
Internet Browser Redirects when I click on search results


17 replies to this topic

#1 BGK2010

Posted 11 September 2010 - 01:23 PM

hi, my Google search results are redirected to ad sites. Pop-ups have started to crop up too.

I followed your initial preparation instructions, but I ran into some trouble with the GMER section, and an ARK file has not been created. I do have the DDS and Attach.txt information you requested, however when I do a GMER scan I get a blue screen with this information and the scan will not complete:

A problem has been detected and windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: pwryqkow.sys

PAGE_FAULT_IN_NONPAGED_AREA

Technical Information:
*** STOP: 0x00000050 (0xFC116008, 0x00000000, 0xAFB7C53E, 0x00000000)
*** pwryqkow.sys - Address AFB7C53E base at AFB78000, datestamp 4B274f8d

Physical memory dump successful.

Here is the DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Justin at 12:38:48.70 on Sat 09/11/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.94 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Philips\Philips Songbird\extensions\philips-autoplay@philips.com\application\PhilipsSongbirdLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\Zjoqob.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Justin\LOCALS~1\Temp\Zpq.exe
C:\Documents and Settings\Justin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [YXE7DXCQ37] c:\docume~1\justin\locals~1\temp\Zpq.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [PhilipsSongbirdLauncher] c:\program files\philips\philips songbird\extensions\philips-autoplay@philips.com\application\PhilipsSongbirdLauncher.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\mclsp.dll
Trusted Zone: brockwaygun.com\www
Trusted Zone: justinbrockway.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 93.188.162.235,93.188.161.235
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\justin\applic~1\mozilla\firefox\profiles\y4dun7d0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\justin\application data\mozilla\firefox\profiles\y4dun7d0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\justin\application data\mozilla\firefox\profiles\y4dun7d0.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - plugin: c:\documents and settings\crystal\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\crystal\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\justin\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}


============= SERVICES / DRIVERS ===============

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-25 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-25 242896]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-8-25 464264]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-25 216200]
S2 avg9emc;AVG Free E-mail Scanner; [x]
S2 avg9wd;AVG Free WatchDog; [x]

=============== Created Last 30 ================

2010-09-11 17:37:09 0 ----a-w- c:\documents and settings\justin\defogger_reenable
2010-09-11 15:22:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-11 15:21:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-11 15:21:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-11 15:21:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-11 05:11:58 0 d-----w- c:\program files\Trend Micro
2010-09-11 00:59:12 57600 ----a-w- c:\windows\system32\drivers\iybkiome.sys
2010-09-10 23:11:56 0 d-----w- C:\spoolerlogs
2010-09-10 23:11:27 219136 ----a-w- c:\windows\Zjoqob.exe
2010-09-10 21:51:47 872064 ----a-w- c:\windows\system32\drivers\IASTOR.SYS
2010-09-10 19:37:15 212480 ----a-w- c:\windows\Zjoqoa.exe
2010-08-23 19:23:29 423656 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15:28 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15:26 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15:26 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 12:40:12.14 ===============

I think everyone is overworked.

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 14 September 2010 - 04:28 PM.
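A defender-side triage pass over the DDS sections quoted in this thread, added here as an example; it is not code from the thread, from DDS or from BleepingComputer. It splits the log on its ===== headers and applies the checks a helper makes by eye: executables running from a Temp folder, unfamiliar .exe files directly in C:\WINDOWS, Run keys with machine-generated names, a NameServer pointing outside the LAN, and a recently created .sys that no service entry accounts for. The sample log is constructed from a few of the lines above; the Windows-root allowlist and the generated-name pattern are assumed heuristics, and every hit is a lead for review, not a verdict.

```python
import ipaddress
import re
from typing import Dict, List, Tuple
# DDS section headers look like "============== Running Processes ==============="
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
TEMP_RE = re.compile(r"\\temp\\", re.I)
WINROOT_RE = re.compile(r"^c:\\windows\\([^\\]+\.exe)\b", re.I)  # .exe directly in C:\WINDOWS
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+\S+\s+(.+)$")
DRIVER_PATH_RE = re.compile(r"^c:\\windows\\system32\\drivers\\([^\\]+\.sys)$", re.I)
SYS_NAME_RE = re.compile(r"([^\\;\s]+\.sys)\b", re.I)
RUNKEY_RE = re.compile(r"^[um]Run(?:Once)?:\s+\[([^\]]+)\]\s+(.*)$")
NAMESERVER_RE = re.compile(r"^TCP:\s+NameServer\s*=\s*(.+)$", re.I)
GENERATED_NAME_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{8,}$")  # assumed: key names like YXE7DXCQ37
# Assumed allowlist: .exe files Windows XP keeps in the %windir% root, plus stsystra.exe,
# the OEM audio tray that this thread's Run keys point at.
WINROOT_KNOWN = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "stsystra.exe"}

# Constructed sample: a few lines in DDS format, copied from the sections quoted above.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Zjoqob.exe
C:\DOCUME~1\Justin\LOCALS~1\Temp\Zpq.exe
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [YXE7DXCQ37] c:\docume~1\justin\locals~1\temp\Zpq.exe
TCP: NameServer = 93.188.162.235,93.188.161.235
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
=============== Created Last 30 ================
2010-09-11 00:59:12 57600 ----a-w- c:\windows\system32\drivers\iybkiome.sys
2010-09-10 23:11:27 219136 ----a-w- c:\windows\Zjoqob.exe
2010-08-23 19:23:29 423656 ----a-w- c:\windows\system32\deployJava1.dll
"""


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the upper-cased name of the ===== header above them."""
    sections: Dict[str, List[str]] = {}
    current = "PREAMBLE"
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).upper()
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def is_private_or_local(addr: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses (what a home LAN's resolver looks like)."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def triage(dds_text: str) -> List[Tuple[str, str]]:
    """Run the heuristics over a DDS log; returns (rule, log line) pairs for an analyst to review."""
    sec = split_sections(dds_text)
    findings: List[Tuple[str, str]] = []
    def check_path(line: str, path: str) -> None:
        if TEMP_RE.search(path):
            findings.append(("executable in a Temp directory", line))
        m = WINROOT_RE.match(path)
        if m and m.group(1).lower() not in WINROOT_KNOWN:
            findings.append(("unexpected executable in the Windows root", line))
    for line in sec.get("RUNNING PROCESSES", []):
        check_path(line, line)
    for line in sec.get("PSEUDO HJT REPORT", []):
        run = RUNKEY_RE.match(line)
        dns = NAMESERVER_RE.match(line)
        if run:
            name, target = run.groups()
            if GENERATED_NAME_RE.match(name):
                findings.append(("Run key with machine-generated name", line))
            check_path(line, target)
        elif dns and any(not is_private_or_local(s) for s in dns.group(1).split(",") if s.strip()):
            findings.append(("DNS server outside the local network", line))
    # A .sys that appeared recently but has no R*/S* service entry is being loaded some other way.
    registered = {m.group(1).lower() for m in map(SYS_NAME_RE.search, sec.get("SERVICES / DRIVERS", [])) if m}
    for line in sec.get("CREATED LAST 30", []):
        created = CREATED_RE.match(line)
        if not created:
            continue
        check_path(line, created.group(1))
        drv = DRIVER_PATH_RE.match(created.group(1))
        if drv and drv.group(1).lower() not in registered:
            findings.append(("new driver file with no registered service", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS):
        print(f"[{rule}] {line}")
```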



#2 m0le (Malware Response Team, London, UK)

Posted 16 September 2010 - 06:46 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 BGK2010 (Topic Starter)

Posted 17 September 2010 - 11:03 PM

I'm here, thanks for helping me!

#4 m0le (Malware Response Team, London, UK)

Posted 18 September 2010 - 05:57 PM

There's malware evidence in the DDS and the fact that Gmer won't run looks like we have a rootkit.

Please run MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#5 BGK2010 (Topic Starter)

Posted 18 September 2010 - 08:17 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 131):

Processes (total 66):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500JS-22NCB1, Rev: 10.02E02

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#6 m0le (Malware Response Team, London, UK)

Posted 18 September 2010 - 08:19 PM

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 BGK2010 (Topic Starter)

Posted 19 September 2010 - 07:31 PM

Here is the ComboFix Log you requested. I apparently have some AVG remnants from the past, but I no longer use AVG software. Thanks for all your help!!!

Attached Files



#8 m0le (Malware Response Team, London, UK)

Posted 19 September 2010 - 07:47 PM

Back to Combofix to do some work here.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\windows\system32\drivers\iybkiome.sys

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)

Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests that you update ComboFix, then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Can you tell me if the browser redirects are still there? Also, if so, which browser(s) are and aren't affected?

Thanks
m0le is a proud member of UNITE

#9 BGK2010

BGK2010
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 20 September 2010 - 10:36 AM

Firefox and IE are no longer redirecting. Here is the new ComboFix log after using your script:





ComboFix 10-09-19.04 - Justin 09/20/2010 10:19:59.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.102 [GMT -5:00]
Running from: c:\documents and settings\Justin\Desktop\comfix.exe
Command switches used :: c:\documents and settings\Justin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\system32\drivers\iybkiome.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\drivers\iybkiome.sys

.
((((((((((((((((((((((((( Files Created from 2010-08-20 to 2010-09-20 )))))))))))))))))))))))))))))))
.

2010-09-18 11:58 . 2010-09-18 11:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-09-16 04:57 . 2010-09-16 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-09-16 04:57 . 2010-09-16 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-09-16 04:57 . 2010-09-18 11:58 -------- d-----w- c:\program files\McAfee Security Scan
2010-09-14 16:36 . 2010-09-14 16:36 57600 ----a-w- c:\windows\system32\drivers\REDBOOK.SYS
2010-09-13 19:05 . 2010-08-30 19:34 1496064 ----a-w- c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\y4dun7d0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-13 19:05 . 2010-08-30 19:33 43008 ----a-w- c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\y4dun7d0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-09-13 19:05 . 2010-08-30 19:33 338944 ----a-w- c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\y4dun7d0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-09-13 19:05 . 2010-08-30 19:33 346112 ----a-w- c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\y4dun7d0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-09-11 21:54 . 2008-03-02 08:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-09-11 15:22 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-11 15:21 . 2010-09-11 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-11 15:21 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-11 15:21 . 2010-09-11 15:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-11 05:12 . 2010-09-11 05:12 388096 ----a-r- c:\documents and settings\Justin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-11 05:11 . 2010-09-11 21:54 -------- d-----w- c:\program files\Trend Micro
2010-09-11 02:37 . 2010-09-11 02:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-09-11 02:36 . 2010-09-11 02:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-09-11 02:36 . 2010-09-11 02:36 38656 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-10 23:11 . 2010-09-10 23:11 -------- d-----w- C:\spoolerlogs
2010-09-10 21:51 . 2010-09-10 21:51 872064 ----a-w- c:\windows\system32\drivers\IASTOR.SYS
2010-09-05 16:50 . 2010-08-30 19:34 1496064 ----a-w- c:\documents and settings\Crystal\Application Data\Mozilla\Firefox\Profiles\0bfokqy2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-05 16:50 . 2010-08-30 19:33 43008 ----a-w- c:\documents and settings\Crystal\Application Data\Mozilla\Firefox\Profiles\0bfokqy2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-09-05 16:50 . 2010-08-30 19:33 338944 ----a-w- c:\documents and settings\Crystal\Application Data\Mozilla\Firefox\Profiles\0bfokqy2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-09-05 16:50 . 2010-08-30 19:33 346112 ----a-w- c:\documents and settings\Crystal\Application Data\Mozilla\Firefox\Profiles\0bfokqy2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-08-30 18:30 . 2010-08-30 18:30 503808 ----a-w- c:\documents and settings\Justin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2a474e28-n\msvcp71.dll
2010-08-30 18:30 . 2010-08-30 18:30 499712 ----a-w- c:\documents and settings\Justin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2a474e28-n\jmc.dll
2010-08-30 18:30 . 2010-08-30 18:30 348160 ----a-w- c:\documents and settings\Justin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2a474e28-n\msvcr71.dll
2010-08-30 18:30 . 2010-08-30 18:30 61440 ----a-w- c:\documents and settings\Justin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1326d986-n\decora-sse.dll
2010-08-30 18:30 . 2010-08-30 18:30 12800 ----a-w- c:\documents and settings\Justin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1326d986-n\decora-d3d.dll
2010-08-23 19:24 . 2010-08-23 19:24 -------- d-----w- c:\program files\Common Files\Java
2010-08-23 19:23 . 2010-08-23 19:23 503808 ----a-w- c:\documents and settings\Crystal\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-22c847a2-n\msvcp71.dll
2010-08-23 19:23 . 2010-08-23 19:23 499712 ----a-w- c:\documents and settings\Crystal\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-22c847a2-n\jmc.dll
2010-08-23 19:23 . 2010-08-23 19:23 348160 ----a-w- c:\documents and settings\Crystal\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-22c847a2-n\msvcr71.dll
2010-08-23 19:23 . 2010-08-23 19:23 61440 ----a-w- c:\documents and settings\Crystal\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-46c23621-n\decora-sse.dll
2010-08-23 19:23 . 2010-08-23 19:23 12800 ----a-w- c:\documents and settings\Crystal\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-46c23621-n\decora-d3d.dll
2010-08-23 19:23 . 2010-07-17 10:00 423656 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-13 04:02 . 2010-03-23 16:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-12 22:58 . 2009-08-25 01:48 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2010-09-11 21:54 . 2009-08-22 14:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-10 22:11 . 2010-08-13 04:07 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-04 20:53 . 2009-09-09 22:54 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-08-23 19:22 . 2009-08-22 22:53 -------- d-----w- c:\program files\Java
2010-08-17 13:17 . 2004-08-10 11:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-09 22:54 . 2010-08-09 22:54 -------- d-----w- c:\documents and settings\Crystal\Application Data\Apple Computer
2010-08-08 17:41 . 2010-08-08 17:41 365 ----a-w- c:\windows\EReg072.dat
2010-08-08 17:39 . 2010-08-08 17:39 -------- d-----w- c:\program files\Bullfrog
2010-07-30 19:20 . 2010-07-30 19:20 -------- d-----w- c:\documents and settings\Crystal\Application Data\Philips-Songbird
2010-07-30 19:18 . 2010-07-30 19:18 -------- d-----w- c:\program files\Philips
2010-07-30 02:13 . 2009-09-24 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-22 15:49 . 2004-08-10 11:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-08-22 17:04 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-20 00:00 . 2010-07-22 14:56 52224 ----a-w- c:\documents and settings\Crystal\Application Data\Mozilla\Firefox\Profiles\0bfokqy2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-07-20 00:00 . 2010-07-22 14:56 101376 ----a-w- c:\documents and settings\Crystal\Application Data\Mozilla\Firefox\Profiles\0bfokqy2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-06-30 12:31 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-29 08:02 . 2010-06-29 08:02 38656 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 12:15 . 2004-08-10 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-10 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-10 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-09-20_00.17.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-20 15:08 . 2010-09-20 15:08 16384 c:\windows\Temp\Perflib_Perfdata_314.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 23:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"PhilipsSongbirdLauncher"="c:\program files\Philips\Philips Songbird\extensions\philips-autoplay@philips.com\application\PhilipsSongbirdLauncher.exe" [2010-07-30 346624]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-8 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-8-8 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-17 14:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\V CAST Music with Rhapsody\\WiseUpd2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\aoe20a_crk.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [8/25/2009 3:49 PM 464264]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [9/11/2010 4:54 PM 206608]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S2 avg9emc;AVG Free E-mail Scanner; [x]
S2 avg9wd;AVG Free WatchDog; [x]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [9/11/2010 4:54 PM 582992]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [9/11/2010 4:54 PM 206608]
.
Contents of the 'Scheduled Tasks' folder

2010-09-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]

2010-09-20 c:\windows\Tasks\User_Feed_Synchronization-{D14DCDB1-275F-4C1F-8394-49754245AD5B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\windows\system32\mclsp.dll
Trusted Zone: brockwaygun.com\www
Trusted Zone: justinbrockway.com\www
FF - ProfilePath - c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\y4dun7d0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\y4dun7d0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\y4dun7d0.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - plugin: c:\documents and settings\Crystal\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Crystal\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Justin\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1040)
c:\windows\system32\mclsp.dll
c:\windows\system32\SPORDER.dll
.
Completion time: 2010-09-20 10:27:26
ComboFix-quarantined-files.txt 2010-09-20 15:27
ComboFix2.txt 2010-09-20 00:26

Pre-Run: 212,790,136,832 bytes free
Post-Run: 212,784,414,720 bytes free

- - End Of File - - 404D68FE1BC082A9621CF8340B6FEB64
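As an added example, not code from this thread or from ComboFix itself (ComboFix is closed source), the Python below parses the CFScript directives from post #8 and the log posted above, confirms that the requested File:: deletion actually appears under "Other Deletions", and lists the kernel drivers created in the scan window. Both layouts are inferred from the posted text, and the embedded samples are abridged copies of it.

```python
# Added example, not code from the thread or from ComboFix; formats inferred from the posts above.
import re

# Constructed sample: the CFScript from post #8, cut to one RegLock key.
CFSCRIPT = r"""File::
c:\windows\system32\drivers\iybkiome.sys

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
"""

# Constructed sample: lines abridged from the post #9 log that the script produced.
COMBOFIX_LOG = r"""((((((((((( Other Deletions ))))))))))))
.
---- Previous Run -------
.
c:\windows\system32\drivers\iybkiome.sys
.
(((((((((((( Files Created from 2010-08-20 to 2010-09-20 ))))))))))))
.
2010-09-14 16:36 . 2010-09-14 16:36 57600 ----a-w- c:\windows\system32\drivers\REDBOOK.SYS
2010-09-11 15:21 . 2010-09-11 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-11 15:21 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-10 21:51 . 2010-09-10 21:51 872064 ----a-w- c:\windows\system32\drivers\IASTOR.SYS
.
"""

SECTION_HDR = re.compile(r"^\(+ (.+?) \)+$")                          # ((( Title )))
FILE_LINE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\S+) (\S+) (.+)$")  # created . modified size attrs path

def parse_cfscript(text):
    """Map each 'Name::' directive to the entries listed under it."""
    sections, current = {}, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def split_log_sections(log):
    """Map each '(((( Title ))))' header to the non-empty, non-'.' lines beneath it."""
    sections, current = {}, "preamble"
    for line in (raw.strip() for raw in log.splitlines()):
        m = SECTION_HDR.match(line)
        if m:
            current = m.group(1)
        elif line not in ("", "."):
            sections.setdefault(current, []).append(line)
    return sections

def parse_file_entries(lines):
    """Turn 'Files Created' lines into dicts; directories (size '--------') get size None."""
    entries = []
    for m in filter(None, map(FILE_LINE.match, lines)):
        created, modified, size, attrs, path = m.groups()
        entries.append({"created": created, "modified": modified, "attrs": attrs,
                        "path": path, "size": None if size.startswith("-") else int(size)})
    return entries

def confirm_deletions(script_text, log):
    """Return the File:: paths the log lists under 'Other Deletions' (case-insensitive)."""
    wanted = parse_cfscript(script_text).get("File", [])
    deleted = {l.lower() for l in split_log_sections(log).get("Other Deletions", [])}
    return [p for p in wanted if p.lower() in deleted]

def new_drivers(log):
    """List kernel drivers (.sys in the drivers folder) created inside the log's window."""
    return [e for title, lines in split_log_sections(log).items() if title.startswith("Files Created")
            for e in parse_file_entries(lines)
            if e["path"].lower().endswith(".sys") and "\\drivers\\" in e["path"].lower()]
```

Running it against the full post #9 log instead of the abridged sample gives the same deletion confirmation and a longer driver list to review by hand.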


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:49 PM

Posted 20 September 2010 - 10:45 AM

Looks good.

Use this uninstaller to clear out the rest of AVG


Next please run ESET's online scanner
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.


m0le is a proud member of UNITE

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:49 PM

Posted 23 September 2010 - 06:17 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#12 BGK2010

BGK2010
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 23 September 2010 - 11:03 PM

I'm still here; I had some difficulties getting ESET's online scanner to complete. I will post the log if it works this time. Thanks again for all of your help!

#13 BGK2010

BGK2010
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 24 September 2010 - 01:08 AM

Here is the ESETscan you requested. Also, when I run the AVG remover, an error says the AVGremoverx64 is not a valid win32 application. How important is it to remove the remnants, and should I try to remove the parts another way? Thanks!



C:\Documents and Settings\Crystal\Application Data\Sun\Java\Deployment\cache\6.0\17\2ebb9451-22ae2eb2 multiple threats deleted - quarantined


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:49 PM

Posted 24 September 2010 - 02:10 PM

Try this link to remove AVG

The PC looks good from the logs, how is it running?

m0le is a proud member of UNITE

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:49 PM

Posted 28 September 2010 - 06:51 PM

Hi,

I have not had a reply from you for 4 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE



