Windows Update not working, Random Pages Hijacking...


This topic is locked
9 replies to this topic

#1 tonst

Posted 08 September 2010 - 05:42 AM

Hi all

Thanks for reading, hope you can help.... at the tearing my hair out stage now...


Been looking at my dad's PC (WinXP). It had Avast on it, but that was unable to update - couldn't find server.
That got removed and switched for AVG. Also Trend's online scanner, BitDefender online, AVG Anti-Spyware, Spybot, SUPERAntiSpyware, HijackThis... probably some others have been run... they found a few bits and have removed them. I also manually removed several dodgy-looking startup processes living in temp folders with dodgy names. I think something had got in via an old Java runtime, so I uninstalled Java, cleaned it up and installed the latest version.

NSLookup gives me my router IP (192.168.1.254) as the DNS address, and I've checked Control Panel and the registry for DNS settings, so I'm satisfied it's not a DNS hijack. Hosts file looks clean also.

So the current situation, as far as I've seen, is that:
1) Windows Update not connecting; through IE it gives an "Internet Explorer Cannot Display this Webpage" error.
NSLookup windowsupdate.microsoft.com resolves as 207.46.18.94
http://207.46.18.94/ redirects to http://update.microsoft.com/windowsupdate/v6/default.aspx which also gives the above error (but it's a page further on)
NSLookup update.microsoft.com resolves as 65.55.25.60
http://65.55.25.60/windowsupdate/v6/default.aspx gives the same error.

It seems, though, that anything in IE *or Firefox* mentioning Windows Update (in the title bar?) gets this error, e.g.:
http://www.google.co.uk/search?hl=en&s...q=&gs_rfai= gives the error

Windows Defender is not updating either, which I think is the same or a similar issue.

2) Random hijacking of redirects
So I search and get to:
http://www.google.co.uk/search?hl=en&c...rum&spell=1

I click on the BleepingComputer link that's 2nd down. The bleepingcomputer URL flashes up in the URL textbox, but then I'm quickly taken to a redirect site and then to something like eBay, as if there's some AdSense profiting being done by the creator of this hijack.

However, if I right-click the link, copy the URL and paste it into the URL bar, I get what I want.
This is IE and Firefox.

Seems to happen more when looking at security sites, but then that's all I've really been looking at on this. lol.

3) Random IE windows start with these random pages as in 2

4) Had to post this from another machine as I kept getting 'connection reset' upon posting.

DDS/GMER/Hijackthis Logs attached

Main DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Martin at 10:52:08.59 on 08/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1052 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
E:\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\system32\ctfmon.exe
E:\VirusCleaners\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\GammaTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
svchost.exe
E:\MagicTuneEngine.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
E:\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
E:\MagicTune.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Martin\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577;
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\viruscleaners\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Start WingMan Profiler] "c:\program files\logitech\profiler\lwemon.exe" /noui
uRun: [TomTomHOME.exe] "e:\tomtom home 2\TomTomHOMERunner.exe" -s
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] e:\viruscleaners\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [BigDogPath] c:\windows\VM_STI.EXE Philips SPC210NC Webcam
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\martin\startm~1\programs\startup\regist~1.lnk - c:\program files\pinnacle\dv500\eregister\RegTool.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gammat~1.lnk - e:\GammaTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &ieSpell Options
IE: Check &Spelling
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\viruscleaners\spybot - search & destroy\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.galatheasts.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\martin\applic~1\mozilla\firefox\profiles\d8n3xr4i.default\
FF - component: c:\documents and settings\martin\application data\mozilla\firefox\profiles\d8n3xr4i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\martin\application data\mozilla\firefox\profiles\d8n3xr4i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {4EA0BBB2-9441-45CE-BABB-F4855BFB3978} - c:\documents and settings\martin\local settings\application data\{4EA0BBB2-9441-45CE-BABB-F4855BFB3978}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-27 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-27 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-27 243024]
R1 lstone;Pinnacle Systems DV500 Overlay;c:\windows\system32\drivers\LStone2k.sys [2009-6-20 256113]
R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [2009-6-20 5543]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-8-27 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-27 308136]
R2 MicroGuard;MicroGuard Copy Protection;c:\windows\system32\drivers\mgnt.sys [2004-9-19 40392]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-1-7 91392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 TomTomHOMEService;TomTomHOMEService;e:\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [2004-9-19 7196]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-3-28 370360]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-8-27 431432]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S4 MioNet;MioNet Service; [x]

=============== Created Last 30 ================

2010-08-27 08:57:12 0 d-----w- c:\docume~1\martin\applic~1\Malwarebytes
2010-08-27 08:56:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-27 08:56:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-27 08:56:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-27 08:56:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-27 08:54:49 0 d-----w- c:\temp\cbc
2010-08-27 08:29:14 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-27 08:29:11 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-08-27 08:29:11 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-08-27 08:29:04 0 d-----w- c:\windows\system32\drivers\Avg
2010-08-27 08:28:56 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-08-27 08:25:38 0 d-----w- c:\program files\AVG
2010-08-27 08:25:21 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-08-25 07:58:29 0 d-----w- c:\docume~1\martin\applic~1\QuickScan
2010-08-25 07:06:57 0 d-----w- c:\windows\Internet Logs
2010-08-24 16:23:36 0 d-----w- c:\program files\Fiddler2
2010-08-24 16:23:16 0 d-----w- c:\docume~1\martin\applic~1\Wireshark
2010-08-24 16:13:47 73 ----a-w- c:\windows\system32\-1
2010-08-24 16:13:44 0 d-----w- c:\program files\WinPcap
2010-08-24 16:13:16 0 d-----w- c:\program files\Wireshark
2010-08-24 16:13:01 0 d-----w- c:\windows\system32\MpEngineStore
2010-08-24 14:40:04 0 d-----w- c:\docume~1\martin\applic~1\Grisoft
2010-08-24 14:39:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Grisoft
2010-08-24 08:52:34 0 d-----w- c:\docume~1\martin\applic~1\SUPERAntiSpyware.com
2010-08-24 08:52:34 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-24 08:52:10 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-24 08:08:19 0 d-----w- c:\program files\Trend Micro
2010-08-23 17:33:07 423656 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-07-10 09:43:54 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-07-04 07:44:08 7480 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-25 17:07:24 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-06-25 17:07:18 100880 ----a-w- c:\windows\system32\Packet.dll
2010-06-25 17:03:12 53299 ----a-w- c:\windows\system32\pthreadVC.dll

============= FINISH: 10:53:24.28 ===============
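Added example, not part of tonst's post or of the DDS tool: a small Python triage script that reads a DDS "Pseudo HJT Report" excerpt and pulls out the things worth checking first given these symptoms. The log above already contains the most telling one, `uInternet Settings,ProxyServer = http=127.0.0.1:5577;`, a WinINET proxy pointing at the local machine. Every WinINET client (IE, Windows Update, Defender's updater) is routed through whatever is listening on that port, and Firefox with `network.proxy.type` set to 5 ("use system proxy settings", also visible in the greprefs dump above) follows the same setting, which is consistent with both browsers failing on update URLs and redirecting search clicks while a pasted URL works. The script also flags Firefox HiddenExtension entries that sit in a per-user Local Settings folder under a bare GUID name (the XULRunner entry here, which the ComboFix log later in the thread shows being deleted) and registry entries whose target is "No File". The sample text is an excerpt constructed from the report above; the function names and the heuristics are my own, not DDS's.

```python
"""Triage a DDS 'Pseudo HJT Report' for the signs of a browser/Windows Update hijack.

Added example for this thread (not part of the DDS tool or of the posts above).
Checks performed:
  1. ProxyServer lines whose endpoint is the local machine (loopback/localhost).
  2. Firefox HiddenExtension entries dropped into a per-user data folder under a
     bare GUID name, outside any profile 'extensions' directory.
  3. Registry entries whose target is 'No File' (orphaned, low signal on their own).
"""
from __future__ import annotations

import ipaddress
import re

# Constructed excerpt of the report posted above (only the relevant lines plus
# a few benign neighbours so the filters have something to leave alone).
DDS_SAMPLE = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577;
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {4EA0BBB2-9441-45CE-BABB-F4855BFB3978} - c:\documents and settings\martin\local settings\application data\{4EA0BBB2-9441-45CE-BABB-F4855BFB3978}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
"""

# DDS prefixes the key with u/m/d for the HKCU / HKLM / default-user hive.
PROXY_RE = re.compile(r"^[umd]?Internet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$", re.I | re.M)
NOFILE_RE = re.compile(r"^(?P<entry>.+?)\s+-\s+No File\s*$", re.I | re.M)
FF_HIDDEN_RE = re.compile(r"^FF - HiddenExtension: (?P<name>.+?): (?P<ident>.+?) - (?P<path>.+)$", re.M)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def _is_local_host(host: str) -> bool:
    """True for 'localhost' or any loopback address (IPv4 or bracketed IPv6)."""
    host = host.strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_local_proxies(report: str) -> list[str]:
    """Return proxy endpoints (host:port) that point back at this machine.

    WinINET stores either 'host:port' or 'scheme=host:port;scheme=host:port;...'.
    A loopback proxy means some local process sits between every WinINET client
    (IE, Windows Update, Defender) and the network.
    """
    hits = []
    for m in PROXY_RE.finditer(report):
        for entry in m.group("value").split(";"):
            entry = entry.strip()
            if not entry:
                continue
            endpoint = entry.split("=", 1)[1] if "=" in entry else entry
            host = endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint
            if _is_local_host(host):
                hits.append(endpoint)
    return hits


def find_suspicious_ff_extensions(report: str) -> list[str]:
    """Return HiddenExtension paths that look dropped rather than installed.

    Legitimate hidden extensions live under Program Files, %WINDIR% or a profile's
    'extensions' directory. A GUID-named folder sitting directly in a per-user data
    folder (Local Settings, Temp, Application Data) is the pattern a drive-by
    installer leaves behind.
    """
    hits = []
    for m in FF_HIDDEN_RE.finditer(report):
        path = m.group("path").rstrip("\\")
        parts = path.lower().split("\\")
        in_user_profile = any(p in ("documents and settings", "users") for p in parts)
        in_extensions_dir = "extensions" in parts[:-1]
        if in_user_profile and not in_extensions_dir and GUID_RE.match(parts[-1]):
            hits.append(path)
    return hits


def find_dangling_entries(report: str) -> list[str]:
    """Return entries whose target file no longer exists ('- No File')."""
    return [m.group("entry") for m in NOFILE_RE.finditer(report)]


def triage(report: str) -> dict[str, list[str]]:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "local_proxy": find_local_proxies(report),
        "ff_hidden_extension": find_suspicious_ff_extensions(report),
        "no_file": find_dangling_entries(report),
    }


if __name__ == "__main__":
    for kind, items in triage(DDS_SAMPLE).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Run it as-is and it reports the 127.0.0.1:5577 proxy, the GUID-named XULRunner folder and the orphaned EB entry. A loopback proxy entry is a symptom to clear (set the connection back to direct after the infection is removed), not the whole story: the ComboFix output further down shows netbt.sys was also patched and an NDISRD filter driver registration was removed, so traffic on this machine was being intercepted below the proxy layer as well.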


#2 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 08 September 2010 - 08:40 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Do not run any other tool until instructed to do so!
  2. Do not attach logs unless I ask you to.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool until instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Run ComboFix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

Information and logs:
    In your next post I need the following
    1. Log From Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click the donate button. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 tonst (Topic Starter)

Posted 09 September 2010 - 04:19 AM

Thanks Gringo

It seemed to do the trick. The process went smoothly; it found rootkit activity, and looking at the log it was all down to netbt.sys, which it replaced.
Lovely tool! Log attached.

So Windows Update and Defender are now all happy and working.
Not had any recurrence of windows popping up or having my navigation hijacked yet, so looking good - will post back if it recurs.

Thank you very much!

Attached file: log.txt (19.52 KB)


#4 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 09 September 2010 - 04:30 AM

I need you to post the log into the thread and turn off word wrap; I can't read the report as it is.


Gringo

#5 tonst (Topic Starter)

Posted 09 September 2010 - 12:06 PM

ComboFix 10-09-08.01 - Martin 09/09/2010 9:57.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1572 [GMT 1:00]
Running from: c:\documents and settings\Martin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Martin\Application Data\Yxhos
c:\documents and settings\Martin\Application Data\Yxhos\kofa.tmp
c:\documents and settings\Martin\Application Data\Yxhos\kofa.xae
c:\documents and settings\Martin\GoToAssistDownloadHelper.exe
c:\documents and settings\Martin\Local Settings\Application Data\{4EA0BBB2-9441-45CE-BABB-F4855BFB3978}
c:\documents and settings\Martin\Local Settings\Application Data\{4EA0BBB2-9441-45CE-BABB-F4855BFB3978}\chrome.manifest
c:\documents and settings\Martin\Local Settings\Application Data\{4EA0BBB2-9441-45CE-BABB-F4855BFB3978}\chrome\content\_cfg.js
c:\documents and settings\Martin\Local Settings\Application Data\{4EA0BBB2-9441-45CE-BABB-F4855BFB3978}\chrome\content\overlay.xul
c:\documents and settings\Martin\Local Settings\Application Data\{4EA0BBB2-9441-45CE-BABB-F4855BFB3978}\install.rdf
c:\documents and settings\Martin\Local Settings\Application Data\Windows Server
c:\documents and settings\Martin\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Martin\Local Settings\Application Data\Windows Server\uses32.dat
c:\windows\system32\ndisapi.dll

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISRD


((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))
.

2010-09-08 08:30 . 2010-07-26 21:30 705208 ----a-w- c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\d8n3xr4i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-09-08 08:30 . 2010-07-26 21:30 978664 ----a-w- c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\d8n3xr4i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-08-27 09:48 . 2010-09-09 07:42 0 ----a-w- c:\documents and settings\Martin\Local Settings\Application Data\prvlcl.dat
2010-08-27 09:31 . 2010-08-27 09:31 -------- d-----w- c:\documents and settings\Martin\Local Settings\Application Data\AVG Security Toolbar
2010-08-27 08:25 . 2010-08-27 08:25 -------- d-----w- c:\program files\AVG
2010-08-27 08:25 . 2010-08-27 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-25 07:58 . 2010-08-25 08:01 -------- d-----w- c:\documents and settings\Martin\Application Data\QuickScan
2010-08-25 07:06 . 2010-08-25 07:06 -------- d-----w- c:\windows\Internet Logs
2010-08-24 16:23 . 2010-09-08 08:32 -------- d-----w- c:\program files\Fiddler2
2010-08-24 16:23 . 2010-08-24 16:23 -------- d-----w- c:\documents and settings\Martin\Application Data\Wireshark
2010-08-24 16:13 . 2010-08-24 16:13 -------- d-----w- c:\program files\WinPcap
2010-08-24 16:13 . 2010-08-24 16:14 -------- d-----w- c:\program files\Wireshark
2010-08-24 16:13 . 2010-08-25 08:18 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-24 14:40 . 2010-08-24 14:40 -------- d-----w- c:\documents and settings\Martin\Application Data\Grisoft
2010-08-24 14:39 . 2010-08-24 14:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2010-08-24 08:53 . 2010-08-24 08:53 63488 ----a-w- c:\documents and settings\Martin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-24 08:53 . 2010-08-24 08:53 52224 ----a-w- c:\documents and settings\Martin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-24 08:53 . 2010-08-24 08:53 117760 ----a-w- c:\documents and settings\Martin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-24 08:52 . 2010-08-24 08:52 -------- d-----w- c:\documents and settings\Martin\Application Data\SUPERAntiSpyware.com
2010-08-24 08:52 . 2010-08-24 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-24 08:52 . 2010-08-27 07:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-24 08:08 . 2010-08-24 08:08 388096 ----a-r- c:\documents and settings\Martin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-24 08:08 . 2010-08-24 08:08 -------- d-----w- c:\program files\Trend Micro
2010-08-23 17:33 . 2010-08-23 17:33 503808 ----a-w- c:\documents and settings\Martin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1709c1c2-n\msvcp71.dll
2010-08-23 17:33 . 2010-08-23 17:33 61440 ----a-w- c:\documents and settings\Martin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-175cc6df-n\decora-sse.dll
2010-08-23 17:33 . 2010-08-23 17:33 499712 ----a-w- c:\documents and settings\Martin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1709c1c2-n\jmc.dll
2010-08-23 17:33 . 2010-08-23 17:33 348160 ----a-w- c:\documents and settings\Martin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1709c1c2-n\msvcr71.dll
2010-08-23 17:33 . 2010-08-23 17:33 12800 ----a-w- c:\documents and settings\Martin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-175cc6df-n\decora-d3d.dll
2010-08-23 17:33 . 2010-07-17 04:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-23 17:13 . 2010-08-24 06:41 -------- d-----w- c:\windows\BDOSCAN8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-08 08:48 . 2009-08-23 08:16 -------- d-----w- c:\program files\Essentials Codec Pack
2010-09-08 08:33 . 2006-01-23 18:57 -------- d-----w- c:\program files\Google
2010-09-08 08:31 . 2006-12-03 10:53 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2010-09-08 08:31 . 2004-09-18 18:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-27 09:23 . 2010-08-27 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-08-27 08:57 . 2010-08-27 08:57 -------- d-----w- c:\documents and settings\Martin\Application Data\Malwarebytes
2010-08-27 08:56 . 2010-08-27 08:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-27 08:56 . 2010-08-27 08:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-27 08:29 . 2010-08-27 08:29 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-27 08:29 . 2010-08-27 08:29 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-08-27 08:29 . 2010-08-27 08:29 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-08-27 08:29 . 2010-08-27 08:29 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-08-25 07:27 . 2004-09-19 08:51 -------- d-----w- c:\program files\Common Files\Java
2010-08-25 07:05 . 2010-07-10 09:44 -------- d-----w- c:\program files\ZoneAlarm
2010-08-02 09:40 . 2006-11-07 18:47 -------- d-----w- c:\program files\Talex update utility
2010-07-10 09:43 . 2004-09-19 08:10 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-07-04 07:44 . 2007-12-08 13:31 7480 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-30 13:22 . 2010-08-27 09:23 2102600 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-06-27 08:20 . 2010-06-27 08:20 0 ----a-w- c:\windows\Lromuzitohapuv.bin
2010-06-25 17:07 . 2010-06-25 17:07 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-06-25 17:07 . 2010-06-25 17:07 100880 ----a-w- c:\windows\system32\Packet.dll
2010-06-25 17:07 . 2010-06-25 17:07 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2010-06-25 17:03 . 2010-06-25 17:03 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2006-02-23 08:16 . 2009-01-25 12:10 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 08:16 . 2009-01-25 12:10 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-06-30 13:22 2102600 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="c:\program files\Logitech\Profiler\lwemon.exe" [2005-04-18 73728]
"TomTomHOME.exe"="e:\tomtom home 2\TomTomHOMERunner.exe" [2009-11-13 247144]
"SpybotSD TeaTimer"="e:\viruscleaners\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-27 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 77824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2005-07-23 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-08-27 2065760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Martin\Start Menu\Programs\Startup\
Registration-Pinnacle Systems DV500.lnk - c:\program files\Pinnacle\DV500\ERegister\RegTool.exe [2009-6-20 245760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - E:\GammaTray.exe [2009-2-4 36864]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-08-27 08:29 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\MagicTune.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/08/2010 09:29 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/08/2010 09:29 243024]
R1 lstone;Pinnacle Systems DV500 Overlay;c:\windows\system32\drivers\LStone2k.sys [20/06/2009 18:03 256113]
R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [20/06/2009 18:03 5543]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [27/08/2010 09:27 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [27/08/2010 09:27 308136]
R2 MicroGuard;MicroGuard Copy Protection;c:\windows\system32\drivers\mgnt.sys [19/09/2004 14:48 40392]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [07/01/2010 18:45 91392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 18:07 35088]
R2 TomTomHOMEService;TomTomHOMEService;e:\tomtom home 2\TomTomHOMEService.exe [13/11/2009 12:31 92008]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [19/09/2004 15:02 7196]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [28/03/2008 23:39 370360]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [27/08/2010 09:28 431432]
S4 MioNet;MioNet Service; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 12:56]

2009-02-15 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 12:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577;
IE: &ieSpell Options
IE: Check &Spelling
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.galatheasts.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\d8n3xr4i.default\
FF - component: c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\d8n3xr4i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\d8n3xr4i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)
AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-09 10:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2848)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
E:\MagicTuneEngine.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
E:\MagicTune.exe
.
**************************************************************************
.
Completion time: 2010-09-09 10:08:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-09 09:08

Pre-Run: 857,567,232 bytes free
Post-Run: 807,067,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=0 LastKnownGood=9 Sets=1,2,3,9
- - End Of File - - 77448D2F1C4439995076E6DDDE245208
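Added note and example (not part of tonst's or gringo_pr's posts, and not a ComboFix feature): the line that matters in the log above is "uInternet Settings,ProxyServer = http=127.0.0.1:5577;". A WinINET proxy pointing at 127.0.0.1 means a process on the PC itself is accepting every HTTP request the browser and Windows Update send, which fits both the hijacked pages and the "cannot display this webpage" from windowsupdate.microsoft.com described in the first post. The Python below, written for this thread, parses that ComboFix line the way a triager reads it, flags loopback proxies as suspicious and anything else as review-only, and maps the proxy port to the owning PID in "netstat -ano" output. The log excerpt and netstat table embedded in it are constructed samples; PID 1640 is hypothetical. Run it with a saved ComboFix log as the first argument; on Windows it queries the live netstat table, elsewhere it falls back to the sample.

```python
"""Triage the 'uInternet Settings,ProxyServer = ...' line from a ComboFix log.

Added example for this thread; not ComboFix code and not from the original posts.
Assumes the documented WinINET ProxyServer syntax: a bare 'host:port' used for
every protocol, or a ';'-separated list of 'scheme=host:port'.
"""
import ipaddress
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample: a 'Supplementary Scan' excerpt shaped like the one in this thread.
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577;
IE: &ieSpell Options
"""

# Constructed sample of 'netstat -ano' output; PID 1640 is hypothetical.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    127.0.0.1:5577         0.0.0.0:0              LISTENING       1640
  TCP    192.168.1.10:1089      207.46.18.94:80        SYN_SENT        1640
"""

PROXY_LINE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+?)\s*$", re.MULTILINE)


@dataclass(frozen=True)
class ProxyEntry:
    scheme: str   # 'http', 'https', 'ftp', 'socks', or 'all' for a bare host:port
    host: str
    port: int
    verdict: str  # 'suspicious' for a loopback proxy, 'review' for anything else


def parse_proxy_server(value):
    """Split a ProxyServer value into entries and flag loopback proxies.

    A proxy on 127.0.0.1 (or localhost) puts a process on this same machine in
    front of every request WinINET makes, browser and Windows Update alike.
    That is the hijack signature; any other proxy might be a genuine LAN proxy.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:                       # bare host:port applies to all protocols
            scheme, hostport = "all", scheme
        host, _, port = hostport.rpartition(":")
        try:
            loopback = ipaddress.ip_address(host.strip("[]")).is_loopback
        except ValueError:                # hostname rather than a literal address
            loopback = host.lower() == "localhost"
        entries.append(ProxyEntry(scheme.lower(), host, int(port) if port.isdigit() else 0,
                                  "suspicious" if loopback else "review"))
    return entries


def proxy_from_combofix_log(log_text):
    """ProxyServer entries a ComboFix log reports, or [] if the line is absent."""
    match = PROXY_LINE.search(log_text)
    return parse_proxy_server(match.group(1)) if match else []


def listening_pid(netstat_output, port):
    """PID owning the LISTENING TCP socket on `port` in 'netstat -ano' output, else None."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            if fields[1].rsplit(":", 1)[-1] == str(port):
                return int(fields[4])
    return None


def triage(log_text, netstat_output):
    """Pair each proxy entry with the PID on its port (looked up only for loopback proxies)."""
    findings = []
    for entry in proxy_from_combofix_log(log_text):
        pid = listening_pid(netstat_output, entry.port) if entry.verdict == "suspicious" else None
        findings.append((entry, pid))
    return findings


def main(argv):
    # Optional first argument: path to a saved ComboFix log.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG
    if sys.platform == "win32":   # live table on Windows, constructed sample elsewhere
        netstat_output = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        netstat_output = SAMPLE_NETSTAT
    findings = triage(log_text, netstat_output)
    if not findings:
        print("no ProxyServer entry in this log")
    for entry, pid in findings:
        hint = f' (PID {pid} is listening; tasklist /fi "PID eq {pid}" names the image)' if pid else ""
        print(f"{entry.scheme:<5} {entry.host}:{entry.port} -> {entry.verdict}{hint}")


if __name__ == "__main__":
    main(sys.argv)
```

On the live machine the same value lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings as ProxyServer (active when ProxyEnable is 1); the AutoConfigURL value in that same key is worth reading at the same time, since a PAC script reaches the same result by another route. The helper's CFScript in the next post clears the ProxyServer line, and the follow-up log confirms it is gone; the PID lookup is what tells you which binary was behind it so its file and startup entry can be quarantined rather than just the setting.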


#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 September 2010 - 12:09 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577;


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from ComboFix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 tonst

  • Topic Starter
  • Members
  • 4 posts

Posted 11 September 2010 - 05:42 AM

Thanks again, everything seems to be working as it should.


ComboFix 10-09-09.04 - Martin 11/09/2010 11:31:55.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1430 [GMT 1:00]
Running from: c:\documents and settings\Martin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Martin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-09-09 11:00 . 2010-09-09 11:00 -------- d-----w- C:\$AVG
2010-09-09 09:14 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-09-08 08:30 . 2010-07-26 21:30 705208 ----a-w- c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\d8n3xr4i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-09-08 08:30 . 2010-07-26 21:30 978664 ----a-w- c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\d8n3xr4i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-08-27 09:48 . 2010-09-11 10:27 0 ----a-w- c:\documents and settings\Martin\Local Settings\Application Data\prvlcl.dat
2010-08-27 09:31 . 2010-08-27 09:31 -------- d-----w- c:\documents and settings\Martin\Local Settings\Application Data\AVG Security Toolbar
2010-08-27 09:23 . 2010-06-30 13:22 2102600 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-08-27 08:57 . 2010-08-27 08:57 -------- d-----w- c:\documents and settings\Martin\Application Data\Malwarebytes
2010-08-27 08:56 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-27 08:56 . 2010-08-27 08:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-27 08:56 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-27 08:56 . 2010-08-27 08:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-27 08:29 . 2010-08-27 08:29 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-27 08:29 . 2010-08-27 08:29 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-08-27 08:29 . 2010-08-27 08:29 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-08-27 08:29 . 2010-09-11 10:27 -------- d-----w- c:\windows\system32\drivers\Avg
2010-08-27 08:29 . 2010-08-27 08:29 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-08-27 08:28 . 2010-08-27 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-08-27 08:25 . 2010-08-27 08:25 -------- d-----w- c:\program files\AVG
2010-08-27 08:25 . 2010-08-27 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-25 07:58 . 2010-08-25 08:01 -------- d-----w- c:\documents and settings\Martin\Application Data\QuickScan
2010-08-25 07:06 . 2010-08-25 07:06 -------- d-----w- c:\windows\Internet Logs
2010-08-24 16:23 . 2010-08-24 16:23 -------- d-----w- c:\documents and settings\Martin\Application Data\Wireshark
2010-08-24 16:13 . 2010-08-24 16:13 -------- d-----w- c:\program files\WinPcap
2010-08-24 16:13 . 2010-08-24 16:14 -------- d-----w- c:\program files\Wireshark
2010-08-24 16:13 . 2010-08-25 08:18 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-24 14:40 . 2010-08-24 14:40 -------- d-----w- c:\documents and settings\Martin\Application Data\Grisoft
2010-08-24 14:39 . 2010-08-24 14:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2010-08-24 08:52 . 2010-08-24 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-24 08:08 . 2010-08-24 08:08 388096 ----a-r- c:\documents and settings\Martin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-24 08:08 . 2010-08-24 08:08 -------- d-----w- c:\program files\Trend Micro
2010-08-23 17:33 . 2010-08-23 17:33 503808 ----a-w- c:\documents and settings\Martin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1709c1c2-n\msvcp71.dll
2010-08-23 17:33 . 2010-08-23 17:33 61440 ----a-w- c:\documents and settings\Martin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-175cc6df-n\decora-sse.dll
2010-08-23 17:33 . 2010-08-23 17:33 499712 ----a-w- c:\documents and settings\Martin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1709c1c2-n\jmc.dll
2010-08-23 17:33 . 2010-08-23 17:33 348160 ----a-w- c:\documents and settings\Martin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1709c1c2-n\msvcr71.dll
2010-08-23 17:33 . 2010-08-23 17:33 12800 ----a-w- c:\documents and settings\Martin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-175cc6df-n\decora-d3d.dll
2010-08-23 17:33 . 2010-07-17 04:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-23 17:13 . 2010-08-24 06:41 -------- d-----w- c:\windows\BDOSCAN8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-09 11:37 . 2010-01-07 17:44 -------- d-----w- c:\program files\Motorola
2010-09-09 11:36 . 2006-12-03 10:53 -------- d-----w- c:\program files\Motorola Phone Tools
2010-09-09 11:35 . 2004-09-18 18:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-09 11:35 . 2006-12-03 10:53 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2010-09-09 11:20 . 2010-07-04 07:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-08 08:48 . 2009-08-23 08:16 -------- d-----w- c:\program files\Essentials Codec Pack
2010-09-08 08:33 . 2006-01-23 18:57 -------- d-----w- c:\program files\Google
2010-08-25 07:27 . 2004-09-19 08:51 -------- d-----w- c:\program files\Common Files\Java
2010-08-25 07:05 . 2010-07-10 09:44 -------- d-----w- c:\program files\ZoneAlarm
2010-08-02 09:40 . 2006-11-07 18:47 -------- d-----w- c:\program files\Talex update utility
2010-07-10 09:43 . 2004-09-19 08:10 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-07-04 07:44 . 2007-12-08 13:31 7480 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-30 12:31 . 2001-08-18 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-27 08:20 . 2010-06-27 08:20 0 ----a-w- c:\windows\Lromuzitohapuv.bin
2010-06-25 17:07 . 2010-06-25 17:07 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-06-25 17:07 . 2010-06-25 17:07 100880 ----a-w- c:\windows\system32\Packet.dll
2010-06-25 17:07 . 2010-06-25 17:07 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2010-06-25 17:03 . 2010-06-25 17:03 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2010-06-24 12:22 . 2009-01-25 13:31 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2001-08-18 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2001-08-18 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2001-08-18 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-01-25 13:32 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-06-14 07:41 . 2009-01-25 13:31 1172480 ----a-w- c:\windows\system32\msxml3.dll
2006-02-23 08:16 . 2009-01-25 12:10 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 08:16 . 2009-01-25 12:10 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-06-30 13:22 2102600 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="c:\program files\Logitech\Profiler\lwemon.exe" [2005-04-18 73728]
"TomTomHOME.exe"="e:\tomtom home 2\TomTomHOMERunner.exe" [2009-11-13 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 77824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2005-07-23 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-08-27 2065760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Martin\Start Menu\Programs\Startup\
Registration-Pinnacle Systems DV500.lnk - c:\program files\Pinnacle\DV500\ERegister\RegTool.exe [2009-6-20 245760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-08-27 08:29 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/08/2010 09:29 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/08/2010 09:29 243024]
R1 lstone;Pinnacle Systems DV500 Overlay;c:\windows\system32\drivers\LStone2k.sys [20/06/2009 18:03 256113]
R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [20/06/2009 18:03 5543]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [27/08/2010 09:27 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [27/08/2010 09:27 308136]
R2 MicroGuard;MicroGuard Copy Protection;c:\windows\system32\drivers\mgnt.sys [19/09/2004 14:48 40392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 18:07 35088]
R2 TomTomHOMEService;TomTomHOMEService;e:\tomtom home 2\TomTomHOMEService.exe [13/11/2009 12:31 92008]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [19/09/2004 15:02 7196]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [28/03/2008 23:39 370360]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [27/08/2010 09:28 431432]
S4 MioNet;MioNet Service; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 12:56]

2009-02-15 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 12:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &ieSpell Options
IE: Check &Spelling
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.galatheasts.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\d8n3xr4i.default\
FF - component: c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\d8n3xr4i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\d8n3xr4i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-AtiExtEvent - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-11 11:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2308)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-11 11:37:02
ComboFix-quarantined-files.txt 2010-09-11 10:36

Pre-Run: 2,446,761,984 bytes free
Post-Run: 2,459,557,888 bytes free

- - End Of File - - C3BD0978CD76BC5E4D0C823F92615376
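A small triage script for log excerpts like the one above, added here as an example; it is not part of this thread and not ComboFix's own code. It pulls the scheduled-task, DPF (ActiveX), "FF - component" and orphan lines into records, restores the hxxp defanging that ComboFix applies to URLs, and flags the entries that run from a user-writable location or were downloaded from a network host. The trusted-root list and the flagging rules are my own assumptions, and the sample log is constructed from lines in the post above.

```python
"""Triage a ComboFix-style log excerpt: extract structured records from the
'Scheduled Tasks', DPF, 'FF - component' and 'ORPHANS REMOVED' lines and flag
the ones a human should look at.  Added example; the flagging rules are the
author's own assumptions, not ComboFix logic."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 12:56]

2009-02-15 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 12:56]
.
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.galatheasts.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - component: c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\d8n3xr4i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-AtiExtEvent - (no file)
"""

# Line shapes as they appear in the log.
TASK_JOB = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$", re.I)
TASK_TARGET = re.compile(r"^- (.+?) \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$")
DPF_ENTRY = re.compile(r"^DPF: (\{[0-9A-F-]{36}\})(?: - (\S+))?$", re.I)
FF_ENTRY = re.compile(r"^FF - (component|plugin): (.+)$")
ORPHAN = re.compile(r"^(\S+?)-(.+) - \(no file\)$")
START_PAGE = re.compile(r"^uStart Page = (\S+)$")

# Assumption: binaries under these roots count as vendor-installed; anything
# else (user profile, temp folders, root of C:\) is user-writable and is flagged.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Finding:
    kind: str     # task | dpf | ff | orphan | startpage
    target: str   # path, CLSID or URL the line points at
    note: str     # one-line explanation for the reviewer
    review: bool  # True when a human should check this entry


def refang(url: str) -> str:
    """ComboFix writes hxxp/hxxps so the log is not clickable; restore the scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def triage(log_text: str) -> list:
    findings = []
    pending_job = None  # .job file waiting for its "- target [stamp]" line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TASK_JOB.match(line)
        if m:
            pending_job = m.group(2)
            continue
        m = TASK_TARGET.match(line)
        if m and pending_job:
            exe = m.group(1)
            ok = is_trusted_path(exe)
            findings.append(Finding("task", exe, f"{pending_job} runs {exe}"
                                    + ("" if ok else " from a user-writable location"), not ok))
            pending_job = None
            continue
        m = DPF_ENTRY.match(line)
        if m:
            clsid, url = m.group(1), m.group(2)
            if url:  # control fetched over the network: the host is what to verify
                host = urlparse(refang(url)).hostname
                findings.append(Finding("dpf", clsid, f"ActiveX control downloaded from {host}", True))
            else:
                findings.append(Finding("dpf", clsid, "ActiveX CLSID with no download URL recorded", False))
            continue
        m = FF_ENTRY.match(line)
        if m:
            path = m.group(2)
            ok = is_trusted_path(path)
            findings.append(Finding("ff", path, f"native Firefox {m.group(1)}"
                                    + ("" if ok else " loaded from the user profile; check its publisher"), not ok))
            continue
        m = ORPHAN.match(line)
        if m:
            findings.append(Finding("orphan", m.group(2),
                                    f"{m.group(1)} entry pointed at a missing file and was removed", False))
            continue
        m = START_PAGE.match(line)
        if m:
            findings.append(Finding("startpage", refang(m.group(1)), "IE start page", False))
    return findings


def needs_review(findings: list) -> list:
    """Targets a human should look at, in log order."""
    return [f.target for f in findings if f.review]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(("REVIEW " if f.review else "ok     ") + f"{f.kind:9} {f.note}")
```

Run it as a script to get one line per record; on the sample it flags only the ActiveX control cached from vpn.galatheasts.com and the native component living inside the Firefox profile, and treats the two IntelliPoint/IntelliType tasks, the AVG component and the already-removed orphans as routine. Feed it a full log by replacing SAMPLE_LOG with the file contents; lines it does not recognise are ignored rather than mis-parsed.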


#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:25 AM

Posted 11 September 2010 - 01:07 PM

Hello

extra combofix report

I need to see one of the extra reports combofix makes
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
CODE
C:\Qoobox\Add-Remove Programs.txt
  • click ok
  • copy and paste the report into this topic for me to review


Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:25 AM

Posted 14 September 2010 - 02:49 AM

Hello

Three-day bump

It has been three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread, it will have to be closed!

Gringo


#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:25 AM

Posted 17 September 2010 - 02:28 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo




