Jump to content

keld

Members
  • Posts

    5
  • Joined

  • Last visited

Everything posted by keld

  1. Elise, thanks again. I ran ESET and it found 5 errors. I am aware of a couple of the keygen stuff. I think I got messed up this time because of garmin stuff. Oh well, live and learn. See attached report from ESET. After this scan, is my computer 'safe'? Can I assume that I got hit in just 1 computer and the rest on the home network is safe? Thank you again for your help. ... David ESETScan.txt
  2. Elise, thanks for the response. I followed your instructions to update JRE, ran Malwarebytes and encountered no problems. I shall use the computer for casual surfing and stay off sensitive processing until I reformat and reinstall everything. I have been using my computer for a few days now and have been running AVG, Malwarebytes etc. Thus far everything seems to be working fine. Again thank you very much for your help ... it is very much appreciated. ... David
  3. Elise, thank you for your help. I waited a bit to respond so I can (a) try surfing at various times to see if the re-direct is still happening ... and I am happy to report that I have not had a single re-direct yet; ( run various anti-virus, anti-malware etc. to see if there is anything left ... AVG found two things and isolated them. The things that bothered me a bit were - (1) there were 2 infections - when I was shutting down after successfully running Combofix, there was a Windows Update and I said YES to it. Now that may not have anything to do with the infections, but I don't think I did much in between the time I ran Combofix and the time I ran AVG and ran into those 2 infections. I had no idea of what those infections were, but .... I copied the two items from the AVG log. "C:\System Volume Information\_restore{6B13CE98-07D8-48C2-A853-CAA1DB5CB881}\RP638\A0155465.sys";"Virus identified Win32/Patched.DX";"Moved to Virus Vault" "C:\Qoobox\32788R22FWJFW\dmio.sys";"Virus identified Win32/Patched.DX";"Moved to Virus Vault" The other thing is the comment re Backdoor - " is very likely compromised and there is no way to be sure your computer can ever again be trusted". Does that mean I should stop using the computer until I reformat and reinstall everything? What can I do to prevent this from happening again? Thanks a million ... David
  4. Elise, thank you very much for your help. I followed the instructions and ran Combofix. Maybe I did not shut down AVG properly, the 1st run took over an hour, produced nothing on the screen and the system hung. Listed below are the results of the 2nd run. I hope I did not mess it up. Thanks again ... David *********************************************************************** ComboFix 10-08-04.04 - David 08/04/2010 23:26:42.1.4 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3071.2320 [GMT -4:00] Running from: d:\documents and settings\David\My Documents\Downloads\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\David\Start Menu\Programs\Antimalware Doctor c:\documents and settings\David\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk c:\documents and settings\David\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk c:\windows\system32\Cache c:\windows\system32\VB6KO.DLL . ((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 ))))))))))))))))))))))))))))))) . 2010-08-01 21:20 . 2010-08-01 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-08-01 08:32 . 2010-08-01 22:32 63488 ----a-w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll 2010-08-01 08:32 . 2010-08-01 08:32 52224 ----a-w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-08-01 08:32 . 2010-08-01 22:32 117760 ----a-w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-08-01 08:32 . 2010-08-01 08:32 -------- d-----w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com 2010-08-01 08:32 . 2010-08-01 08:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2010-07-31 20:16 . 2010-07-31 20:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-07-16 13:33 . 2010-07-16 13:33 12536 ----a-w- c:\windows\system32\avgrsstx.dll 2010-07-15 16:13 . 2010-07-15 16:13 -------- d-----w- c:\program files\iPod 2010-07-15 16:13 . 2010-07-15 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} 2010-07-15 16:10 . 2010-07-15 16:10 -------- d-----w- c:\program files\QuickTime 2010-07-15 16:07 . 2010-07-15 16:07 -------- d-----w- c:\program files\Bonjour 2010-07-15 16:05 . 2010-07-15 16:05 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe 2010-07-14 14:42 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-08-05 03:16 . 2008-12-13 23:37 -------- d-----w- c:\documents and settings\David\Application Data\WTablet 2010-08-05 01:52 . 2009-05-05 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2010-08-05 01:48 . 2008-12-14 01:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet 2010-08-02 03:40 . 2008-11-30 03:05 -------- d-----w- c:\documents and settings\David\Application Data\uTorrent 2010-07-27 09:45 . 2010-03-01 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9 2010-07-16 16:03 . 2008-12-01 04:43 -------- d-----w- c:\program files\Photodex 2010-07-16 13:33 . 2008-11-29 19:05 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2010-07-16 13:32 . 2008-11-29 19:05 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2010-07-16 05:06 . 2008-11-30 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-07-16 04:25 . 2008-12-04 18:59 -------- d-----w- c:\documents and settings\David\Application Data\foobar2000 2010-07-15 16:13 . 2008-12-01 05:28 -------- d-----w- c:\program files\Common Files\Apple 2010-06-23 03:58 . 2010-06-14 04:36 251736 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2010-06-14 14:31 . 2008-11-29 00:21 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe 2010-06-11 22:42 . 2008-12-23 22:23 -------- d-----w- c:\documents and settings\David\Application Data\dvdcss 2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\documents and settings\David\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll 2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\documents and settings\David\Application Data\Mozilla\plugins\npgoogletalk.dll 2010-06-06 01:39 . 2008-11-29 00:36 82792 ----a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-06-05 02:08 . 2010-06-05 02:08 292878 ----a-r- c:\documents and settings\David\Application Data\Microsoft\Installer\{A212E6C2-20F7-4A8E-BD8E-DC3EE7483FA2}\ARPPRODUCTICON.exe 2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr 2010-06-03 01:44 . 2008-11-29 19:05 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll 2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe 2006-05-03 10:06 . 2010-03-31 02:20 163328 --sh--r- c:\windows\system32\flvDX.dll 2007-02-21 11:47 . 2010-03-31 02:20 31232 --sh--r- c:\windows\system32\msfDX.dll 2008-03-16 13:30 . 2010-03-31 02:20 216064 --sh--r- c:\windows\system32\nbDX.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-30 133104] "Directory Opus Desktop Dblclk"="d:\program files\Directory Opus\dopusrt.exe" [2007-09-13 275984] "DOpus"="d:\program files\Directory Opus\dopus.exe" [2007-09-13 7005680] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-05 39408] "SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568] "SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440] "RTHDCPL"="RTHDCPL.EXE" [2008-07-03 16876032] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168] "Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648] "OpwareSE4"="d:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408] "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760] "Reader Library Launcher"="d:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-05-10 906656] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888] "iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624] c:\documents and settings\David\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-3 809488] Microsoft Office.lnk - d:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "d:\program files\Directory Opus\dopuslib.dll" [2007-09-13 693760] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 22:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2010-07-16 13:33 12536 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-11-07 21:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr] 2008-06-19 21:20 57344 ----a-r- c:\windows\Alcmtr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor] 2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "d:\\Program Files\\uTorrent\\utorrent.exe"= "d:\\Program Files\\Nero\\Nero 9\\Nero ShowTime\\ShowTime.exe"= "c:\\Documents and Settings\\David\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"= "c:\\Documents and Settings\\David\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "d:\\Program Files\\River Past\\Video Cleaner Pro\\VideoCleanerPro.exe"= d:\\Program Files\\River Past\\Video Cleaner Pro\\VideoCleanerPro.exe "c:\\Program Files\\PPLive\\PPLive.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"= "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "d:\\Program Files\\iTunes\\iTunes.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/29/2008 3:05 PM 216400] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/29/2008 3:05 PM 243024] R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [02/17/2010 2:25 PM 12872] R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/10/2010 2:41 PM 67656] R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;d:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [09/16/2008 1:03 PM 169312] R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [07/16/2010 9:32 AM 921952] R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [07/16/2010 9:32 AM 308136] R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/03/2008 1:12 PM 10384] R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [12/13/2008 7:36 PM 2749224] S2 gupdate1c9cdd87b1e9a0;Google Update Service (gupdate1c9cdd87b1e9a0);c:\program files\Google\Update\GoogleUpdate.exe [05/05/2009 7:20 PM 133104] S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [12/13/2008 8:58 PM 15656] . Contents of the 'Scheduled Tasks' folder 2010-08-05 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-01 23:19] 2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 23:20] 2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 23:20] 2010-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-602162358-725345543-1003Core.job - c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-30 18:08] 2010-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-602162358-725345543-1003UA.job - c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-30 18:08] 2010-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-602162358-725345543-1005Core.job - c:\documents and settings\Emily\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-09 12:32] 2010-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-602162358-725345543-1005UA.job - c:\documents and settings\Emily\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-09 12:32] . . ------- Supplementary Scan ------- . uStart Page = about:blank uInternet Settings,ProxyOverride = *.local IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: {{C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - Trusted Zone: interactivebrokers.ca\www Trusted Zone: interactivebrokers.com\individuals Trusted Zone: interactivebrokers.com\www DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} - hxxp://p3p.sogou.com/new_MMCShell.cab . - - - - ORPHANS REMOVED - - - - AddRemove-_{53A908D4-99C6-469B-BC13-F4189F260742} - d:\program files\Corel\Corel Painter Essentials 4\MSILauncher {53A908D4-99C6-469B-BC13-F4189F260742} ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-08-04 23:32 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(816) d:\program files\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\WININET.dll c:\windows\system32\Ati2evxx.dll c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll c:\program files\common files\logishrd\bluetooth\LBTServ.dll . Completion time: 2010-08-04 23:34:23 ComboFix-quarantined-files.txt 2010-08-05 03:34 Pre-Run: 34,045,554,688 bytes free Post-Run: 34,531,467,264 bytes free - - End Of File - - 7288569E68551A71DB4A072F21FF5F8E
  5. I've been having problems for the last few days - being redirected randomly to ad sites while using Google Chrome. If I right click and open the pages in a new tab, I seem to get the correct pages all the time. I have used AVG Anti-virus, Malwarebytes' Anti-Malware, Spybot, SUPERAntiSpyware and CCleaner to no avail. I came across this forum and hopefully somebody can help me get rid of the stupid bug. I followed the instructions to get the various log files - although I managed to get them, I did run into several problems along the way ... so I am not sure if I am providing the right info. The problems I ran into include: (1) DeFogger did not ask me to reboot (see attached defogger_disable), I ran it a second time, rebooted and ... (2) Ran GMER several times. First time, it locked out after a long time. Second time, the machine rebooted after running for a long time. Third time, it produced a huge listing (online) and then hung. BTW, the SVCHOST program failed almost every time when I reboot the machine. The attached files are from the last successful run. Note that I did not reboot after running DeFogger. Attached are the ARK and ATTACH txt files and the DeFogger_disable files. Here's the DDS.txt THANK YOU very much for your help. DDS (Ver_10-03-17.01) - NTFSx86 Run by David at 20:26:06.81 on 08/02/2010 Internet Explorer: 7.0.5730.13 Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3071.2150 [GMT -4:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\AVG\AVG9\avgchsvx.exe C:\Program Files\AVG\AVG9\avgrsx.exe svchost.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe D:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\AVG\AVG9\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\AVG\AVG9\avgnsx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe C:\WINDOWS\system32\PSIService.exe C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\WINDOWS\system32\Wacom_Tablet.exe C:\Program Files\AVG\AVG9\avgemc.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe C:\WINDOWS\system32\Wacom_Tablet.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\PROGRA~1\AVG\AVG9\avgtray.exe D:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe D:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe D:\Program Files\Directory Opus\dopusrt.exe D:\Program Files\Directory Opus\dopus.exe D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe D:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe D:\Documents and Settings\David\My Documents\Downloads\dds.scr ============== Pseudo HJT Report =============== uStart Page = about:blank uInternet Settings,ProxyOverride = *.local uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [Google Update] "c:\documents and settings\david\local settings\application data\google\update\GoogleUpdate.exe" /c uRun: [Directory Opus Desktop Dblclk] "d:\program files\directory opus\dopusrt.exe" /dblclk uRun: [DOpus] d:\program files\directory opus\dopus.exe uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe uRun: [sUPERAntiSpyware] d:\program files\superantispyware\SUPERAntiSpyware.exe uRun: [spybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [RTHDCPL] RTHDCPL.EXE mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName mRun: [Acrobat Assistant 8.0] "d:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe" mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot mRun: [OpwareSE4] "d:\program files\scansoft\omnipagese4.0\OpwareSE4.exe" mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe mRun: [Reader Library Launcher] d:\program files\sony\reader\data\bin\launcher\Reader Library Launcher.exe mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe" StartupFolder: c:\docume~1\david\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - d:\program files\logitech\setpoint\SetPoint.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office10\OSA.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Append to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll Trusted Zone: interactivebrokers.ca\www Trusted Zone: interactivebrokers.com\individuals Trusted Zone: interactivebrokers.com\www DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} - hxxp://p3p.sogou.com/new_MMCShell.cab DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.ca/downloads/BUM/BUM_WIN_IE_2/axofupld.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} - hxxps://mydesk-pi02.morganstanley.com/prx/000/http/rc.ms.com:8180/md/1.2/common/htdocs/SPX/2.0.3.17/TerminalSvcsTCS.cab DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://interactivebrokers.webex.com/client/T26L/nbr/ieatgpc.cab Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.DLL Notify: AtiExtEvent - Ati2evxx.dll Notify: avgrsstarter - avgrsstx.dll Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll SEH: Directory Opus Shell Execute Hook: {3cf9ece0-1a9f-11d2-8c73-00c06c2005de} - d:\program files\directory opus\dopuslib.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL Hosts: 127.0.0.1 www.spywareinfo.com ============= SERVICES / DRIVERS =============== R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-29 216400] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-29 29584] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-29 243024] R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872] R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656] R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;d:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312] R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952] R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136] R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-3 10384] R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-12-13 2749224] S2 gupdate1c9cdd87b1e9a0;Google Update Service (gupdate1c9cdd87b1e9a0);c:\program files\google\update\GoogleUpdate.exe [2009-5-5 133104] S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-12-13 15656] =============== Created Last 30 ================ 2010-08-02 19:07:58 0 ----a-w- c:\documents and settings\david\defogger_reenable 2010-08-01 21:20:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy 2010-08-01 08:32:07 0 d-----w- c:\docume~1\david\applic~1\SUPERAntiSpyware.com 2010-08-01 08:32:07 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com 2010-07-27 03:17:25 150 ----a-w- C:\zrpt.xml 2010-07-16 13:33:00 12536 ----a-w- c:\windows\system32\avgrsstx.dll 2010-07-15 16:13:07 0 d-----w- c:\program files\iPod 2010-07-15 16:13:02 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521} 2010-07-15 16:07:59 0 d-----w- c:\program files\Bonjour 2010-07-14 14:42:22 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe ==================== Find3M ==================== 2010-07-16 13:33:01 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2010-07-16 13:32:34 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr 2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll 2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe 2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll 2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll 2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll ============= FINISH: 20:27:37.57 =============== ark.zip
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.