

Fraud.sysguard malware hijacking my browser


23 replies to this topic

#1 userhw

  • Members
  • 45 posts

Posted 13 June 2010 - 01:02 PM

(After some posting trouble on my own computer I've managed to post my logs from a different computer. I accidentally submitted the post twice, but I have deleted the info from the other post. All the info is in this post. Please disregard the other one. Sorry. )

* * *

Hello,

I'm not an expert at dealing with these sorts of things, so apologies if my terminology is off, or if I have missed anything obvious. I haven't dealt with something like this before or posted to a site like this. Thanks!

My PC (running Windows XP) got infected earlier this week with some trojans online which introduced the malware fraud.sysguard. AVG and my built-in XP firewall did not stop the attack. The only evidence of attack was my computer slowed somewhat and then my browser windows were getting hijacked and redirected.

Scans with AVG first revealed nothing. Scans with Spybot S&D revealed Fraud.Sysguard which I then was able to "fix" using Spybot which I did.

The problems continued. Then there were some pop-ups which I managed to close/cancel. I continued to scan my computer and Spybot S&D picked up the infection two more times, and was able to "fix" it both times which I again did. AVG then picked up three trojans, two called "TROJAN HORSE GENERIC 18.GDB". I was able to remove these in AVG successfully (according to AVG).

All of my data is backed up on an external hard drive which was plugged in at the time of the attack, but which I have removed from the computer now. I had it unplugged during the running of these logs. If you want to see the logs with the hard drive plugged in, let me know. I'm hoping it's not compromised.

At present, the pop-ups have stopped. Neither Spybot nor AVG picks anything up in scans, but the hijack/redirect problem remains. I also finally downloaded and tried Malwarebytes, which did not pick up anything.

Thank you! :-)



DDS (Ver_10-03-17.01) - NTFSx86

Run by Administrator at 12:32:28.43 on Sat 06/12/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.174 [GMT -7:00]


AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}


============== Running Processes ===============


C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Program Files\Cobian Backup 10\cbVSCService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\System32\igfxpers.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr


============== Pseudo HJT Report ===============


uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256535871437

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com


================= FIREFOX ===================


FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\9l2820bh.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.igoogle.ca/

FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}


---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);


============= SERVICES / DRIVERS ===============


R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-26 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-26 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-26 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-15 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]

R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-6-12 67584]

S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-10-29 30192]


=============== Created Last 30 ================


2010-06-12 18:22:22 0 d-----w- c:\program files\Cobian Backup 10

2010-06-12 17:10:01 0 d-----w- c:\program files\Runtime Software

2010-06-12 04:51:20 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-06-12 04:50:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-12 04:50:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-12 04:50:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-12 04:50:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware


==================== Find3M ====================


2010-06-02 16:35:02 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-16 00:51:25 7680 --sha-w- c:\program files\Thumbs.db

2010-03-21 03:13:18 24548 ---ha-w- c:\windows\system32\mlfcache.dat

2010-03-15 16:37:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-02-28 21:10:00 14336 ----a-w- c:\program files\wmdmhelper.dll

2010-02-28 21:08:51 53248 ----a-w- c:\program files\rpau3260.dll

2010-02-28 21:06:46 716 ----a-w- c:\program files\CinemasterVideo.4.3.manifest

2010-02-28 21:06:46 572 ----a-w- c:\program files\CinemasterAudio.4.3.manifest

2010-02-28 21:06:46 488968 ----a-w- c:\program files\realplay.exe

2010-02-28 21:06:46 1559 ----a-w- c:\program files\realplay.exe.manifest

2010-02-28 21:06:44 23558 ----a-w- c:\program files\freeoffers.ico

2010-02-28 21:06:44 207 ----a-w- c:\program files\subscription.rnx

2010-02-28 21:06:44 17846 ----a-w- c:\program files\videotest.rm

2010-02-28 21:06:40 685 ----a-w- c:\program files\RecordingManager.exe.manifest

2010-02-28 21:06:40 398912 ----a-w- c:\program files\RecordingManager.exe

2001-03-28 19:02:58 122880 -c--a-w- c:\windows\inf\agfa\message.exe

2010-03-11 18:21:07 16384 --sha-w- c:\windows\temp\cookies\index.dat

2010-03-11 18:21:07 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

2010-03-11 18:21:10 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat


============= FINISH: 12:34:33.43 ===============






Here's the Gmer Log:



GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-12 19:44:48

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fwrdipow.sys



---- User code sections - GMER 1.0.15 ----


.text C:\WINDOWS\System32\svchost.exe[1000] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A

.text C:\WINDOWS\System32\svchost.exe[1000] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A

.text C:\WINDOWS\System32\svchost.exe[1000] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C

.text C:\WINDOWS\System32\svchost.exe[1000] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A

.text C:\WINDOWS\System32\svchost.exe[1000] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]

.text C:\WINDOWS\Explorer.EXE[1696] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[1696] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A

.text C:\WINDOWS\Explorer.EXE[1696] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

.text C:\WINDOWS\system32\wuauclt.exe[2232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A

.text C:\WINDOWS\system32\wuauclt.exe[2232] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A

.text C:\WINDOWS\system32\wuauclt.exe[2232] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C


---- Devices - GMER 1.0.15 ----


AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)


---- Registry - GMER 1.0.15 ----


Reg HKLM\SOFTWARE\Classes\CLSID\{3A3E28D3-EB64-3069-7009-7CA732C61B48}\InProcServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{3A3E28D3-EB64-3069-7009-7CA732C61B48}\InProcServer32@kabcbfmmplhklkhbnomiif 0x62 0x61 0x62 0x64 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{3A3E28D3-EB64-3069-7009-7CA732C61B48}\InProcServer32@jabcipeandjomdmloech 0x63 0x61 0x67 0x64 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3A3E28D3-EB64-3069-7009-7CA732C61B48}


---- EOF - GMER 1.0.15 ----


Edited by userhw, 13 June 2010 - 01:40 PM.
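A small triage helper for the "User code sections" block of a GMER log, added here as an example; it is not part of this thread, of GMER, or of any tool the helpers use. It parses lines in the format shown in the log above (the sample lines are constructed from that format), groups the inline hooks per process, and reports hook stub addresses that recur across processes, which usually means one component installed the same hook in each of them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, modelled on the GMER 1.0.15 "User code sections" block
# posted in this thread (same line format, PIDs and addresses as in the log).
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1000] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1000] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1000] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1000] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\WINDOWS\Explorer.EXE[1696] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\system32\wuauclt.exe[2232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A

---- Devices - GMER 1.0.15 ----
"""

# One ".text" line: image[pid] module!function [+ offset] address size Byte(s) patch
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+)$"
)


@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    module: str
    func: str
    offset: int      # bytes past the function start (0 for the entry itself)
    addr: int        # patched address, as reported by GMER
    size: int        # number of patched bytes
    patch: str       # "JMP <target>" or the raw replaced bytes, e.g. "[89]"

    @property
    def name(self) -> str:
        return f"{self.module}!{self.func}" + (f"+{self.offset}" if self.offset else "")

    @property
    def jmp_target(self):
        """Target address of an inline JMP patch, or None for other patches."""
        m = re.match(r"JMP\s+([0-9A-Fa-f]+)$", self.patch)
        return int(m.group(1), 16) if m else None


def parse_user_code_hooks(text: str) -> list:
    """Extract every '.text' hook line; section headers and blanks are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(
            image=m["image"], pid=int(m["pid"]), module=m["module"].lower(),
            func=m["func"], offset=int(m["offset"] or 0),
            addr=int(m["addr"], 16), size=int(m["size"]), patch=m["patch"].strip(),
        ))
    return hooks


def summarize(hooks: list) -> dict:
    """Hooks per (image, pid), plus JMP targets seen in more than one process."""
    per_process = defaultdict(list)
    targets = defaultdict(set)
    for h in hooks:
        per_process[(h.image, h.pid)].append(h.name)
        if h.jmp_target is not None:
            targets[h.jmp_target].add(h.pid)
    shared = {hex(t): sorted(pids) for t, pids in targets.items() if len(pids) > 1}
    return {"per_process": dict(per_process), "shared_jmp_targets": shared}


if __name__ == "__main__":
    report = summarize(parse_user_code_hooks(SAMPLE_GMER))
    for (image, pid), names in report["per_process"].items():
        print(f"{image}[{pid}]: {', '.join(names)}")
    print("stub addresses shared across processes:", report["shared_jmp_targets"])
```

The summary says which APIs are patched in which process; whether a given hook belongs to security software or to the infection still has to be decided by the helper reading the log.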




#2 userhw

  • Topic Starter
  • Members
  • 45 posts

Posted 16 June 2010 - 04:21 PM

Please Someone Help--I don't know what to do.

It's my first time posting here but I've noticed people who posted after me with similar problems have received responses already. I'm wondering if I posted something wrong in my logs, or missed something obvious? If so, and you know what it is, please tell me what, so I can get started. I've been without my computer for more than a week now as I'm reluctant to use it while it has this problem ongoing. Sorry if I've missed something obvious.

I don't really want to try fiddling around based on other people's posts, especially because of the big "DO NOT RUN Combo Fix unless requested to..." warning. But I'm getting really desperate.

Thanks!




#3 userhw

  • Topic Starter
  • Members
  • 45 posts

Posted 18 June 2010 - 08:41 AM

I scanned with Sophos anti-rootkit and was able to remove some hidden files. I'm re-scanning with GMER now.

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 June 2010 - 07:16 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#5 userhw

  • Topic Starter
  • Members
  • 45 posts

Posted 20 June 2010 - 01:53 PM

Thank you!!! I'll get to work on this immediately.

#6 userhw

  • Topic Starter
  • Members
  • 45 posts

Posted 21 June 2010 - 11:03 AM


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 12:36:37.42 on Sun 06/20/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.258 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\igfxpers.exe
C:\PROGRA~1\AVG\AV

#7 userhw

  • Topic Starter
  • Members
  • 45 posts

Posted 21 June 2010 - 11:04 AM

Attachments.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 12:36:37.42 on Sun 06/20/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.258 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\igfxpers.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe


#8 userhw

  • Topic Starter
  • Members
  • 45 posts

Posted 21 June 2010 - 11:07 AM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-21 08:53:29
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fwrdipow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1012] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0067000A
.text C:\WINDOWS\System32\svchost.exe[1012] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1012] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{3A3E28D3-EB64-3069-7009-7CA732C61B48}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{3A3E28D3-EB64-3069-7009-7CA732C61B48}\InProcServer32@kabcbfmmplhklkhbnomiif 0x62 0x61 0x62 0x64 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{3A3E28D3-EB64-3069-7009-7CA732C61B48}\InProcServer32@jabcipeandjomdmloech 0x63 0x61 0x67 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3A3E28D3-EB64-3069-7009-7CA732C61B48}

---- EOF - GMER 1.0.15 ----


#9 userhw

  • Topic Starter
  • Members
  • 45 posts

Posted 21 June 2010 - 11:10 AM

I'm having trouble posting the DDS log. The two attachments and the GMER log posted fine, but only part of the DDS log posted. Sorry I posted the same thing twice above, I'm getting error messages when I try and post sometimes. I can't seem to email the dds log to myself either to post from another computer but I'll keep trying.

#10 userhw

  • Topic Starter
  • Members
  • 45 posts

Posted 21 June 2010 - 11:17 AM

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 12:36:37.42 on Sun 06/20/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.258 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\igfxpers.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/


#11 userhw

  • Topic Starter
  • Members
  • 45 posts

Posted 21 June 2010 - 11:38 AM

I was able to follow all of your instructions except that I was unable to post the DDS log in full or upload it as an attachment (part of it has posted). Also, I created a new hotmail account to use from my infected computer, so I would not compromise my real email address by using the password on that computer. I tried to email myself the DDS log but was unable to, and also all the emails that came through to my real account which I'm accessing from another computer had been compromised with some kind of spam (I deleted them in full, unopened.)

I am currently leaving my infected computer disconnected from the internet and turned off until I receive more instructions.

(note: I could transfer the DDS.txt document by a usb connection and post it from this computer, but I'm worried about infecting this computer.)

Thank you and fingers crossed!


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:23 PM

Posted 21 June 2010 - 05:07 PM

There's undoubtedly something stopping your connection to security sites.

Please download and run Combofix. It is okay to download and transfer to the infected PC, but keep the flashdrive plugged in to the infected PC after transferring so Combofix cleans it too.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#13 userhw

userhw
  • Topic Starter

  • Members
  • 45 posts
  • Local time:01:23 PM

Posted 21 June 2010 - 06:34 PM

ComboFix 10-06-21.01 - Administrator 06/21/2010 16:22:31.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.419 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\comfix.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\Color

Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.

2010-06-20 18:48 . 2010-06-20 18:48 -------- d-----w- C:\VritualRoot
2010-06-19 03:04 . 2010-06-19 04:10 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-19 03:04 . 2010-06-19 03:04 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-19 03:04 . 2010-06-19 04:09 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-19 03:02 . 2010-06-19 03:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-06-18 23:29 . 2010-06-18 23:29 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-06-18 22:59 . 2010-06-18 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-06-18 20:09 . 2010-06-18 20:09 -------- d-----r- C:\comment.htt
2010-06-18 19:30 . 2010-06-18 19:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2010-06-18 19:27 . 2010-06-18 21:05 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-06-18 19:20 . 2010-06-18 19:20 2 --shatr- c:\windows\winstart.bat
2010-06-18 19:20 . 2010-06-18 19:20 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-06-18 19:20 . 2010-06-18 19:20 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-06-18 19:20 . 2010-05-21 19:16 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-06-18 19:20 . 2010-06-18 23:13 -------- d-----w- c:\program files\UnHackMe
2010-06-18 17:50 . 2010-06-18 17:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\SafeReturner
2010-06-18 17:50 . 2010-06-20 19:25 -------- d-----w- c:\program files\Safe Returner
2010-06-18 01:02 . 2010-06-20 19:26 -------- d-----w- c:\program files\Sophos
2010-06-12 18:25 . 2010-06-12 18:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Safe mirror
2010-06-12 18:22 . 2010-06-20 19:06 -------- d-----w- c:\program files\Cobian Backup 10
2010-06-12 17:10 . 2010-06-12 17:10 -------- d-----w- c:\program files\Runtime Software
2010-06-12 04:51 . 2010-06-12 04:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-12 04:50 . 2010-06-12 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-12 04:50 . 2010-06-20 19:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 16:41 . 2010-06-10 21:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\yjrrhtq
2010-06-03 17:21 . 2010-06-03 17:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intuit
2010-05-29 23:21 . 2010-05-29 23:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Picmeta

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-18 18:19 . 2009-10-26 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-18 17:08 . 2009-10-27 22:34 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-11 04:51 . 2009-11-01 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2010-06-10 21:03 . 2009-10-26 07:16 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-10 19:41 . 2009-10-26 16:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-04 01:33 . 2010-02-13 20:55 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 16:35 . 2009-10-26 07:17 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-02 16:34 . 2009-10-26 07:17 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-12 18:27 . 2009-10-26 06:22 34736 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-24 01:23 . 2010-04-24 01:23 -------- d-----w- c:\program files\FeedDemon
2010-04-16 00:51 . 2010-04-16 00:51 7680 --sha-w- c:\program files\Thumbs.db
2010-02-28 21:10 . 2010-02-28 21:10 14336 ----a-w- c:\program files\wmdmhelper.dll
2010-02-28 21:08 . 2010-02-28 21:08 53248 ----a-w- c:\program files\rpau3260.dll
2010-02-28 21:06 . 2010-02-28 21:06 716 ----a-w- c:\program files\CinemasterVideo.4.3.manifest
2010-02-28 21:06 . 2010-02-28 21:06 572 ----a-w- c:\program files\CinemasterAudio.4.3.manifest
2010-02-28 21:06 . 2010-02-28 21:06 488968 ----a-w- c:\program files\realplay.exe
2010-02-28 21:06 . 2010-02-28 21:06 1559 ----a-w- c:\program files\realplay.exe.manifest
2010-02-28 21:06 . 2010-02-28 21:06 23558 ----a-w- c:\program files\freeoffers.ico
2010-02-28 21:06 . 2010-02-28 21:06 207 ----a-w- c:\program files\subscription.rnx
2010-02-28 21:06 . 2010-02-28 21:06 17846 ----a-w- c:\program files\videotest.rm
2010-02-28 21:06 . 2010-02-28 21:06 685 ----a-w- c:\program files\RecordingManager.exe.manifest
2010-02-28 21:06 . 2010-02-28 21:06 398912 ----a-w- c:\program files\RecordingManager.exe
2009-10-29 19:57 . 2009-10-29 19:57 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-09-18 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-18 20:27 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-09-18 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-09-18 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-09-19 03:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-09-19 03:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-09-19 03:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2010-05-21 594200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-09-19 670864]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-28 202256]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 16:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/26/2009 12:17 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/26/2009 12:17 AM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/15/2010 9:36 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 9:37 AM 308064]
R3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [6/18/2010 12:20 PM 35816]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/29/2009 12:57 PM 30192]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [6/18/2010 12:27 PM 24416]
S4 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe --> c:\program files\Cobian Backup 10\cbVSCService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9l2820bh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.igoogle.ca/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-!SASWinLogon - (no file)
AddRemove-PIE_is1 - d:\program files\Picmeta\PIE\unins000.exe
AddRemove-VUE - e:\program files\VUE\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-21 16:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-448539723-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3A3E28D3-EB64-3069-7009-7CA732C61B48}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3A3E28D3-EB64-3069-7009-7CA732C61B48}\InProcServer32*]
"kabcbfmmplhklkhbnomiif"=hex:62,61,62,64,00,6f
"jabcipeandjomdmloech"=hex:63,61,67,64,65,67,00,00
.
Completion time: 2010-06-21 16:32:34
ComboFix-quarantined-files.txt 2010-06-21 23:32

Pre-Run: 2,878,865,408 bytes free
Post-Run: 3,156,328,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 4D7E250843EF7EFB78BC03F0F838B3E1


#14 userhw

userhw
  • Topic Starter

  • Members
  • 45 posts
  • Local time:01:23 PM

Posted 21 June 2010 - 06:44 PM

Okay,
I was able to follow all the instructions without a problem (to my knowledge anyway)...
Fingers still crossed.


#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:23 PM

Posted 22 June 2010 - 07:32 PM

Looks like Combofix ran fine

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
Folder::
c:\documents and settings\Administrator\Local Settings\Application Data\yjrrhtq

RegNull::
[HKEY_USERS\S-1-5-21-1085031214-448539723-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3A3E28D3-EB64-3069-7009-7CA732C61B48}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3A3E28D3-EB64-3069-7009-7CA732C61B48}\InProcServer32*]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
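The Folder:: / RegNull:: script above was written by hand from the ComboFix log. As an added example (not m0le's instructions or ComboFix's own code), the Python below parses the two log sections the helper drew on, the "Files Created" list and the "LOCKED REGISTRY KEYS" list, and emits a CFScript of the same shape. The random-name heuristic for folders and the trimmed sample log are this example's own assumptions.

```python
import re

# Constructed sample: lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.
2010-06-12 04:50 . 2010-06-20 19:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 16:41 . 2010-06-10 21:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\yjrrhtq
2010-06-03 17:21 . 2010-06-03 17:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intuit
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1085031214-448539723-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3A3E28D3-EB64-3069-7009-7CA732C61B48}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3A3E28D3-EB64-3069-7009-7CA732C61B48}\InProcServer32*]
.
"""

# One "Files Created" entry: two timestamps, size or dashes, attribute flags, path.
ENTRY_RE = re.compile(r"^\S+ \S+ \. \S+ \S+\s+\S+\s+(\S+)\s+(.+)$")
KEY_RE = re.compile(r"^\[HKEY_[^\]]+\]$")


def split_sections(log):
    """Group log lines under the ComboFix section header they follow."""
    sections, current = {}, None
    for line in log.splitlines():
        if line.startswith(("((((", "-----")):
            current = line.strip("() -")
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line)
    return sections


def looks_random(name):
    # Heuristic assumed by this example (not a ComboFix rule): six or more lowercase
    # letters with at most one vowel reads as machine-generated, like 'yjrrhtq' above.
    return bool(re.fullmatch(r"[a-z]{6,}", name)) and sum(c in "aeiou" for c in name) <= 1


def suspicious_folders(lines):
    """Directories created under an Application Data tree with random-looking names."""
    found = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if m and m.group(1).startswith("d"):
            parent, _, name = m.group(2).strip().rpartition("\\")
            if "application data" in parent.lower() and looks_random(name):
                found.append(m.group(2).strip())
    return found


def locked_keys(lines):
    """Keys listed in the LOCKED REGISTRY KEYS section, brackets and trailing * kept."""
    return [line for line in lines if KEY_RE.match(line)]


def build_cfscript(log):
    """Emit a CFScript in the Folder:: / RegNull:: form used in this thread."""
    sections = split_sections(log)
    created = next((v for k, v in sections.items() if k.startswith("Files Created")), [])
    parts = []
    if folders := suspicious_folders(created):
        parts.append("Folder::\n" + "\n".join(folders))
    if keys := locked_keys(sections.get("LOCKED REGISTRY KEYS", [])):
        parts.append("RegNull::\n" + "\n".join(keys))
    return "\n\n".join(parts) + "\n"
```

Running `print(build_cfscript(SAMPLE_LOG))` reproduces the two directives from the post above; on a full log the folder list is a lead to review, not an automatic verdict.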



