Redirect?


  • This topic is locked
8 replies to this topic

#1 Sofare3

Sofare3

  • Members
  • 13 posts

Posted 21 July 2010 - 12:41 AM

I have been getting odd websites coming up. Logs attached.

DDS (Ver_10-03-17.01) - FAT32x86
Run by Jim Elliott at 0:16:21.41 on Wed 07/21/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.459 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
SVCHOST.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
D:\Program Files\SuperantiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim Elliott\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://members.har.com/indexr.cfm
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - o:\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - p:\tracker software\pdf viewer\PDFXCviewIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [PMXInit] c:\windows\system32\pmxinit.exe -SetupRunOnce
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [PMXInit] c:\windows\system32\pmxinit.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\usrobo~1.lnk - c:\program files\u.s. robotics 802.11g wlan\USRWLANG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - o:\adobe\acrobat 5.0\distillr\AcroTray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.DLL
Notify: Antiwpa - antiwpa.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL
Hosts: 192.168.123.107 HP00215A052FEF

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jimell~1\applic~1\mozilla\firefox\profiles\wv7d0yy9.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: o:\adobe\acrobat 5.0\acrobat\browser\nppdf32.dll
FF - plugin: p:\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-18 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-18 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-18 243024]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R3 powervr;powervr;c:\windows\system32\drivers\powervr.sys [2009-6-5 675984]
S3 cpuz128;cpuz128;\??\c:\docume~1\jimell~1\locals~1\temp\cpuz_x32.sys --> c:\docume~1\jimell~1\locals~1\temp\cpuz_x32.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\jimell~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\jimell~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

=============== Created Last 30 ================

2010-07-21 05:15:07 0 ----a-w- c:\documents and settings\jim elliott\defogger_reenable
2010-07-20 22:08:06 0 d-----w- c:\docume~1\jimell~1\applic~1\SUPERAntiSpyware.com
2010-07-20 22:08:06 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-20 16:23:19 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-20 03:58:00 0 d-sh--w- C:\FOUND.032
2010-07-15 14:31:51 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-13 03:53:56 40 ----a-w- c:\windows\EP2000.INI

==================== Find3M ====================

2010-07-20 16:17:20 2500 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-15 14:31:58 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 14:28:48 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-07 03:07:32 34520 ----a-w- C:\stream.bin
2010-04-24 02:32:14 59812 ----a-w- c:\windows\fonts\AdobeFnt.lst
2000-07-17 13:58:52 89600 ----a-w- c:\windows\inf\Colprofs.exe
2009-12-23 14:12:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122320091224\index.dat

============= FINISH: 0:18:13.34 ===============
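As an added example (not part of this thread, and not code from DDS, ComboFix, GMER or the BleepingComputer helpers), here is a Python triage script for the DDS log format posted above. It splits the report into its `===` sections and flags the entry types a helper usually checks first: kernel drivers registered from a temporary directory, Winlogon `Notify:` DLLs given by bare filename rather than a full path, `BHO:`/`TB:` entries pointing at `No File`, and `Hosts:` overrides. The sample input is a trimmed copy of lines from the log above; the category names and heuristics are my own, and each finding is a prompt for manual verification, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of lines from the DDS log posted above,
# kept in the original section layout so the section splitter has something to do.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = https://members.har.com/indexr.cfm
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.DLL
Notify: Antiwpa - antiwpa.dll
Notify: avgrsstarter - avgrsstx.dll
Hosts: 192.168.123.107 HP00215A052FEF

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-18 216400]
S3 cpuz128;cpuz128;\??\c:\docume~1\jimell~1\locals~1\temp\cpuz_x32.sys --> c:\docume~1\jimell~1\locals~1\temp\cpuz_x32.sys [?]
"""


@dataclass(frozen=True)
class Finding:
    category: str   # my own label for the heuristic that fired
    entry: str      # the item name (driver, Notify key, hostname, or raw line)
    note: str       # what a reviewer should verify


SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                     # "=== Name ==="
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[[^\]]*\])?$")
NOTIFY_RE = re.compile(r"^Notify:\s+(\S+)\s+-\s+(.+)$")
NOFILE_RE = re.compile(r"^(BHO|TB):.*-\s+No File$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)              # any "...\temp\..." path
FULL_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)            # starts with a drive letter


def split_sections(text):
    """Group non-blank lines under the '=== Section ===' header that precedes them."""
    sections = {}
    current = "PREAMBLE"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return the list of Findings for a DDS report; an empty list means no heuristic fired."""
    sections = split_sections(text)
    findings = []

    for line in sections.get("SERVICES / DRIVERS", []):
        m = DRIVER_RE.match(line)
        if m and TEMP_DIR_RE.search(m.group(4)):
            findings.append(Finding(
                "driver-in-temp", m.group(2),
                "kernel driver registered from a temp directory; legitimate utilities "
                "(CPU-Z, for one) do this too, so locate the file and check its signer"))

    for line in sections.get("PSEUDO HJT REPORT", []):
        m = NOTIFY_RE.match(line)
        if m:
            name, path = m.groups()
            if not FULL_PATH_RE.match(path):
                findings.append(Finding(
                    "notify-bare-name", name,
                    f"Winlogon Notify DLL '{path}' has no full path; it is resolved via the "
                    "search path, so find the file on disk and verify its publisher"))
            continue
        if NOFILE_RE.match(line):
            findings.append(Finding(
                "orphaned-entry", line,
                "registry entry points at a file that no longer exists; cleanup candidate, "
                "not evidence of infection by itself"))
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            findings.append(Finding(
                "hosts-override", host,
                f"hosts file maps {host} to {ip}; confirm the mapping is intentional"))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.category}] {f.entry}: {f.note}")
```

Running the script on the sample prints five findings: the `cpuz128` driver in `\temp\`, the two bare-name Notify DLLs, the `TB:` entry with `No File`, and the single hosts override. The `Notify:` heuristic deliberately fires on `avgrsstx.dll` as well as `antiwpa.dll`, since a bare filename cannot be checked from the log alone; the point is to surface what must be verified on disk, not to guess at it from the text.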


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 27 July 2010 - 06:24 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Your GMER log shows signs of a rootkit infection.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop. If you have already run ComboFix, delete your old copy and download a new one.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.


  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 Sofare3

Sofare3
  • Topic Starter

  • Members
  • 13 posts

Posted 27 July 2010 - 10:59 PM

Combofix hung after the DOS window showed it was scanning. I waited 2 hours; nothing, so I closed the window. I rebooted into Safe Mode and ran Combofix and GMER in Safe Mode.
Combofix Log:
ComboFix 10-07-27.01 - Jim Elliott 07/27/2010 23:11:37.1.1 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.833 [GMT -5:00]
Running from: c:\documents and settings\Jim Elliott\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\Color
c:\windows\system\Color\17PS-2.icm
c:\windows\system\Color\a110-2.icm
c:\windows\system\Color\A110.icm
c:\windows\system\Color\A50.icm
c:\windows\system\Color\a70-2.icm
c:\windows\system\Color\A70.icm
c:\windows\system\Color\A75f-2.icm
c:\windows\system\Color\A75f.icm
c:\windows\system\Color\A75S-2.icm
c:\windows\system\Color\A75S.icm
c:\windows\system\Color\a90-2.icm
c:\windows\system\Color\A90.icm
c:\windows\system\Color\A95F.icm
c:\windows\system\Color\AL750.icm
c:\windows\system\Color\AL950.icm
c:\windows\system\Color\E40-2.icm
c:\windows\system\Color\E40-3.icm
c:\windows\system\Color\E40-4.icm
c:\windows\system\Color\E40-5.icm
c:\windows\system\Color\E40.icm
c:\windows\system\Color\e50-2.icm
c:\windows\system\Color\E50.icm
c:\windows\system\Color\e55.icm
c:\windows\system\Color\E641-2.ICM
c:\windows\system\Color\E641-3.icm
c:\windows\system\Color\E651-2.icm
c:\windows\system\Color\E651-3.icm
c:\windows\system\Color\E651.icm
c:\windows\system\Color\E653-2.icm
c:\windows\system\Color\E653-3.icm
c:\windows\system\Color\E653-4.icm
c:\windows\system\Color\E653.icm
c:\windows\system\Color\E655-2.icm
c:\windows\system\Color\E655-3.icm
c:\windows\system\Color\E655-4.icm
c:\windows\system\Color\E70-2.icm
c:\windows\system\Color\E70-3.icm
c:\windows\system\Color\E70-4.icm
c:\windows\system\Color\e70-5.icm
c:\windows\system\Color\E70.icm
c:\windows\system\Color\E70f.icm
c:\windows\system\Color\e71-2.icm
c:\windows\system\Color\E771-2.icm
c:\windows\system\Color\E771-4.icm
c:\windows\system\Color\E771.ICM
c:\windows\system\Color\E771tc.icm
c:\windows\system\Color\E771tr.icm
c:\windows\system\Color\E773.icm
c:\windows\system\Color\E790-3.icm
c:\windows\system\Color\E790.icm
c:\windows\system\Color\E790b-4.icm
c:\windows\system\Color\E790B.icm
c:\windows\system\Color\E810.icm
c:\windows\system\Color\E90.icm
c:\windows\system\Color\EA771.icm
c:\windows\system\Color\EA771B.icm
c:\windows\system\Color\EF70.icm
c:\windows\system\Color\finish.txt
c:\windows\system\Color\G50m.icm
c:\windows\system\Color\G653-2.icm
c:\windows\system\Color\G653.icm
c:\windows\system\Color\G655-3.icm
c:\windows\system\Color\G655.icm
c:\windows\system\Color\G655TR.icm
c:\windows\system\Color\G70m.icm
c:\windows\system\Color\G70mb.icm
c:\windows\system\Color\G773-2.icm
c:\windows\system\Color\G773-3.icm
c:\windows\system\Color\G773.icm
c:\windows\system\Color\G790-2.icm
c:\windows\system\Color\G790.icm
c:\windows\system\Color\G810-2.ICM
c:\windows\system\Color\G810-3EP.icm
c:\windows\system\Color\G810-4.icm
c:\windows\system\Color\g810-5.icm
c:\windows\system\Color\G90f.icm
c:\windows\system\Color\G90m.icm
c:\windows\system\Color\GA655.icm
c:\windows\system\Color\GA771.icm
c:\windows\system\Color\GF775.icm
c:\windows\system\Color\GS771.icm
c:\windows\system\Color\GS773-2.icm
c:\windows\system\Color\GS773.icm
c:\windows\system\Color\GS790.icm
c:\windows\system\Color\GS790TC.icm
c:\windows\system\Color\GS815.icm
c:\windows\system\Color\GT775-3.icm
c:\windows\system\Color\M50.icm
c:\windows\system\Color\M70.icm
c:\windows\system\Color\M70B.icm
c:\windows\system\Color\MB110.icm
c:\windows\system\Color\MB50.icm
c:\windows\system\Color\MB70.icm
c:\windows\system\Color\MB90.icm
c:\windows\system\Color\P220f.icm
c:\windows\system\Color\P225f.icm
c:\windows\system\Color\P655.ICM
c:\windows\system\Color\P775.icm
c:\windows\system\Color\P795.icm
c:\windows\system\Color\P810-3.ICM
c:\windows\system\Color\P810-4.icm
c:\windows\system\Color\P810.icm
c:\windows\system\Color\P815-4.icm
c:\windows\system\Color\P817-E.icm
c:\windows\system\Color\P817.icm
c:\windows\system\Color\P95f.icm
c:\windows\system\Color\PF77.icm
c:\windows\system\Color\PF775.icm
c:\windows\system\Color\pf790-2.icm
c:\windows\system\Color\PF790.icm
c:\windows\system\Color\PF795.icm
c:\windows\system\Color\PF815.icm
c:\windows\system\Color\PF817.icm
c:\windows\system\Color\PF97.icm
c:\windows\system\Color\PJ1000.icm
c:\windows\system\Color\pj1060-2.icm
c:\windows\system\Color\PJ1060.icm
c:\windows\system\Color\PJ1200.icm
c:\windows\system\Color\PJ800.icm
c:\windows\system\Color\PJ820.icm
c:\windows\system\Color\PJ850.icm
c:\windows\system\Color\pj853.icm
c:\windows\system\Color\PJ860-2.icm
c:\windows\system\Color\PJ860.icm
c:\windows\system\Color\PJL1005.icm
c:\windows\system\Color\PJL1035-2.icm
c:\windows\system\Color\PJL1035.icm
c:\windows\system\Color\PJL802.icm
c:\windows\system\Color\pjl850.icm
c:\windows\system\Color\PJL855.icm
c:\windows\system\Color\PS775-2.icm
c:\windows\system\Color\PS775.icm
c:\windows\system\Color\PS790-2.icm
c:\windows\system\Color\PS790.icm
c:\windows\system\Color\PS795.icm
c:\windows\system\Color\PT771.icm
c:\windows\system\Color\PT775-6.icm
c:\windows\system\Color\PT795.icm
c:\windows\system\Color\va800.icm
c:\windows\system\Color\ve150-2.icm
c:\windows\system\Color\VE150.icm
c:\windows\system\Color\VE150b-2.icm
c:\windows\system\Color\VE150b.icm
c:\windows\system\Color\VE151.icm
c:\windows\system\Color\ve170.icm
c:\windows\system\Color\VE170b.icm
c:\windows\system\Color\VG150.icm
c:\windows\system\Color\VG151.icm
c:\windows\system\Color\VG151TR.icm
c:\windows\system\Color\vg175.icm
c:\windows\system\Color\VG180-2.icm
c:\windows\system\Color\VG180.icm
c:\windows\system\Color\VG181.icm
c:\windows\system\Color\VGD150.icm
c:\windows\system\Color\VP140-2.icm
c:\windows\system\Color\VP140-3.icm
c:\windows\system\Color\VP140.icm
c:\windows\system\Color\VP140TR.icm
c:\windows\system\Color\VP150.icm
c:\windows\system\Color\VP150m.icm
c:\windows\system\Color\VP151.icm
c:\windows\system\Color\VP181.icm
c:\windows\system\Color\VP190.icm
c:\windows\system\Color\vp211hd.icm
c:\windows\system\Color\VPA138.icm
c:\windows\system\Color\VPA145.icm
c:\windows\system\Color\VPA150-2.icm
c:\windows\system\Color\VPA150.icm
c:\windows\system\Color\VPD150.icm
c:\windows\system\Color\VPD180.icm
c:\windows\system\Color\Z50-2.icm
c:\windows\system\Color\Z70.icm
c:\windows\system\Color\Z90.icm

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-26 20:36 . 2010-07-26 20:36 -------- d-----w- C:\FOUND.034
2010-07-22 17:13 . 2010-07-22 17:13 -------- d-----w- C:\FOUND.033
2010-07-20 22:09 . 2010-07-20 22:09 63488 ----a-w- c:\documents and settings\Jim Elliott\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-20 22:08 . 2010-07-20 22:08 52224 ----a-w- c:\documents and settings\Jim Elliott\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-20 22:08 . 2010-07-20 22:08 117760 ----a-w- c:\documents and settings\Jim Elliott\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-20 22:08 . 2010-07-20 22:08 -------- d-----w- c:\documents and settings\Jim Elliott\Application Data\SUPERAntiSpyware.com
2010-07-20 22:08 . 2010-07-20 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-20 16:23 . 2010-06-22 09:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-20 16:22 . 2010-07-20 16:22 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-20 16:22 . 2010-07-20 16:22 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-20 16:22 . 2010-07-20 16:22 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-20 16:22 . 2010-07-20 16:22 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-20 16:18 . 2010-07-20 16:19 79488 ----a-w- c:\documents and settings\Jim Elliott\Application Data\Sun\Java\jre1.6.0_21\gtapi.dll
2010-07-20 03:58 . 2010-07-20 03:58 -------- d-----w- C:\FOUND.032
2010-07-15 14:31 . 2010-07-15 14:31 12536 ----a-w- c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 19:14 . 2009-09-14 15:48 1039174 ----a-w- C:\stream.bin
2010-07-21 05:18 . 2009-08-26 16:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-15 14:31 . 2010-01-18 16:43 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 14:28 . 2010-01-18 16:43 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-02 14:41 . 2010-01-18 16:43 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-29 20:39 . 2009-10-28 20:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-28 20:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"PMXInit"="c:\windows\system32\pmxinit.exe" [2001-04-19 700176]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
U.S. Robotics 802.11g Wireless Network Utility.lnk - c:\program files\U.S. Robotics 802.11g WLAN\USRWLANG.exe [2009-6-5 290816]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Acrobat Assistant.lnk - o:\adobe\Acrobat 5.0\Distillr\AcroTray.exe [2009-12-11 49254]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SuperantiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- d:\program files\SuperantiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 14:31 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
2005-08-24 23:25 101080 ----a-w- c:\program files\Microsoft Location Finder\LocationFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMXInit]
2001-04-19 23:00 700176 ----a-r- c:\windows\system32\pmxinit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"ERSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqnrs08.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/18/2010 11:43 AM 216400]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/18/2010 11:43 AM 243024]
S1 SASDIFSV;SASDIFSV;d:\program files\SuperantiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
S1 SASKUTIL;SASKUTIL;d:\program files\SuperantiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 9:31 AM 308136]
S3 cpuz128;cpuz128;\??\c:\docume~1\JIMELL~1\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\JIMELL~1\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 powervr;powervr;c:\windows\system32\drivers\powervr.sys [6/5/2009 6:07 PM 675984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = https://members.har.com/indexr.cfm
FF - ProfilePath - c:\documents and settings\Jim Elliott\Application Data\Mozilla\Firefox\Profiles\wv7d0yy9.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: o:\adobe\Acrobat 5.0\Acrobat\browser\nppdf32.dll
FF - plugin: p:\tracker software\PDF Viewer\npPDFXCviewNPPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-27 23:17
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1220945662-1708537768-1957994488-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(236)
d:\program files\SuperantiSpyware\SASWINLO.DLL
c:\windows\system32\antiwpa.dll
.
Completion time: 2010-07-27 23:20:16
ComboFix-quarantined-files.txt 2010-07-28 04:20

Pre-Run: 4,064,305,152 bytes free
Post-Run: 4,094,345,216 bytes free

- - End Of File - - EC0299306DDE66C38DDBFCD793F5D2EA

GMER Log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-27 23:25:52
Windows 5.1.2600 Service Pack 3
Running: gx0u9ekw.exe; Driver: C:\DOCUME~1\JIMELL~1\LOCALS~1\Temp\uxtdapow.sys


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\JIMELL~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- EOF - GMER 1.0.15 ----

Edited by Sofare3, 27 July 2010 - 11:44 PM.


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:05 PM

Posted 28 July 2010 - 09:56 AM

Hello.

Please scan again with GMER in normal mode. Also give me an update on the symptoms. Are the redirects still occurring?

With Regards,
The Panda

#5 Sofare3

Sofare3
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:05 PM

Posted 28 July 2010 - 03:31 PM

Panda,
It seems good so far. I have only had it connected to the internet 30 minutes, but nothing has popped up. I ran GMER in normal mode:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-28 15:21:23
Windows 5.1.2600 Service Pack 3
Running: gx0u9ekw.exe; Driver: C:\DOCUME~1\JIMELL~1\LOCALS~1\Temp\uxtdapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

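As an added example (not something posted in this thread), here is a small parser for the GMER log format shown above. It pulls out the AttachedDevice and Code entries and flags the ones a reviewer would look at first: device attachments with no recognised vendor string, and code hooks from modules living in a Temp directory. The vendor allowlist and the extra `xyz.sys` line are constructed for the demo; the other lines are copied from the logs in this thread.

```python
import re
from dataclasses import dataclass

# Sample GMER output: lines from the two logs posted above, plus one
# constructed AttachedDevice line (xyz.sys) with no vendor information.
GMER_LOG = """GMER 1.0.15.15281 - http://www.gmer.net
---- System - GMER 1.0.15 ----

Code \\??\\C:\\DOCUME~1\\JIMELL~1\\LOCALS~1\\Temp\\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \\Driver\\Tcpip \\Device\\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \\FileSystem\\Fastfat \\Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \\Driver\\Tcpip \\Device\\Tcp xyz.sys
"""

# Constructed allowlist: vendors that appear in this thread's logs.
KNOWN_VENDORS = {"Microsoft Corporation", "AVG Technologies CZ, s.r.o."}

# AttachedDevice <driver> <device> <module> [(<description>/<vendor>)]
ATTACHED = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<info>.*)\))?\s*$")
# Code <module> <hooked function>
CODEHOOK = re.compile(r"^Code\s+(?P<module>\S+)\s+(?P<target>\S+)\s*$")

@dataclass
class Finding:
    kind: str      # "AttachedDevice" or "Code"
    module: str    # driver file that GMER attributes the entry to
    target: str    # device object or hooked function
    vendor: str    # company name from the parenthesised info, if any

def parse_gmer(text):
    """Return every AttachedDevice and Code entry found in a GMER log."""
    findings = []
    for line in text.splitlines():
        m = ATTACHED.match(line)
        if m:
            info = m.group("info") or ""
            vendor = info.rsplit("/", 1)[-1] if info else ""
            findings.append(Finding("AttachedDevice", m.group("module"), m.group("device"), vendor))
            continue
        m = CODEHOOK.match(line)
        if m:
            findings.append(Finding("Code", m.group("module"), m.group("target"), ""))
    return findings

def triage(findings, known_vendors=KNOWN_VENDORS):
    """Keep entries a reviewer should check: unknown-vendor devices, Temp-dir hooks."""
    return [f for f in findings
            if (f.kind == "AttachedDevice" and f.vendor not in known_vendors)
            or (f.kind == "Code" and "\\temp\\" in f.module.lower())]
```

In the real log the flagged Temp-directory hook is catchme.sys, which belongs to the catchme scanner that ComboFix ran minutes earlier, so the flag tells you what to verify, not that something is malicious.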

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:05 PM

Posted 28 July 2010 - 05:07 PM

Hello.

Let's run an online scan to check for leftovers. Keep me updated if anything comes up.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


With Regards,
The Panda

#7 Sofare3

Sofare3
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:05 PM

Posted 29 July 2010 - 01:53 PM

Well, I had Kaspersky scan the whole computer, which took 2.5 hours. It found nothing, but I can't copy the report, it is blank. I left it too long I guess.

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:05 PM

Posted 29 July 2010 - 04:09 PM

Hello.

Looks good. Unless there are any issues, we can wrap up.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Please re-enable any antimalware programs that were disabled during the fix.

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:05 PM

Posted 08 August 2010 - 10:01 AM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
