16 15:51 . 2010-04-16 15:51 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-16 15:50 . 2010-04-16 15:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-16 03:21 . 2010-04-16 03:21 -------- d-----w- c:\documents and settings\Dan\Application Data\AVG9
2010-04-15 17:07 . 2010-04-15 17:07 74760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\UniversalDD.sys
2010-04-15 17:07 . 2010-04-15 17:07 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-04-15 17:07 . 2010-04-15 17:07 30216 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSFilter.sys
2010-04-15 17:07 . 2010-04-15 17:07 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-04-15 17:07 . 2010-04-15 17:07 25736 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSShim.sys
2010-04-15 17:07 . 2010-04-15 17:07 25608 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSxx.sys
2010-04-15 17:07 . 2010-04-15 17:07 161800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrkx86.sys
2010-04-15 17:07 . 2010-04-15 17:07 122376 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSDriver.sys
2010-04-15 17:07 . 2010-04-15 17:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-15 17:05 . 2010-04-15 17:00 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-04-15 17:05 . 2010-04-15 17:00 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-04-15 17:05 . 2010-04-15 17:00 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-15 17:01 . 2010-04-15 17:09 -------- d-----w- C:\$AVG
2010-04-15 17:01 . 2010-04-15 17:06 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-15 17:00 . 2010-04-15 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-15 17:00 . 2010-04-15 17:00 -------- d-----w- c:\windows\SxsCaPendDel
2010-04-15 16:58 . 2010-01-25 13:28 3777816 ----a-w- c:\documents and settings\All Users\Application Data\Temp\AVG\setup.exe
2010-04-15 16:58 . 2010-04-15 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2010-04-15 04:47 . 2010-04-15 04:47 -------- d-s---w- c:\documents and settings\Dan\UserData
2010-04-15 04:38 . 2010-04-15 04:38 -------- d-----w- c:\documents and settings\Ash\Local Settings\Application Data\Apple
2010-04-15 00:58 . 2010-04-27 01:03 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Temp
2010-04-15 00:58 . 2010-04-15 00:58 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Google
2010-04-13 16:16 . 2010-04-13 16:16 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-25 00:45 . 2005-08-31 15:58 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-04-19 15:25 . 2009-08-27 23:57 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-16 03:33 . 2006-05-18 23:13 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-16 03:33 . 2007-10-05 13:39 -------- d-----w- c:\program files\CyberLink
2010-04-16 03:33 . 2007-10-05 13:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-15 17:07 . 2009-08-27 23:57 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-15 17:06 . 2009-08-27 23:57 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-15 17:06 . 2009-08-27 23:57 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-15 17:01 . 2009-08-27 23:57 -------- d-----w- c:\program files\AVG
2010-04-15 17:00 . 2009-08-27 23:57 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-04-15 17:00 . 2009-08-27 23:57 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-03-10 08:02 . 2005-08-31 15:58 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 14:12 . 2009-08-29 14:14 23968 ----a-w- c:\documents and settings\Ash\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 05:15 . 2006-05-18 20:26 23968 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 03:20 . 2010-03-04 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-04 03:20 . 2010-03-04 03:20 -------- d-----w- c:\program files\Microsoft Works
2010-03-04 03:19 . 2010-03-04 03:19 -------- d-----w- c:\program files\Microsoft.NET
2010-02-26 06:05 . 2005-08-31 15:58 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05 . 2005-08-31 15:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2005-08-31 15:58 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:17 . 2005-08-31 15:58 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2005-08-31 15:56 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2005-08-31 15:58 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-05 17:39 . 2010-02-05 17:39 251376 ----a-w- c:\documents and settings\Ash\Application Data\Mozilla\plugins\npgoogletalk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlienFX Controller"="c:\program files\Alienware\Alienware AlienFX\AlienwareAlienFXController.exe" [2007-01-29 327680]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-23 7774208]
"nwiz"="nwiz.exe" [2007-02-23 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-23 81920]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 16005120]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
OSCust.lnk - c:\windows\system32\OEM\OSCust.exe [2007-8-17 67072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-15 17:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 03:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Ash\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Ash\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [4/15/2010 11:01 AM 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/27/2009 5:57 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/27/2009 5:57 PM 216200]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/27/2009 5:57 PM 242896]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/15/2010 11:06 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/15/2010 11:07 AM 308064]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [4/15/2010 11:06 AM 2325816]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [8/27/2009 5:57 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [8/27/2009 5:57 PM 30104]
S3 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/15/2010 11:06 AM 5888008]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [4/15/2010 11:00 AM 122376]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [4/15/2010 11:00 AM 30216]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [4/15/2010 11:00 AM 26120]
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2965007827-3232202577-881718252-1005Core.job
- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-15 00:58]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2965007827-3232202577-881718252-1005UA.job
- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-15 00:58]

2010-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2965007827-3232202577-881718252-1006Core.job
- c:\documents and settings\Ash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 23:20]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2965007827-3232202577-881718252-1006UA.job
- c:\documents and settings\Ash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-AURORA-7500-A&ai=636E3D34333538353526706F3D35323433393641
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\fimeg6v6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Dan\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Misery Stone - c:\documents and settings\Dan\My Documents\Neverwinter Nights 2\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 19:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1328)
c:\program files\AlienGUIse\fastload.dll
.
Completion time: 2010-04-26 19:16:53
ComboFix-quarantined-files.txt 2010-04-27 01:16

Pre-Run: 150,497,439,744 bytes free
Post-Run: 156,696,489,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - BAFA02F58A80DA9D36D6D8E9D237A18F

#6 Blade

Posted 27 April 2010 - 12:56 PM

Hello Chongo.

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-
"DisableNotifications"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix Log
How is the computer running now?

Edited by Blade Zephon, 27 April 2010 - 12:56 PM.


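As an added example (not ComboFix's or Blade's own code), the Python script below does mechanically what the reply above does by hand: it reads the "Reg Loading Points" section of a ComboFix log, flags the Security Center override flags and the disabled-firewall profile values, and renders the Registry:: section that removes them. It assumes only the log line format shown in this thread; the sample lines are constructed from the first log posted above.

```python
"""Scan a ComboFix 'Reg Loading Points' section for the two kinds of entries
the CFScript above deletes (Security Center override flags and a disabled
firewall profile) and render the matching 'Registry::' section.

Added example, not ComboFix's or the helper's own code. The sample below is
constructed from the log posted earlier in this thread.
"""
import re

# Registry values that silence Windows' own security warnings or keep the
# firewall off. Paths are written the way ComboFix prints them: it shortens
# HKLM\SYSTEM\CurrentControlSet to "HKLM\~". Matching is case-insensitive.
SUSPICIOUS = {
    r"HKEY_LOCAL_MACHINE\software\microsoft\security center": {
        "AntiVirusOverride": "dword:00000001",   # hides "no antivirus" alerts
        "FirewallOverride": "dword:00000001",    # hides "firewall off" alerts
    },
    r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile": {
        "EnableFirewall": "0 (0x0)",             # Windows Firewall disabled
        "DisableNotifications": "1 (0x1)",       # and its warnings muted
    },
}
_SUSPICIOUS_LC = {
    path.lower(): {name.lower(): data.lower() for name, data in vals.items()}
    for path, vals in SUSPICIOUS.items()
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
# '"name"=data'; data must be non-empty, so firewall allow-list lines such as
# '"%windir%\\system32\\sessmgr.exe"=' (no data) are ignored.
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(\S.*?)\s*$')


def find_overrides(log_text):
    """Return {key_path_as_printed: [value_name, ...]} for every value whose
    name and data match the SUSPICIOUS table under its registry key."""
    hits = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        if current is None:
            continue
        value = _VALUE_RE.match(line)
        if not value:
            continue
        name, data = value.groups()
        expected = _SUSPICIOUS_LC.get(current.lower(), {})
        if expected.get(name.lower()) == data.lower():
            hits.setdefault(current, []).append(name)
    return hits


def build_cfscript(hits):
    """Render a CFScript 'Registry::' section. A line of the form '"name"=-'
    deletes that value, which restores Windows' defaults (overrides gone,
    firewall alerts back)."""
    if not hits:
        return ""
    lines = ["Registry::"]
    for key_path, names in hits.items():
        lines.append(f"[{key_path}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\n".join(lines)


# Constructed sample: the relevant lines from the first ComboFix log above,
# plus one firewall allow-list line that must not be flagged.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

if __name__ == "__main__":
    print(build_cfscript(find_overrides(SAMPLE_LOG)))
```

Run on the sample it prints exactly the Registry:: block from the reply above; on a log where these values are absent or hold their defaults it prints nothing.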

#7 Chongo

Posted 27 April 2010 - 04:09 PM

ComboFix 10-04-26.02 - Dan 04/27/2010 14:12:51.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1524 [GMT -6:00]
Running from: c:\documents and settings\Dan\Desktop\Renamed.exe.exe
Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((( Files Created from 2010-03-27 to 2010-04-27 )))))))))))))))))))))))))))))))
.

2010-04-23 22:14 . 2010-04-23 22:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\vuaneqxdb
2010-04-19 20:59 . 2010-04-19 20:59 255472 ----a-w- c:\documents and settings\Dan\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-19 15:25 . 2010-04-19 15:25 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-19 15:24 . 2010-04-19 15:24 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-16 15:51 . 2010-04-16 15:51 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-16 15:50 . 2010-04-16 15:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-16 03:21 . 2010-04-16 03:21 -------- d-----w- c:\documents and settings\Dan\Application Data\AVG9
2010-04-15 17:07 . 2010-04-15 17:07 74760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\UniversalDD.sys
2010-04-15 17:07 . 2010-04-15 17:07 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-04-15 17:07 . 2010-04-15 17:07 30216 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSFilter.sys
2010-04-15 17:07 . 2010-04-15 17:07 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-04-15 17:07 . 2010-04-15 17:07 25736 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSShim.sys
2010-04-15 17:07 . 2010-04-15 17:07 25608 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSxx.sys
2010-04-15 17:07 . 2010-04-15 17:07 161800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrkx86.sys
2010-04-15 17:07 . 2010-04-15 17:07 122376 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSDriver.sys
2010-04-15 17:07 . 2010-04-15 17:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-15 17:05 . 2010-04-15 17:00 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-04-15 17:05 . 2010-04-15 17:00 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-04-15 17:05 . 2010-04-15 17:00 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-15 17:01 . 2010-04-15 17:09 -------- d-----w- C:\$AVG
2010-04-15 17:01 . 2010-04-15 17:06 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-15 17:00 . 2010-04-15 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-15 17:00 . 2010-04-15 17:00 -------- d-----w- c:\windows\SxsCaPendDel
2010-04-15 16:58 . 2010-01-25 13:28 3777816 ----a-w- c:\documents and settings\All Users\Application Data\Temp\AVG\setup.exe
2010-04-15 16:58 . 2010-04-15 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2010-04-15 04:47 . 2010-04-15 04:47 -------- d-s---w- c:\documents and settings\Dan\UserData
2010-04-15 04:38 . 2010-04-15 04:38 -------- d-----w- c:\documents and settings\Ash\Local Settings\Application Data\Apple
2010-04-15 00:58 . 2010-04-27 01:03 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Temp
2010-04-15 00:58 . 2010-04-15 00:58 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Google
2010-04-13 16:16 . 2010-04-13 16:16 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-25 00:45 . 2005-08-31 15:58 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-04-19 15:25 . 2009-08-27 23:57 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-16 03:33 . 2006-05-18 23:13 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-16 03:33 . 2007-10-05 13:39 -------- d-----w- c:\program files\CyberLink
2010-04-16 03:33 . 2007-10-05 13:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-15 17:07 . 2009-08-27 23:57 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-15 17:06 . 2009-08-27 23:57 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-15 17:06 . 2009-08-27 23:57 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-15 17:01 . 2009-08-27 23:57 -------- d-----w- c:\program files\AVG
2010-04-15 17:00 . 2009-08-27 23:57 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-04-15 17:00 . 2009-08-27 23:57 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-03-10 08:02 . 2005-08-31 15:58 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 14:12 . 2009-08-29 14:14 23968 ----a-w- c:\documents and settings\Ash\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 05:15 . 2006-05-18 20:26 23968 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 03:20 . 2010-03-04 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-04 03:20 . 2010-03-04 03:20 -------- d-----w- c:\program files\Microsoft Works
2010-03-04 03:19 . 2010-03-04 03:19 -------- d-----w- c:\program files\Microsoft.NET
2010-02-26 06:05 . 2005-08-31 15:58 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05 . 2005-08-31 15:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2005-08-31 15:58 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:17 . 2005-08-31 15:58 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2005-08-31 15:56 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2005-08-31 15:58 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-05 17:39 . 2010-02-05 17:39 251376 ----a-w- c:\documents and settings\Ash\Application Data\Mozilla\plugins\npgoogletalk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 01:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlienFX Controller"="c:\program files\Alienware\Alienware AlienFX\AlienwareAlienFXController.exe" [2007-01-29 327680]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-23 7774208]
"nwiz"="nwiz.exe" [2007-02-23 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-23 81920]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 16005120]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
OSCust.lnk - c:\windows\system32\OEM\OSCust.exe [2007-8-17 67072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-15 17:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 03:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Ash\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Ash\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Dan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [4/15/2010 11:01 AM 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/27/2009 5:57 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/27/2009 5:57 PM 216200]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/27/2009 5:57 PM 242896]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/15/2010 11:06 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/15/2010 11:07 AM 308064]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [4/15/2010 11:06 AM 2325816]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [8/27/2009 5:57 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [4/15/2010 11:00 AM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [4/15/2010 11:00 AM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [4/15/2010 11:00 AM 26120]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [8/27/2009 5:57 PM 30104]
S3 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/15/2010 11:06 AM 5888008]
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2965007827-3232202577-881718252-1005Core.job
- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-15 00:58]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2965007827-3232202577-881718252-1005UA.job
- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-15 00:58]

2010-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2965007827-3232202577-881718252-1006Core.job
- c:\documents and settings\Ash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 23:20]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2965007827-3232202577-881718252-1006UA.job
- c:\documents and settings\Ash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-AURORA-7500-A&ai=636E3D34333538353526706F3D35323433393641
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\fimeg6v6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Dan\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-27 14:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1328)
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'explorer.exe'(1744)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
.
Completion time: 2010-04-27 14:17:52
ComboFix-quarantined-files.txt 2010-04-27 20:17
ComboFix2.txt 2010-04-27 01:16

Pre-Run: 156,647,190,528 bytes free
Post-Run: 156,610,801,664 bytes free

- - End Of File - - C90E458E00E50E2F427115968CDCAEAE


Computer seems to be running fine! No redirects, no funkiness. Out of curiosity, what did that last step you had me perform do?

#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US
  • Local time:06:54 AM

Posted 30 April 2010 - 08:07 AM

Hi Chongo.

Sorry for the delay, finals are this week >.<

The last step we did just reset some registry settings that were changed by the malware.

Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

~Blade


In your next reply, please include the following:
Kaspersky Log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#9 Chongo

Chongo
  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:54 AM

Posted 08 May 2010 - 12:03 PM

Firefox won't allow the javascript to run. I've changed the options on it to allow, deactivated AVG... still not working. Any ideas on what easy step I'm missing?

#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US
  • Local time:06:54 AM

Posted 09 May 2010 - 03:55 AM

Hi Chongo.

Please try doing the Kaspersky Scan using Internet Explorer. If that fails as well let me know.

~Blade



#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US
  • Local time:06:54 AM

Posted 17 May 2010 - 08:25 PM

Are you still there?



#12 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US
  • Local time:06:54 AM

Posted 19 May 2010 - 06:14 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade





