
Trojan Horse patched_c.JED


  • This topic is locked
10 replies to this topic

#1 smidget8403

smidget8403

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 05 October 2010 - 12:32 PM

Hello, I'm back with another infection on my parents' computer. They seem to have been infected with what AVG is calling patched_c.JED. It appears to have infected the explorer.exe file. AVG would pop up with an alert every 10-15 seconds, but since the file is whitelisted, nothing could be done. I have disabled the alerts so I could work without interruption. The only other thing I have noticed it doing is redirecting links from Google searches in Firefox. Google Chrome does not seem to be affected and they don't use IE. I have run Hitman Pro 3.5, and it did find the infection, but I am wary of having it fix the infection since it is a critical file. The computer is probably a good 8-10 years old and I'm not sure if the disks are still around.

Computer is running XP Home w/ SP3. DDS logs attached. Tried running GMER twice, both times it caused the computer to restart before it was finished. When the computer came back on, a message popped up saying the system had recovered from a blue screen error.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 13:56:40.46 on Mon 10/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.179 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Desktop\Clean Up Tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mSearch Bar =
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [dwStart] c:\program files\pcsecurityshield\the shield firewall\FireWall.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send Image to Photo Library - file://c:\program files\mgi\mgi photosuite iii se\temp\MGI00000.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: FarLsp.dll
Trusted Zone: intuit.com\ttlc
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2CA2C9B8-E4F6-4BE9-8601-52ED0AFBA79D} - hxxp://asp.mathxl.com/books/_Players/AccountingPlayer.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - hxxp://download.microsoft.com/download/PowerPoint2002/Install/10.0.2609/WIN98MeXP/EN-US/msorun.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\4dh50322.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-26 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-26 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-26 243024]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-4-17 47640]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [2004-5-19 142169]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-10-2 16968]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S2 gupdate1c98b218951a742;Google Update Service (gupdate1c98b218951a742);c:\program files\google\update\GoogleUpdate.exe [2009-2-9 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider; [x]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-4-26 430152]
S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [2002-7-1 95232]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [2004-4-18 44003]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2010-4-9 18560]
S3 iscFlash;iscFlash; [x]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-10-02 21:00:38 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-02 21:00:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-10-02 21:00:12 0 d-----w- c:\program files\Hitman Pro 3.5
2010-09-25 18:06:31 0 d-----w- c:\program files\iPod
2010-09-25 18:06:06 0 d-----w- c:\program files\iTunes
2010-09-25 18:06:06 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-25 17:44:17 0 d-----w- c:\program files\Bonjour
2010-09-09 20:25:01 0 d-----w- c:\docume~1\owner\applic~1\Inbox Toolbar
2010-09-09 20:24:57 0 d-----w- c:\program files\Inbox Toolbar
2010-09-04 22:22:45 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2010-09-04 22:22:40 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-09-04 22:22:15 0 d-----w- c:\windows\Logs
2010-09-04 22:22:01 0 d-----w- c:\program files\Virtools

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-28 01:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 01:44:10 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-28 01:44:10 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-28 01:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-15 15:59:28 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2004-05-13 18:14:25 477888 ----a-w- c:\program files\GoogleToolbarInstaller.exe

============= FINISH: 13:57:56.54 ===============

Attached Files
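Two things in the DDS output above stand out to a defender: the user-hive proxy pointing at 127.0.0.1:6522 (browser traffic routed to a process on the machine itself, consistent with the search redirects), and service or browser add-on entries whose file no longer exists. The script below is an added triage helper, not part of DDS, ComboFix or this thread; it parses constructed lines modelled on the log above and also handles the single "host:port" form of ProxyServer that the log does not show.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the "Pseudo HJT Report" and
# "SERVICES / DRIVERS" lines of the DDS log above; not a real capture.
SAMPLE_DDS = r"""uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
LSP: FarLsp.dll
S2 LMIInfo;LogMeIn Kernel Information Provider; [x]
S3 iscFlash;iscFlash; [x]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-10-2 16968]
"""

# u = current user's hive, m = machine hive, as in DDS output.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
# "S2 name;display name; [x]": DDS prints [x] when the service image is missing.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;\s*\[x\]\s*$")
# Browser add-on entries whose DLL no longer exists.
ORPHAN_RE = re.compile(r"^(BHO|EB|TB):\s*(.*?)\s+-\s+No File\s*$")


def parse_proxy_server(value):
    """Split a ProxyServer value into {scheme: (host, port)}.

    Windows stores either one proxy for every protocol ("host:port", keyed
    here as "*") or a per-protocol list ("http=host:port;https=host:port").
    The log above uses the per-protocol form with only http set.
    """
    proxies = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, sep, hostport = entry.partition("=")
        if not sep:
            scheme, hostport = "*", entry
        host, _, port = hostport.rpartition(":")
        if not host:          # no port given at all
            host, port = hostport, ""
        proxies[scheme.lower()] = (host.strip(), port.strip())
    return proxies


def is_loopback(host):
    """True for localhost, 127.0.0.0/8 and ::1, i.e. a proxy running on the
    machine itself rather than on a corporate gateway."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:        # a hostname, not an address
        return False


def triage(dds_text):
    """Scan DDS lines and return (severity, line_number, message) findings."""
    findings = []
    for lineno, raw in enumerate(dds_text.splitlines(), 1):
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, (host, port) in parse_proxy_server(m.group(1)).items():
                if is_loopback(host):
                    findings.append(("HIGH", lineno,
                        f"{scheme} traffic goes through a proxy on this machine "
                        f"({host}:{port}); identify the process listening on that port"))
                else:
                    findings.append(("INFO", lineno,
                        f"{scheme} proxy {host}:{port}; confirm it is expected"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.append(("LOW", lineno,
                f"service {m.group(1)} has no image on disk ([x])"))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(("LOW", lineno,
                f"{m.group(1)} entry {m.group(2)} points to a missing file"))
    return findings


if __name__ == "__main__":
    for severity, lineno, message in triage(SAMPLE_DDS):
        print(f"[{severity}] line {lineno}: {message}")
```

A loopback proxy is not proof of malware on its own (some parental-control and filtering tools use one), so the HIGH finding is a prompt to check which process owns the port, not a verdict.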





#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:48 PM

Posted 05 October 2010 - 04:15 PM

Good evening.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#3 smidget8403

smidget8403
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 05 October 2010 - 09:30 PM

Thanks for getting to me so quickly. ComboFix log is below. When the computer restarted, some programs started up automatically so I hope that didn't affect the scan. I tried a few different Google searches in Firefox and they appear to be working now, no longer redirecting me. Also I enabled AVG's Resident Shield and I haven't had any pop-ups in the last 10-15 mins.


ComboFix 10-10-05.01 - Owner 10/05/2010 18:25:54.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.211 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\Server\admin.txt
c:\documents and settings\All Users\Documents\Server\server.dat
c:\documents and settings\Owner\Favorites\Thumbs.db

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-09-06 to 2010-10-06 )))))))))))))))))))))))))))))))
.

2010-10-04 15:23 . 2010-10-04 15:23 4100960 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-10-04 15:23 . 2010-10-04 15:23 2065760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-10-04 15:23 . 2010-10-04 15:23 4394336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-10-02 21:00 . 2010-10-05 01:37 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-02 21:00 . 2010-10-02 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-10-02 21:00 . 2010-10-02 21:00 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-10-01 00:28 . 2010-10-01 00:28 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-30 03:02 . 2010-09-30 03:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-09-25 18:06 . 2010-09-25 18:06 -------- d-----w- c:\program files\iPod
2010-09-25 18:06 . 2010-09-25 18:08 -------- d-----w- c:\program files\iTunes
2010-09-25 18:06 . 2010-09-25 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-25 17:46 . 2010-09-25 17:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2010-09-25 17:46 . 2010-09-25 17:46 -------- d-----w- c:\program files\Apple Software Update
2010-09-25 17:44 . 2010-09-25 17:44 -------- d-----w- c:\program files\Bonjour
2010-09-25 17:43 . 2010-09-25 18:06 -------- d-----w- c:\program files\Common Files\Apple
2010-09-25 17:43 . 2010-09-25 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-09-23 15:05 . 2010-09-23 15:05 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 15:05 . 2010-09-23 15:05 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 15:05 . 2010-09-23 15:05 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 15:05 . 2010-09-23 15:05 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 15:05 . 2010-09-23 15:05 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 15:05 . 2010-09-23 15:05 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 15:05 . 2010-09-23 15:05 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 15:02 . 2010-09-23 15:02 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-09-09 20:25 . 2010-09-09 20:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Inbox Toolbar
2010-09-09 20:24 . 2010-09-09 20:25 -------- d-----w- c:\program files\Inbox Toolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-04 23:17 . 2010-05-01 23:11 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
2010-10-04 02:11 . 2006-09-30 18:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-10-02 20:35 . 2004-03-08 02:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-02 20:29 . 2010-04-25 23:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-02 20:28 . 2010-08-09 21:41 5272616 ----a-w- c:\documents and settings\Owner\Application Data\Uniblue\RegistryBooster\_temp\ub.exe
2010-10-02 18:50 . 2008-09-25 00:07 -------- d-----w- c:\program files\Microsoft Silverlight
2010-10-01 00:28 . 2010-04-25 23:13 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-25 17:58 . 2004-05-19 22:14 -------- d-----w- c:\program files\QuickTime
2010-09-25 16:22 . 2007-01-13 20:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-15 10:12 . 2009-10-20 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-04 22:22 . 2010-09-04 22:22 -------- d-----w- c:\program files\Virtools
2010-09-01 16:12 . 2010-09-01 16:12 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-08-31 19:11 . 2010-08-31 19:11 3401880 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-08-31 18:55 . 2010-08-31 18:55 275096 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-08-31 18:39 . 2010-08-31 18:39 3734536 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\Google Talk Plugin Extras\d3dx9_36.dll
2010-08-29 02:45 . 2010-08-29 02:16 -------- d-----w- c:\program files\Shockwave.com
2010-08-25 18:06 . 2005-12-25 20:41 -------- d-----w- c:\program files\Audible
2010-08-21 22:39 . 2010-08-21 22:39 227520 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-17 23:13 . 2006-05-07 23:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-17 13:17 . 2001-08-30 10:30 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 18:09 . 2010-08-16 18:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Nero
2010-08-15 22:10 . 2010-08-15 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-08-15 22:10 . 2010-08-15 22:08 -------- d-----w- c:\program files\Nero
2010-08-15 22:08 . 2010-08-15 22:08 -------- d-----w- c:\program files\Common Files\Nero
2010-08-15 20:52 . 2004-03-08 01:48 89639 ----a-w- c:\windows\pchealth\HELPCTR\OfflineCache\index.dat
2010-08-13 02:46 . 2008-12-21 04:22 -------- d-----w- c:\program files\Common Files\Logitech
2010-08-12 18:02 . 2010-04-18 19:18 -------- d-----w- c:\program files\Cobian Backup 10
2010-08-06 13:45 . 2010-08-06 13:45 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5a3e59d8-n\msvcp71.dll
2010-08-06 13:45 . 2010-08-06 13:45 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-11204101-n\decora-d3d.dll
2010-08-06 13:45 . 2010-08-06 13:45 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-11204101-n\decora-sse.dll
2010-08-06 13:45 . 2010-08-06 13:45 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5a3e59d8-n\jmc.dll
2010-08-06 13:45 . 2010-08-06 13:45 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5a3e59d8-n\msvcr71.dll
2010-07-29 17:12 . 2010-04-14 20:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-28 01:44 . 2010-07-28 01:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 01:44 . 2010-07-28 01:44 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-28 01:44 . 2010-07-28 01:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-28 01:44 . 2010-07-28 01:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-22 15:49 . 2004-07-21 17:03 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 03:46 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-15 15:59 . 2010-04-26 23:20 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 15:59 . 2010-07-15 15:59 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 15:56 . 2010-04-26 23:19 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2004-05-13 18:14 . 2004-05-13 18:14 477888 ----a-w- c:\program files\GoogleToolbarInstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 17:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-26 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-02 2424560]
"RegistryBooster"="c:\program files\Uniblue\RegistryBooster\launcher.exe" [2010-08-30 67448]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"dwStart"="c:\program files\PCSecurityShield\The Shield Firewall\FireWall.exe" [2004-08-05 405504]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-12 202256]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-03-27 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-03-27 106496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-10-02 6305088]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 15:59 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-10 06:44 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=c:\windows\pss\Event Reminder.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
backup=c:\windows\pss\Install Pending Files.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2009-04-17 21:33 54576 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryBooster]
2010-08-30 15:25 67448 ----a-w- c:\program files\Uniblue\RegistryBooster\Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:Berezovsky

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/26/2010 4:19 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/26/2010 4:20 PM 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 8:59 AM 308136]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080]
S2 gupdate1c98b218951a742;Google Update Service (gupdate1c98b218951a742);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2009 6:46 PM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider; [x]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [4/26/2010 4:19 PM 430152]
S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [7/1/2002 6:30 PM 95232]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [4/18/2004 4:40 PM 44003]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [5/19/2004 11:53 PM 142169]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [4/9/2010 5:22 PM 18560]
S3 iscFlash;iscFlash; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
termsv REG_MULTI_SZ dpti3o
.
Contents of the 'Scheduled Tasks' folder

2010-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 01:46]

2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 01:46]

2010-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1275210071-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 03:05]

2010-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1275210071-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 03:05]

2010-10-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1275210071-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1275210071-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1275210071-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1275210071-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-06 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2010-10-02 15:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar =
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>;*.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send Image to Photo Library - file://c:\program files\MGI\MGI PhotoSuite III SE\Temp\MGI00000.html
LSP: FarLsp.dll
Trusted Zone: intuit.com\ttlc
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2CA2C9B8-E4F6-4BE9-8601-52ED0AFBA79D} - hxxp://asp.mathxl.com/books/_Players/AccountingPlayer.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\4dh50322.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{14C53E87-1B45-BBEA-F3D9-0FD445E6C02B}\InProcServer32*]
"jagjbihhleonjdibopgc"=hex:6a,61,6d,65,6b,66,6b,65,6a,6e,62,62,6c,64,6d,6e,67,
62,65,6f,00,67
"iagjdgnfmfnoappmag"=hex:6a,61,66,65,64,66,6a,63,70,68,65,62,62,65,6e,63,66,64,
69,6a,00,f2
"dbgjbihhleonjdibopgclgdfagodecnaedimddmh"=hex:6a,61,62,67,62,6a,6b,6d,6f,6b,
6d,64,62,67,65,63,70,66,68,6f,00,1d
"lagjmkbakdnpejnoliagoogl"=hex:6d,61,66,6a,70,64,6c,6d,67,6f,6b,6e,63,63,66,70,
68,69,62,61,6e,6f,67,63,6e,69,00,00
"lagjmkbakdnpejnoliagcncn"=hex:6f,61,6c,67,63,65,70,69,6d,63,66,6f,6d,70,68,65,
6a,69,6c,62,61,67,66,62,61,68,6e,70,6b,6a,00,7c
"cbgjckbpalppnkhfjcgmcijdhimipdckmkfeha"=hex:66,61,6d,6a,69,66,6b,70,61,63,66,
62,00,00
"bbgjckbpalppnkhfjcgmampeghoobbfbnpop"=hex:65,61,6c,6a,6a,67,70,68,62,68,00,00
"magjckbpalppnkhfjcgmoigabl"=hex:66,61,6f,65,6b,67,6f,65,62,6b,6a,64,00,00
"fbgjckbpalppnkhfjcgmdialjienmodchhfldpdhmnfh"=hex:70,61,6d,64,62,6d,6f,6d,69,
6b,66,68,62,6b,6f,65,65,65,63,62,6b,63,61,64,69,6d,6a,67,63,6d,66,64,00,8b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\FarLsp.dll

- - - - - - - > 'Explorer.EXE'(1316)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\PCSecurityShield\The Shield Firewall\FWIdle.dll
.
Completion time: 2010-10-05 19:10:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-06 02:10

Pre-Run: 65,899,925,504 bytes free
Post-Run: 66,416,447,488 bytes free

- - End Of File - - 76721B80F73A0AAF4CD499EDE4290B5E


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 06 October 2010 - 02:18 PM

Good evening.

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double-click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.

So long, and thanks for all the fish.

#5 smidget8403

smidget8403
  • Topic Starter

  • Members
  • 13 posts

Posted 06 October 2010 - 11:26 PM

Hello, please see the log of MBRCheck below.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 135):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF8CB8000 \WINDOWS\system32\KDCOM.DLL
0xF8BC8000 \WINDOWS\system32\BOOTVID.dll
0xF8769000 ACPI.sys
0xF8CBA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF8758000 pci.sys
0xF87B8000 isapnp.sys
0xF8D80000 pciide.sys
0xF8A38000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF87C8000 MountMgr.sys
0xF8739000 ftdisk.sys
0xF8A40000 PartMgr.sys
0xF87D8000 VolSnap.sys
0xF8721000 atapi.sys
0xF87E8000 disk.sys
0xF87F8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF8701000 fltmgr.sys
0xF86EF000 sr.sys
0xF8A48000 PxHelp20.sys
0xF86D8000 KSecDD.sys
0xF864B000 Ntfs.sys
0xF861E000 NDIS.sys
0xF8604000 Mup.sys
0xF8A08000 \SystemRoot\System32\DRIVERS\processr.sys
0xF7C57000 \SystemRoot\System32\DRIVERS\ialmnt5.sys
0xF7C43000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF8AE8000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF7C1F000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF8AF0000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF7B01000 \SystemRoot\System32\DRIVERS\GWMDM.sys
0xF7ADE000 \SystemRoot\System32\DRIVERS\ks.sys
0xF8AF8000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7ABB000 \SystemRoot\System32\DRIVERS\e100b325.sys
0xF8B00000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF8A18000 \SystemRoot\System32\DRIVERS\serial.sys
0xF8C9C000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF7AA7000 \SystemRoot\System32\DRIVERS\parport.sys
0xF8A28000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF8CDE000 \SystemRoot\System32\DRIVERS\Sk99202k.sys
0xF8B08000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF8828000 \SystemRoot\System32\Drivers\Imapi.SYS
0xF8838000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF8848000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF8B10000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF7A3B000 \SystemRoot\system32\drivers\smwdm.sys
0xF8ED2000 \SystemRoot\system32\drivers\SENSUPGD.SYS
0xF7A17000 \SystemRoot\system32\drivers\portcls.sys
0xF8858000 \SystemRoot\system32\drivers\drmk.sys
0xF8ED5000 \SystemRoot\system32\DRIVERS\lmimirr.sys
0xF8CE2000 \SystemRoot\system32\DRIVERS\serscan.sys
0xF8ED9000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF8878000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF8CA8000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF7A00000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF8888000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF8898000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF8B18000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF79EF000 \SystemRoot\System32\DRIVERS\psched.sys
0xF88A8000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF8B20000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF8B28000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF88B8000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF8B30000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF8CE4000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF7991000 \SystemRoot\System32\DRIVERS\update.sys
0xF819E000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF88C8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEF8D3000 \SystemRoot\system32\drivers\ialmsbw.sys
0xEF8C2000 \SystemRoot\system32\drivers\ialmkchw.sys
0xF7CEA000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF8CE8000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF8182000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF8B40000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF8CEA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8DED000 \SystemRoot\System32\Drivers\Null.SYS
0xF8CEC000 \SystemRoot\System32\Drivers\Beep.SYS
0xF8CEE000 \SystemRoot\System32\DRIVERS\Sk9920nt.sys
0xF8B50000 \SystemRoot\System32\drivers\vga.sys
0xF8CF0000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8CF2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF8B58000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF8B60000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF8C40000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xEE6CA000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xEE671000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xEE637000 \SystemRoot\System32\Drivers\avgtdix.sys
0xEE611000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF7CCA000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF8B68000 \SystemRoot\System32\DRIVERS\dot4usb.sys
0xEE5C1000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF8C60000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xEE59F000 \SystemRoot\System32\drivers\afd.sys
0xF7CBA000 \SystemRoot\System32\DRIVERS\netbios.sys
0xEE57D000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF8B70000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xEE552000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xEE4E2000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF7CAA000 \SystemRoot\System32\Drivers\Fips.SYS
0xEE4AF000 \SystemRoot\System32\DRIVERS\Dot4.sys
0xF8C64000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF7C9A000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xF8B78000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xF8C68000 \SystemRoot\System32\DRIVERS\Dot4Scan.sys
0xF8C6C000 \SystemRoot\System32\DRIVERS\Dot4Prt.sys
0xF8C70000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF8B80000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xEE47B000 \SystemRoot\System32\Drivers\avgldx86.sys
0xF88D8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEE43B000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8D14000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7975000 \SystemRoot\System32\drivers\Dxapi.sys
0xF8BA0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8DDC000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF01E000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF036000 \SystemRoot\System32\ialmdev5.DLL
0xBF05F000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEE33B000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xEDFD6000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF8D6E000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xEDDC7000 \SystemRoot\System32\DRIVERS\srv.sys
0xEDFC6000 \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
0xEDA83000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xED9A6000 \SystemRoot\system32\drivers\wdmaud.sys
0xEDBD7000 \SystemRoot\system32\drivers\sysaudio.sys
0xF8AD8000 \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys
0xED6BF000 \SystemRoot\System32\Drivers\HTTP.sys
0xF8D4A000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xED407000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
0xED150000 \SystemRoot\System32\Drivers\FarDrive.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 235):
0 System Idle Process
4 System
552 C:\WINDOWS\system32\smss.exe
616 csrss.exe
640 C:\WINDOWS\system32\winlogon.exe
684 C:\WINDOWS\system32\services.exe
696 C:\WINDOWS\system32\lsass.exe
852 C:\WINDOWS\system32\svchost.exe
928 svchost.exe
1032 C:\WINDOWS\system32\svchost.exe
1104 svchost.exe
1224 svchost.exe
1252 C:\Program Files\AVG\AVG9\avgchsvx.exe
1260 C:\Program Files\AVG\AVG9\avgrsx.exe
1416 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1488 C:\WINDOWS\system32\spoolsv.exe
260 svchost.exe
308 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
320 C:\Program Files\AVG\AVG9\avgwdsvc.exe
416 C:\WINDOWS\system32\CTSVCCDA.EXE
572 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
620 C:\Program Files\Java\jre6\bin\jqs.exe
812 C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
744 C:\Program Files\Nero\Update\NASvc.exe
1188 C:\WINDOWS\system32\svchost.exe
1324 C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
872 C:\Program Files\AVG\AVG9\avgnsx.exe
2084 alg.exe
188 C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
1316 C:\WINDOWS\explorer.exe
2752 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2648 C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
2772 C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
2848 C:\PROGRA~1\AVG\AVG9\avgtray.exe
2888 C:\WINDOWS\system32\igfxtray.exe
3056 C:\WINDOWS\system32\hkcmd.exe
2036 C:\Program Files\QuickTime\QTTask.exe
3500 C:\Program Files\iTunes\iTunesHelper.exe
3660 C:\WINDOWS\system32\svchost.exe
3776 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
2220 C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe
2304 C:\Program Files\Southwest Airlines\Ding\Ding.exe
3832 C:\WINDOWS\system32\ctfmon.exe
484 C:\Program Files\iPod\bin\iPodService.exe
3892 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3804 C:\Program Files\Google\Chrome\Application\chrome.exe
3912 C:\Program Files\Google\Chrome\Application\chrome.exe
3172 C:\Program Files\Google\Chrome\Application\chrome.exe
740 C:\Program Files\Google\Chrome\Application\chrome.exe
3616 C:\Program Files\Google\Chrome\Application\chrome.exe
2536 C:\Program Files\Google\Chrome\Application\chrome.exe
4068 C:\Documents and Settings\Owner\My Documents\Downloads\MBRCheck.exe
1840 C:\Program Files\Real\realplayer\realplay.exe
2964 C:\Program Files\Real\realplayer\realplay.exe
3904 C:\Program Files\Real\realplayer\realplay.exe
3320 C:\Program Files\Real\realplayer\realplay.exe
3276 C:\Program Files\Real\realplayer\realplay.exe
4076 C:\Program Files\Real\realplayer\realplay.exe
2004 C:\Program Files\Real\realplayer\realplay.exe
2160 C:\Program Files\Real\realplayer\realplay.exe
3364 C:\Program Files\Real\realplayer\realplay.exe
3576 C:\Program Files\Real\realplayer\realplay.exe
2996 C:\Program Files\Real\realplayer\realplay.exe
2092 C:\Program Files\Real\realplayer\realplay.exe
996 C:\Program Files\Real\realplayer\realplay.exe
2280 C:\Program Files\Real\realplayer\realplay.exe
3564 C:\Program Files\Real\realplayer\realplay.exe
2352 C:\Program Files\Real\realplayer\realplay.exe
2684 C:\Program Files\Real\realplayer\realplay.exe
2328 C:\Program Files\Real\realplayer\realplay.exe
108 C:\Program Files\Real\realplayer\realplay.exe
1460 C:\Program Files\Real\realplayer\realplay.exe
1860 C:\Program Files\Real\realplayer\realplay.exe
3644 C:\Program Files\Real\realplayer\realplay.exe
3432 C:\Program Files\Real\realplayer\realplay.exe
1784 C:\Program Files\Real\realplayer\realplay.exe
3656 C:\Program Files\Real\realplayer\realplay.exe
3816 C:\Program Files\Real\realplayer\realplay.exe
3700 <unknown>
3608 C:\Program Files\Real\realplayer\realplay.exe
3968 C:\Program Files\Real\realplayer\realplay.exe
1556 C:\Program Files\Real\realplayer\realplay.exe
1380 C:\Program Files\Real\realplayer\realplay.exe
2676 C:\Program Files\Real\realplayer\realplay.exe
3908 <unknown>
436 <unknown>
3652 C:\Program Files\Real\realplayer\realplay.exe
4044 C:\Program Files\Real\realplayer\realplay.exe
1120 C:\Program Files\Real\realplayer\realplay.exe
3984 C:\Program Files\Real\realplayer\realplay.exe
1272 C:\Program Files\Real\realplayer\realplay.exe
2844 C:\Program Files\Real\realplayer\realplay.exe
2628 C:\Program Files\Real\realplayer\realplay.exe
3296 C:\Program Files\Real\realplayer\realplay.exe
2080 C:\Program Files\Real\realplayer\realplay.exe
2972 C:\Program Files\Real\realplayer\realplay.exe
2724 C:\Program Files\Real\realplayer\realplay.exe
2532 C:\Program Files\Real\realplayer\realplay.exe
2584 C:\Program Files\Real\realplayer\realplay.exe
3464 C:\Program Files\Real\realplayer\realplay.exe
380 <unknown>
748 C:\Program Files\Real\realplayer\realplay.exe
3504 C:\Program Files\Real\realplayer\realplay.exe
3232 <unknown>
3288 <unknown>
2616 C:\Program Files\Real\realplayer\realplay.exe
3280 <unknown>
2852 <unknown>
3524 <unknown>
3496 <unknown>
2748 <unknown>
2360 <unknown>
3808 <unknown>
2908 <unknown>
1296 <unknown>
2412 <unknown>
3212 <unknown>
1352 <unknown>
1392 <unknown>
2200 <unknown>
3304 <unknown>
2620 <unknown>
2808 <unknown>
3640 <unknown>
2720 <unknown>
2420 <unknown>
1916 <unknown>
1456 <unknown>
3592 <unknown>
3688 <unknown>
3516 <unknown>
988 <unknown>
1828 <unknown>
1508 <unknown>
3152 <unknown>
2788 <unknown>
3580 <unknown>
2324 <unknown>
1932 <unknown>
3484 <unknown>
2520 <unknown>
3572 <unknown>
2348 <unknown>
3040 <unknown>
452 <unknown>
2356 <unknown>
3544 <unknown>
196 <unknown>
3676 <unknown>
2668 <unknown>
532 <unknown>
216 <unknown>
3376 <unknown>
3760 <unknown>
3924 <unknown>
576 <unknown>
3352 <unknown>
1288 <unknown>
2416 <unknown>
3340 <unknown>
976 <unknown>
1984 <unknown>
1804 <unknown>
4088 <unknown>
3940 <unknown>
3028 <unknown>
1856 <unknown>
1968 <unknown>
3252 <unknown>
3144 <unknown>
3272 <unknown>
2760 <unknown>
2624 <unknown>
1156 <unknown>
3384 <unknown>
2376 <unknown>
1964 <unknown>
3416 <unknown>
3248 <unknown>
1536 <unknown>
3256 <unknown>
2156 <unknown>
2976 <unknown>
3756 <unknown>
404 <unknown>
2028 <unknown>
2292 <unknown>
1836 <unknown>
2816 <unknown>
3024 <unknown>
2576 <unknown>
1144 <unknown>
2924 <unknown>
3692 <unknown>
664 <unknown>
1756 <unknown>
3860 <unknown>
3944 <unknown>
1096 <unknown>
2016 <unknown>
3600 <unknown>
2944 <unknown>
176 <unknown>
4104 <unknown>
4120 <unknown>
4128 <unknown>
4136 <unknown>
4144 <unknown>
4152 <unknown>
4160 <unknown>
4168 <unknown>
4176 <unknown>
4184 <unknown>
4192 <unknown>
4200 <unknown>
4208 <unknown>
4216 <unknown>
4228 <unknown>
4236 <unknown>
4244 <unknown>
4252 <unknown>
4260 <unknown>
4268 <unknown>
4276 <unknown>
4284 <unknown>
4292 <unknown>
4300 <unknown>
4308 <unknown>
4316 <unknown>
4324 <unknown>
4336 <unknown>
4344 <unknown>
4352 <unknown>
4360 <unknown>
4368 <unknown>

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: Maxtor6Y120P0, Rev: YAR41BW0

Size Device Name MBR Status
--------------------------------------------
114 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 07 October 2010 - 02:33 PM

Good evening.

I'd like one last scan, just to double check that all is well, and then we'll tidy up and you're done.

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.

#7 smidget8403

smidget8403
  • Topic Starter

  • Members
  • 13 posts

Posted 08 October 2010 - 08:07 AM

Hello, please see the logs below. The PC seems to be acting OK now. The Firefox search redirects appear to be gone, and that was the only real symptom I noticed, aside from the AVG pop-ups, which are also gone.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/8/2010 5:53:44 AM
mbam-log-2010-10-08 (05-53-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 335058
Time elapsed: 2 hour(s), 38 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsv (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 6:06:54.98 on Fri 10/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.178 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Desktop\Clean Up Tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mSearch Bar =
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [dwStart] c:\program files\pcsecurityshield\the shield firewall\FireWall.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send Image to Photo Library - file://c:\program files\mgi\mgi photosuite iii se\temp\MGI00000.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: FarLsp.dll
Trusted Zone: intuit.com\ttlc
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2CA2C9B8-E4F6-4BE9-8601-52ED0AFBA79D} - hxxp://asp.mathxl.com/books/_Players/AccountingPlayer.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - hxxp://download.microsoft.com/download/PowerPoint2002/Install/10.0.2609/WIN98MeXP/EN-US/msorun.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\4dh50322.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-26 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-26 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-26 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-4-17 47640]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [2004-5-19 142169]
S2 gupdate1c98b218951a742;Google Update Service (gupdate1c98b218951a742);c:\program files\google\update\GoogleUpdate.exe [2009-2-9 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider; [x]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-4-26 430152]
S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [2002-7-1 95232]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [2004-4-18 44003]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2010-4-9 18560]
S3 iscFlash;iscFlash; [x]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-10-06 01:20:42 98816 ----a-w- c:\windows\sed.exe
2010-10-06 01:20:42 77312 ----a-w- c:\windows\MBR.exe
2010-10-06 01:20:42 256512 ----a-w- c:\windows\PEV.exe
2010-10-06 01:20:42 161792 ----a-w- c:\windows\SWREG.exe
2010-10-02 21:00:38 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-02 21:00:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-10-02 21:00:12 0 d-----w- c:\program files\Hitman Pro 3.5
2010-09-25 18:06:31 0 d-----w- c:\program files\iPod
2010-09-25 18:06:06 0 d-----w- c:\program files\iTunes
2010-09-25 18:06:06 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-25 17:44:17 0 d-----w- c:\program files\Bonjour
2010-09-09 20:25:01 0 d-----w- c:\docume~1\owner\applic~1\Inbox Toolbar
2010-09-09 20:24:57 0 d-----w- c:\program files\Inbox Toolbar

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-28 01:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 01:44:10 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-28 01:44:10 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-28 01:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-15 15:59:28 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2004-05-13 18:14:25 477888 ----a-w- c:\program files\GoogleToolbarInstaller.exe

============= FINISH: 6:08:20.53 ===============


#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 09 October 2010 - 01:18 PM

Good evening.

We'll start with what look to me like some leftovers from a previous infection.

Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

REGNULL::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{14C53E87-1B45-BBEA-F3D9-0FD445E6C02B}\InProcServer32*]


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do its thing.
Let me have the log produced, as before.

So long, and thanks for all the fish.

#9 smidget8403

  • Topic Starter
  • Members
  • 13 posts

Posted 13 October 2010 - 08:56 PM

I apologize for the delay. I was out of town over the weekend. The log is below.

ComboFix 10-10-05.01 - Owner 10/09/2010 16:25:10.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.145 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-09-09 to 2010-10-09 )))))))))))))))))))))))))))))))
.

2010-10-04 15:23 . 2010-10-04 15:23 4100960 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-10-04 15:23 . 2010-10-04 15:23 2065760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-10-04 15:23 . 2010-10-04 15:23 4394336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-10-02 21:00 . 2010-10-06 02:06 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-02 21:00 . 2010-10-02 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-10-02 21:00 . 2010-10-02 21:00 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-10-01 00:28 . 2010-10-01 00:28 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-30 03:02 . 2010-09-30 03:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-09-25 18:06 . 2010-09-25 18:06 -------- d-----w- c:\program files\iPod
2010-09-25 18:06 . 2010-09-25 18:08 -------- d-----w- c:\program files\iTunes
2010-09-25 18:06 . 2010-09-25 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-25 17:46 . 2010-09-25 17:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2010-09-25 17:46 . 2010-09-25 17:46 -------- d-----w- c:\program files\Apple Software Update
2010-09-25 17:44 . 2010-09-25 17:44 -------- d-----w- c:\program files\Bonjour
2010-09-25 17:43 . 2010-09-25 18:06 -------- d-----w- c:\program files\Common Files\Apple
2010-09-25 17:43 . 2010-09-25 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-09-23 15:05 . 2010-09-23 15:05 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 15:05 . 2010-09-23 15:05 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 15:05 . 2010-09-23 15:05 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 15:05 . 2010-09-23 15:05 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 15:05 . 2010-09-23 15:05 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 15:05 . 2010-09-23 15:05 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 15:05 . 2010-09-23 15:05 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 15:02 . 2010-09-23 15:02 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-08 04:38 . 2009-07-21 01:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-04 23:17 . 2010-05-01 23:11 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
2010-10-04 02:11 . 2006-09-30 18:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-10-02 20:35 . 2004-03-08 02:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-02 20:29 . 2010-04-25 23:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-02 20:28 . 2010-08-09 21:41 5272616 ----a-w- c:\documents and settings\Owner\Application Data\Uniblue\RegistryBooster\_temp\ub.exe
2010-10-02 18:50 . 2008-09-25 00:07 -------- d-----w- c:\program files\Microsoft Silverlight
2010-10-01 00:28 . 2010-04-25 23:13 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-25 17:58 . 2004-05-19 22:14 -------- d-----w- c:\program files\QuickTime
2010-09-25 16:22 . 2007-01-13 20:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-15 10:12 . 2009-10-20 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-09 20:25 . 2010-09-09 20:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Inbox Toolbar
2010-09-09 20:25 . 2010-09-09 20:24 -------- d-----w- c:\program files\Inbox Toolbar
2010-09-04 22:22 . 2010-09-04 22:22 -------- d-----w- c:\program files\Virtools
2010-09-01 16:12 . 2010-09-01 16:12 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-08-31 19:11 . 2010-08-31 19:11 3401880 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-08-31 18:55 . 2010-08-31 18:55 275096 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-08-31 18:39 . 2010-08-31 18:39 3734536 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\Google Talk Plugin Extras\d3dx9_36.dll
2010-08-29 02:45 . 2010-08-29 02:16 -------- d-----w- c:\program files\Shockwave.com
2010-08-25 18:06 . 2005-12-25 20:41 -------- d-----w- c:\program files\Audible
2010-08-21 22:39 . 2010-08-21 22:39 227520 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-17 23:13 . 2006-05-07 23:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-17 13:17 . 2001-08-30 10:30 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 18:09 . 2010-08-16 18:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Nero
2010-08-15 22:10 . 2010-08-15 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-08-15 22:10 . 2010-08-15 22:08 -------- d-----w- c:\program files\Nero
2010-08-15 22:08 . 2010-08-15 22:08 -------- d-----w- c:\program files\Common Files\Nero
2010-08-15 20:52 . 2004-03-08 01:48 89639 ----a-w- c:\windows\pchealth\HELPCTR\OfflineCache\index.dat
2010-08-13 02:46 . 2008-12-21 04:22 -------- d-----w- c:\program files\Common Files\Logitech
2010-08-12 18:02 . 2010-04-18 19:18 -------- d-----w- c:\program files\Cobian Backup 10
2010-08-06 13:45 . 2010-08-06 13:45 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5a3e59d8-n\msvcp71.dll
2010-08-06 13:45 . 2010-08-06 13:45 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-11204101-n\decora-d3d.dll
2010-08-06 13:45 . 2010-08-06 13:45 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-11204101-n\decora-sse.dll
2010-08-06 13:45 . 2010-08-06 13:45 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5a3e59d8-n\jmc.dll
2010-08-06 13:45 . 2010-08-06 13:45 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5a3e59d8-n\msvcr71.dll
2010-07-29 17:12 . 2010-04-14 20:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-28 01:44 . 2010-07-28 01:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 01:44 . 2010-07-28 01:44 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-28 01:44 . 2010-07-28 01:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-28 01:44 . 2010-07-28 01:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-22 15:49 . 2004-07-21 17:03 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 03:46 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-15 15:59 . 2010-04-26 23:20 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 15:59 . 2010-07-15 15:59 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 15:56 . 2010-04-26 23:19 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2004-05-13 18:14 . 2004-05-13 18:14 477888 ----a-w- c:\program files\GoogleToolbarInstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 17:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-26 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-02 2424560]
"RegistryBooster"="c:\program files\Uniblue\RegistryBooster\launcher.exe" [2010-08-30 67448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"dwStart"="c:\program files\PCSecurityShield\The Shield Firewall\FireWall.exe" [2004-08-05 405504]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-12 202256]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-03-27 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-03-27 106496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-10-02 6305088]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 15:59 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-10 06:44 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=c:\windows\pss\Event Reminder.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
backup=c:\windows\pss\Install Pending Files.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2009-04-17 21:33 54576 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryBooster]
2010-08-30 15:25 67448 ----a-w- c:\program files\Uniblue\RegistryBooster\Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:Berezovsky

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/26/2010 4:19 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/26/2010 4:20 PM 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 8:59 AM 308136]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080]
R3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [5/19/2004 11:53 PM 142169]
S2 gupdate1c98b218951a742;Google Update Service (gupdate1c98b218951a742);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2009 6:46 PM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider; [x]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [4/26/2010 4:19 PM 430152]
S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [7/1/2002 6:30 PM 95232]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [4/18/2004 4:40 PM 44003]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [4/9/2010 5:22 PM 18560]
S3 iscFlash;iscFlash; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 01:46]

2010-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 01:46]

2010-10-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1275210071-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 03:05]

2010-10-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1275210071-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 03:05]

2010-10-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1275210071-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1275210071-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1275210071-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1275210071-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-09 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2010-10-02 15:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar =
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>;*.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send Image to Photo Library - file://c:\program files\MGI\MGI PhotoSuite III SE\Temp\MGI00000.html
LSP: FarLsp.dll
Trusted Zone: intuit.com\ttlc
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2CA2C9B8-E4F6-4BE9-8601-52ED0AFBA79D} - hxxp://asp.mathxl.com/books/_Players/AccountingPlayer.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\4dh50322.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{14C53E87-1B45-BBEA-F3D9-0FD445E6C02B}\InProcServer32*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\FarLsp.dll
.
Completion time: 2010-10-09 16:51:52
ComboFix-quarantined-files.txt 2010-10-09 23:51
ComboFix2.txt 2010-10-06 02:10

Pre-Run: 66,239,397,888 bytes free
Post-Run: 66,214,096,896 bytes free

- - End Of File - - F454288ED9A45E60E9120842A342DF32

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 14 October 2010 - 03:13 PM

Good evening.

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***
  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older versions of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and I've missed it, please ignore this.
If you are relying on the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three:

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.
It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.


#11 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 19 October 2010 - 03:42 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
