Web browser redirecting and fake antivirus



Wildman0420
2010-03-14, 00:10
Hey guys, need some of your ninja-like skills to help me out here. The problem lies here with my 80-year-old grandfather's computer. He's pretty internet savvy for an old man, but seems to have gotten his PC pretty screwed up, despite running AVG Free and Spybot S&D.
The first sign of any problems was when searching: he would be redirected to another page, and forced to search again to get to the page he was looking for. That was annoying, but didn't stop him altogether. However, last night a fake antivirus popped up called "Security Tool". He was smart enough to know that this wasn't his antivirus, so he tried to run an AVG scan, only to find that everything was locked out on him. When I got here to look at it I found that even taskmgr and regedit were blocked. This fake AV kept calling all .exe's viruses. Safe mode, when I attempted it, just went into a reboot loop. Luckily, after a short while, AVG seems to have noticed that this malicious program was running, and has stopped it from running. However, I believe there is still something wrong here, as the web redirects still happen, and the fake AV is still listed in my start menu. I await your skilled advice, gurus; please help a grandson help his grandpa!

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:55 PM, on 3/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O8 - Extra context menu item: &Funband Serach - res://C:\Program Files\JuicyPalace Toolbar\2.3.0.9080\mvb0.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256309585171
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E766468-09B1-48D0-AC7C-161D2052E260}: NameServer = 93.188.162.178,93.188.161.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.178,93.188.161.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E766468-09B1-48D0-AC7C-161D2052E260}: NameServer = 93.188.162.178,93.188.161.103
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.178,93.188.161.103
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E766468-09B1-48D0-AC7C-161D2052E260}: NameServer = 93.188.162.178,93.188.161.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.178,93.188.161.103
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: BrowserZinc Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\BrowserZinc\browserzinc119.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6136 bytes
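Two things in the log above are what a malware-removal helper looks at first: the O17 lines, where the DNS NameServer for every control set has been set to two public addresses (93.188.162.178, 93.188.161.103) rather than the router or the ISP's resolvers, which is consistent with the search redirects described, and the O23 "BrowserZinc Service" line, which has no publisher, runs from Application Data, and points at a file that is missing. The script below is an added example, not part of this thread and not HijackThis code: it parses HijackThis 2.0.2-format lines and flags exactly those indicators. The function names (`triage`, `rogue_resolvers`) and the `trusted_dns` parameter are hypothetical; the sample log is a constructed excerpt built from the entries posted above plus one private-LAN resolver line so the "expected" path is exercised too.

```python
"""Triage helper for a HijackThis log: flags the O17 DNS (NameServer) entries
and O23 services that a malware-removal helper would look at first.

Added example for this thread; it is not HijackThis code. Function names
(triage, rogue_resolvers) and the trusted_dns parameter are hypothetical.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed excerpt in HijackThis 2.0.2 line format. The values come from
# the log posted above, plus one private-LAN resolver line (192.168.1.1)
# added so the "expected resolver" path is exercised as well.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\\..\\Run: [AVG9_TRAY] C:\\PROGRA~1\\AVG\\AVG9\\avgtray.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 93.188.162.178,93.188.161.103
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{0E766468-09B1-48D0-AC7C-161D2052E260}: NameServer = 192.168.1.1
O23 - Service: BrowserZinc Service - Unknown owner - C:\\Documents and Settings\\All Users\\Application Data\\BrowserZinc\\browserzinc119.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\\Program Files\\AVG\\AVG9\\avgwdsvc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d.,\s]+)$")
SERVICE_RE = re.compile(r"Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def is_expected_dns(server: str, trusted: frozenset[str]) -> bool:
    """A resolver is expected if it is a LAN (private-range) address or one
    the operator has listed as trusted (the ISP's resolvers, for instance)."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP literal at all: treat as unexpected
    return addr.is_private or server in trusted


def _split_servers(text: str) -> list[str]:
    return [s.strip() for s in text.split(",") if s.strip()]


def triage(log_text: str, trusted_dns: frozenset[str] = frozenset()) -> list[dict]:
    """Return one finding per suspicious O17/O23 line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O17":
            ns = NAMESERVER_RE.search(body)
            if not ns:
                continue
            bad = [s for s in _split_servers(ns.group("servers"))
                   if not is_expected_dns(s, trusted_dns)]
            if bad:
                findings.append({"section": section, "line": raw, "bad_servers": bad,
                                 "reasons": ["resolver is an unexpected public address: " + s
                                             for s in bad]})
        elif section == "O23":
            svc = SERVICE_RE.search(body)
            if not svc:
                continue
            reasons = []
            if svc.group("owner") == "Unknown owner":
                reasons.append("service has no publisher")
            if svc.group("path").endswith("(file missing)"):
                reasons.append("service binary is missing on disk")
            if "\\Application Data\\" in svc.group("path"):
                reasons.append("service runs from a user-writable data directory")
            if reasons:
                findings.append({"section": section, "line": raw, "reasons": reasons})
    return findings


def rogue_resolvers(log_text: str, trusted_dns: frozenset[str] = frozenset()) -> list[str]:
    """Unique unexpected resolvers, in first-seen order. HijackThis repeats the
    NameServer value under CCS, CS1 and CS2, so de-duplication matters."""
    seen: dict[str, None] = {}
    for f in triage(log_text, trusted_dns):
        for s in f.get("bad_servers", []):
            seen.setdefault(s, None)
    return list(seen)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "|", "; ".join(f["reasons"]))
        print("   ", f["line"])
    print("rogue resolvers:", rogue_resolvers(SAMPLE_LOG))
```

On the posted log this reports the same two resolvers for all six O17 lines and the BrowserZinc service for all three reasons. Pass the ISP's real resolvers as `trusted_dns` to silence them; anything left is worth checking against the router's DHCP settings, since a changed resolver is what turns an otherwise clean-looking browser into one that "redirects when searching".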

Blade81
2010-03-17, 07:38
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.


Download GMER (http://www.gmer.net) here by clicking the "download exe" button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the "Show All" box while scanning is in progress!
When scanning is ready, click Copy. This copies the log to the clipboard.
Post the log in your reply.

Wildman0420
2010-03-18, 21:07
Hi Blade, Thanks for getting around to help me.

I ran DDS and have both logs to post; however, GMER kept locking up. I was going to try it in safe mode, but it seems I can't enter safe mode. It just reboots itself after I select it.


DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 20:36:15.12 on Wed 03/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.421 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ccleaner] "c:\program files\ccleaner\ccleaner.exe" /AUTO
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Funband Serach - c:\program files\juicypalace toolbar\2.3.0.9080\mvb0.dll/MENUSEARCH.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256309585171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: NameServer = 93.188.162.178,93.188.161.103
TCP: {0E766468-09B1-48D0-AC7C-161D2052E260} = 93.188.162.178,93.188.161.103
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-23 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-23 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-23 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-17 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [2009-10-22 42240]
S2 BrowserZinc Service;BrowserZinc Service;"c:\documents and settings\all users\application data\browserzinc\browserzinc119.exe" "c:\program files\browserzinc\browserzinc.dll" service --> c:\documents and settings\all users\application data\browserzinc\browserzinc119.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-10-22 1684736]

=============== Created Last 30 ================

2010-03-17 13:10 12,464 a------- c:\windows\system32\avgrsstx.dll
2010-03-14 13:15 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-14 13:15 19,160 a------- c:\windows\system32\drivers\mbam.sys
2010-03-14 13:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 13:59 <DIR> --d----- c:\program files\Trend Micro
2010-03-12 23:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\97480230
2010-02-24 15:46 <DIR> --d----- c:\program files\CCleaner

==================== Find3M ====================

2010-03-17 13:10 242,696 a------- c:\windows\system32\drivers\avgtdix.sys
2010-03-17 13:09 216,200 a------- c:\windows\system32\drivers\avgldx86.sys
2009-12-21 15:14 916,480 a------- c:\windows\system32\wininet.dll

============= FINISH: 20:36:47.67 ===============


And the other

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/22/2009 10:56:46 AM
System Uptime: 3/17/2010 3:44:10 PM (5 hours ago)

Motherboard: MICRO-STAR INTERANTIONAL CO.,LTD | | MS-7327
Processor: AMD Athlon(tm) X2 Dual Core Processor BE-2350 | CPU 1 | 2094/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 153 GiB total, 132.063 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP90: 1/10/2010 8:40:03 PM - System Checkpoint
RP91: 1/11/2010 7:54:46 PM - System Checkpoint
RP92: 1/12/2010 9:57:39 PM - Software Distribution Service 3.0
RP93: 1/13/2010 9:48:13 PM - Software Distribution Service 3.0
RP94: 1/15/2010 1:29:04 PM - System Checkpoint
RP95: 1/16/2010 2:42:06 PM - System Checkpoint
RP96: 1/17/2010 3:05:29 PM - System Checkpoint
RP97: 1/18/2010 10:25:47 AM - Avg8 Update
RP98: 1/19/2010 12:44:08 PM - System Checkpoint
RP99: 1/20/2010 5:46:20 PM - System Checkpoint
RP100: 1/21/2010 5:55:29 PM - System Checkpoint
RP101: 1/22/2010 6:52:17 PM - System Checkpoint
RP102: 1/22/2010 8:20:39 PM - Software Distribution Service 3.0
RP103: 1/24/2010 12:24:57 PM - System Checkpoint
RP104: 1/25/2010 2:50:22 PM - System Checkpoint
RP105: 1/26/2010 11:47:39 AM - Avg8 Update
RP106: 1/27/2010 12:07:57 PM - System Checkpoint
RP107: 1/28/2010 5:38:30 PM - System Checkpoint
RP108: 1/29/2010 11:21:26 PM - System Checkpoint
RP109: 2/1/2010 12:57:32 PM - System Checkpoint
RP110: 2/2/2010 11:58:21 AM - Installed Java(TM) 6 Update 17
RP111: 2/3/2010 1:20:24 PM - System Checkpoint
RP112: 2/4/2010 1:29:21 PM - System Checkpoint
RP113: 2/5/2010 2:07:52 PM - System Checkpoint
RP114: 2/6/2010 2:48:54 PM - System Checkpoint
RP115: 2/7/2010 3:21:06 PM - System Checkpoint
RP116: 2/8/2010 4:23:07 PM - System Checkpoint
RP117: 2/9/2010 4:30:08 PM - System Checkpoint
RP118: 2/10/2010 5:15:18 PM - System Checkpoint
RP119: 2/11/2010 6:11:01 PM - System Checkpoint
RP120: 2/12/2010 6:58:54 PM - System Checkpoint
RP121: 2/14/2010 4:16:02 PM - System Checkpoint
RP122: 2/15/2010 4:26:36 PM - System Checkpoint
RP123: 2/17/2010 1:15:46 PM - System Checkpoint
RP124: 2/18/2010 4:35:15 PM - System Checkpoint
RP125: 2/19/2010 5:32:20 PM - System Checkpoint
RP126: 2/21/2010 11:48:41 AM - System Checkpoint
RP127: 2/23/2010 12:53:17 PM - System Checkpoint
RP128: 2/24/2010 1:05:53 PM - System Checkpoint
RP129: 2/25/2010 1:42:39 PM - System Checkpoint
RP130: 2/26/2010 4:40:35 PM - System Checkpoint
RP131: 2/27/2010 6:26:05 PM - System Checkpoint
RP132: 2/28/2010 7:18:03 PM - System Checkpoint
RP133: 3/1/2010 8:18:19 PM - System Checkpoint
RP134: 3/5/2010 3:58:59 PM - System Checkpoint
RP135: 3/6/2010 4:02:07 PM - System Checkpoint
RP136: 3/7/2010 5:39:02 PM - System Checkpoint
RP137: 3/11/2010 10:56:56 AM - System Checkpoint
RP138: 3/12/2010 12:35:18 PM - System Checkpoint
RP139: 3/13/2010 2:21:30 PM - System Checkpoint
RP140: 3/14/2010 3:45:03 PM - System Checkpoint
RP141: 3/15/2010 4:37:38 PM - System Checkpoint
RP142: 3/16/2010 4:51:24 PM - System Checkpoint
RP143: 3/17/2010 1:08:08 PM - Avg8 Update
RP144: 3/17/2010 1:10:43 PM - Avg Update

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
AnswerWorks Runtime
ATI - Software Uninstall Utility
ATI Display Driver
AVG Free 9.0
CCleaner
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Java(TM) 6 Update 17
LSI PCI-SV92PP Soft Modem
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
OpenOffice.org 3.1
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

3/14/2010 9:14:24 PM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
3/12/2010 8:09:05 PM, error: Dhcp [1002] - The IP address lease 24.236.238.186 for the Network Card with network address 0019DB6283A5 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

Blade81
2010-03-19, 14:00
Hi,

Could you try to run GMER by deselecting sections and devices first, before pressing the Scan button, please?

Wildman0420
2010-03-19, 21:57
Ok. GMER ran for about 4 hours and finished, but as soon as I clicked, my mouse locked up again. I took a picture with my cell phone of what was in the white screen before I had to hard boot. All that came up was one entry:

Type: IAT Name: C:\Program Files\Internet Explorer\iexplore.exe[2208] @ C:\WINDOWS...

Value: [451F1AC8] C:\Program Files\Internet...

And that's all that was showing when it finished.

Blade81
2010-03-20, 12:02
Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Wildman0420
2010-03-20, 23:53
OK, I followed the tutorial on how to stop AVG Free. I shut off the resident scanner like it said. However, there is still anti-virus and anti-spyware running, and when I run ComboFix it says "Warning !! Combofix has detected the following realtime scanner(s) to be active:

AVG Antivirus Free

This may lead to unpredictable results or possible machine damage.

Please disable these scanners before clicking ok."

So what I need to know is how do I shut all of AVG free down, short of uninstalling it?

Blade81
2010-03-21, 12:29
Does it offer an option to close down the whole of AVG if you right-click its icon in the tray bar?

Wildman0420
2010-03-21, 19:31
Ok,
It didn't offer that option. However, I went to close ComboFix by pushing the X instead of OK, and it went ahead and ran. I was too scared to stop it at this point, so I just went along and hoped that disabling the resident scanner would be enough. It went through all the steps and finished, so I have a log to post here. BUT it does seem to have stopped AVG from loading during startup, and when I click the shortcut to open it, it pulls up the settings screen, and I can re-enable all the settings, but it still isn't running down by the clock, so I'm pretty sure it isn't protecting anymore. Here is the ComboFix log:

ComboFix 10-03-20.01 - Owner 03/21/2010 3:22.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.523 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\BrowserZinc
c:\documents and settings\Owner\Application Data\Control-Center
c:\documents and settings\Owner\Application Data\Control-Center\faq\guide.html
c:\documents and settings\Owner\Application Data\Control-Center\faq\images\05.png
c:\documents and settings\Owner\Application Data\Control-Center\faq\images\06.png
c:\documents and settings\Owner\Application Data\Control-Center\faq\images\07.png
c:\documents and settings\Owner\Application Data\Control-Center\faq\images\08.png
c:\documents and settings\Owner\Application Data\Control-Center\faq\images\09.png
c:\documents and settings\Owner\Application Data\Control-Center\faq\images\10.png
c:\documents and settings\Owner\Application Data\Control-Center\settings.ini
c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk
c:\program files\BrowserZinc
c:\program files\BrowserZinc\browserzinc.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BROWSERZINC_SERVICE
-------\Legacy_SSHNAS
-------\Service_BrowserZinc Service


((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-17 17:10 . 2010-03-17 17:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-14 17:15 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-14 17:15 . 2010-03-14 17:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 17:15 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 17:59 . 2010-03-13 17:59 -------- d-----w- c:\program files\Trend Micro
2010-03-13 03:29 . 2010-03-13 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\97480230
2010-02-24 22:36 . 2010-02-24 22:36 101240 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-24 19:46 . 2010-02-24 19:46 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 17:10 . 2009-10-23 20:07 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-17 17:10 . 2009-10-23 20:07 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-17 17:09 . 2009-10-23 20:07 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-14 17:10 . 2009-10-29 17:21 -------- d-----w- c:\program files\Corel
2010-03-14 17:01 . 2009-10-29 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-10 22:37 . 2009-10-23 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-02 16:58 . 2009-10-24 15:29 -------- d-----w- c:\program files\Java
2010-02-02 16:57 . 2010-02-02 16:57 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-02 16:57 . 2010-02-02 16:57 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-12 22:02 . 2010-01-12 22:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-21 19:14 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2010-01-26 1724728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-20 18670592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-17 17:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/23/2009 4:07 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/23/2009 4:07 PM 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/17/2010 1:09 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/17/2010 1:10 PM 308064]
R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [10/22/2009 3:30 PM 42240]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/22/2009 6:05 PM 1684736]
.
Contents of the 'Scheduled Tasks' folder

2010-03-20 c:\windows\Tasks\User_Feed_Synchronization-{133D5D26-D32B-4BCF-8634-453A8D44813A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Funband Serach - c:\program files\JuicyPalace Toolbar\2.3.0.9080\mvb0.dll/MENUSEARCH.HTM
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-LSI Soft Modem - c:\windows\agrsmdel



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 03:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\setupapi.log 330 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\16?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"c:\\documents and settings\\owner\\desktop\\ati_system_drive_mb\\xp\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3484)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2010-03-21 03:29:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-21 07:29

Pre-Run: 141,603,295,232 bytes free
Post-Run: 141,581,029,376 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 7FBF730DD8150871C7C73FE00BE2BB62

Blade81
2010-03-21, 19:37
Hi,

You may reinstall AVG after we've finished here. Please post a fresh dds log too.

Wildman0420
2010-03-22, 00:55
Ok, fresh DDS coming right up. Let me know when it's ok and I'll re-install AVG. :)


DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 19:50:48.98 on Sun 03/21/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.383 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ccleaner] "c:\program files\ccleaner\ccleaner.exe" /AUTO
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: &Funband Serach - c:\program files\juicypalace toolbar\2.3.0.9080\mvb0.dll/MENUSEARCH.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256309585171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-23 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-23 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-23 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-17 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [2009-10-22 42240]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-10-22 1684736]

=============== Created Last 30 ================

2010-03-21 03:08 <DIR> a-dshr-- C:\cmdcons
2010-03-20 18:54 261,632 a------- c:\windows\PEV.exe
2010-03-20 18:54 161,792 a------- c:\windows\SWREG.exe
2010-03-20 18:54 98,816 a------- c:\windows\sed.exe
2010-03-20 18:54 77,312 a------- c:\windows\MBR.exe
2010-03-17 13:10 12,464 a------- c:\windows\system32\avgrsstx.dll
2010-03-14 13:15 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-14 13:15 19,160 a------- c:\windows\system32\drivers\mbam.sys
2010-03-14 13:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 13:59 <DIR> --d----- c:\program files\Trend Micro
2010-03-12 23:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\97480230
2010-02-24 15:46 <DIR> --d----- c:\program files\CCleaner

==================== Find3M ====================

2010-03-17 13:10 242,696 a------- c:\windows\system32\drivers\avgtdix.sys
2010-03-17 13:09 216,200 a------- c:\windows\system32\drivers\avgldx86.sys

============= FINISH: 19:51:24.70 ===============





UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/22/2009 10:56:46 AM
System Uptime: 3/21/2010 1:20:22 PM (6 hours ago)

Motherboard: MICRO-STAR INTERANTIONAL CO.,LTD | | MS-7327
Processor: AMD Athlon(tm) X2 Dual Core Processor BE-2350 | CPU 1 | 2094/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 153 GiB total, 131.784 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP90: 1/10/2010 8:40:03 PM - System Checkpoint
RP91: 1/11/2010 7:54:46 PM - System Checkpoint
RP92: 1/12/2010 9:57:39 PM - Software Distribution Service 3.0
RP93: 1/13/2010 9:48:13 PM - Software Distribution Service 3.0
RP94: 1/15/2010 1:29:04 PM - System Checkpoint
RP95: 1/16/2010 2:42:06 PM - System Checkpoint
RP96: 1/17/2010 3:05:29 PM - System Checkpoint
RP97: 1/18/2010 10:25:47 AM - Avg8 Update
RP98: 1/19/2010 12:44:08 PM - System Checkpoint
RP99: 1/20/2010 5:46:20 PM - System Checkpoint
RP100: 1/21/2010 5:55:29 PM - System Checkpoint
RP101: 1/22/2010 6:52:17 PM - System Checkpoint
RP102: 1/22/2010 8:20:39 PM - Software Distribution Service 3.0
RP103: 1/24/2010 12:24:57 PM - System Checkpoint
RP104: 1/25/2010 2:50:22 PM - System Checkpoint
RP105: 1/26/2010 11:47:39 AM - Avg8 Update
RP106: 1/27/2010 12:07:57 PM - System Checkpoint
RP107: 1/28/2010 5:38:30 PM - System Checkpoint
RP108: 1/29/2010 11:21:26 PM - System Checkpoint
RP109: 2/1/2010 12:57:32 PM - System Checkpoint
RP110: 2/2/2010 11:58:21 AM - Installed Java(TM) 6 Update 17
RP111: 2/3/2010 1:20:24 PM - System Checkpoint
RP112: 2/4/2010 1:29:21 PM - System Checkpoint
RP113: 2/5/2010 2:07:52 PM - System Checkpoint
RP114: 2/6/2010 2:48:54 PM - System Checkpoint
RP115: 2/7/2010 3:21:06 PM - System Checkpoint
RP116: 2/8/2010 4:23:07 PM - System Checkpoint
RP117: 2/9/2010 4:30:08 PM - System Checkpoint
RP118: 2/10/2010 5:15:18 PM - System Checkpoint
RP119: 2/11/2010 6:11:01 PM - System Checkpoint
RP120: 2/12/2010 6:58:54 PM - System Checkpoint
RP121: 2/14/2010 4:16:02 PM - System Checkpoint
RP122: 2/15/2010 4:26:36 PM - System Checkpoint
RP123: 2/17/2010 1:15:46 PM - System Checkpoint
RP124: 2/18/2010 4:35:15 PM - System Checkpoint
RP125: 2/19/2010 5:32:20 PM - System Checkpoint
RP126: 2/21/2010 11:48:41 AM - System Checkpoint
RP127: 2/23/2010 12:53:17 PM - System Checkpoint
RP128: 2/24/2010 1:05:53 PM - System Checkpoint
RP129: 2/25/2010 1:42:39 PM - System Checkpoint
RP130: 2/26/2010 4:40:35 PM - System Checkpoint
RP131: 2/27/2010 6:26:05 PM - System Checkpoint
RP132: 2/28/2010 7:18:03 PM - System Checkpoint
RP133: 3/1/2010 8:18:19 PM - System Checkpoint
RP134: 3/5/2010 3:58:59 PM - System Checkpoint
RP135: 3/6/2010 4:02:07 PM - System Checkpoint
RP136: 3/7/2010 5:39:02 PM - System Checkpoint
RP137: 3/11/2010 10:56:56 AM - System Checkpoint
RP138: 3/12/2010 12:35:18 PM - System Checkpoint
RP139: 3/13/2010 2:21:30 PM - System Checkpoint
RP140: 3/14/2010 3:45:03 PM - System Checkpoint
RP141: 3/15/2010 4:37:38 PM - System Checkpoint
RP142: 3/16/2010 4:51:24 PM - System Checkpoint
RP143: 3/17/2010 1:08:08 PM - Avg8 Update
RP144: 3/17/2010 1:10:43 PM - Avg Update
RP145: 3/18/2010 1:30:21 PM - System Checkpoint
RP146: 3/19/2010 4:29:59 PM - System Checkpoint
RP147: 3/20/2010 5:08:46 PM - System Checkpoint
RP148: 3/21/2010 5:24:21 PM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
AnswerWorks Runtime
ATI - Software Uninstall Utility
ATI Display Driver
AVG Free 9.0
CCleaner
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Java(TM) 6 Update 17
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
OpenOffice.org 3.1
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

3/21/2010 3:22:23 AM, information: Windows File Protection [64004] - The protected system file atapi.sys could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5512 The specific error code is 0x000006b5 [The interface is unknown. ].
3/19/2010 3:52:35 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AudioSrv service.
3/14/2010 9:38:24 PM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.

==== End Of File ===========================
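Reading a DDS log by hand is what the helper does in this thread: the entries worth a second look are the extension bar (EB) that points at "No File", the IE menu entry for an unfamiliar third-party toolbar, and the all-digit folder created under Application Data that Blade81 later asks to have deleted. The script below is an added example, not code from the thread, from DDS or from its author; it parses a constructed sample made of a few lines in the shape of the log above (not the complete log) and applies those three heuristics. The vendor allowlist and the "numeric folder name under Application Data" rule are assumptions for the example, not rules DDS itself applies.

```python
import re

# Constructed sample: a handful of lines in the shape of the DDS log above,
# not the complete log. Paths are copied the way DDS prints them.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: &Funband Serach - c:\program files\juicypalace toolbar\2.3.0.9080\mvb0.dll/MENUSEARCH.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

=============== Created Last 30 ================

2010-03-21 03:08 <DIR> a-dshr-- C:\cmdcons
2010-03-20 18:54 261,632 a------- c:\windows\PEV.exe
2010-03-14 13:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-03-12 23:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\97480230

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
PATH_RE = re.compile(r'([a-z]:\\[^"]+|%[a-z]+%\\[^"]+)', re.I)

# Directories treated as known-good for browser extensions. This allowlist is
# an assumption for the example (it matches the vendors seen in this log).
KNOWN_GOOD_DIRS = ("\\avg\\", "\\spybot", "\\java\\", "%windir%", "\\messenger\\")
EXTENSION_KINDS = ("BHO", "EB", "IE", "DPF", "Toolbar")


def split_sections(text):
    """Group DDS output under its '==== Name ====' banners."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_hjt(lines):
    """Turn 'KIND: detail' / 'KIND = value' lines into dicts with the target path."""
    entries = []
    for line in lines:
        if ": " in line:
            kind, detail = line.split(": ", 1)
        elif " = " in line:
            kind, detail = line.split(" = ", 1)
        else:
            continue
        paths = PATH_RE.findall(detail)
        entries.append({"kind": kind, "detail": detail,
                        "path": paths[-1] if paths else detail})
    return entries


def triage(text):
    """Return (severity, message) findings from the three heuristics."""
    sections = split_sections(text)
    findings = []
    for e in parse_hjt(sections.get("Pseudo HJT Report", [])):
        if e["detail"].endswith(" - No File"):
            # Orphaned registration: harmless on its own, but it is leftover
            # from something that was removed and should be cleaned up.
            findings.append(("low", "orphaned %s entry: %s" % (e["kind"], e["detail"])))
        elif e["kind"] in EXTENSION_KINDS and e["path"] != e["detail"]:
            if not any(d in e["path"].lower() for d in KNOWN_GOOD_DIRS):
                findings.append(("medium", "unrecognised %s extension: %s" % (e["kind"], e["path"])))
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        size, path = m.group(3), m.group(5)
        leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
        # Rogue AV families of this era dropped into a randomly numbered folder
        # under Application Data; an all-digit leaf there is worth a look.
        if size == "<DIR>" and leaf.isdigit() and "applic~1" in path.lower():
            findings.append(("high", "numeric-named folder under Application Data: " + path))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_DDS):
        print(severity.upper(), message)
```

Run against the sample it reports the orphaned EB entry, the toolbar's IE menu extension, and the 97480230 folder; everything from AVG, Spybot, Java and %windir% passes the allowlist. The allowlist is deliberately narrow: on an unfamiliar machine it is safer to flag an unknown vendor for a human to look up than to guess it is benign.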

Blade81
2010-03-22, 11:37
Hi,

Delete c:\documents and settings\All Users\Application Data\97480230 folder. It's ok to reinstall AVG now :)

Wildman0420
2010-03-23, 00:05
Alright. Deleting folder and reinstalling AVG.

Blade81
2010-03-23, 07:15
Good. Let me know how it goes.

Wildman0420
2010-03-24, 19:15
Well looks pretty good! All the annoying redirects seem to have stopped. The only one I'm getting now is the dang 11charter thing that my ISP forces my DNS to go to. I've been told that openDNS is a good program to solve that problem, so if you think I'm clean and clear I'll install that. I must say thank you. You've come through again and proven your mastery over malicious software. You rock Blade!!!

Wildman0420
2010-03-24, 19:57
Oh I'd love to make a donation to you guys. Always working so hard to help people you've never met. You're the true heroes of the internet. You have a link for making a donation?

Blade81
2010-03-24, 20:42
Hi,


Oh I'd love to make a donation to you guys. Always working so hard to help people you've never met. You're the true heroes of the internet. You have a link for making a donation?
Yes, if you wish to donate you can do so here (http://www.spybot.info/en/donate/index.html) :)


Please find a list of the final steps in our cleaning process below.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK



Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen).
Click run.
In the dialog box, type services.msc and hit enter, then locate dns client.
Highlight it, then double-click it.
On the dropdown box, change the setting from automatic to manual.
Click ok.
Run Secunia vulnerability check here (http://secunia.com/vulnerability_scanning/online/) and fix its findings.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
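The hosts file step above rests on a distinction worth making explicit: an entry that maps a name to 127.0.0.1 or 0.0.0.0 only sinkholes that name (which is all the MVPS list does), while an entry that maps a name to any other address silently sends the browser somewhere else, and a planted hosts entry of that kind is one common way a browser ends up redirected. So a hosts file is something to audit as well as to install. The script below is an added example, not code from the thread or from the MVPS hosts project; it reads a constructed sample hosts file and reports every entry that is not a plain blocking entry. The list of watched names is an assumption for the example.

```python
import ipaddress

# Constructed sample hosts file: the stock localhost line, two MVPS-style
# blocking entries, and three entries that point names at real addresses.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 ads.example.org   # blocked by the hosts list
192.0.2.10 www.google.com
192.0.2.10 free.avg.com
192.0.2.20 intranet.example
"""

# Hostnames the user expects to resolve normally. An assumption for the
# example; on a real machine use the sites and security vendors actually in use.
WATCHED_NAMES = {"www.google.com", "free.avg.com", "update.microsoft.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        # One address may carry several names on a line
        for name in parts[1:]:
            yield parts[0], name.lower()


def classify(ip, name):
    """'block' entries only sinkhole a name; anything else sends traffic somewhere."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:
        return "block"
    # A watched name pointed at a real address is the redirect pattern
    return "hijack" if name in WATCHED_NAMES else "redirect"


def audit_hosts(text):
    """Return every entry that is not a plain blocking entry."""
    return [(ip, name, classify(ip, name))
            for ip, name in parse_hosts(text)
            if classify(ip, name) != "block"]


if __name__ == "__main__":
    for ip, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print("%-8s %-16s -> %s" % (verdict, ip, name))
```

On the sample the two watched names pointed at 192.0.2.10 come back as hijacks and the intranet line as a redirect to review; the thousands of 0.0.0.0 lines a blocking list adds all classify as "block" and stay out of the report, so the output remains short even on a large hosts file.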

Wildman0420
2010-03-30, 21:31
Hey blade, sorry it took me so long to reply. Been a hectic week for the family. Again I have to say thank you so much for the help you've given us. The computer seems to be fine and all symptoms are no longer present. We will definitely be donating to you, as soon as I can. (money's tight, car troubles, but I won't forget.) Also having worked with you before and seeing the good things you guys do here, I feel inspired to learn how to help people myself. Is there one of the online schools you'd recommend? I have a lot of time this summer and feel like I could learn and be able to assist others.

One more time Blade, you are the best. If you didn't live so damn far away I'd for sure buy you a beer or something. When I donate to you, you'll have to buy yourself a beer from me. :-D

Blade81
2010-03-31, 10:07
You're welcome :)


Is there one of the online schools you'd recommend? I have a lot of time this summer and feel like I could learn and be able to assist others.
Here's a list (in alphabetical order) of sites that have malware removal school:
Bleeping Computer (http://www.bleepingcomputer.com/forums/topic86678.html)
Geeks to Go (http://www.geekstogo.com/forum/Would-you-like-to-learn-to-fight-malware-t4817.html)
Malware Removal (http://www.malwareremoval.com)
SpywareHammer (http://www.spywarehammer.com/)
Spyware Info (http://www.spywareinfoforum.com/index.php?showtopic=34)
Tech Support Forum (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/294775-please-read-before-applying-join-academy.html)
What the Tech (http://forums.whatthetech.com/What_Tech_Classroom_t80368.html)

Training usually takes 6 months or more.

Blade81
2010-04-07, 10:28
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.