IE/FF: Redirection Error


This topic is locked. 26 replies to this topic.

#1 Misk (Members, 39 posts)

Posted 20 April 2010 - 06:55 PM

I am becoming desperate. My computer has something that causes my two browsers, FireFox and Internet Explorer, to be redirected to different pages, some harmful.

The general cycle is: Google search -> Google results -> click a result -> redirect -> completely unrelated search engine with the same search query.

Also, there is the rare occasion when I'm not using the search engine, a new tab suddenly opens up to an ad site of some kind, and usually one that AVG screams an alert over.


This all seemed to begin this past Saturday. I don't remember when it exactly started, but it was on Saturday I downloaded and installed a trial version of MagicISO. (A little detail about that later)


Programs downloaded/used to combat the infection:
==================================
-Spyware Doctor (deleted after learning the trial version doesn't delete spyware)
-MalwareByte's Anti-Malware
-Security Task Manager (Status unknown; file lost)
-HiJackThis



Actions I have already taken (in order):
====================
-Deleting Zwunzi file in C:\Program Files
-AVG Virus Scan (Little to no results)
-MalwareByte's Scan (Zwunzi found and deleted)
-Add/Remove Programs (Zwunzi uninstalled)
-Deleting every file possible relevant to MagicISO
-Add/Remove Programs (MagicISO uninstalled)
-MalwareByte's FileASSASSIN (Used on a .dll extension file for MagicISO that refused to be deleted manually)
-System Restore to the previous Tuesday (FAILED).

Here is the most recent HiJackThis log:
=========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:41 PM, on 4/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\TrendMicro\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://elounge.invisionzone.com/index.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Internet Explorer Plugin - {92109E9C-D153-4288-B749-6BB009EFC319} - fycwdn11.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5189 bytes

Please, any advice at all would be appreciated. I really want to avoid having to reinstall the Operating System again unless I have no other choice.
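The log above is read by eye in the replies that follow, but the checks a log reader applies are mechanical enough to script. The Python below is an added example, not code from this thread, from BleepingComputer or from HijackThis: it parses the R0/R1, O2 and O4 lines, flags BHOs registered with no module, BHOs given by a bare DLL name rather than a full path, autostarts launched from user-writable folders, and IE start/search pages that are not Microsoft defaults. The sample lines are copied from the log in this post; the Microsoft-default host list and the user-writable folder list are assumptions, as are the severity labels.

```python
"""Triage a HijackThis log: pull out the entries worth a second look.

Added example, not a BleepingComputer or Trend Micro tool. It encodes the checks
a log reader applies by hand: BHOs with no module, modules given by bare name,
autostarts in user-writable folders, and non-default IE start/search pages.
The allowlists are assumptions; the sample is copied from the log in this post.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://elounge.invisionzone.com/index.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Internet Explorer Plugin - {92109E9C-D153-4288-B749-6BB009EFC319} - fycwdn11.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>HK[A-Z]+\\[^,]+),(?P<value>[^=]+?) = (?P<url>\S+)$")

MS_DEFAULT_HOSTS = {"go.microsoft.com", "www.msn.com"}       # assumed: stock IE targets
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")   # assumed: bad homes for autostarts

@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    section: str   # "R", "O2" or "O4"
    subject: str   # CLSID, Run value name or IE setting name
    detail: str

def _is_bare(path: str) -> bool:
    return "\\" not in path and "/" not in path

def _first_token(cmd: str) -> tuple[str, str]:
    """Split a Run command into (executable, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, rest = cmd.partition(" ")
    return exe, rest

def _check_bho(m: re.Match) -> Finding | None:
    clsid, target = m["clsid"].upper(), m["target"].strip()
    if target == "(no file)":
        return Finding("medium", "O2", clsid, "orphan BHO: CLSID registered with no module; delete the registration")
    path = target.removesuffix("(file missing)").strip()
    if _is_bare(path):
        # IE resolves a bare name through the DLL search path (system32 is early in it).
        # HijackThis tests the string as written, so "(file missing)" is not proof of
        # absence: in this thread DDS later listed c:\windows\system32\fycwdn11.dll.
        return Finding("high", "O2", clsid, f"BHO loaded by bare module name {path}; find it under system32 and check its age and signature")
    if target.endswith("(file missing)"):
        return Finding("medium", "O2", clsid, f"BHO module not on disk: {path}")
    return None

def _check_run(m: re.Match) -> Finding | None:
    exe, args = _first_token(m["cmd"])
    if exe.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        exe = args.split(",", 1)[0].strip()  # judge the module rundll32 loads, not rundll32 itself
    if any(d in exe.lower() for d in USER_WRITABLE):
        return Finding("high", "O4", m["value"], f"autostart from a user-writable folder: {exe}")
    if _is_bare(exe):
        return Finding("info", "O4", m["value"], f"autostart by bare name {exe}; resolved via PATH, confirm which file runs")
    return None

def _check_ie_page(m: re.Match) -> Finding | None:
    host = urlsplit(m["url"]).hostname or ""
    if host in MS_DEFAULT_HOSTS:
        return None
    return Finding("info", "R", m["value"].strip(), f"{m['value'].strip()} points at {host}; confirm the user chose it")

def triage_hjt(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in text.splitlines():
        for rx, check in ((O2_RE, _check_bho), (O4_RE, _check_run), (R_RE, _check_ie_page)):
            m = rx.match(line.strip())
            if m:
                if (f := check(m)) is not None:
                    findings.append(f)
                break
    return findings

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f.severity:>6}] {f.section:<2} {f.subject}: {f.detail}")
```

On the sample it produces one high-severity hit, the nameless "Internet Explorer Plugin" BHO loaded as a bare fycwdn11.dll, plus the orphan CLSID, the bare nwiz.exe autostart (legitimate NVIDIA, hence informational) and the non-default start page, which here is simply the user's own forum. The vendor BHOs with full paths under Program Files are left alone. The point of the bare-name rule is the one this thread illustrates: HijackThis said "(file missing)" for fycwdn11.dll, yet the DDS log posted later shows the file sitting in system32, so that annotation must not be read as "nothing to clean".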


#2 Misk (Topic Starter)

Posted 20 April 2010 - 09:23 PM

UPDATE: FireFox is brittle. It continually crashes at random places. Now, I can't speak for everyone else, but FireFox has a very rare history of crashing for me...A crash once, maybe twice every month or so...Never three times in a day. It just strikes me as odd...

(Also, I apologize for the unintentional bump. For whatever reason, FF crashed if I tried to edit...)

#3 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 25 April 2010 - 06:08 PM

Hello Misk, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, and it will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped, so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited in how many logs we can respond to and keep open due to time constraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



In order to better assist you I will need the following:




Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop, post the DDS.txt in the reply window and attach the Attach.txt
  • If you have any CD emulation software such as Daemon or Alcohol, please run the following before you run GMER. If you do not, skip DeFogger and go right on to GMER. If you do use it, let me know so we can re-enable it when we finish up.



    Disable:


    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.



    Disable your antivirus along with other security programs such as Windows Defender or TeaTimer before running the following. Instructions can be found Here.



    Download GMER Rootkit Scanner from here to your desktop.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.





    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries




    If GMER does not want to run add the following to those that you unchecked and try it again:

    • Registry
    • Files
    Note: Please make only the Attach.txt from DDS an attachment, post the other logs directly into the reply window.



    Thanks,



    thewall



    If I have helped you then please consider donating so I can continue the fight against malware
    All donations go directly to the helper

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #4 Misk (Topic Starter)

    Posted 25 April 2010 - 10:30 PM

    I apologize if replies are late; however the infection spread to the point where even going online has become dangerous, let alone downloading from even the safest of sites. I am posting this message from another computer, one with more restrictive access.

    Edited by Misk, 25 April 2010 - 10:30 PM.


    #5 thewall (Malware Response Team)

    Posted 25 April 2010 - 10:57 PM

    Not sure exactly what you mean that it has become dangerous to download from safe sites. What are you concerned about happening?

    #6 Misk (Topic Starter)

    Posted 26 April 2010 - 08:02 PM

    It's what has already happened. From the sites I was redirected to, I'm quite certain I caught a far more malicious virus, as I've been locked out of several functions, including volume control. Also note I am the administrator of the computer.

    #7 thewall (Malware Response Team)

    Posted 26 April 2010 - 08:25 PM

    If you have the use of a flash drive then try copying the programs to it from a clean computer, then transfer over to the infected computer and run them from there. You can then copy the logs back onto the flash drive and do the opposite. Just keep in mind, if you do it that way, to hold down your shift key on the clean computer before inserting the flash drive in it once it has been used in the infected one. This disables the autorun feature and prevents infections from getting into the clean unit.

    #8 Misk (Topic Starter)

    Posted 27 April 2010 - 05:37 PM

    It took some doing, but I managed to procure a flash drive as per suggestion.

    As requested, here is the DDS log:


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Lord Misk at 16:00:03.70 on Tue 04/27/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.202 [GMT -6:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Lord Misk\Application Data\U3\000018809A607EDD\LaunchPad.exe
    C:\Documents and Settings\Lord Misk\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://elounge.invisionzone.com/index.php?
    uSearch Page = hxxp://www.google.com
    uDefault_Page_URL = hxxp://www.msn.com
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Internet Explorer Plugin: {92109e9c-d153-4288-b749-6bb009efc319} - fycwdn11.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    mASetup: {EC5738BF-72C3-416F-9D09-24A21222BE58} - rundll32 fycwdn11.dll,laspi

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\lordmi~1\applic~1\mozilla\firefox\profiles\1p2yx4uz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://elounge.invisionzone.com/index.php?
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: d:\divx\divx player\npDivxPlayerPlugin.dll
    FF - plugin: d:\divx\divx web player\npdivx32.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-8 216200]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-8 29512]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-8 242896]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-16 916760]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-16 308064]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-21 135664]

    =============== Created Last 30 ================

    2010-04-20 23:16:17 3519 ----a-w- c:\windows\system32\gzdjl
    2010-04-20 23:16:16 46080 ----a-w- c:\windows\system32\fycwdn11.dll
    2010-04-20 23:16:15 60928 ----a-w- c:\windows\system32\klgd.bmp
    2010-04-20 04:05:48 0 d-----w- C:\TrendMicro
    2010-04-20 03:50:44 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
    2010-04-20 03:50:27 0 d-----w- C:\Security Task Manager
    2010-04-19 06:24:29 0 d-----w- c:\docume~1\lordmi~1\applic~1\Malwarebytes
    2010-04-19 06:24:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-19 06:24:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-04-19 06:24:03 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-19 06:24:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-19 06:04:54 767952 ----a-w- c:\windows\BDTSupport.dll.old
    2010-04-19 06:04:53 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
    2010-04-18 10:43:08 299520 ----a-w- c:\windows\uninst.exe
    2010-04-18 09:17:38 0 d-----w- c:\windows\nview
    2010-04-02 08:17:10 108733 ----a-w- C:\Vader_breathing.ogg

    ==================== Find3M ====================

    2010-04-27 21:58:21 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
    2010-04-20 23:17:03 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-03-25 11:58:04 18499623 ----a-w- C:\vlc-1.0.5-win32.exe
    2010-03-25 08:07:22 5147589 ----a-w- C:\realalt190lite.exe
    2010-03-25 07:53:14 6908749 ----a-w- C:\rmvbconvertersetup.exe
    2010-03-16 22:36:04 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-16 22:33:49 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-17 15:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

    ============= FINISH: 16:01:43.46 ===============


    And the Attach file:

    Attached File: Attach.txt (9.17KB)

    And the GMER log...

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-27 17:30:59
    Windows 5.1.2600 Service Pack 3
    Running: onbd8ehs.exe; Driver: C:\DOCUME~1\LORDMI~1\LOCALS~1\Temp\axxdypod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 8210EAC8

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
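What makes this DDS log readable is the timeline: three files landed in system32 within two seconds of each other at 23:16 on 20 April (gzdjl, fycwdn11.dll, klgd.bmp), the same evening the redirects began, and the pseudo-HJT section carries two autostarts naming one of them (the BHO and the mASetup entry `rundll32 fycwdn11.dll,laspi`). The script below is an added example, not part of the thread and not a feature of DDS: it parses the "Created Last 30" and "Find3M" lines, groups system32 files whose timestamps fall within a window of each other into drop events, maps each dropped file to the autostart lines that reference it, and lists kernel drivers modified at or after the drop. The sample is copied from the log in this post; the 60-second window, the system32 filter and the set of autostart prefixes it looks at are assumptions.

```python
"""Correlate a DDS log's file-creation timeline with its autostart entries.

Added example, not part of the thread and not a DDS feature. It mechanises the
reasoning applied to the log above: regular files dropped into system32 within
seconds of each other are one installation event, and any autostart entry that
names one of them is that event's persistence. Assumptions: the 60 s window,
the system32 filter and the sample below (copied from the DDS log in this post).
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

SAMPLE_DDS = r"""
BHO: Internet Explorer Plugin: {92109e9c-d153-4288-b749-6bb009efc319} - fycwdn11.dll
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mASetup: {EC5738BF-72C3-416F-9D09-24A21222BE58} - rundll32 fycwdn11.dll,laspi
=============== Created Last 30 ================
2010-04-20 23:16:17 3519 ----a-w- c:\windows\system32\gzdjl
2010-04-20 23:16:16 46080 ----a-w- c:\windows\system32\fycwdn11.dll
2010-04-20 23:16:15 60928 ----a-w- c:\windows\system32\klgd.bmp
2010-04-20 04:05:48 0 d-----w- C:\TrendMicro
2010-04-19 06:24:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
==================== Find3M ====================
2010-04-27 21:58:21 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-04-20 23:17:03 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-17 15:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
"""

# "YYYY-MM-DD HH:MM:SS <size> <8-char attrs> <path>" as DDS prints file entries.
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (\S{8}) (.+)$")
# Pseudo-HJT lines that carry a command or module (assumed subset of DDS prefixes).
AUTOSTART_RE = re.compile(r"^(?P<kind>mASetup|uRun|mRun|BHO|TB|Notify): (?P<rest>.*)$")

@dataclass(frozen=True)
class FileEntry:
    when: datetime
    size: int
    attrs: str   # DDS attribute string; "d" first means directory
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

def parse_files(text: str) -> list[FileEntry]:
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append(FileEntry(datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), int(m[2]), m[3], m[4]))
    return entries

def parse_autostarts(text: str) -> list[tuple[str, str]]:
    found = []
    for line in text.splitlines():
        m = AUTOSTART_RE.match(line.strip())
        if m:
            found.append((m["kind"], m["rest"]))
    return found

def drop_clusters(entries: list[FileEntry], window_s: int = 60, min_files: int = 2) -> list[list[FileEntry]]:
    """Group system32 files whose timestamps are within window_s of the previous one."""
    window = timedelta(seconds=window_s)
    files = sorted((e for e in entries if not e.attrs.startswith("d") and "\\system32\\" in e.path.lower()),
                   key=lambda e: e.when)
    clusters: list[list[FileEntry]] = []
    current: list[FileEntry] = []
    for e in files:
        if current and e.when - current[-1].when > window:
            if len(current) >= min_files:
                clusters.append(current)
            current = []
        current.append(e)
    if len(current) >= min_files:
        clusters.append(current)
    return clusters

def persistence_for(cluster: list[FileEntry], autostarts: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each dropped file name to the autostart lines that reference it."""
    hits: dict[str, list[str]] = {}
    for e in cluster:
        refs = [f"{kind}: {rest}" for kind, rest in autostarts if e.name in rest.lower()]
        if refs:
            hits[e.name] = refs
    return hits

def drivers_touched_since(entries: list[FileEntry], since: datetime) -> list[str]:
    """Kernel drivers with mtime at or after the drop; legitimate vendor updates land here too."""
    return sorted(e.name for e in entries if "\\system32\\drivers\\" in e.path.lower() and e.when >= since)

if __name__ == "__main__":
    entries, autostarts = parse_files(SAMPLE_DDS), parse_autostarts(SAMPLE_DDS)
    for cluster in drop_clusters(entries):
        print(f"drop event at {cluster[0].when}: {[e.name for e in cluster]}")
        print("  persistence:", persistence_for(cluster, autostarts))
        print("  drivers touched since:", drivers_touched_since(entries, cluster[0].when))
```

Two things the output teaches that the raw log does not. First, with a 60-second window avgtdix.sys joins the cluster, because AVG updated its own network driver 46 seconds after the drop (the ComboFix log further down shows AVG's backup copy with the same 23:17 timestamp); a tighter window, or a signature check on the file, separates it from the three unsigned droppings, which is why clustering is a triage aid and not a verdict. Second, `drivers_touched_since` surfaces imapi.sys, a stock XP driver whose modification time is 27 April, a week after the drop and with no corresponding update; that is the file ComboFix later reports as infected and restores.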

    #9 thewall (Malware Response Team)

    Posted 27 April 2010 - 06:06 PM

    Good job. Looks like you are infected with a TDL3 rootkit, so we are going to have to try to run ComboFix. You will need to do the same thing as before, and it would be better if you could transfer it to the desktop of your infected computer once you get it on the flash drive, but if you can't then run it directly from the FD. If you have any problem with it installing the Recovery Console, which it usually does itself, let me know.


    Please download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.






    #10 Misk (Topic Starter)

    Posted 27 April 2010 - 07:02 PM

    ComboFix is telling me it has detected rootkit activity and is asking if I wish to reboot.

    How do I answer?

    #11 thewall (Malware Response Team)

    Posted 27 April 2010 - 07:22 PM

    Yes, if it wants to reboot allow it to do so.

    #12 Misk (Topic Starter)

    Posted 27 April 2010 - 08:17 PM

    Very well; I have done so. And for the first time since I was first infected, it worked out exactly the way it was supposed to.

    Here is the ComboFix log:

    ComboFix 10-04-26.05 - Lord Misk 04/27/2010 19:44:52.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.245 [GMT -6:00]
    Running from: c:\documents and settings\Lord Misk\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\klgd.bmp

    Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ZWUNZI_SERVICE


    ((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
    .

    2010-04-21 00:19 . 2010-04-21 00:19 -------- d-----w- c:\documents and settings\Lord Misk\Local Settings\Application Data\Help
    2010-04-21 00:19 . 2010-04-21 00:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-20 23:17 . 2010-04-20 23:17 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-04-20 23:16 . 2010-04-20 23:16 46080 ----a-w- c:\windows\system32\fycwdn11.dll
    2010-04-20 23:08 . 2010-04-20 23:08 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-04-20 04:05 . 2010-04-20 04:05 388096 ----a-r- c:\documents and settings\Lord Misk\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-04-20 04:05 . 2010-04-20 04:05 -------- d-----w- C:\TrendMicro
    2010-04-20 03:51 . 2009-02-09 12:10 617472 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\_entreelist.dll
    2010-04-20 03:51 . 2009-02-09 12:10 714752 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
    2010-04-19 23:34 . 2010-04-19 23:34 -------- d-----w- c:\documents and settings\Lord Misk\Local Settings\Application Data\Threat Expert
    2010-04-19 23:21 . 2010-04-19 23:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-04-19 06:24 . 2010-04-19 06:24 -------- d-----w- c:\documents and settings\Lord Misk\Application Data\Malwarebytes
    2010-04-19 06:24 . 2010-03-30 06:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-19 06:24 . 2010-04-19 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-19 06:24 . 2010-03-30 06:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-19 06:24 . 2010-04-21 00:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-18 10:43 . 1997-01-18 16:40 299520 ----a-w- c:\windows\uninst.exe
    2010-04-18 09:17 . 2010-04-18 09:17 -------- d-----w- c:\windows\nview
    2010-04-08 02:31 . 2010-04-08 02:31 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-04-01 21:57 . 2010-04-01 21:57 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
    2010-04-01 21:57 . 2010-04-01 21:57 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
    2010-04-01 21:57 . 2010-04-01 21:57 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
    2010-04-01 21:57 . 2010-04-01 21:57 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-04-01 21:57 . 2010-04-01 21:57 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
    2010-04-01 21:57 . 2010-04-01 21:57 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
    2010-04-01 21:57 . 2010-04-01 21:57 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
    2010-04-01 21:56 . 2010-04-01 21:56 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
    2010-04-01 21:56 . 2010-04-01 21:56 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
    2010-04-01 21:56 . 2010-04-01 21:56 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
    2010-04-01 21:56 . 2010-04-01 21:56 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
    2010-04-01 21:51 . 2010-04-01 21:51 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-28 00:32 . 2009-10-27 23:41 -------- d-----w- c:\documents and settings\Lord Misk\Application Data\U3
    2010-04-27 21:58 . 2002-08-29 12:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
    2010-04-21 23:56 . 2010-03-22 06:52 0 ----a-w- c:\documents and settings\Lord Misk\Local Settings\Application Data\prvlcl.dat
    2010-04-21 23:18 . 2010-03-25 12:13 -------- d-----w- c:\documents and settings\Lord Misk\Application Data\vlc
    2010-04-21 00:17 . 2010-04-20 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
    2010-04-20 23:17 . 2009-10-09 01:30 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-19 01:13 . 2010-01-06 02:37 -------- d-----w- c:\documents and settings\Lord Misk\Application Data\BitTorrent
    2010-03-28 09:10 . 2010-03-28 09:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Disney Imagineering
    2010-03-25 11:59 . 2010-03-25 11:59 -------- d-----w- c:\program files\VideoLAN
    2010-03-25 11:58 . 2010-03-25 11:57 18499623 ----a-w- C:\vlc-1.0.5-win32.exe
    2010-03-25 08:09 . 2010-03-25 08:08 -------- d-----w- c:\program files\Real Alternative
    2010-03-25 08:07 . 2010-03-25 08:07 5147589 ----a-w- C:\realalt190lite.exe
    2010-03-25 07:53 . 2010-03-25 07:53 6908749 ----a-w- C:\rmvbconvertersetup.exe
    2010-03-22 04:58 . 2009-10-09 00:42 -------- d-----w- c:\program files\Google
    2010-03-16 22:36 . 2010-03-16 22:36 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-16 22:36 . 2009-10-09 01:30 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-03-16 22:33 . 2009-10-09 01:30 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-02-25 06:24 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-17 15:10 . 2002-08-29 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-15 01:59 . 2009-10-09 01:26 21432 ----a-w- c:\documents and settings\Lord Misk\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-12 04:33 . 2002-08-29 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-09 39408]
    "NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-09 149280]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
    "nwiz"="nwiz.exe" [2003-07-28 323584]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-03-16 22:36 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Sierra\\Whole-Life\\Whole-Life\\Half-Life\\hl.exe"=
    "d:\\Sierra\\Half-Life - Co-op\\HALF-LIFE\\HL.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "d:\\SAGE 09\\srb2win.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/8/2009 7:30 PM 216200]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/8/2009 7:30 PM 242896]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/16/2010 4:33 PM 916760]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/16/2010 4:35 PM 308064]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2010 10:58 PM 135664]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EC5738BF-72C3-416F-9D09-24A21222BE58}]
    2010-04-20 23:16 46080 ----a-w- c:\windows\system32\fycwdn11.dll
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 04:57]

    2010-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 04:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://elounge.invisionzone.com/index.php?
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Lord Misk\Application Data\Mozilla\Firefox\Profiles\1p2yx4uz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://elounge.invisionzone.com/index.php?
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: d:\divx\DivX Player\npDivxPlayerPlugin.dll
    FF - plugin: d:\divx\DivX Web Player\npdivx32.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{92109E9C-D153-4288-B749-6BB009EFC319} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-27 19:57
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2204)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\rundll32.exe
    c:\windows\system32\devldr32.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-27 20:05:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-28 02:05

    Pre-Run: 28,872,511,488 bytes free
    Post-Run: 30,922,870,784 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - 30592CE57DBAD84217EE75FD6D306D6D


    #13 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida
    • Local time:05:26 AM

    Posted 27 April 2010 - 08:42 PM

    Great! See if you can get me another GMER log now.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #14 Misk

    Misk
    • Topic Starter

    • Members
    • 39 posts
    • Local time:03:26 AM

    Posted 27 April 2010 - 09:34 PM

    Understood.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-27 21:35:08
    Windows 5.1.2600 Service Pack 3
    Running: onbd8ehs.exe; Driver: C:\DOCUME~1\LORDMI~1\LOCALS~1\Temp\axxdypod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    #15 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida
    • Local time:05:26 AM

    Posted 27 April 2010 - 10:15 PM

    That looks much better. Let's look for leftovers now:



It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:



    Please perform a scan with Kaspersky Online Virus Scanner.
    -- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
    -- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
    • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
    • Read the "Advantages - Requirements and Limitations" then press the ... button.
    • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
    • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the ... button.
    • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the ... button afterwards:
      • Detect malicious programs of the following categories:
        Viruses, Worms, Trojan Horses, Rootkits
        Spyware, Adware, Dialers and other potentially dangerous programs
      • Scan compound files (doesn't apply to the File scan area):
        Archives
        Mail databases
    • Click on My Computer under the Scan section. OK any warnings from your protection programs.
    • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
    • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
    • Click on Save Report As... and change the Files of type to Text file (.txt)
    • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
    • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
    -- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.





