
l.yimg.com, cannot access Yahoo



Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )

  • Leave everything else as it is.
  • Close all other running programs as well as your browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save.. button, and in the File name area type in "ark.txt", or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-18 18:55:32
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD5000AAJS-22YFA0 rev.12.01C02 465.76GB
Running: jomvyxbd.exe; Driver: C:\DOCUME~1\HUMANU~1\LOCALS~1\Temp\uxtdipoc.sys

---- System - GMER 2.1 ----

SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwNotifyChangeKey [0xBA3A16E0]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwNotifyChangeMultipleKeys [0xBA3A1800]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwOpenProcess [0xBA3A1010]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwOpenThread [0xBA3A14D0]
SSDT            \??\C:\WINDOWS\system32\drivers\avgtpx86.sys  ZwQueryValueKey [0xBA1A91D6]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwSuspendProcess [0xBA3A1300]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwSuspendThread [0xBA3A13E0]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwTerminateProcess [0xBA3A1120]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwTerminateThread [0xBA3A1210]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwWriteVirtualMemory [0xBA3A15E0]

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                      avgtdix.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                     avgtdix.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                     avgtdix.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                   avgtdix.sys

---- EOF - GMER 2.1 ----


Add/Remove Programs

Click on Start --> Control Panel.

Vista/7: Open Programs and Features
XP: Open Add/Remove Programs

Search for and remove the following programs:

Media Player Codec Pack 4.3.2

Close the window.

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt), which you will find where you saved FRST. Please post it in your reply.

Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

fixlist.txt


Program uninstalled.

PC needed to reboot to uninstall files in use.

PC rebooted.

FRST ran after placing fixlist in folder.

PC rebooted per FRST.

Fixlog below:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:17-08-2014 01
Ran by Human User at 2014-08-19 18:33:47 Run:1
Running from C:\Documents and Settings\Human User\Desktop\Malware Tools
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Hosts:
EmptyTemp:
Task: C:\WINDOWS\Tasks\At1.job => C:\DOCUME~1\HUMANU~1\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2014-08-17 17:31 - 2013-05-27 17:31 - 00000414 _____ () C:\WINDOWS\Tasks\At1.job

*****************

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
C:\WINDOWS\Tasks\At1.job => Moved successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":5C321E34" ADS removed successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"C:\WINDOWS\Tasks\At1.job" => File/Directory not found.
EmptyTemp: => Removed 1.3 GB temporary data.

The system needed a reboot.

==== End of Fixlog ====


The results of the Malwarebytes scan are below.

No threats detected.

When I went to the History tab to get the log, I noticed there are files in quarantine from previous scans, some dating back to Oct 2013, PUP.Optional variants, mysearchdial being the most frequent. Should they be deleted?

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/19/2014
Scan Time: 6:48:23 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.08.19.10
Rootkit Database: v2014.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Human User

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 267362
Time Elapsed: 9 min, 2 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


No, we'll get rid of them soon.

 

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


C:\AdwCleaner\Quarantine\C\Program Files\File Type Assistant\ftacfg.exe.vir Win32/FileTypeAssistant.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files\File Type Assistant\tsassist.exe.vir a variant of Win32/FileTypeAssistant.A potentially unwanted application
C:\Documents and Settings\Human User\My Documents\Downloads\media.player.codec.pack.v4.3.2.setup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application
 


Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with AdwCleaner

Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[s1].txt also

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.


# AdwCleaner v3.308 - Report created 21/08/2014 at 06:35:58
# Updated 20/08/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Human User - HOUSE
# Running from : C:\Documents and Settings\Human User\Desktop\Malware Tools\adwcleaner_3.308.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Documents and Settings\Human User\Application Data\Mozilla\Firefox\Profiles\ufgs125h.default\prefs.js ]

-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [7153 octets] - [22/02/2014 21:43:35]
AdwCleaner[R1].txt - [1562 octets] - [17/08/2014 20:20:33]
AdwCleaner[R2].txt - [1140 octets] - [21/08/2014 06:34:49]
AdwCleaner[s0].txt - [7207 octets] - [22/02/2014 21:44:43]
AdwCleaner[s1].txt - [1639 octets] - [17/08/2014 20:21:35]
AdwCleaner[s2].txt - [1062 octets] - [21/08/2014 06:35:58]

########## EOF - C:\AdwCleaner\AdwCleaner[s2].txt - [1122 octets] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Microsoft Windows XP x86
Ran by Human User on Thu 08/21/2014 at  6:40:05.17
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 08/21/2014 at  6:44:23.12
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


 Results of screen317's Security Check version 0.99.87 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Please wait while WMIC compiles updated MOF files.
displayName
 AVG AntiVirus Free Edition 2014 
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0   
 Java 7 Update 67 
 Adobe Flash Player  14.0.0.145 
 Adobe Reader XI 
 Mozilla Firefox (31.0)
````````Process Check: objlist.exe by Laurent```````` 
 AVG avgwdsvc.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
 Human User Desktop Malware Tools SecurityCheck.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 10%
````````````````````End of Log``````````````````````
 


Still cannot connect to yahoo.com. I have not checked any other sites.

When trying to go to Yahoo, the browser says "waiting on s.yimg.com" and the connection is constantly transmitting data, but the page does not open.

I had added l.yimg.com to my hosts file before I came here, but I thought I saw one of the tools we used in this process overwrite the hosts file.

Should I replace the hosts file with a fresh copy from http://winhelp2002.mvps.org/hosts.zip when I get home tonight?

Have to go to work, will check back this evening.

Thanks again

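The hosts-file question above, illustrated with an added example that is not one of the tools used in this thread: a small Python checker that parses hosts-file text, tells sinkhole entries (the MVPS list's 0.0.0.0 / 127.0.0.1 style, which block a name) apart from entries that send a name to some other host, and looks up the hostnames the browser reported waiting on. The sample hosts content is constructed; only the MVPS site and the hosts path come from the thread.

```python
"""Hosts-file checker.  Constructed example for this thread; the sample hosts
content below is made up and the code is not part of FRST, MiniToolBox or any
other tool used here."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Addresses that MVPS-style block lists point names at: connections go to the
# local machine or nowhere, so the name is blocked rather than redirected.
SINKHOLE_ADDRS = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: a hosts file with a hand-added CDN entry, one MVPS-style
# block line and one line that points a real name at a remote host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# added by hand to keep the browser away from the Yahoo CDN
127.0.0.1       l.yimg.com
0.0.0.0         ads.example.net         # MVPS-style block entry
203.0.113.10    www.example-bank.test   # sends a real site to another host
"""

# What the file looks like after a tool resets it to the Windows XP default
# (the FRST "Hosts:" directive in the Fixlog above did this).
RESET_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
"""


@dataclass
class HostsEntry:
    line_no: int
    address: IPAddress
    names: List[str]
    kind: str  # "localhost", "block" or "redirect"


def classify(address: IPAddress, names: List[str]) -> str:
    """localhost: the stock loopback line; block: name sent to a sinkhole
    address; redirect: name sent to some other host, the shape a hosts-file
    hijack takes."""
    if address in SINKHOLE_ADDRS:
        return "localhost" if set(names) <= LOCAL_NAMES else "block"
    return "redirect"


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text: '#' starts a comment, fields are whitespace-separated,
    the first field is the address and the rest are names."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no names
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        names = [n.lower() for n in fields[1:]]
        entries.append(HostsEntry(line_no, address, names, classify(address, names)))
    return entries


def lookup(entries: List[HostsEntry], hostname: str) -> Optional[HostsEntry]:
    """Return the first entry naming hostname (case-insensitive), or None."""
    hostname = hostname.lower().rstrip(".")
    return next((e for e in entries if hostname in e.names), None)


def summarize(entries: List[HostsEntry]) -> Dict[str, int]:
    counts = {"localhost": 0, "block": 0, "redirect": 0}
    for e in entries:
        counts[e.kind] += 1
    return counts


def report(text: str, hostnames: List[str]) -> List[str]:
    """One line per looked-up hostname, then a one-line summary."""
    entries = parse_hosts(text)
    lines = []
    for h in hostnames:
        e = lookup(entries, h)
        if e is None:
            lines.append(f"{h}: not in hosts file (resolved by DNS)")
        else:
            lines.append(f"{h}: {e.kind} -> {e.address} (line {e.line_no})")
    s = summarize(entries)
    lines.append(f"entries parsed: {len(entries)}, blocked: {s['block']}, redirected: {s['redirect']}")
    return lines


if __name__ == "__main__":
    wanted = ["l.yimg.com", "s.yimg.com", "www.example-bank.test"]
    for label, text in (("before reset", SAMPLE_HOSTS), ("after reset", RESET_HOSTS)):
        print(f"--- {label} ---")
        for line in report(text, wanted):
            print(line)
```

To check the real file, read C:\Windows\System32\Drivers\etc\hosts (the path the Fixlog above shows being reset) and pass its text to `report`.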

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


ComboFix 14-08-21.01 - Human User 08/21/2014  19:35:45.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3447.2923 [GMT -4:00]
Running from: c:\documents and settings\Human User\Desktop\Malware Tools\ComboFix.exe
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\1377740945\DSETUP.dll
c:\documents and settings\All Users\Application Data\TEMP\1377740945\dsetup32.dll
c:\documents and settings\All Users\Application Data\TEMP\1377740945\dxdllreg_x86.cab
c:\documents and settings\All Users\Application Data\TEMP\1377740945\DXSETUP.exe
c:\documents and settings\All Users\Application Data\TEMP\1377740945\dxupdate.cab
c:\documents and settings\All Users\Application Data\TEMP\1377740945\Jun2010_d3dx9_43_x64.cab
c:\documents and settings\All Users\Application Data\TEMP\1377740945\Jun2010_d3dx9_43_x86.cab
c:\windows\system32\Cache
c:\windows\system32\Cache\075884af680ff6dc.fb
c:\windows\system32\Cache\075884af680ff6dc__exp__1387391436
c:\windows\system32\Cache\1ee8b9cb7c89ea59.fb
c:\windows\system32\Cache\1ee8b9cb7c89ea59__exp__1371159073
c:\windows\system32\Cache\227113dfa1ca894d.fb
c:\windows\system32\Cache\3ba3f708870ce9d3.fb
c:\windows\system32\Cache\45d432c7a07ab3ed.fb
c:\windows\system32\Cache\49fbbc5a8678d502.fb
c:\windows\system32\Cache\49fbbc5a8678d502__exp__1387391436
c:\windows\system32\Cache\51f6fe2f8c4b7ff0.fb
c:\windows\system32\Cache\51f6fe2f8c4b7ff0__exp__1380324649
c:\windows\system32\Cache\5c54eb1a1655b076.fb
c:\windows\system32\Cache\5c54eb1a1655b076__exp__1380324650
c:\windows\system32\Cache\613e8ce7ab7106af.fb
c:\windows\system32\Cache\613e8ce7ab7106af__exp__1387391436
c:\windows\system32\Cache\633a76311867bd11.fb
c:\windows\system32\Cache\679accf73f33847d.fb
c:\windows\system32\Cache\691f14230153a9e1.fb
c:\windows\system32\Cache\691f14230153a9e1__exp__1387391437
c:\windows\system32\Cache\6cb409d7ac73d9f1.fb
c:\windows\system32\Cache\7614bd6cfa99e546.fb
c:\windows\system32\Cache\7614bd6cfa99e546__exp__1387391437
c:\windows\system32\Cache\77664b6ccc36be9f.fb
c:\windows\system32\Cache\77ee761af8161a9c.fb
c:\windows\system32\Cache\867784a1c4541f9a.fb
c:\windows\system32\Cache\881b3593316772f0.fb
c:\windows\system32\Cache\881b3593316772f0__exp__1387391436
c:\windows\system32\Cache\8aecda8d93e32a40.fb
c:\windows\system32\Cache\8aecda8d93e32a40__exp__1384554673
c:\windows\system32\Cache\98657d0579ae1930.fb
c:\windows\system32\Cache\a40e44c39c6fde08.fb
c:\windows\system32\Cache\a40e44c39c6fde08__exp__1387391435
c:\windows\system32\Cache\a60083fad62dfb46.fb
c:\windows\system32\Cache\c4e10d1be905349b.fb
c:\windows\system32\Cache\c4e10d1be905349b__exp__1387391436
c:\windows\system32\Cache\c8a51ba84752784f.fb
c:\windows\system32\Cache\c8a51ba84752784f__exp__1387391436
c:\windows\system32\Cache\d5c0f4e7bbe35bf3.fb
c:\windows\system32\Cache\d9ca663388d21ec0.fb
c:\windows\system32\Cache\dfea3f2d42bbf4c5.fb
c:\windows\system32\Cache\e4546f948bc40ba5.fb
c:\windows\system32\Cache\f2cda51fd108941f.fb
c:\windows\system32\Cache\f2cda51fd108941f__exp__1387391436
c:\windows\system32\Cache\f34d8db84131d925.fb
c:\windows\system32\SET1EE.tmp
c:\windows\system32\SET1F3.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2014-07-21 to 2014-08-21  )))))))))))))))))))))))))))))))
.
.
2014-08-21 10:40 . 2014-08-21 10:40 -------- d-----w- c:\windows\ERUNT
2014-08-21 02:06 . 2014-08-21 02:06 -------- d-----w- c:\program files\ESET
2014-08-18 02:31 . 2014-08-19 22:36 -------- d-----w- C:\FRST
2014-08-18 00:20 . 2010-08-30 12:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-08-08 03:03 . 2014-08-08 03:03 -------- d-----w- c:\program files\Common Files\Java
2014-08-08 03:03 . 2014-08-08 03:02 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-08-08 03:03 . 2014-08-08 03:02 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-08-05 23:16 . 2014-08-05 23:16 -------- d-----w- c:\documents and settings\Human User\Local Settings\Application Data\Adobe
2014-08-05 17:20 . 2014-08-05 17:20 227728 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2014-08-01 02:35 . 2014-08-01 02:36 -------- d-----w- c:\documents and settings\Human User\Application Data\vlc
2014-08-01 02:34 . 2014-08-01 02:37 -------- d-----w- c:\program files\VideoLAN
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-19 23:04 . 2014-07-10 02:34 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-08-02 17:13 . 2013-02-28 04:34 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-08-02 17:13 . 2013-02-28 04:34 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-06-30 16:43 . 2013-08-01 20:06 121624 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2014-06-17 20:22 . 2012-10-02 08:30 188696 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2014-06-17 20:21 . 2012-09-21 08:46 197400 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2014-06-17 20:18 . 2012-09-21 08:46 241944 ----a-w- c:\windows\system32\drivers\avglogx.sys
2014-06-17 20:17 . 2012-10-15 08:48 147736 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2014-06-17 20:17 . 2014-06-17 20:17 190232 ----a-w- c:\windows\system32\drivers\avgidsdriverlx.sys
2014-06-17 20:06 . 2012-11-16 04:33 98584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2014-06-17 20:06 . 2012-09-14 08:05 27416 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2014-06-17 20:06 . 2012-09-21 08:45 21272 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-08 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-08 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-08 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-29 18671104]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2014-08-11 5187088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-07-25 256896]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2014\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [10/15/2012 4:48 AM 147736]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 4:46 AM 241944]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/14/2012 4:05 AM 27416]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [8/1/2013 4:06 PM 121624]
R1 AVGIDSDriverl;AVGIDSDriverl;c:\windows\system32\drivers\avgidsdriverlx.sys [6/17/2014 4:17 PM 190232]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [9/21/2012 4:45 AM 21272]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/2/2012 4:30 AM 188696]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/21/2012 4:46 AM 197400]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2/26/2013 10:47 PM 37664]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [8/11/2014 2:36 PM 289328]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2/27/2013 3:39 PM 99896]
R2 Motorola Device Manager;Motorola Device Manager Service;c:\program files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [3/25/2013 3:45 PM 121144]
R3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [2/27/2013 3:26 PM 17408]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [8/11/2014 2:51 PM 3244048]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/26/2013 10:10 PM 1684736]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [5/27/2013 5:13 PM 6016]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [5/27/2013 5:13 PM 25856]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [5/27/2013 5:13 PM 20864]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [5/27/2013 5:13 PM 8448]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [5/27/2013 5:13 PM 23808]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [5/27/2013 5:13 PM 11008]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [6/3/2009 11:01 AM 174720]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 4:43 PM 32408]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-21 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-08 01:59]
.
2014-08-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-08 01:59]
.
2014-08-17 c:\windows\Tasks\Motorola Device Manager Engine.job
- c:\program files\Motorola Mobility\Motorola Device Manager\MotorolaDeviceManagerUpdate.exe [2013-03-25 19:44]
.
2014-08-04 c:\windows\Tasks\Motorola Device Manager Update.job
- c:\program files\Motorola Mobility\Motorola Device Manager\MotorolaDeviceManagerUpdate.exe [2013-03-25 19:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.drudgereport.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254 192.168.1.1 192.168.1.254
TCP: Interfaces\{44FCF4F3-07BE-4912-9F3F-A4D47C38109A}: NameServer = 8.8.8.8
FF - ProfilePath - c:\documents and settings\Human User\Application Data\Mozilla\Firefox\Profiles\ufgs125h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AVG-Secure-Search-Update_0214c - c:\documents and settings\Human User\Application Data\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-08-21 19:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_38_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_38_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-08-21  19:40:28
ComboFix-quarantined-files.txt  2014-08-21 23:40
.
Pre-Run: 385,049,751,552 bytes free
Post-Run: 385,082,736,640 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 14888E02A5A6011346C10E6B1758DAA5
8F558EB6672622401DA993E1E865C861
 


Yes, generally there is less redirection occurring, meaning that fewer sites seem to be affected in the limited amount of checking I was able to do last night after running ComboFix, but the root problem of not being able to access any Yahoo site still exists. I do notice that the information bar at the bottom of the IE browser no longer shows an address that it is connected to when trying (where it stated l.yimg.com or s.yimg.com before); it just shows that whatever site I am trying to reach is "connecting". I also tried Firefox and the results for affected sites are the same: extended delays "connecting", during which the network connection shows constant activity, and the result is no page load.

My wife and I use Yahoo for email, and unfortunately this is going to be a big problem soon for her, not being able to access email, and for me, running a Fantasy Football league. If uninstalling all browsers helps I do not have a problem dumping them; I have no problem resetting her shortcuts and favorites back up.

 

Thanks again for your help

 


Scan with Mini Toolbox 


Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
 

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.


Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


This machine was an old machine I built my mother 8 years ago, she gave it back to me when she upgraded 3 years ago. It came out of retirement last year when our normal PC had a hardware failure. I wiped the win2000 off of it and put a legit copy of win XP on it just so the wife and kids could get to email and do homework.

I am getting hardware to correct my old gaming rig tonight and will be building a win 7 machine this week so we can have a functioning machine for next week when school starts. I am out of time in messing with chasing an elusive pest around the guts of a machine I do not care about.

Thanks again for your help, but I will just format this drive once I get a few pictures off of it, the hardware is ancient and not worth repurposing to me. Win 2000 was current when this box was built ;)


Root Admin (2 weeks later):

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
