Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with trojans/ rootkit helper (?)/google redirect


  • This topic is locked This topic is locked
20 replies to this topic

#1 mrssmith

mrssmith

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 20 December 2011 - 02:50 PM

Hi, I am using AVG 2012 and Malwarebytes on WindowsXP... today my google searches started redirecting to 63.209.69.107 and random websites, and I am getting misc. popups from AVG about trojans. Followed the Prep Guide here. any help would be GREATLY appreciated. :) Thanks!
My logs are as follows.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Laura at 13:13:40 on 2011-12-20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.222 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\System32\ping.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.live.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Wishpot Button: {9e40f4a8-6896-4b67-91f5-f6f287ecb5d9} - c:\program files\wishpot\ietb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Wishpot Button: {7daaffd0-5a88-447d-96c6-e6ca06af0758} - c:\program files\wishpot\ietb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: mswsock.dll
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://mt205.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {233918BC-7BC6-49CA-9A26-046A3FD93438} - hxxp://www.petsalon.dns2go.com/WebCamX.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.240.5
TCP: Interfaces\{DCB52FCF-89E0-4121-A3D7-33241C987119} : DhcpNameServer = 192.168.240.5
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-20 50704]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-11-09 14:20:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 11:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 11:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 13:15:06.01 ===============




GMER {this cut off before it could finish but this is what was saved. Do I need to re-run?}
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-20 13:48:18
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD1600AAJS-75M0A0 rev.01.03E01
Running: gmer.exe; Driver: C:\DOCUME~1\Laura\LOCALS~1\Temp\pwlyapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xBA5A8F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xBA5A8FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xBA5A9080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xBA5A911C]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 27D8 80502010 2 Bytes [1C, 91] {SBB AL, 0x91}
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6A06380, 0x300577, 0xE8000020]
? C:\DOCUME~1\Laura\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FD000A
.text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FE000A
.text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F5000C
.text C:\WINDOWS\system32\SearchIndexer.exe[1328] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5397 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5334 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E519A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E51FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E53FA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E525E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\ping.exe[2112] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B4000A
.text C:\WINDOWS\System32\ping.exe[2112] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00B5000A
.text C:\WINDOWS\System32\ping.exe[2112] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009F000A
.text C:\WINDOWS\System32\ping.exe[2112] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A0000A
.text C:\WINDOWS\System32\ping.exe[2112] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009E000C
.text C:\WINDOWS\System32\ping.exe[2112] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00B8000A
.text C:\WINDOWS\System32\ping.exe[2112] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00B9000A
.text C:\WINDOWS\System32\ping.exe[2112] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\ping.exe[2112] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00B7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02D9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 02DD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 02D8000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD10D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25464E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5397 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5334 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E519A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E51FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E53FA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E525E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E56FF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 031A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 031B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0319000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD10D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25464E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5397 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5334 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E519A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E51FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E53FA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E525E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E56FF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\real\realplayer\update\realsched.exe[2912] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 031A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 031B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 02E9000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD10D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25464E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5397 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5334 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E519A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E51FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E53FA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E525E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E56FF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat B7A37D20

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F3971000-F398B000 (106496 bytes)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6VKXGBCJ\bestofyoutube[1].jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6VKXGBCJ\284781[1].png 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6VKXGBCJ\p_21478_128_72[1].jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6VKXGBCJ\recette_encodesc22r01512K_[1].jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6VKXGBCJ\diet-supplement-rules-thumb[1].jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AVFTSJJB\small[2].jpg 5908 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AVFTSJJB\small[4].jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AVFTSJJB\91b326b5230a5c6d88fe7c0ddb0d26fc[1].gif 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AVFTSJJB\AdaptvAdserverVastVideoVPR[1].swf 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AVFTSJJB\crackle_com[1].txt 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AVFTSJJB\4dcd9a26e8704_p[1].js 1797 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AVFTSJJB\beacon[1].js 1230 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KHWFKXOZ\beacon.js[1].htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KHWFKXOZ\movie_player[1].php 21601 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KHWFKXOZ\pattern[1].gif 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\PRK7YZCJ\ar_728_90[1].htm 801 bytes

Attached Files



BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:45 PM

Posted 26 December 2011 - 11:23 AM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 mrssmith

mrssmith
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 27 December 2011 - 10:26 AM

Thanks. I ran combofix and have the log on the infected computer, however...it will no longer connect to the internet. It sees the connection but will not connect.

Not sure where to go from here or how to get you the log. If its safe for me to put the log on a CD or flash drive and open it on a clean computer let me know and I will.

Thank you.

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:45 PM

Posted 27 December 2011 - 10:38 AM

Hi

Yes, transfer the log over to a USB

Please re-run Combofix

it will try and restore the connection

please post both logs (the older log will be saved at C:\qoobox\combofix2.txt)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 mrssmith

mrssmith
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 27 December 2011 - 01:50 PM


The internet is still not connecting after a second combofix run. Thanks. Logs:


ComboFix 11-12-27.01 - Laura 12/27/2011 8:49.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.608 [GMT -6:00]
Running from: c:\documents and settings\Laura\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\821510t1p066d640j276j2dgj5x6
c:\documents and settings\All Users\Application Data\qppmdm4s2ppv2enw6xwj2s200x6w
c:\documents and settings\Laura\g2mdlhlpx.exe
c:\documents and settings\Laura\Templates\821510t1p066d640j276j2dgj5x6
c:\documents and settings\Laura\Templates\qppmdm4s2ppv2enw6xwj2s200x6w
c:\windows\$NtUninstallKB4507$\2147380837\@
c:\windows\$NtUninstallKB4507$\2147380837\bckfg.tmp
c:\windows\$NtUninstallKB4507$\2147380837\cfg.ini
c:\windows\$NtUninstallKB4507$\2147380837\Desktop.ini
c:\windows\$NtUninstallKB4507$\2147380837\keywords
c:\windows\$NtUninstallKB4507$\2147380837\kwrd.dll
c:\windows\$NtUninstallKB4507$\2147380837\L\eaoyrryi
c:\windows\$NtUninstallKB4507$\2147380837\lsflt7.ver
c:\windows\$NtUninstallKB4507$\2147380837\U\00000001.@
c:\windows\$NtUninstallKB4507$\2147380837\U\00000002.@
c:\windows\$NtUninstallKB4507$\2147380837\U\00000004.@
c:\windows\$NtUninstallKB4507$\2147380837\U\80000000.@
c:\windows\$NtUninstallKB4507$\2147380837\U\80000004.@
c:\windows\$NtUninstallKB4507$\2147380837\U\80000032.@
c:\windows\$NtUninstallKB4507$\3687233877
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
c:\windows\$NtUninstallKB4507$ . . . . Failed to delete
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-11-27 to 2011-12-27 )))))))))))))))))))))))))))))))
.
.
2011-12-16 18:47 . 2011-12-16 18:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-09 14:20 . 2011-06-22 13:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-04-26 01:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 11:23 . 2010-09-07 09:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 11:21 . 2010-08-20 02:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 16859648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-07 8466432]
"nwiz"="nwiz.exe" [2008-04-07 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-07 81920]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-11-21 283792]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-03 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-21 15:46 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Laura\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 3:27 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/9/2010 10:20 PM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 8:42 PM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 8:42 PM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 8:42 PM 16720]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1360091639-2714770893-1544834412-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-12-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1360091639-2714770893-1544834412-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
DPF: {233918BC-7BC6-49CA-9A26-046A3FD93438} - hxxp://www.petsalon.dns2go.com/WebCamX.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-27 09:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(860)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(304)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-12-27 09:04:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-27 15:04
.
Pre-Run: 135,370,829,824 bytes free
Post-Run: 136,323,592,192 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - D1C3692A4020E3F4C9F832A2051D7357


and

ComboFix 11-12-27.01 - Laura 12/27/2011 11:45:34.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.476 [GMT -6:00]
Running from: c:\documents and settings\Laura\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2011-11-27 to 2011-12-27 )))))))))))))))))))))))))))))))
.
.
2011-12-16 18:47 . 2011-12-16 18:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-09 14:20 . 2011-06-22 13:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-04-26 01:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 11:23 . 2010-09-07 09:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 11:21 . 2010-08-20 02:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-27_15.01.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-27 15:19 . 2011-12-27 15:19 16384 c:\windows\Temp\Perflib_Perfdata_98.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 16859648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-07 8466432]
"nwiz"="nwiz.exe" [2008-04-07 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-07 81920]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-11-21 283792]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-03 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-21 15:46 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Laura\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 3:27 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/9/2010 10:20 PM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 8:42 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 8:42 PM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 8:42 PM 16720]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 32526341
*Deregistered* - 32526341
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1360091639-2714770893-1544834412-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-12-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1360091639-2714770893-1544834412-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
DPF: {233918BC-7BC6-49CA-9A26-046A3FD93438} - hxxp://www.petsalon.dns2go.com/WebCamX.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-27 11:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(860)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(3952)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-12-27 11:51:30
ComboFix-quarantined-files.txt 2011-12-27 17:51
ComboFix2.txt 2011-12-27 15:04
.
Pre-Run: 136,352,473,088 bytes free
Post-Run: 136,339,247,104 bytes free
.
- - End Of File - - 0DEA73C6A647D5E4B1BC8993B4D9993B

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:45 PM

Posted 27 December 2011 - 03:32 PM

Hi

Please run the following:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *i8042prt*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 mrssmith

mrssmith
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 28 December 2011 - 09:40 AM

Farbar Service Scanner
Ran by Laura (administrator) on 27-12-2011 at 16:19:45
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2008-04-25 14:33] - [2011-08-17 07:49] - 0138496 ____A () 18E83C3FFECDEEDA041D1F4E96072AC9

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(10) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A0000000400000001000000020000000300000009000000080000000A000000050000000600000007000000

**** End of log ****


SystemLook 30.07.11 by jpshortstuff
Log created at 16:21 on 27/12/2011 by Laura
Administrator - Elevation successful

========== filefind ==========

Searching for "*i8042prt*"
C:\cmdcons\I8042PRT.SY_ --a---- 26025 bytes [05:14 04/08/2004] [05:14 04/08/2004] 819D427AB9DBE6AC2960A585087CB766
C:\I386\I8042PRT.SY_ --a--c- 26045 bytes [20:28 25/04/2008] [12:00 14/04/2008] 154711EFD90752614F99C49A17B4F821

-= EOF =-

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:45 PM

Posted 28 December 2011 - 10:36 AM

Hi

looks like the afd.sys file is patched as well, we will need to replace that too,

Please do the following > run Farbar service scanner once again and type

afd.sys
into the search window

now click the "find files" button > post the resulting log



next please do the following:


Go to Start > Run > type cmd into the open run box to open a command window

now copy / paste the following command at the command prompt:

expand -r C:\I386\I8042PRT.SY_ C:\Windows\System32\drivers

Press enter

you should see a message that the file expanded and it will give you the file size it expanded to.

Now type exit.

please post the FSS.txt in your next reply

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 mrssmith

mrssmith
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 28 December 2011 - 10:52 AM

thanks so much for sticking with me, I really REALLY appreciate you...

Farbar Service Scanner
Ran by Laura (administrator) on 28-12-2011 at 09:48:48
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: "afd.sys" ===================

C:\WINDOWS\system32\drivers\afd.sys
[2008-04-25 14:33] - [2011-08-17 07:49] - 0138496 ____A () 18E83C3FFECDEEDA041D1F4E96072AC9

C:\WINDOWS\system32\dllcache\afd.sys
[2009-06-21 09:36] - [2011-08-17 07:49] - 0138496 ____C (Microsoft Corporation) 1E44BC1E83D8FD2305F8D452DB109CF9

C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2011-10-13 14:03] - [2011-02-16 07:22] - 0138496 ____C (Microsoft Corporation) 355556D9E580915118CD7EF736653A89

C:\WINDOWS\$NtUninstallKB2509553$\afd.sys
[2011-04-18 13:28] - [2008-08-14 04:04] - 0138496 ____C (Microsoft Corporation) 7E775010EF291DA96AD17CA4B17137D7

C:\WINDOWS\$NtUninstallKB2503665$\afd.sys
[2011-06-16 15:53] - [2008-10-16 08:43] - 0138496 ____C (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2009-06-21 09:36] - [2008-08-14 04:34] - 0138496 ___AC (Microsoft Corporation) 4D43E74F2A1239D53929B82600F1971C

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2008-06-20 05:48] - [2008-06-20 05:48] - 0138496 ___AC (Microsoft Corporation) D6EE6014241D034E63C49A50CB2B442A

C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys
[2011-10-13 07:25] - [2011-08-17 07:41] - 0138496 ____A (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008-10-16 09:07] - [2008-10-16 09:07] - 0138496 ____A (Microsoft Corporation) 38D7B715504DA4741DF35E3594FE2099

C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2011-06-16 08:09] - [2011-02-16 07:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

====== End Of Search ======



Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Laura>expand -r C:\I386\I8042PRT.SY_ C:\Windows\System
32\drivers
Microsoft ® File Expansion Utility Version 5.1.2600.0
Copyright © Microsoft Corp 1990-1999. All rights reserved.

Expanding c:\i386\i8042prt.sy_ to c:\windows\system32\drivers\i8042prt.sys.
c:\i386\i8042prt.sy_: 26045 bytes expanded to 52480 bytes, 101% increase.


C:\Documents and Settings\Laura>

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:45 PM

Posted 28 December 2011 - 02:22 PM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
C:\WINDOWS\system32\dllcache\afd.sys | C:\WINDOWS\system32\drivers\afd.sys

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 mrssmith

mrssmith
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 28 December 2011 - 03:29 PM

ComboFix 11-12-27.01 - Laura 12/28/2011 14:19:40.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.614 [GMT -6:00]
Running from: c:\documents and settings\Laura\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Laura\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\afd.sys --> c:\windows\system32\drivers\afd.sys
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 15:50 . 2008-04-14 06:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2011-12-28 15:50 . 2008-04-14 06:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-16 18:47 . 2011-12-16 18:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-09 14:20 . 2011-06-22 13:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-04-26 01:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 11:23 . 2010-09-07 09:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 11:21 . 2010-08-20 02:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-27_15.01.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-28 15:46 . 2011-12-28 15:46 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
+ 2008-04-25 20:33 . 2011-08-17 13:49 138496 c:\windows\system32\dllcache\afd.sys
- 2009-06-21 15:36 . 2011-08-17 13:49 138496 c:\windows\system32\dllcache\afd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 16859648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-07 8466432]
"nwiz"="nwiz.exe" [2008-04-07 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-07 81920]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-11-21 283792]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-03 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-21 15:46 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Laura\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 3:27 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/9/2010 10:20 PM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 8:42 PM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 8:42 PM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 8:42 PM 16720]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1360091639-2714770893-1544834412-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-12-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1360091639-2714770893-1544834412-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
DPF: {233918BC-7BC6-49CA-9A26-046A3FD93438} - hxxp://www.petsalon.dns2go.com/WebCamX.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-28 14:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(852)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(2372)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-12-28 14:25:17
ComboFix-quarantined-files.txt 2011-12-28 20:25
ComboFix2.txt 2011-12-27 17:51
ComboFix3.txt 2011-12-27 15:04
.
Pre-Run: 136,428,122,112 bytes free
Post-Run: 136,422,895,616 bytes free
.
- - End Of File - - F39B863D8BAECF57D1409BF87B3C313E

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:45 PM

Posted 28 December 2011 - 04:01 PM

Are you now able to connect?

Please run a fresh scan with Farbar Service Scanner

post the resulting log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 mrssmith

mrssmith
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 28 December 2011 - 04:20 PM

I just restarted and I CAN CONNECT! You are awesome. Here's the log...am I good to go?

Farbar Service Scanner
Ran by Laura (administrator) on 28-12-2011 at 15:18:50
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(10) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A0000000400000001000000020000000300000009000000080000000A000000050000000600000007000000

**** End of log ****

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:45 PM

Posted 28 December 2011 - 04:27 PM

Hi,

I just want to make sure there is no leftover infection

Please run the following, also, do you use a third party firewall, if not, are you able to turn on the Windows Firewall?

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 mrssmith

mrssmith
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 28 December 2011 - 05:25 PM

I just was able to turn on the Windows Firewall. And here are the MB and ESET logs:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.28.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Laura :: D6KG4BK1 [administrator]

12/28/2011 3:31:25 PM
mbam-log-2011-12-28 (15-31-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 173837
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




----


list of threats:
C:\Documents and Settings\Laura\Application Data\Sun\Java\Deployment\cache\6.0\27\7a9d5d5b-6fcc4e26 Java/Exploit.CVE-2011-3544.F trojan
C:\Documents and Settings\Laura\Application Data\Sun\Java\Deployment\cache\6.0\40\6c6c0728-15e7623d Java/Agent.DY trojan
C:\Documents and Settings\Laura\Application Data\Sun\Java\Deployment\cache\6.0\45\68c15ced-6d7ba18e Java/TrojanDownloader.OpenStream.NBN trojan
C:\Documents and Settings\Laura\Application Data\Sun\Java\Deployment\cache\6.0\8\60babc48-3283cfba multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\6488884c-55384375 Java/Exploit.CVE-2011-3544.D trojan
C:\Program Files\Wishpot\~ietb.dll probably a variant of Win32/Adware.BHO.NHL application
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\afd.sys.vir Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP393\A0032650.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP395\A0033224.sys Win32/Sirefef.DA trojan




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users