
RustyNail

Members
Posts: 9
Reputation: 0 Neutral
Location: Seattle
  1. Looks like we got bit good. This computer was running and online for at least 24 hours after it got hit. It belongs to a friend. I took it offline as soon as I discovered the problem. I used another computer to get the scan software and transfer it with a USB stick. It's been shut down since I scanned it, waiting for your report. We have changed any passwords that might have been compromised. This computer is on a small Win XP workgroup network and I am wondering if this bug would have traveled over the network to the other computers? None of them are showing any signs and they have all passed a scan with mbam. I'm going to wipe the hard drive and do a fresh OS install like you recommended. Should I use one of those secure delete programs or will a partition delete and re-format do the trick? From now on I will suggest to my friend that he only log on as a user type account rather than as an admin type. Hopefully this will keep these bugs out of his computer. Sincerely appreciate your help in reviewing our problem. Art
  2. After the problem first appeared I ran mbam and it found and fixed it, I thought. Problem reappeared a bit later. Ran mbam again and it found and fixed more problems. Ran mbam again and it could not find any more problems. Supposed to be clean, but computer is still having issues so I have run the other scans you requested and am hoping you can fix this. Have attached the logs requested plus the logs from the two times mbam found problems. Thank you for all your help. Here's the DDS log:

     DDS (Ver_09-12-01.01) - NTFSx86
     Run by owner at 14:44:39.03 on Wed 01/20/2010
     Internet Explorer: 8.0.6001.18702
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2560 [GMT -8:00]

     AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

     ============== Running Processes ===============

     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     svchost.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\spoolsv.exe
     svchost.exe
     C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\WINDOWS\System32\svchost.exe -k HPZ12
     C:\PROGRA~1\AVG\AVG8\avgrsx.exe
     C:\WINDOWS\System32\svchost.exe -k HPZ12
     C:\WINDOWS\system32\PnkBstrA.exe
     C:\WINDOWS\system32\PnkBstrB.exe
     C:\WINDOWS\System32\svchost.exe -k imgsvc
     C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\PROGRA~1\AVG\AVG8\avgemc.exe
     C:\Program Files\AVG\AVG8\avgcsrvx.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\CTHELPER.EXE
     C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
     C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
     C:\PROGRA~1\AVG\AVG8\avgtray.exe
     C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
     C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\Documents and Settings\owner\Desktop\dds.scr

     ============== Pseudo HJT Report ===============

     uSearch Page = hxxp://www.google.com
     uStart Page = hxxp://www.yahoo.com
     uSearch Bar = hxxp://www.google.com/ie
     mDefault_Page_URL = hxxp://www.yahoo.com
     mDefault_Search_URL = hxxp://www.google.com/ie
     mSearch Page = hxxp://www.google.com
     mStart Page = hxxp://www.yahoo.com
     uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
     mSearchAssistant = hxxp://www.google.com
     BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
     BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
     TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
     uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
     uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
     mRun: [CTHelper] CTHELPER.EXE
     mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
     mRun: [DelReg] c:\program files\msi\dualcorecenter\DelReg.exe
     mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
     mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
     mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
     mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
     mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dualco~1.lnk - c:\program files\msi\dualcorecenter\StartUpDualCoreCenter.exe
     uPolicies-system: EnableProfileQuota = 1 (0x1)
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
     DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
     DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
     DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
     DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
     Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
     Notify: AtiExtEvent - Ati2evxx.dll
     Notify: avgrsstarter - avgrsstx.dll
     AppInit_DLLs: c:\windows\system32\avgrsstx.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

     ============= SERVICES / DRIVERS ===============

     R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-10 335240]
     R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-10 27784]
     R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-10 908056]
     R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-10 297752]
     R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
     R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
     R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
     S1 242355B7F;242355B7F;c:\windows\system32\drivers\242355B7F.sys [2010-1-16 72192]
     S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-10 108552]
     S1 SASDIFSV;SASDIFSV;\??\e:\superantispyware\sasdifsv.sys --> e:\superantispyware\SASDIFSV.SYS [?]
     S1 SASKUTIL;SASKUTIL;\??\e:\superantispyware\saskutil.sys --> e:\superantispyware\SASKUTIL.sys [?]
     S1 Udp;Udp;c:\windows\system32\drivers\Udp.sys [2010-1-19 0]
     S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
     S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
     S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
     S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
     S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
     S3 SASENUM;SASENUM;\??\e:\superantispyware\sasenum.sys --> e:\superantispyware\SASENUM.SYS [?]

     =============== Created Last 30 ================

     2010-01-20 22:40:20 0 ----a-w- c:\documents and settings\owner\defogger_reenable
     2010-01-20 20:50:35 0 ----a-w- c:\windows\system32\drivers\??.sys
     2010-01-20 14:11:36 0 ----a-w- c:\windows\system32\drivers\.sys
     2010-01-19 22:10:55 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
     2010-01-19 22:10:55 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
     2010-01-19 22:08:15 0 ----a-w- c:\windows\system32\drivers\Udp.sys
     2010-01-17 06:13:13 72192 ----a-w- c:\windows\system32\drivers\242355B7F.sys
     2010-01-16 22:03:43 212 ----a-w- c:\windows\system32\16827.exe
     2010-01-16 21:43:42 212 ----a-w- c:\windows\system32\23281.exe
     2010-01-16 21:23:41 212 ----a-w- c:\windows\system32\28145.exe
     2010-01-16 21:03:41 212 ----a-w- c:\windows\system32\5705.exe
     2010-01-16 20:43:40 212 ----a-w- c:\windows\system32\24464.exe
     2010-01-16 20:23:40 0 ----a-w- c:\windows\system32\26962.exe
     2010-01-16 20:03:09 212 ----a-w- c:\windows\system32\29358.exe
     2010-01-16 19:43:09 0 ----a-w- c:\windows\system32\11478.exe
     2010-01-16 19:23:08 166 ----a-w- c:\windows\system32\15724.exe
     2010-01-16 18:43:00 0 ----a-w- c:\windows\system32\26500.exe
     2010-01-16 16:45:17 1 ----a-w- C:\s
     2010-01-13 00:53:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

     ==================== Find3M ====================

     2010-01-18 21:45:44 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
     2010-01-17 06:13:12 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
     2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-10-29 21:34:50 262144 ----a-w- C:\ntuser.dat
     2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
     2009-07-24 09:16:39 15193 ----a-w- c:\program files\common files\ejab.lib
     2009-07-24 09:16:39 12383 ----a-w- c:\program files\common files\udapok.dat
     2008-10-03 07:14:50 420144 ----a-w- c:\program files\GPU-Z.0.2.8.exe
     2008-06-28 19:57:58 6602240 ----a-w- c:\program files\mplayerc.exe

     ============= FINISH: 14:45:46.28 ===============

     Attach.zip
     mbam_logs.zip
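The "Created Last 30" section of the DDS log above is where a forum helper's eye goes first: a run of tiny, all-digit .exe files appearing in system32 at a steady twenty-minute cadence, zero-byte drivers with empty or unprintable names, and a kernel driver with a hex-string name. The script below is an added example, not part of the original thread and not DDS's own logic: it applies those heuristics to the log lines quoted above (copied verbatim into the script) and reports which entries deserve a closer look. The thresholds (five files within six hours, 1 KiB size cap, eight-plus hex characters) are this example's own assumptions.

```python
"""Triage heuristics for the 'Created Last 30' section of a DDS log.
Added example: the log lines are copied from the post above, the rules and
thresholds are assumptions of this example, not behaviour of DDS itself."""
import re
from datetime import datetime, timedelta

# Copied from the "Created Last 30" section of the DDS log posted above.
CREATED_LAST_30 = r"""
2010-01-20 22:40:20 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-01-20 20:50:35 0 ----a-w- c:\windows\system32\drivers\??.sys
2010-01-20 14:11:36 0 ----a-w- c:\windows\system32\drivers\.sys
2010-01-19 22:10:55 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-01-19 22:10:55 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-19 22:08:15 0 ----a-w- c:\windows\system32\drivers\Udp.sys
2010-01-17 06:13:13 72192 ----a-w- c:\windows\system32\drivers\242355B7F.sys
2010-01-16 22:03:43 212 ----a-w- c:\windows\system32\16827.exe
2010-01-16 21:43:42 212 ----a-w- c:\windows\system32\23281.exe
2010-01-16 21:23:41 212 ----a-w- c:\windows\system32\28145.exe
2010-01-16 21:03:41 212 ----a-w- c:\windows\system32\5705.exe
2010-01-16 20:43:40 212 ----a-w- c:\windows\system32\24464.exe
2010-01-16 20:23:40 0 ----a-w- c:\windows\system32\26962.exe
2010-01-16 20:03:09 212 ----a-w- c:\windows\system32\29358.exe
2010-01-16 19:43:09 0 ----a-w- c:\windows\system32\11478.exe
2010-01-16 19:23:08 166 ----a-w- c:\windows\system32\15724.exe
2010-01-16 18:43:00 0 ----a-w- c:\windows\system32\26500.exe
2010-01-16 16:45:17 1 ----a-w- C:\s
2010-01-13 00:53:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
"""

# <date> <time> <size> <8 attribute flags> <path>
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{8})\s+(.+)$")


def name_flags(path, size):
    """Reasons an .exe/.sys/.dll under system32 looks planted rather than installed."""
    p = path.lower()
    if r"\windows\system32" not in p:
        return []
    stem, dot, ext = p.rsplit("\\", 1)[-1].rpartition(".")
    if not dot or ext not in ("exe", "sys", "dll"):
        return []
    reasons = []
    if not re.search(r"[a-z0-9]", stem):            # ".sys", "??.sys"
        reasons.append("empty or unprintable file name")
    elif stem.isdigit():                            # "16827.exe"
        reasons.append("all-digit file name")
    elif re.fullmatch(r"[0-9a-f]{8,}", stem):       # "242355B7F.sys" (assumed threshold)
        reasons.append("hex-looking file name")
    if ext == "sys" and size == 0:                  # a driver image with no code in it
        reasons.append("zero-byte driver")
    return reasons


def parse_created(text):
    """Return a list of (datetime, size, path) for every well-formed log line."""
    out = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                        int(m.group(2)), m.group(4)))
    return out


def find_bursts(entries, min_count=5, window=timedelta(hours=6), max_size=1024):
    """Map path -> reason for clusters of tiny .exe files created in the same
    directory within `window`: a steady drip of new executables is a dropper
    or scheduled task re-fetching its payload, not a person installing software."""
    small = sorted((ts, path) for ts, size, path in entries
                   if size <= max_size and path.lower().endswith(".exe"))
    by_dir = {}
    for ts, path in small:
        by_dir.setdefault(path.lower().rsplit("\\", 1)[0], []).append((ts, path))
    counts = {}
    for items in by_dir.values():                   # items are time-sorted
        for i, (start, _) in enumerate(items):
            run = [p for ts, p in items[i:] if ts - start <= window]
            if len(run) >= min_count:
                for p in run:
                    counts[p] = max(counts.get(p, 0), len(run))
    return {p: f"one of {n} tiny .exe files created in one directory within {window}"
            for p, n in counts.items()}


def triage_created(text):
    """Path -> list of reasons, for every entry that deserves a closer look."""
    entries = parse_created(text)
    findings = {}
    for _ts, size, path in entries:
        reasons = name_flags(path, size)
        if reasons:
            findings[path] = reasons
    for path, reason in find_bursts(entries).items():
        findings.setdefault(path, []).append(reason)
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(triage_created(CREATED_LAST_30).items()):
        print(f"{path}: {'; '.join(reasons)}")
```

Run as-is it flags the four odd drivers and all ten numbered executables; the legitimate entries in the same window (the SUPERAntiSpyware directories, defogger_reenable, aclayers.dll in dllcache) pass through untouched. The burst rule is the one worth keeping in a real toolkit: individually, a 212-byte stub named 5705.exe is easy to dismiss, but ten of them twenty minutes apart is a timeline, not a coincidence.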
  3. Hi Ron, no buggies in this scan either. Sweet. Computer is working great too. Looks like you did it. Excellent service. Thank you very much for all your help. Rusty

     ----------------------------------------------------------------
     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=6
     # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
     # OnlineScanner.ocx=1.0.0.5886
     # api_version=3.0.2
     # EOSSerial=b448aba9f9faf04f9d7a51d80b935baa
     # end=finished
     # remove_checked=false
     # archives_checked=false
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2009-07-18 05:13:05
     # local_time=2009-07-17 10:13:05 (-0800, Pacific Daylight Time)
     # country="United States"
     # lang=9
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=1026 37 83 100 356913437500
     # scanned=52369
     # found=0
     # cleaned=0
     # scan_time=612
  4. All done as instructed.

     ComboFix 09-07-14.08 - owner 07/17/2009 12:35.2.4 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2590 [GMT -7:00]
     Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\owner\Desktop\CFscript.txt
     AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

     FILE ::
     "c:\windows\system32\drivers\ggfytv.sys"
     "c:\windows\system32\drivers\kcasxkngzxp.sys"
     "c:\windows\system32\drivers\nqqggtqch.sys"
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     -------\Legacy_CGBNPAS
     -------\Legacy_CNOKIKWL
     -------\Legacy_MNTBNIMHXCA
     -------\Service_cgbnpas
     -------\Service_cnokikwl
     -------\Service_mntbnimhxca

     ((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
     .

     2009-07-17 19:18 . 2009-06-22 16:55 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
     2009-07-17 19:18 . 2009-06-22 16:55 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
     2009-07-16 19:12 . 2008-04-14 12:42 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
     2009-07-16 19:12 . 2008-04-14 12:42 50176 ----a-w- c:\windows\system32\proquota.exe
     2009-07-16 04:47 . 2009-07-16 04:47 -------- d-----w- c:\program files\Trend Micro
     2009-07-15 19:42 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-07-15 19:42 . 2009-07-15 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-07-15 19:42 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-07-11 07:58 . 2009-07-11 07:58 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
     2009-07-11 03:53 . 2009-07-11 03:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
     2009-07-04 17:00 . 2009-07-04 17:00 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
     2009-07-04 17:00 . 2009-06-22 16:55 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
     2009-07-04 17:00 . 2009-07-04 17:00 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
     2009-07-04 17:00 . 2009-07-04 17:00 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
     2009-07-04 17:00 . 2009-06-22 16:55 906520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
     2009-07-04 17:00 . 2009-06-22 16:55 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
     2009-07-04 17:00 . 2009-06-22 16:55 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
     2009-07-04 17:00 . 2009-06-22 16:55 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
     2009-07-04 17:00 . 2009-06-22 16:55 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
     2009-07-04 16:59 . 2009-06-22 16:53 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
     2009-07-04 16:59 . 2009-06-22 16:53 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
     2009-07-02 15:36 . 2009-07-02 15:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
     2009-07-01 07:42 . 2009-07-01 07:42 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
     2009-07-01 07:40 . 2009-07-01 07:40 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
     2009-07-01 07:40 . 2009-07-01 07:40 -------- d-sh--w- c:\documents and settings\owner\IETldCache
     2009-07-01 07:37 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
     2009-07-01 07:37 . 2009-07-01 07:37 -------- d-----w- c:\windows\ie8updates
     2009-07-01 07:37 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
     2009-07-01 07:37 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
     2009-07-01 07:35 . 2009-07-01 07:36 -------- dc-h--w- c:\windows\ie8
     2009-06-29 07:33 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
     2009-06-29 07:33 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
     2009-06-29 07:33 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
     2009-06-29 07:33 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
     2009-06-29 07:33 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
     2009-06-29 07:33 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
     2009-06-29 07:32 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
     2009-06-29 07:32 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
     2009-06-29 07:32 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
     2009-06-29 07:32 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
     2009-06-29 07:32 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
     2009-06-27 04:28 . 2009-06-27 04:28 -------- d-----w- c:\program files\uTorrent
     2009-06-18 20:56 . 2009-06-18 20:56 -------- d-----w- c:\documents and settings\owner\Application Data\DVDFab

     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-07-17 04:23 . 2009-01-03 06:39 -------- d-----w- c:\documents and settings\owner\Application Data\uTorrent
     2009-07-15 05:54 . 2009-01-06 06:25 -------- d-----w- c:\documents and settings\owner\Application Data\dvdcss
     2009-07-04 17:00 . 2008-12-11 02:07 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
     2009-06-22 16:55 . 2008-12-11 02:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll
     2009-06-22 16:55 . 2008-12-11 02:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
     2009-06-17 03:08 . 2009-06-17 03:08 -------- d-----w- c:\program files\AskBarDis
     2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
     2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
     2009-06-03 19:09 . 2008-10-01 08:43 1291264 ----a-w- c:\windows\system32\quartz.dll
     2009-05-31 04:35 . 2009-01-21 01:57 -------- d-----w- c:\documents and settings\owner\Application Data\Vso
     2009-05-31 04:35 . 2009-05-31 04:35 -------- d-----w- c:\program files\DVDFab 6
     2009-05-13 05:15 . 2003-03-31 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
     2009-05-10 16:19 . 2008-12-11 02:07 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
     2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
     2008-10-03 07:14 . 2008-10-03 07:17 420144 ----a-w- c:\program files\GPU-Z.0.2.8.exe
     2008-06-28 19:57 . 2008-11-01 06:52 6602240 ----a-w- c:\program files\mplayerc.exe
     .

     ((((((((((((((((((((((((((((( SnapShot@2009-07-16_19.14.31 )))))))))))))))))))))))))))))))))))))))))
     .
     - 2003-03-31 12:00 . 2009-07-15 23:54 63674 c:\windows\system32\perfc009.dat
     + 2003-03-31 12:00 . 2009-07-17 19:20 63674 c:\windows\system32\perfc009.dat
     + 2003-03-31 12:00 . 2009-07-17 19:20 406218 c:\windows\system32\perfh009.dat
     - 2003-03-31 12:00 . 2009-07-15 23:54 406218 c:\windows\system32\perfh009.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
     2008-09-30 00:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
     "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-30 325000]

     [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
     [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
     "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-30 325000]

     [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
     [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
     "DelReg"="c:\program files\MSI\DualCoreCenter\DelReg.exe" [2008-05-14 196608]
     "YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
     "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
     "ThrustTSR"="c:\program files\Thrustmaster\Thrustmapper\TMTMTSR.exe" [2003-04-10 217088]
     "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-22 1948440]
     "CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-28 19456]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     DualCoreCenter.lnk - c:\program files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2008-10-2 192512]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
     2009-06-22 16:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs"=c:\windows\system32\avgrsstx.dll

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\WINDOWS\\system32\\sessmgr.exe"=
     "c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
     "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
     "c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
     "c:\\Program Files\\uTorrent\\uTorrent.exe"=

     R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/10/2008 7:07 PM 335752]
     R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/10/2008 7:07 PM 108552]
     R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/10/2008 7:07 PM 907032]
     R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/10/2008 7:07 PM 298776]
     R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [7/20/2007 6:40 PM 84992]
     R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 7:21 PM 99352]
     R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 7:21 PM 555032]
     R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 7:21 PM 566296]
     S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 7:21 PM 99352]
     S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 7:21 PM 555032]
     S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 7:21 PM 100888]
     S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 7:21 PM 100888]
     S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 7:21 PM 566296]
     S3 MSIGreenPower;MSIGreenPower;c:\program files\MSI\DualCoreCenter\Green Power Center\NTGLM7X.sys [10/2/2008 11:25 PM 28160]
     S3 MSIGreenPowerRushTop;MSIGreenPowerRushTop;c:\program files\MSI\DualCoreCenter\Green Power Center\RushTop.sys [10/2/2008 11:25 PM 55296]
     S3 RushTopDevice_J;RushTopDevice_J;c:\program files\MSI\DualCoreCenter\Green Power Center\RushJ.sys [10/2/2008 11:25 PM 22528]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     hpdevmgmt REG_MULTI_SZ hpqcxs08

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
     "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.yahoo.com/
     uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-07-17 12:38
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     CTHelper = CTHELPER.EXE?

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\S-1-5-21-1547161642-884357618-839522115-1003\Software\SecuROM\License information*]
     "datasecu"=hex:90,9a,78,f2,b3,33,45,dd,12,3d,a7,48,a6,29,37,5a,2b,7f,99,ee,fb,
     98,94,fe,26,ff,be,37,88,ed,3d,b5,4c,09,87,f6,27,97,56,bd,21,13,b9,5f,c0,45,\
     "rkeysecu"=hex:07,73,66,d6,da,43,57,20,e7,a2,f1,71,da,55,73,5a
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(720)
     c:\windows\system32\Ati2evxx.dll

     - - - - - - - > 'explorer.exe'(2224)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
     c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\system32\ati2evxx.exe
     c:\windows\system32\ati2evxx.exe
     c:\windows\system32\PnkBstrA.exe
     c:\windows\system32\PnkBstrB.exe
     c:\program files\AVG\AVG8\avgrsx.exe
     c:\progra~1\AVG\AVG8\avgnsx.exe
     c:\program files\AVG\AVG8\avgcsrvx.exe
     c:\windows\system32\wscntfy.exe
     c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
     c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
     .
     **************************************************************************
     .
     Completion time: 2009-07-17 12:40 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-07-17 19:40
     ComboFix2.txt 2009-07-16 19:16

     Pre-Run: 532,701,798,400 bytes free
     Post-Run: 532,723,400,704 bytes free

     211 --- E O F --- 2009-07-15 07:49

     --------------------------------------------------------------

     Malwarebytes' Anti-Malware 1.39
     Database version: 2452
     Windows 5.1.2600 Service Pack 3

     7/17/2009 1:05:56 PM
     mbam-log-2009-07-17 (13-05-56).txt

     Scan type: Quick Scan
     Objects scanned: 80619
     Time elapsed: 1 minute(s), 35 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     ------------------------------------------------------------------

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 1:09:03 PM, on 7/17/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\PnkBstrA.exe
     C:\WINDOWS\system32\PnkBstrB.exe
     C:\WINDOWS\System32\svchost.exe
     C:\PROGRA~1\AVG\AVG8\avgemc.exe
     C:\PROGRA~1\AVG\AVG8\avgrsx.exe
     C:\PROGRA~1\AVG\AVG8\avgnsx.exe
     C:\Program Files\AVG\AVG8\avgcsrvx.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
     C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
     C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
     C:\PROGRA~1\AVG\AVG8\avgtray.exe
     C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
     C:\WINDOWS\explorer.exe
     C:\WINDOWS\system32\NOTEPAD.EXE
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
     O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
     O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
     O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
     O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
     O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
     O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
     O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [DelReg] C:\Program Files\MSI\DualCoreCenter\DelReg.exe
     O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
     O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
     O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
     O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
     O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
     O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
     O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
     O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
     O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab
     O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
     O20 - AppInit_DLLs: C:\WINDOWS\system32\avgrsstx.dll
     O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
     O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
     O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
     O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

     --
     End of file - 5497 bytes
  5. Ok, here are the 2 logs after running Combofix... ComboFix 09-07-14.08 - owner 07/16/2009 12:10.1.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2479 [GMT -7:00] Running from: c:\documents and settings\owner\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\owner\Application Data\inst.exe c:\program files\driver c:\windows\system32\hjgruimpfqapbp.dat c:\windows\system32\hjgruipetenbai.dat c:\windows\Tasks\aoteiidg.job c:\windows\system32\proquota.exe was missing Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_DRIVER -------\Legacy_DRIVERDRV -------\Legacy_TDSSSERV.SYS -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED} -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE} -------\Service_hjgruikxymovnr ((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 ))))))))))))))))))))))))))))))) . 2009-07-16 04:47 . 2009-07-16 04:47 -------- d-----w- c:\program files\Trend Micro 2009-07-15 19:42 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-07-15 19:42 . 2009-07-15 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-07-15 19:42 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-07-11 07:58 . 2009-07-11 07:58 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2009-07-11 03:53 . 2009-07-11 03:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-07-04 17:00 . 2009-07-04 17:00 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll 2009-07-04 17:00 . 
2009-06-22 16:55 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys 2009-07-04 17:00 . 2009-07-04 17:00 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll 2009-07-04 17:00 . 2009-06-22 16:55 906520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe 2009-07-04 17:00 . 2009-06-22 16:55 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe 2009-07-04 17:00 . 2009-06-22 16:55 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll 2009-07-04 17:00 . 2009-06-22 16:55 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll 2009-07-04 17:00 . 2009-06-22 16:55 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll 2009-07-04 17:00 . 2009-06-22 16:55 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe 2009-07-04 16:59 . 2009-06-22 16:53 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll 2009-07-04 16:59 . 2009-06-22 16:53 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe 2009-07-02 15:36 . 2009-07-02 15:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2009-07-01 07:42 . 2009-07-01 07:42 -------- d-sh--w- c:\documents and settings\owner\IECompatCache 2009-07-01 07:40 . 2009-07-01 07:40 -------- d-sh--w- c:\documents and settings\owner\PrivacIE 2009-07-01 07:40 . 2009-07-01 07:40 -------- d-sh--w- c:\documents and settings\owner\IETldCache 2009-07-01 07:37 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll 2009-07-01 07:37 . 2009-07-01 07:37 -------- d-----w- c:\windows\ie8updates 2009-07-01 07:37 . 
2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2009-07-01 07:37 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2009-07-01 07:35 . 2009-07-01 07:36 -------- dc-h--w- c:\windows\ie8 2009-06-29 07:33 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll 2009-06-29 07:33 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll 2009-06-29 07:33 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll 2009-06-29 07:33 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll 2009-06-29 07:33 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe 2009-06-29 07:33 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe 2009-06-29 07:32 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll 2009-06-29 07:32 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll 2009-06-29 07:32 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll 2009-06-29 07:32 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll 2009-06-29 07:32 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe 2009-06-27 04:28 . 2009-06-27 04:28 -------- d-----w- c:\program files\uTorrent 2009-06-18 20:56 . 2009-06-18 20:56 -------- d-----w- c:\documents and settings\owner\Application Data\DVDFab 2009-06-17 03:08 . 2009-06-17 03:08 -------- d-----w- c:\program files\AskBarDis . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-16 15:43 . 2009-01-03 06:39 -------- d-----w- c:\documents and settings\owner\Application Data\uTorrent 2009-07-15 05:54 . 2009-01-06 06:25 -------- d-----w- c:\documents and settings\owner\Application Data\dvdcss 2009-07-04 17:00 . 2008-12-11 02:07 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-06-22 16:55 . 
2008-12-11 02:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-06-22 16:55 . 2008-12-11 02:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll 2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-03 19:09 . 2008-10-01 08:43 1291264 ----a-w- c:\windows\system32\quartz.dll 2009-05-31 04:35 . 2009-01-21 01:57 -------- d-----w- c:\documents and settings\owner\Application Data\Vso 2009-05-31 04:35 . 2009-05-31 04:35 -------- d-----w- c:\program files\DVDFab 6 2009-05-13 05:15 . 2003-03-31 12:00 915456 ----a-w- c:\windows\system32\wininet.dll 2009-05-10 16:19 . 2008-12-11 02:07 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll 2008-10-03 07:14 . 2008-10-03 07:17 420144 ----a-w- c:\program files\GPU-Z.0.2.8.exe 2008-06-28 19:57 . 2008-11-01 06:52 6602240 ----a-w- c:\program files\mplayerc.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}] 2008-09-30 00:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-30 325000] [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-30 325000] [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "DelReg"="c:\program files\MSI\DualCoreCenter\DelReg.exe" [2008-05-14 196608] "YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208] "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856] "ThrustTSR"="c:\program files\Thrustmaster\Thrustmapper\TMTMTSR.exe" [2003-04-10 217088] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-22 1948440] "CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-28 19456] c:\documents and settings\All Users\Start Menu\Programs\Startup\ DualCoreCenter.lnk - c:\program files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2008-10-2 192512] 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-06-22 16:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\avgrsstx.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\AVG\\AVG8\\avgtray.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"= "c:\\Program Files\\AVG\\AVG8\\avgui.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/10/2008 7:07 PM 335752] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/10/2008 7:07 PM 108552] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/10/2008 7:07 PM 907032] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/10/2008 7:07 PM 298776] R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [7/20/2007 6:40 PM 84992] R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 7:21 PM 99352] R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 7:21 PM 555032] R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 7:21 PM 566296] S2 cgbnpas;cgbnpas;\??\c:\windows\system32\drivers\nqqggtqch.sys --> c:\windows\system32\drivers\nqqggtqch.sys [?] S2 cnokikwl;cnokikwl;\??\c:\windows\system32\drivers\ggfytv.sys --> c:\windows\system32\drivers\ggfytv.sys [?] S2 mntbnimhxca;mntbnimhxca;\??\c:\windows\system32\drivers\kcasxkngzxp.sys --> c:\windows\system32\drivers\kcasxkngzxp.sys [?] 
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 7:21 PM 99352] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 7:21 PM 555032] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 7:21 PM 100888] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 7:21 PM 100888] S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 7:21 PM 566296] S3 DualCoreCenter;DualCoreCenter;c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [10/2/2008 11:25 PM 28160] S3 MSIGreenPower;MSIGreenPower;c:\program files\MSI\DualCoreCenter\Green Power Center\NTGLM7X.sys [10/2/2008 11:25 PM 28160] S3 MSIGreenPowerRushTop;MSIGreenPowerRushTop;c:\program files\MSI\DualCoreCenter\Green Power Center\RushTop.sys [10/2/2008 11:25 PM 55296] S3 RushTopDevice_J;RushTopDevice_J;c:\program files\MSI\DualCoreCenter\Green Power Center\RushJ.sys [10/2/2008 11:25 PM 22528] S3 RushTopDevice2;RushTopDevice2;c:\program files\MSI\DualCoreCenter\RushTop.sys [10/2/2008 11:25 PM 54784] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . - - - - ORPHANS REMOVED - - - - HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-16 12:14 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... 
scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run CTHelper = CTHELPER.EXE? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1547161642-884357618-839522115-1003\Software\SecuROM\License information*] "datasecu"=hex:90,9a,78,f2,b3,33,45,dd,12,3d,a7,48,a6,29,37,5a,2b,7f,99,ee,fb, 98,94,fe,26,ff,be,37,88,ed,3d,b5,4c,09,87,f6,27,97,56,bd,21,13,b9,5f,c0,45,\ "rkeysecu"=hex:07,73,66,d6,da,43,57,20,e7,a2,f1,71,da,55,73,5a . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(736) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(236) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ati2evxx.exe c:\windows\system32\ati2evxx.exe c:\windows\system32\PnkBstrA.exe c:\windows\system32\PnkBstrB.exe c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\wscntfy.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe . ************************************************************************** . 
Completion time: 2009-07-16 12:16 - machine was rebooted ComboFix-quarantined-files.txt 2009-07-16 19:16 Pre-Run: 533,170,647,040 bytes free Post-Run: 533,198,508,032 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn 213 --- E O F --- 2009-07-15 07:49 ---------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:21:03 PM, on 7/16/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\Yahoo!\Common\YMailAdvisor.exe C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [DelReg] C:\Program Files\MSI\DualCoreCenter\DelReg.exe O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe" O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe O4 - Global Startup: DualCoreCenter.lnk = C:\Program 
Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: C:\WINDOWS\system32\avgrsstx.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe -- End of file - 5373 bytes
  6. Have done a few safe mode scans with Malwarebytes. It works for a bit but then the trouble comes back. Here are our logs... starting with the oldest Malware log.

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/14/2009 2:31:01 PM
mbam-log-2009-07-14 (14-31-01).txt

Scan type: Full Scan (C:\|J:\|)
Objects scanned: 131060
Time elapsed: 28 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\driver (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\owner\local settings\Temp\~TMC0.tmp (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\proquota.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.lso (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\jmmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101465452.lso (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101465749.lso (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101465452.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101465749.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\gifnoc.xtx (Trojan.Agent) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/15/2009 4:46:58 PM
mbam-log-2009-07-15 (16-46-58).txt

Scan type: Full Scan (C:\|J:\|)
Objects scanned: 130962
Time elapsed: 28 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\hjgruijriuijsf.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\WINDOWS\system32\hjgruivxjelcbo.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\hjgruiwospyxgf.sys (Trojan.Agent) -> Quarantined and deleted successfully.

---------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/15/2009 10:05:51 PM
mbam-log-2009-07-15 (22-05-51).txt

Scan type: Full Scan (C:\|J:\|)
Objects scanned: 132156
Time elapsed: 17 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:19 PM, on 7/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\Yahoo!\Common\YMailAdvisor.exe C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet 
Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com O1 - Hosts: ::1 localhost O1 - Hosts: 209.44.111.62 private.microsoft.com O1 - Hosts: 209.44.111.62 aviremover-2009.com O1 - Hosts: 209.44.111.62 www.aviremover-2009.com O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [DelReg] C:\Program Files\MSI\DualCoreCenter\DelReg.exe O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe" O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe O4 - HKCU\..\Run: [uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' 
menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll seyamj.dll , O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe -- End of file - 6194 bytes Sincerely appreciate any help you can offer. Rusty
  7. Here are the logs you requested. I noticed we got a new version of Anti-Malware along with our Db update. We have been using the computer and have not had any problems. It looks like we're good to go. Really appreciate your help. Thanks again.

~ Rusty

----------------------------------------------------
Malwarebytes' Anti-Malware 1.32
Database version: 1621
Windows 5.1.2600 Service Pack 3

1/5/2009 6:22:01 PM
mbam-log-2009-01-05 (18-22-01).txt

Scan type: Quick Scan
Objects scanned: 50307
Time elapsed: 1 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:27 PM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DelReg] C:\Program Files\MSI\DualCoreCenter\DelReg.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5839 bytes
  8. Happy New Year! Hope you and your family had a wonderful Holiday. I've been out for a few days of vacation myself and did not expect your first reply to be so quick. In less than 8 hours you answered my initial post AND gave me the tools to fix our problem. I consider that to be Excellent Service. Thank you. It appears that the Double Wham-O of Dr. Web CureIt and Anti-Malware has done the job. Both programs found problems and fixed them. I have rebooted again and run another full scan with Anti-Malware, and the only thing it found was a file quarantined by Dr. Web. I will delete the quarantined files in Anti-Malware after I hear back from you. My AVG program has been able to update itself, and I can get to those support web sites just fine. Looks like the re-direct problem is fixed. I am posting the logs you requested and the final HJT scan. (I had put ComboFix and SDFix on my desktop but never ran them.) I look forward to your comments on how they look. Hopefully, this puppy is fixed. Thanks again for your help and have a great 2009.

~ Rusty

1) DrWeb.csv

tdssmqlt.sys;c:\windows\system32\drivers;BackDoor.Tdss.29;Deleted.;
data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\owner\Desktop\ComboFix.exe\data002;Program.PsExec.171;;
data002;C:\Documents and Settings\owner\Desktop\ComboFix.exe;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\owner\Desktop;Archive contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\owner\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\owner\Desktop;Archive contains infected objects;Moved.;
TDSSc624.tmp;C:\Documents and Settings\owner\Local Settings\Temp;Trojan.Starter.896;Incurable.Moved.;
TDSShrxm.dll;C:\WINDOWS\system32;BackDoor.Tdss.22;Deleted.;
TDSSoiqt.dll;C:\WINDOWS\system32;BackDoor.Tdss.29;Deleted.;
TDSSvkql.dll;C:\WINDOWS\system32;BackDoor.Tdss.21;Deleted.;
TDSSxfum.dll;C:\WINDOWS\system32;BackDoor.Tdss.30;Deleted.;
--------------------------------------------------------------------------------------
2) mbam-log-2009-01-02 (14-23-37)

Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.1.2600 Service Pack 3

1/2/2009 2:23:37 PM
mbam-log-2009-01-02 (14-23-37).txt

Scan type: Quick Scan
Objects scanned: 47731
Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\owner\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\owner\Start Menu\Programs\System Security\System Security.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\owner\Local Settings\Temp\TDSSc614.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkbi.log (Trojan.TDSS) -> Quarantined and deleted successfully.
-----------------------------------------------------------------------------
hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:44 PM, on 1/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DelReg] C:\Program Files\MSI\DualCoreCenter\DelReg.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5763 bytes
  9. Came back from Christmas break and my roommate had unintentionally installed Antivirus 2009. It had a phony virus checker popping up windows all the time. He thinks it happened while he was watching a video on YouTube. He had a popup warning of a virus and, thinking it was from the legit AVG software he runs, he clicked YES. Things only got worse from there on. Now the browser can't go to any legit sites to effect a repair. I'm using my computer (which is on a local LAN, but fortunately was turned off while I was gone) to help find a solution short of an XP re-install. I found info on bleepingcomputer.com and was able to manually delete the problem files on the hard drive and the offending entries in the registry.

These are the files I found in the system32 folder and deleted:
winsrc.dll
ieupdates.exe
explorer32.exe

and on the desktop I deleted:
InstallAVv_77075616.exe
RegCureSetup_RW.exe
System Security - a shortcut

The phony virus popups are gone, but the browser is still screwed. Tried running your Malwarebytes' Anti-Malware that was installed before we caught the bug, but it hangs after loading and does nothing. Tried to install a new copy and it just hangs too. Tried to install SpyBot and it failed with the error message "Could not connect with server...". The install progress window also said it was trying to connect to 127.0.0.1 to update. Not good. I suspect a re-direct is going on as the browser cannot connect to avg.com or support.microsoft.com. Even my AVG auto update fails and is popping up that it could not connect. I can get to Craigslist and Yahoo, but any search in Yahoo brings what looks to be a normal search result page except that all the links on it go to the same place: one of those spam dropping, fake search pages. I looked at the hosts file and it's OK. I looked at the browser helper add-ons and disabled or deleted a couple that didn't look right. Still no worky. I can ping my DNS (I use OpenDNS) just fine. Where the heck is this thing diverting my IP requests?

Just read your Pre-HJT Post Instructions page and this could not be completed: "You will post three logs. 1. MBAM scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the MBAM first so go ahead and post that log, then move on to Panda and so forth." As I mentioned above, I am unable to get to websites for you, Panda, or ESET so no scans or logs could be made. I was able to run HJT and have posted its log.

Sincerely appreciate any help you can offer.
------------------------------------------------------
------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:46 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DelReg] C:\Program Files\MSI\DualCoreCenter\DelReg.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5673 bytes
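Post 9 asks where the redirect is happening when the hosts file and DNS settings both look clean; the Dr.Web log in post 8 answers it with a kernel driver (tdssmqlt.sys, BackDoor.Tdss) plus a set of TDSS*.dll files in system32, and the very first HijackThis log on this page shows the same infection as an extra, unsigned AppInit_DLLs entry (seyamj.dll) alongside AVG's avgrsstx.dll. A rootkit loaded as a driver can filter network traffic below the point where the hosts file and the configured resolver are consulted, which is why those checks pass. The following triage script is an added example written for this page; it is not part of the original posts nor code from HijackThis, Malwarebytes or Dr.Web. It parses a small constructed sample built from the log lines quoted above and flags the three things a helper looks for first: AppInit_DLLs or Winlogon Notify entries that are not on an allowlist, O23 services whose owner HijackThis could not identify, and file names matching the TDSS naming pattern in the Dr.Web CSV. The allowlist (only AVG's DLL) is an assumption for this machine.

```python
"""Triage a HijackThis log and a Dr.Web CSV for the indicators seen in this thread.

Added example, not code from the posts or from HijackThis/Malwarebytes/Dr.Web.
"""
import re

# Constructed sample: lines copied from the HijackThis logs on this page,
# including the extra seyamj.dll entry from the first log.
SAMPLE_LOG = """\
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\\Program Files\\AVG\\AVG8\\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll seyamj.dll ,
O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
"""

# Constructed sample in the Dr.Web CSV layout quoted in post 8:
# name;directory;threat;action
SAMPLE_DRWEB = """\
tdssmqlt.sys;c:\\windows\\system32\\drivers;BackDoor.Tdss.29;Deleted.;
ComboFix.exe;C:\\Documents and Settings\\owner\\Desktop;Archive contains infected objects;Moved.;
TDSShrxm.dll;C:\\WINDOWS\\system32;BackDoor.Tdss.22;Deleted.;
"""

# Assumption: on this machine AVG's resident shield DLL is the only DLL that
# legitimately belongs in AppInit_DLLs / Winlogon Notify.
KNOWN_INJECT_DLLS = {"avgrsstx.dll"}

# TDSS dropped files as "TDSS" + four random characters + extension.
TDSS_NAME = re.compile(r"^tdss[a-z0-9]{4}\.(dll|sys|tmp|log)$", re.IGNORECASE)

HJT_LINE = re.compile(r"^([RO]\d+) - (.*)$")


def parse_hjt(text):
    """Yield (section, rest) for every 'Oxx - ...' / 'Rx - ...' line."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def appinit_dlls(rest):
    """Split 'AppInit_DLLs: a.dll b.dll ,' into names; the trailing comma is dropped."""
    _, _, value = rest.partition("AppInit_DLLs:")
    return [t for t in re.split(r"[\s,]+", value.strip()) if t]


def triage(text):
    """Return (kind, detail) findings worth a second look, in log order."""
    findings = []
    for section, rest in parse_hjt(text):
        if section == "O20" and rest.startswith("AppInit_DLLs:"):
            for dll in appinit_dlls(rest):
                if dll.lower() not in KNOWN_INJECT_DLLS:
                    findings.append(("appinit_unknown", dll))
        elif section == "O20" and rest.startswith("Winlogon Notify:"):
            path = rest.rsplit(" - ", 1)[-1]
            dll = path.rsplit("\\", 1)[-1]
            if dll.lower() not in KNOWN_INJECT_DLLS:
                findings.append(("winlogon_notify_unknown", path))
        elif section == "O23" and " - Unknown owner - " in rest:
            # HijackThis could not attribute the service binary to a vendor.
            findings.append(("service_unknown_owner", rest.rsplit(" - ", 1)[-1]))
    return findings


def tdss_names(csv_text):
    """Return file names from a Dr.Web CSV that follow the TDSS naming pattern."""
    names = []
    for line in csv_text.splitlines():
        fields = line.split(";")
        if fields and TDSS_NAME.match(fields[0]):
            names.append(fields[0])
    return names


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:25} {detail}")
    print("TDSS-pattern files:", tdss_names(SAMPLE_DRWEB))
```

Everything this script flags is a review queue, not a verdict: PnkBstrA shows up as "Unknown owner" in every log on this page and is PunkBuster, the anti-cheat service that ships with several games, while the ATI Smart service is a display-driver component. The AppInit_DLLs finding is the one that matters here, because a DLL listed there is loaded into every process that links user32.dll, and an unrecognised name next to the AV vendor's own entry is exactly the pattern the first log shows.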