mj8498

Members
  • Posts: 5
  • Reputation: 0 Neutral
  1. Hi, I think it is OK now but I won't know for sure until I have another day or two of regular usage. The Google search symptoms I was experiencing before were kind of random so I don't have a way to definitively test. I'll just wait to see if they re-occur in the next few days. Thanks again for your quick help - it is much appreciated!
  2. Hi, this time I wasn't prompted to reboot and PEV.exe didn't crash. Here is the latest ComboFix log:
  3. Hi, the ComboFix log is below. A few notes: when it first began scanning, there was a prompt that indicated ComboFix had detected rootkit activity and needed to be restarted. I did so, my computer restarted and then the scan started. Around when Stage 5 of the scan was completed, there was a prompt that said "PEV.exe has encountered a problem and needs to close. If you were in the middle of something, the information you were working on might be lost." I clicked Close and it continued to scan.
  4. Hi, thanks for your reply. I updated the database and did another scan. This time nothing was found, but I know I am still infected. Logs as follows:
  5. Hello all, hopefully someone can help me out. I'm infected with something; I'm not sure what or how it happened, as I am normally very careful with what I click/install. In any case, the only visible symptom is that occasionally a new tab will open in Firefox while I am browsing, usually with some sort of search. For instance, last night I did a Google search and then this morning a new tab opened with the Google search terms entered in a search at "shopica.com". There is probably something more nefarious going on behind the scenes, but the search thing is the only symptom that is visible to me. The most recent Malwarebytes search classified some of the items as "Stolen.Data", so hopefully no passwords or personal data have been compromised. I've updated/scanned/removed/quarantined with Malwarebytes, AVG and Ad-Aware, but still this remains. I will include all of the MBAM, DDS and GMER logs as inline text or attached. Thanks in advance for any assistance!
C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133642.DLL (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133679.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133683.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133684.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133686.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133687.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133688.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133689.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133690.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133701.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133705.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133706.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. 
C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133708.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133709.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133711.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133680.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133744.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133745.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1264\A0136359.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1264\A0136362.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1264\A0136363.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1264\A0136393.dll (Adware.AdShot) -> Quarantined and deleted successfully. 
======================================================================== Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4258 Windows 5.1.2600 Service Pack 2 Internet Explorer 6.0.2900.2180 6/30/2010 1:08:51 PM mbam-log-2010-06-30 (13-08-51).txt Scan type: Quick scan Objects scanned: 134657 Time elapsed: 5 minute(s), 46 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 4 Registry Values Infected: 1 Registry Data Items Infected: 3 Folders Infected: 1 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully. Folders Infected: C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot. Files Infected: C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot. C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot. C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot. ======================================================================== DDS (Ver_10-03-17.01) - NTFSx86 Run by at 3:16:41.89 on Wed 06/30/2010 Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.609 [GMT -7:00] AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe C:\Program Files\AVG\AVG9\avgchsvx.exe C:\Program Files\AVG\AVG9\avgrsx.exe svchost.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Logitech\iTouch\iTouch.exe C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\AVG\AVG9\avgwdsvc.exe C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe C:\Program Files\Nero\Nero 7\InCD\InCD.exe C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe C:\PROGRA~1\AVG\AVG9\avgtray.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\Program Files\AVG\AVG9\avgnsx.exe C:\Program Files\AVG\AVG9\avgemc.exe C:\WINDOWS\system32\wuauclt.exe C:\Program 
Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\Justin\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://google.ca/ uInternet Connection Wizard,ShellNext = iexplore BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ResChanger 2005] c:\program files\reschanger 2005\ResChanger2005.exe mRun: [soundMan] SOUNDMAN.EXE mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe mRun: [securDisc] c:\program files\nero\nero 7\incd\NBHGui.exe mRun: [inCD] c:\program files\nero\nero 7\incd\InCD.exe mRun: [samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe mRun: [Lrekokilo] rundll32.exe "c:\windows\iyococuwus.dll",Startup StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~2.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe StartupFolder: 
c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE IE: Download All Files by HiDownload - c:\program files\hidownload\HDGetAll.htm IE: Download by HiDownload - c:\program files\hidownload\HDGet.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000 IE: {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - c:\program files\hidownload\hidownload.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://extraweb-americas.ey.com/home/extraweb/iNotes6.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - 
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://luckynugget.microgaming.com/luckynugget/FlashAX.cab Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll Notify: avgrsstarter - avgrsstx.dll mASetup: {E268A72F-2A5C-4FD0-BD82-94A6E42ACA0E} - rundll32.exe "c:\documents and settings\networkservice\application data\bitrix security\ysloiyiy6.dll", DllUnregister ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\justin\applic~1\mozilla\firefox\profiles\615a0a7p.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/webhp?complete=0 FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll FF - plugin: c:\documents and settings\justin\application data\facebook\npfbplugin_1_0_1.dll FF - plugin: c:\documents and settings\justin\application data\facebook\npfbplugin_1_0_3.dll FF - plugin: c:\program files\veetle\player\npvlc.dll FF - plugin: c:\program files\veetle\plugins\npVeetle.dll FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll FF - HiddenExtension: XULRunner: {C5BA2969-4C4A-454B-B55D-FCF8CED12623} - c:\documents and settings\justin\local settings\application data\{C5BA2969-4C4A-454B-B55D-FCF8CED12623} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No 
Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-2 64288] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-26 216200] R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-24 29584] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-26 242896] R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-13 916760] R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064] S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?] 
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832] =============== Created Last 30 ================ 2010-06-30 02:32:01 0 d-----w- c:\program files\URUSoft 2010-06-29 18:55:06 0 d-----w- c:\docume~1\justin\applic~1\Bitrix Security 2010-06-29 14:41:25 120 ----a-w- c:\windows\Mnato.dat 2010-06-29 14:41:25 0 ----a-w- c:\windows\Xpaqahigusudiho.bin 2010-06-29 12:33:52 0 d-----w- c:\docume~1\justin\applic~1\AE44686EE3C391E9A7BE88708BF334A0 2010-06-02 22:54:27 0 d-----w- c:\docume~1\justin\applic~1\avidemux ==================== Find3M ==================== 2010-06-16 05:14:25 15880 ----a-w- c:\windows\system32\lsdelete.exe 2010-06-05 05:15:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2010-06-02 22:18:04 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2010-05-22 15:16:12 249856 ------w- c:\windows\Setup1.exe 2010-05-22 15:16:08 73216 ----a-w- c:\windows\ST6UNST.EXE 2010-05-07 22:56:11 21616 ----a-w- c:\docume~1\justin\applic~1\GDIPFONTCACHEV1.DAT 2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys 2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll 2010-04-16 15:36:49 662016 ----a-w- c:\windows\system32\wininet.dll 2010-04-16 15:36:45 81920 ------w- c:\windows\system32\ieencode.dll ============= FINISH: 3:17:19.60 =============== attach.zip