
Google redirect virus


  • This topic is locked
6 replies to this topic

#1 sparkstergal

sparkstergal

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:36 PM

Posted 22 February 2011 - 03:29 PM

I've been trying to clean up my father's netbook, but I cannot get rid of this virus. With both Google and Yahoo search, in IE and Firefox, the same thing happens (click on a link, redirects through spam sites, end up on some junk website). I've run AVG 2011 + Malwarebytes with no success.

I followed the prep guide, and ran DDS & GMER. Any help is greatly appreciated. :)



DDS (Ver_10-12-12.02) - NTFSx86
Run by Eugene Wang at 14:54:59.67 on Wed 02/23/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.375 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\DOCUME~1\EUGENE~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Eugene Wang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0309&m=aoa150
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Google Pinyin 2 Autoupdater] "c:\program files\google\google pinyin 2\GooglePinyinDaemon.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eugene~1\applic~1\mozilla\firefox\profiles\bqi83yya.default\
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-2-22 517448]

=============== Created Last 30 ================

2011-02-23 19:29:38 -------- d-----w- c:\docume~1\eugene~1\locals~1\applic~1\Mozilla
2011-02-23 18:56:29 -------- dc-h--w- c:\windows\ie8
2011-02-23 06:26:42 -------- d-----w- c:\docume~1\eugene~1\applic~1\Malwarebytes
2011-02-23 06:26:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-23 06:26:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-23 06:26:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-23 06:26:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-23 05:23:58 -------- d--h--w- C:\$AVG
2011-02-23 04:38:11 -------- d-----w- c:\program files\WOT
2011-02-23 04:31:01 -------- d-----w- c:\docume~1\eugene~1\applic~1\AVG
2011-02-23 04:13:48 -------- d-----w- c:\docume~1\eugene~1\applic~1\AVG10
2011-02-23 04:12:09 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-02-23 04:11:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2011-02-23 04:09:55 -------- d-----w- c:\windows\system32\drivers\AVG
2011-02-23 04:09:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-02-23 04:08:54 -------- d-----w- c:\program files\AVG
2011-02-23 04:07:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-02-23 04:06:03 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-02-23 03:01:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-23 02:37:46 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-02-23 02:37:46 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-02-23 02:37:34 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-02-23 02:37:34 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-02-23 02:37:30 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-02-23 02:37:30 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-02-23 02:37:19 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-02-23 02:37:19 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-02-23 02:37:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-02-23 02:37:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-02-23 02:34:19 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-23 02:34:19 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-23 02:32:17 -------- d-----w- c:\program files\InterVideo
2011-02-23 02:32:17 -------- d-----w- c:\program files\common files\InterVideo

==================== Find3M ====================

2011-02-23 05:52:01 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-02-23 05:52:00 712704 ----a-w- c:\windows\system32\windowscodecs.dll
2011-02-23 05:50:57 83554304 ----a-w- c:\windows\system32\acer.scr
2011-02-23 05:50:57 278528 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2011-02-23 05:50:43 94208 ----a-w- c:\windows\PLFSetL.exe
2011-02-23 05:49:35 57344 ----a-w- c:\windows\ALCMTR.EXE
2011-02-23 05:49:34 524288 ----a-w- c:\windows\Alaunch.exe
2011-02-23 02:24:56 0 ----a-w- c:\windows\Gtovev.bin

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK1652GSX rev.LV020J -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1652GSX_______________________LV020J__#5&1f6eb729&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8632939B
user & kernel MBR OK

============= FINISH: 15:02:37.14 ===============
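An added example (my own code, not part of this thread, DDS or GMER): a Python triage script that splits a DDS log into its ===== sections, flags any running process whose image sits under a Temp folder as something to verify by hand, and pulls the "detected hooks" and MBR-status lines out of the ROOTKIT section, treating a disk-driver hook as outranking an "MBR OK" read taken through that same driver stack, which is the pattern in this thread (GMER reports the MBR OK alongside an atapi DriverStartIo hook, and ComboFix then finds TDL4 in post #3). The sample log is a shortened construction modelled on post #1, every name in the script (Finding, triage, SAMPLE_LOG) is mine, and the Temp-path flag is a heuristic, not a verdict the thread makes about that file.

```python
"""Triage helper for DDS / GMER logs (added example, not a DDS or GMER tool)."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the DDS log in post #1 (most lines dropped).
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\DOCUME~1\EUGENE~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x8632939B
user & kernel MBR OK

============= FINISH: 15:02:37.14 ===============
"""

# "===== Section name =====" header lines used by DDS.
SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+\s*$")
# GMER hook line, e.g. "\Driver\atapi DriverStartIo -> 0x8632939B".
HOOK_RE = re.compile(r"^(?P<object>\\\S+)\s+(?P<routine>\w+)\s+->\s+(?P<addr>0x[0-9A-Fa-f]+)$")
# Image path under a Temp/Tmp directory (either slash style, any case).
TEMP_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)


@dataclass
class Finding:
    category: str   # "process-in-temp", "disk-driver-hook" or "mbr-status"
    detail: str     # the log line or the hook description


def split_sections(text: str) -> dict:
    """Map each DDS section name to its non-empty body lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def suspicious_processes(lines) -> list:
    """Flag image paths under a Temp folder: a service or startup binary living
    there is unusual and worth verifying by hand (it is not proof of infection)."""
    return [Finding("process-in-temp", p) for p in lines if TEMP_RE.search(p)]


def mbr_findings(lines) -> list:
    """Collect the hook lines under 'detected hooks:' plus the final MBR status."""
    findings, in_hooks = [], False
    for line in lines:
        if line.startswith("detected hooks:"):
            in_hooks = True
            continue
        m = HOOK_RE.match(line)
        if in_hooks and m:
            findings.append(Finding("disk-driver-hook",
                                    f"{m['object']} {m['routine']} -> {m['addr']}"))
            continue
        in_hooks = False
        if "MBR OK" in line:
            findings.append(Finding("mbr-status", line))
    return findings


def triage(text: str) -> dict:
    """Run both checks and derive a verdict for the MBR.

    GMER's "user & kernel MBR OK" compares two reads that both pass through the
    disk driver stack; a DriverStartIo hook on the disk driver can serve a clean
    copy to both, so a reported hook outranks the OK line and the MBR should be
    read offline (from boot media) before it is trusted."""
    sections = split_sections(text)
    findings = suspicious_processes(sections.get("Running Processes", []))
    findings += mbr_findings(sections.get("ROOTKIT", []))
    hooked = any(f.category == "disk-driver-hook" for f in findings)
    verdict = "mbr-hook-present: verify MBR offline" if hooked else "no disk-driver hook reported"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f.category:18} {f.detail}")
    print("verdict:", result["verdict"])
```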


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:36 PM

Posted 22 February 2011 - 05:03 PM

Good evening. :)

The tool that you will be using has had various parts incorrectly identified by AVG as malicious and as such you will need to temporarily uninstall AVG before you follow the instructions below. I suggest you download ComboFix, disconnect from the internet, uninstall AVG, reboot, run CF, and then reinstall AVG once CF has completed.
If you didn't save the installation file for AVG when you installed it, I suggest you download one before you continue - linky.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.


#3 sparkstergal

sparkstergal
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:36 PM

Posted 22 February 2011 - 07:40 PM

Yay! It seems like the computer is working properly now, no more redirects. Here is the ComboFix log, let me know if anything more needs to be done. Thank you!


ComboFix 11-02-22.01 - Eugene Wang 02/23/2011 18:46:26.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.763 [GMT -5:00]
Running from: c:\documents and settings\Eugene Wang\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eugene Wang\Local Settings\Application Data\{8452491D-C391-4F2B-9C9D-90E5056599E6}
c:\documents and settings\Eugene Wang\Local Settings\Application Data\{8452491D-C391-4F2B-9C9D-90E5056599E6}\chrome\content\_cfg.js
c:\documents and settings\Eugene Wang\Local Settings\Application Data\{8452491D-C391-4F2B-9C9D-90E5056599E6}\chrome\content\overlay.xul
c:\documents and settings\Eugene Wang\Local Settings\Application Data\{8452491D-C391-4F2B-9C9D-90E5056599E6}\install.rdf

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-01-23 to 2011-02-23 )))))))))))))))))))))))))))))))
.

2011-02-23 23:36 . 2011-02-23 23:37 -------- d-----w- C:\32788R22FWJFW
2011-02-23 19:29 . 2011-02-23 19:29 -------- d-----w- c:\documents and settings\Eugene Wang\Local Settings\Application Data\Mozilla
2011-02-23 18:56 . 2011-02-23 18:59 -------- dc-h--w- c:\windows\ie8
2011-02-23 06:26 . 2011-02-23 06:26 -------- d-----w- c:\documents and settings\Eugene Wang\Application Data\Malwarebytes
2011-02-23 06:26 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-23 06:26 . 2011-02-23 06:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-23 06:26 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-23 06:26 . 2011-02-23 06:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-23 05:23 . 2011-02-23 05:23 -------- d-----w- C:\$AVG
2011-02-23 04:38 . 2011-02-23 04:38 -------- d-----w- c:\program files\WOT
2011-02-23 04:30 . 2011-02-23 23:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-02-23 04:13 . 2011-02-23 04:13 -------- d-----w- c:\documents and settings\Eugene Wang\Application Data\AVG10
2011-02-23 04:12 . 2011-02-23 04:12 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-02-23 04:09 . 2011-02-23 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-02-23 04:08 . 2011-02-23 23:26 -------- d-----w- c:\program files\AVG
2011-02-23 04:07 . 2011-02-23 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-02-23 04:06 . 2008-04-14 20:00 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-02-23 03:02 . 2011-02-23 03:02 -------- d-----w- c:\program files\Common Files\Java
2011-02-23 03:01 . 2011-02-03 02:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-23 02:37 . 2008-04-14 10:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-02-23 02:37 . 2008-04-14 10:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-02-23 02:37 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-02-23 02:37 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-02-23 02:37 . 2008-04-14 20:00 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-02-23 02:37 . 2008-04-14 20:00 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-02-23 02:37 . 2008-04-14 20:00 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-02-23 02:37 . 2008-04-14 20:00 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-02-23 02:37 . 2008-04-14 20:00 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-02-23 02:37 . 2008-04-14 20:00 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-02-23 02:34 . 2011-02-23 02:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-23 02:32 . 2011-02-23 02:32 -------- d-----w- c:\program files\InterVideo
2011-02-23 02:32 . 2011-02-23 02:32 -------- d-----w- c:\program files\Common Files\InterVideo
2011-02-06 04:17 . 2011-02-23 02:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-23 05:52 . 2009-08-13 03:33 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-02-23 05:52 . 2008-07-11 08:55 712704 ----a-w- c:\windows\system32\windowscodecs.dll
2011-02-23 05:51 . 2008-04-14 20:00 28672 ----a-w- c:\windows\system32\verclsid.exe
2011-02-23 05:51 . 2006-11-07 16:17 286720 ----a-w- c:\windows\system32\vsnp2uvc.dll
2011-02-23 05:51 . 2009-03-22 18:44 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe
2011-02-23 05:51 . 2008-04-14 20:00 8192 ----a-w- c:\windows\system32\tssoft32.acm
2011-02-23 05:51 . 2008-04-25 17:07 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2011-02-23 05:51 . 2008-04-25 16:19 200704 ----a-w- c:\windows\system32\SynCtrl.dll
2011-02-23 05:51 . 2008-04-14 20:00 90112 ----a-w- c:\windows\system32\sqlsrv32.rll
2011-02-23 05:51 . 2008-04-14 20:00 442368 ----a-w- c:\windows\system32\sqlsrv32.dll
2011-02-23 05:51 . 2008-04-14 20:00 86016 ----a-w- c:\windows\system32\sl_anet.acm
2011-02-23 05:51 . 2008-03-13 21:52 266240 ----a-w- c:\windows\system32\RTSndMgr.CPL
2011-02-23 05:51 . 2007-04-02 19:40 172032 ----a-w- c:\windows\system32\rsnp2uvc.dll
2011-02-23 05:51 . 2008-04-14 20:00 1355776 ----a-w- c:\windows\system32\msvbvm50.dll
2011-02-23 05:51 . 2008-04-14 20:00 294912 ----a-w- c:\windows\system32\msh263.drv
2011-02-23 05:51 . 2008-04-14 20:00 188416 ----a-w- c:\windows\system32\msh261.drv
2011-02-23 05:51 . 2008-04-14 20:00 118784 ----a-w- c:\windows\system32\msg723.acm
2011-02-23 05:51 . 2008-04-14 20:00 65536 ----a-w- c:\windows\system32\jgsh400.dll
2011-02-23 05:51 . 2009-04-21 17:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-23 05:51 . 2002-11-22 10:57 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll
2011-02-23 05:51 . 2002-11-22 10:57 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll
2011-02-23 05:51 . 2002-11-22 10:57 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll
2011-02-23 05:51 . 2002-11-22 10:57 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll
2011-02-23 05:51 . 2002-11-22 10:57 188416 ----a-w- c:\windows\system32\IVIresizePX.dll
2011-02-23 05:51 . 2002-11-22 10:57 20480 ----a-w- c:\windows\system32\IVIresize.dll
2011-02-23 05:51 . 2008-04-14 20:00 16384 ----a-w- c:\windows\system32\imaadp32.acm
2011-02-23 05:51 . 2008-02-15 20:01 294912 ----a-w- c:\windows\system32\igldev32.dll
2011-02-23 05:51 . 2008-02-15 20:00 2334720 ----a-w- c:\windows\system32\iglicd32.dll
2011-02-23 05:51 . 2008-02-15 19:49 180224 ----a-w- c:\windows\system32\igfxrrus.lrc
2011-02-23 05:51 . 2008-02-15 19:49 176128 ----a-w- c:\windows\system32\igfxrsky.lrc
2011-02-23 05:51 . 2008-02-15 19:49 172032 ----a-w- c:\windows\system32\igfxrtrk.lrc
2011-02-23 05:51 . 2008-02-15 19:49 172032 ----a-w- c:\windows\system32\igfxrsve.lrc
2011-02-23 05:51 . 2008-02-15 19:49 172032 ----a-w- c:\windows\system32\igfxrslv.lrc
2011-02-23 05:51 . 2008-02-15 19:49 163840 ----a-w- c:\windows\system32\igfxrtha.lrc
2011-02-23 05:51 . 2008-02-15 19:49 188416 ----a-w- c:\windows\system32\igfxrnld.lrc
2011-02-23 05:51 . 2008-02-15 19:49 180224 ----a-w- c:\windows\system32\igfxrptg.lrc
2011-02-23 05:51 . 2008-02-15 19:49 180224 ----a-w- c:\windows\system32\igfxrptb.lrc
2011-02-23 05:51 . 2008-02-15 19:49 180224 ----a-w- c:\windows\system32\igfxrplk.lrc
2011-02-23 05:51 . 2008-02-15 19:49 176128 ----a-w- c:\windows\system32\igfxrnor.lrc
2011-02-23 05:51 . 2008-02-15 19:49 126976 ----a-w- c:\windows\system32\igfxrkor.lrc
2011-02-23 05:51 . 2008-02-15 19:49 188416 ----a-w- c:\windows\system32\igfxrita.lrc
2011-02-23 05:51 . 2008-02-15 19:49 180224 ----a-w- c:\windows\system32\igfxrhun.lrc
2011-02-23 05:51 . 2008-02-15 19:49 131072 ----a-w- c:\windows\system32\igfxrjpn.lrc
2011-02-23 05:51 . 2008-02-15 19:49 184320 ----a-w- c:\windows\system32\igfxrfra.lrc
2011-02-23 05:51 . 2008-02-15 19:49 176128 ----a-w- c:\windows\system32\igfxrfin.lrc
2011-02-23 05:51 . 2008-02-15 19:49 155648 ----a-w- c:\windows\system32\igfxrheb.lrc
2011-02-23 05:51 . 2008-02-15 19:45 3293184 ----a-w- c:\windows\system32\igfxress.dll
2011-02-23 05:51 . 2008-02-15 20:21 147456 ----a-w- c:\windows\system32\igfxCoIn_v4926.dll
2011-02-23 05:51 . 2008-02-15 19:49 192512 ----a-w- c:\windows\system32\igfxrell.lrc
2011-02-23 05:51 . 2008-02-15 19:49 188416 ----a-w- c:\windows\system32\igfxresp.lrc
2011-02-23 05:51 . 2008-02-15 19:49 192512 ----a-w- c:\windows\system32\igfxrdeu.lrc
2011-02-23 05:51 . 2008-02-15 19:49 176128 ----a-w- c:\windows\system32\igfxrcsy.lrc
2011-02-23 05:51 . 2008-02-15 19:49 172032 ----a-w- c:\windows\system32\igfxrdan.lrc
2011-02-23 05:51 . 2008-02-15 19:49 159744 ----a-w- c:\windows\system32\igfxrara.lrc
2011-02-23 05:51 . 2008-02-15 19:49 110592 ----a-w- c:\windows\system32\igfxrcht.lrc
2011-02-23 05:51 . 2008-02-15 19:49 110592 ----a-w- c:\windows\system32\igfxrchs.lrc
2011-02-23 05:51 . 2008-02-15 19:46 122880 ----a-w- c:\windows\system32\igfxcpl.cpl
2011-02-23 05:51 . 2008-02-15 19:46 204800 ----a-w- c:\windows\system32\igfxpph.dll
2011-02-23 05:51 . 2008-02-15 19:46 135168 ----a-w- c:\windows\system32\igfxdo.dll
2011-02-23 05:51 . 2008-02-15 19:45 172032 ----a-w- c:\windows\system32\igfxrenu.lrc
2011-02-23 05:51 . 2009-01-07 02:00 4968448 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2011-02-23 05:51 . 2008-04-14 20:00 20480 ----a-w- c:\windows\system32\drivers\secdrv.sys
2011-02-23 05:51 . 2008-04-14 20:00 28672 ----a-w- c:\windows\system32\dbnmpntw.dll
2011-02-23 05:51 . 2008-04-14 20:00 24576 ----a-w- c:\windows\system32\dbmsrpcn.dll
2011-02-23 05:51 . 2008-03-27 03:23 53248 ----a-w- c:\windows\system32\CSVer.dll
2011-02-23 05:51 . 2005-11-23 14:55 53248 ----a-w- c:\windows\system32\csnp2uvc.dll
2011-02-23 05:51 . 2009-03-22 18:44 258048 ----a-w- c:\windows\system32\CheckD2DSystem.exe
2011-02-23 05:51 . 2009-03-22 18:44 16384 ----a-w- c:\windows\system32\ClearEvent.exe
2011-02-23 05:51 . 2009-03-22 18:44 159744 ----a-w- c:\windows\system32\CloseProcessWindow.dll
2011-02-23 05:51 . 2008-04-14 20:00 77824 ----a-w- c:\windows\system32\cliconfg.dll
2011-02-23 05:51 . 2008-04-14 20:00 24576 ----a-w- c:\windows\system32\cliconfg.rll
2011-02-23 05:51 . 2008-04-14 20:00 20480 ----a-w- c:\windows\system32\cliconfg.exe
2011-02-23 05:50 . 2008-06-19 23:24 278528 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2011-02-23 05:50 . 2007-04-19 21:41 83554304 ----a-w- c:\windows\system32\acer.scr
2011-02-23 05:50 . 2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe
2011-02-23 05:49 . 2008-06-19 23:20 57344 ----a-w- c:\windows\ALCMTR.EXE
2011-02-23 05:49 . 2006-03-16 20:56 524288 ----a-w- c:\windows\Alaunch.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-30 18082304]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2011-02-23 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PLFSetL"="c:\windows\PLFSetL.exe" [2011-02-23 94208]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2011-02-23 425984]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Google Pinyin 2 Autoupdater"="c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe" [2010-06-26 1214520]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ GOOGLEPINYIN2.IME

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

.
Contents of the 'Scheduled Tasks' folder

2011-02-23 c:\windows\Tasks\User_Feed_Synchronization-{86B47C67-8E5D-47C9-91AE-B0C5F898F8CE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Eugene Wang\Application Data\Mozilla\Firefox\Profiles\bqi83yya.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-23 18:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2011-02-23 18:54:28
ComboFix-quarantined-files.txt 2011-02-23 23:54

Pre-Run: 141,864,353,792 bytes free
Post-Run: 142,136,578,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - BE33C5A99B50D8179C401E30E2EAC9B0

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:36 PM

Posted 23 February 2011 - 03:18 PM

Good evening. :)

A quick second opinion and then a tidy-up and bye-bye it is. Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.


#5 sparkstergal

sparkstergal
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:36 PM

Posted 23 February 2011 - 04:43 PM

As far as I can tell, the computer is working normally - no more redirects, good speed, all programs are working well. Here are the requested scans, Malwarebytes in-text, and the DDS logs attached. :)


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5854

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/24/2011 4:25:45 PM
mbam-log-2011-02-24 (16-25-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 174075
Time elapsed: 52 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS (Ver_10-12-12.02) - NTFSx86
Run by Eugene Wang at 16:29:52.32 on Thu 02/24/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.395 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe
C:\DOCUME~1\EUGENE~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Eugene Wang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SimpleAdblock Class: {ffcb3198-32f3-4e8b-9539-4324694ed664} - c:\program files\common files\simple adblock\SimpleAdblock.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Google Pinyin 2 Autoupdater] "c:\program files\google\google pinyin 2\GooglePinyinDaemon.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1298518058921
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-2-23 517448]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]

=============== Created Last 30 ================

2011-02-24 20:33:06 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-02-24 20:33:06 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-02-24 05:28:18 -------- d--h--w- c:\windows\PIF
2011-02-24 05:23:34 -------- d-----w- c:\windows\pss
2011-02-24 03:22:07 -------- d-----w- c:\windows\system32\winrm
2011-02-24 03:21:58 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-02-24 03:21:07 -------- d-----w- c:\docume~1\eugene~1\applic~1\Windows Desktop Search
2011-02-24 03:20:20 -------- d-----w- c:\windows\system32\GroupPolicy
2011-02-24 03:20:20 -------- d-----w- c:\program files\Windows Desktop Search
2011-02-24 03:18:34 -------- d-----w- c:\program files\Windows Media Connect 2
2011-02-24 03:16:29 -------- d-----w- c:\windows\system32\LogFiles
2011-02-24 02:25:16 -------- d-----w- c:\docume~1\eugene~1\applic~1\Simple Adblock
2011-02-24 02:25:14 -------- d-----w- c:\program files\common files\Simple Adblock
2011-02-24 00:23:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2011-02-24 00:22:01 -------- d-----w- c:\windows\system32\drivers\AVG
2011-02-23 23:40:17 -------- d-sha-r- C:\cmdcons
2011-02-23 23:37:51 98816 ----a-w- c:\windows\sed.exe
2011-02-23 23:37:51 89088 ----a-w- c:\windows\MBR.exe
2011-02-23 23:37:51 256512 ----a-w- c:\windows\PEV.exe
2011-02-23 23:37:51 161792 ----a-w- c:\windows\SWREG.exe
2011-02-23 23:35:57 -------- d-----w- C:\32788R22FWJFW.0.tmp
2011-02-23 19:29:38 -------- d-----w- c:\docume~1\eugene~1\locals~1\applic~1\Mozilla
2011-02-23 18:56:29 -------- dc-h--w- c:\windows\ie8
2011-02-23 06:26:42 -------- d-----w- c:\docume~1\eugene~1\applic~1\Malwarebytes
2011-02-23 06:26:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-23 06:26:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-23 06:26:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-23 06:26:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-23 05:23:58 -------- d-----w- C:\$AVG
2011-02-23 04:38:11 -------- d-----w- c:\program files\WOT
2011-02-23 04:13:48 -------- d-----w- c:\docume~1\eugene~1\applic~1\AVG10
2011-02-23 04:12:09 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-02-23 04:09:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-02-23 04:08:54 -------- d-----w- c:\program files\AVG
2011-02-23 04:07:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-02-23 04:06:03 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-02-23 03:01:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-23 02:37:46 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-02-23 02:37:46 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-02-23 02:37:34 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-02-23 02:37:34 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-02-23 02:37:30 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-02-23 02:37:30 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-02-23 02:37:19 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-02-23 02:37:19 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-02-23 02:37:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-02-23 02:37:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-02-23 02:34:19 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-23 02:34:19 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-23 02:32:17 -------- d-----w- c:\program files\InterVideo
2011-02-23 02:32:17 -------- d-----w- c:\program files\common files\InterVideo

==================== Find3M ====================

2011-02-23 05:52:01 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-02-23 05:52:00 712704 ----a-w- c:\windows\system32\windowscodecs.dll
2011-02-23 05:50:57 83554304 ----a-w- c:\windows\system32\acer.scr
2011-02-23 05:50:57 278528 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2011-02-23 05:50:43 94208 ----a-w- c:\windows\PLFSetL.exe
2011-02-23 05:49:35 57344 ----a-w- c:\windows\ALCMTR.EXE
2011-02-23 05:49:34 524288 ----a-w- c:\windows\Alaunch.exe
2011-02-23 02:24:56 0 ----a-w- c:\windows\Gtovev.bin
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 16:30:43.75 ===============


Edited by Noviciate, 24 February 2011 - 03:50 PM.
Add DDS.
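The helper in this thread read the DDS log by eye and found nothing of note. As an added illustration (not part of the thread, and not DDS's own code), the script below does the first pass a reviewer would make over such a log programmatically: it splits the log into its "=== Title ===" sections, strips command-line arguments from the "Running Processes" lines, and flags two things for manual follow-up: processes whose image lives in a user-writable directory such as a Temp folder, and Run entries that name a bare file (no drive letter, no `%var%`), which Windows resolves through its search path rather than from a fixed location. Both are review items, not verdicts; a hit only says the path deserves a look. The `SAMPLE_DDS` text is a constructed excerpt with the line shapes of the log posted above, and the section titles, regexes and `WRITABLE_MARKERS` list are this example's own assumptions about the DDS format.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines in the shape of the DDS log posted
# above (the real log is far longer; these suffice to exercise the parser).
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\AVG\AVG10\avgtray.exe
C:\DOCUME~1\EUGENE~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Documents and Settings\Eugene Wang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: SimpleAdblock Class: {ffcb3198-32f3-4e8b-9539-4324694ed664} - c:\program files\common files\simple adblock\SimpleAdblock.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

============= SERVICES / DRIVERS ===============
"""

# Assumed DDS line shapes (derived from the log above, not from DDS documentation).
SECTION_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?): \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|scr|com|bat|cmd|pif))(?:\s|$)", re.IGNORECASE)

# Directory fragments an ordinary user can write to (both long and 8.3 forms).
# A program running from one of these is a review item, not a verdict.
WRITABLE_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                    "\\applic~1\\", "\\application data\\")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the '=== Title ===' header preceding them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("title")
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def process_path(line: str) -> str:
    """Drop command-line arguments: 'svchost -k netsvcs' -> 'svchost'."""
    m = EXE_RE.match(line)
    if m:
        return m.group("path")
    return line.split(" -", 1)[0].strip()


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in WRITABLE_MARKERS)


def is_unqualified(cmd: str) -> bool:
    """True when a Run value names a bare file: no drive letter, no %var%,
    no UNC prefix, so it is resolved via the search path at logon."""
    c = cmd.strip()
    return not (re.match(r'^"?[A-Za-z]:\\', c) or c.startswith("%") or c.startswith("\\\\"))


def triage(text: str) -> Dict[str, List]:
    """Return the parsed processes, Run entries and BHOs plus the review items."""
    secs = split_sections(text)
    hjt = secs.get("Pseudo HJT Report", [])
    procs = [process_path(l) for l in secs.get("Running Processes", [])]
    runs = [m.groupdict() for m in map(RUN_RE.match, hjt) if m]
    bhos = [m.groupdict() for m in map(BHO_RE.match, hjt) if m]
    return {
        "processes": procs,
        "processes_in_writable_dirs": [p for p in procs if is_user_writable(p)],
        "run_entries": runs,
        "unqualified_run_entries": [r["name"] for r in runs if is_unqualified(r["cmd"])],
        "bho_clsids": [b["clsid"] for b in bhos],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Run against the sample, the only process flagged is the one under `LOCALS~1\Temp`, and the two Run values flagged are `LaunchApp` and `RTHDCPL`, whose files the reviewer would then locate on disk. The BHO CLSIDs are collected so they can be compared against an allow-list of known toolbars and helpers; that lookup is left to the reader since it needs an external reference.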


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:36 PM

Posted 24 February 2011 - 04:07 PM

Good evening. :)

As all seems to be well your end and I can't see anything of note, you're done.

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***

  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older versions of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and I've missed it, please ignore this.
If you are relying on the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which I've used at one time or another):

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet. It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.

#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:36 PM

Posted 28 February 2011 - 03:13 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.