bit by a tdss rootkit?
llamatreat
2010-04-28, 09:18
hi guys, i originally had something nasty that posed as various antispyware programs, gave me numerous popups, trojans and put porn on my desktop...i don't download any warez, cracks or keygens, so not sure how it happened.
before coming on this forum (i'm brand new to this) i booted up in safe mode, reverted back to a system restore point. then i ran malwarebytes' anti-malware, trojan remover, unhack me, avg free and TDSSKiller, which tells me that nvata.sys is infected, but the cure fails.
right now my compy seems almost normal, except maybe once or twice a night my browser gets a tab opened and redirected to sketchy looking url trying to sell me a belgian brides or show me its bewbies.
thanks in advance for your help!!! :)
-k
-----------------------------------------
DDS (Ver_10-03-17.01) - NTFSx86
Run by Kai-Wen at 22:48:44.45 on Tue 04/27/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1517 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Turtle Beach\Turtle Beach USB MIDI 1x1\TBUM11.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Kai-Wen\Desktop\dds.scr
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Google Update] "c:\documents and settings\kai-wen\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Turtle Beach USB MIDI 1x1] c:\program files\turtle beach\turtle beach usb midi 1x1\TBUM11.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus\AirPlus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\kai-wen\applic~1\mozilla\firefox\profiles\9r35im7q.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\kai-wen\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\kai-wen\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-21 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-21 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-21 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-31 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-31 308064]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-4-6 1373480]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-4-18 35816]
S3 TBU11;Turtle Beach USB MIDI 1x1 Driver;c:\windows\system32\drivers\tbu11.sys [2009-5-6 13824]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]
=============== Created Last 30 ================
2010-04-19 02:34:20 2 --shatr- c:\windows\winstart.bat
2010-04-19 02:34:06 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-04-19 02:34:06 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-04-19 02:34:00 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-04-19 02:33:56 0 d-----w- c:\program files\UnHackMe
2010-04-18 17:44:14 0 d-----w- c:\docume~1\kai-wen\applic~1\Malwarebytes
2010-04-18 17:44:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-18 17:44:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-18 17:44:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-18 17:44:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 17:27:14 0 d-----w- c:\program files\Trojan Remover
2010-04-18 17:24:59 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-18 17:24:59 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-18 17:24:58 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-18 17:24:58 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-18 17:24:58 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-04-18 17:24:57 0 d-----w- c:\docume~1\kai-wen\applic~1\Simply Super Software
2010-04-18 17:24:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-04-14 02:00:20 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-01 05:43:22 0 d--h--w- C:\$AVG
2010-04-01 05:40:53 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-01 05:40:36 0 d-----w- c:\windows\SxsCaPendDel
==================== Find3M ====================
2010-04-22 04:32:56 49536 ----a-w- c:\windows\system32\drivers\Cdrom.sys
2010-04-01 05:43:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-01 05:43:17 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-01 05:43:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12:17 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
============= FINISH: 22:49:19.09 ===============
IndiGenus
2010-04-28, 23:12
Hello llamatreat and welcome to the forums.
:snwelcome:
We need to get a rootkit scan done here.
Download This file (http://www.gmer.net/download.php). Note its name and save it to your root folder, such as C:\.
Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.
Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
Allow the driver to load if asked.
You may be prompted to scan immediately if it detects rootkit activity.
If you are prompted to scan your system click "Yes" to begin the scan.
If not prompted, click the "Rootkit/Malware" tab.
On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
Select the drive that Windows is installed on, typically C:\, and uncheck the rest.
Click the Scan button to begin. (Please be patient as it can take some time to complete)
When the scan is finished, click Save to save the scan results to your Desktop.
Save the file as Results.txt and copy/paste the contents in your next reply. If the file is too large to copy and paste you can upload it.
Exit the program and re-enable all active protection when done.
llamatreat
2010-04-30, 18:41
...it's taken me 2 days to get this, and i don't think it's a complete one. but i've been saving at regular intervals, because it always crashes the program (and usually at my computer) at some point, even though i think i've disabled all of my anti-malware.
thanks so much for your help again, and let me know if this isn't complete or if there is anything else i can do.
-k
---------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-30 02:16:29
Windows 5.1.2600 Service Pack 2
Running: 9lq6iddl.exe; Driver: C:\DOCUME~1\Kai-Wen\LOCALS~1\Temp\axtdqpow.sys
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0xBA143194]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB860C360, 0x35483F, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[288] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009F000A
.text C:\WINDOWS\Explorer.EXE[288] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AD000A
.text C:\WINDOWS\Explorer.EXE[288] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009E000C
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0081000A
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0082000A
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0080000C
.text C:\WINDOWS\System32\svchost.exe[1148] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 0116000A
.text C:\WINDOWS\System32\svchost.exe[1148] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 0115000A
.text C:\WINDOWS\system32\wuauclt.exe[3032] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AA000A
.text C:\WINDOWS\system32\wuauclt.exe[3032] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\wuauclt.exe[3032] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003C000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0100000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0101000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3340] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FF000C
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device -> \Driver\nvata \Device\Harddisk0\DR0 89BC6AC8
IndiGenus
2010-04-30, 18:47
Great job, fantastic! :bigthumb: The following line tells me what I need to know.
.rsrc C:\WINDOWS\system32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0xBA143194]
We'll run combofix here first without any script. Then we will likely need to run it one more time to finish it off.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
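As an added illustration (not part of this thread, and not GMER's or the helper's own tooling), here is a small Python parser that applies the check IndiGenus describes above: it reads the "Kernel code sections" and "Devices" lines from the GMER log posted earlier and flags a driver whose entry point sits in its .rsrc section, which is what marks cdrom.sys as the patched file. The regexes, severity labels and function names are my own assumptions inferred from the line format shown in this thread, and the sample input is copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the "Kernel code sections" and "Devices" lines from the GMER log
# quoted in this thread, embedded so the script runs offline.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0xBA143194]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB860C360, 0x35483F, 0xE8000020]
---- Devices - GMER 1.0.15 ----
Device -> \Driver\nvata \Device\Harddisk0\DR0 89BC6AC8
"""

# Assumed line shapes, inferred from the lines above (not an official GMER grammar):
#   <section> <driver path>.sys <finding text> [<addresses>]
#   Device -> \Driver\<name> \Device\<object> <address>
SECTION_RE = re.compile(
    r'^(?P<section>\.\w+)\s+(?P<path>\S+\.sys)\s+(?P<finding>.+?)\s*\[(?P<addrs>[^\]]*)\]\s*$',
    re.IGNORECASE,
)
DEVICE_RE = re.compile(
    r'^Device\s+->\s+(?P<driver>\\Driver\\\S+)\s+(?P<device>\\Device\\\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s*$'
)

SEVERITY_RANK = {"low": 0, "review": 1, "high": 2}


@dataclass
class Finding:
    severity: str  # "high", "review" or "low"
    subject: str   # driver path or device object the line is about
    detail: str


def classify_section(section: str, path: str, finding: str) -> Finding:
    """Rate one 'Kernel code sections' line."""
    text = finding.lower()
    if "entry point" in text and section.lower() == ".rsrc":
        # A driver's entry point belongs in a code section such as .text or INIT.
        # .rsrc holds icons, strings and version info, not code, so an entry point
        # that lands there means the on-disk file has been patched to start in
        # injected code. This is the cdrom.sys line the helper singles out.
        return Finding("high", path, f"entry point redirected into {section}")
    if "writeable" in text:
        # A writeable code section is unusual but not proof of infection on its own.
        return Finding("low", path, f"{section} section is writeable")
    return Finding("review", path, finding)


def classify_device(driver: str, device: str) -> Finding:
    """Rate one 'Device ->' line: note which driver answers I/O for a disk object."""
    name = driver.rsplit("\\", 1)[-1]
    if device.lower().startswith(r"\device\harddisk"):
        # Whatever driver services the raw disk object sits under every file scanner,
        # so the named driver (.sys on disk) needs to be verified against a clean copy.
        return Finding("review", device, f"disk I/O dispatched by {name}")
    return Finding("low", device, f"handled by {name}")


def parse_gmer(log: str) -> List[Finding]:
    """Parse the two GMER sections handled here and return one Finding per matched line."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            findings.append(classify_section(m["section"], m["path"], m["finding"]))
            continue
        m = DEVICE_RE.match(line)
        if m:
            findings.append(classify_device(m["driver"], m["device"]))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Return the highest severity present, or 'low' if nothing was flagged."""
    if not findings:
        return "low"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


if __name__ == "__main__":
    results = parse_gmer(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: -SEVERITY_RANK[f.severity]):
        print(f"[{f.severity:6}] {f.subject}: {f.detail}")
    print("overall:", worst_severity(results))
```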
llamatreat
2010-05-01, 07:12
ComboFix 10-04-30.03 - Kai-Wen 04/30/2010 20:59:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1612 [GMT -7:00]
Running from: c:\documents and settings\Kai-Wen\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\WindowsUpdate
Infected copy of c:\windows\system32\drivers\Cdrom.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.
2010-04-28 05:47 . 2010-04-28 05:47 -------- d-----w- c:\program files\ERUNT
2010-04-22 02:59 . 2010-04-22 02:59 -------- d-----w- c:\documents and settings\Administrator.KAREN\Application Data\Malwarebytes
2010-04-22 02:58 . 2010-02-28 03:46 3691384 ----a-w- c:\documents and settings\Administrator.KAREN\Application Data\Simply Super Software\Trojan Remover\hyh4.exe
2010-04-22 02:53 . 2010-04-22 02:53 -------- d-----w- c:\documents and settings\Administrator.KAREN\Application Data\Simply Super Software
2010-04-19 21:59 . 2010-04-19 21:59 255472 ----a-w- c:\documents and settings\Kai-Wen\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-19 02:36 . 2010-04-19 02:46 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-04-19 02:34 . 2010-04-19 02:34 -------- d-----w- c:\documents and settings\Kai-Wen\Local Settings\Application Data\Help
2010-04-19 02:34 . 2010-04-19 02:34 2 --shatr- c:\windows\winstart.bat
2010-04-18 17:44 . 2010-04-18 17:44 -------- d-----w- c:\documents and settings\Kai-Wen\Application Data\Malwarebytes
2010-04-18 17:44 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-18 17:44 . 2010-04-18 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-18 17:44 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-18 17:44 . 2010-04-18 17:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 17:24 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-18 17:24 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-18 17:24 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-18 17:24 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-04-18 17:24 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-14 02:19 . 2010-04-14 02:19 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-14 02:00 . 2010-04-14 02:00 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-13 06:18 . 2010-04-14 02:00 -------- d-s---w- c:\documents and settings\Administrator
2010-04-13 06:18 . 2010-04-14 02:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-01 05:43 . 2010-04-01 05:43 -------- d-----w- C:\$AVG
2010-04-01 05:40 . 2010-04-13 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-01 05:40 . 2010-04-02 05:23 -------- d-----w- c:\windows\SxsCaPendDel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 03:59 . 2009-04-07 04:14 -------- d-----w- c:\documents and settings\Kai-Wen\Application Data\WTablet
2010-04-30 15:42 . 2010-04-30 15:42 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-30 05:27 . 2004-08-04 07:59 49536 ----a-r- c:\windows\system32\drivers\Cdrom.sys
2010-04-29 08:28 . 2010-04-29 08:28 293376 ----a-w- C:\9lq6iddl.exe
2010-04-22 02:59 . 2009-12-02 01:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-01 05:43 . 2009-03-21 16:18 -------- d-----w- c:\program files\AVG
2010-04-01 05:43 . 2009-03-21 16:19 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-01 05:43 . 2009-03-21 16:19 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-01 05:43 . 2009-03-21 16:19 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-01 05:43 . 2009-03-21 16:19 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-30 05:33 . 2009-12-01 22:16 79488 ----a-w- c:\documents and settings\Kai-Wen\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-10 08:02 . 2004-08-04 09:56 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12 . 2004-08-04 09:56 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2004-08-04 09:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2004-08-04 08:15 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:17 . 2004-08-04 08:18 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2004-08-04 09:56 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2004-08-04 08:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Kai-Wen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-06 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"nwiz"="nwiz.exe" [2009-02-18 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-30 148888]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"Turtle Beach USB MIDI 1x1"="c:\program files\Turtle Beach\Turtle Beach USB MIDI 1x1\TBUM11.exe" [2006-08-02 1839104]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-4-18 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
D-Link AirPlus.lnk - c:\program files\D-Link AirPlus\AirPlus.exe [2009-3-15 262144]
MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2009-4-15 294912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-01 05:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Kai-Wen\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Kai-Wen\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/21/2009 9:19 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/21/2009 9:19 AM 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/31/2010 10:42 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/31/2010 10:42 PM 308064]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [4/6/2009 9:14 PM 1373480]
S3 TBU11;Turtle Beach USB MIDI 1x1 Driver;c:\windows\system32\drivers\tbu11.sys [5/6/2009 11:55 PM 13824]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1682526488-725345543-1003Core.job
- c:\documents and settings\Kai-Wen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-06 05:18]
2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1682526488-725345543-1003UA.job
- c:\documents and settings\Kai-Wen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-06 05:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\documents and settings\Kai-Wen\Application Data\Mozilla\Firefox\Profiles\9r35im7q.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Kai-Wen\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Kai-Wen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-30 21:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Turtle Beach USB MIDI 1x1 = c:\program files\Turtle Beach\Turtle Beach USB MIDI 1x1\TBUM11.exe??????????????H???K??wx???????????????????X??????w???w?????????????}F?????????P>&?????????????????????????????????????????????4rG??????????????????>&?????????p?A?P>&?P>&?P>&??????aG?d????????aG
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-04-30 21:06:04
ComboFix-quarantined-files.txt 2010-05-01 04:06
Pre-Run: 148,517,994,496 bytes free
Post-Run: 148,731,498,496 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 40EB727F50811BF86D5CB5B5AA32CAE9
##############################################
i never had hijack this, so i attached an updated dds report instead.
-llamatreat
##############################################
DDS (Ver_10-03-17.01) - NTFSx86
Run by Kai-Wen at 21:08:48.87 on Fri 04/30/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1422 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kai-Wen\Desktop\dds.scr
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Google Update] "c:\documents and settings\kai-wen\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Turtle Beach USB MIDI 1x1] c:\program files\turtle beach\turtle beach usb midi 1x1\TBUM11.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus\AirPlus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\kai-wen\applic~1\mozilla\firefox\profiles\9r35im7q.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\kai-wen\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\kai-wen\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-21 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-21 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-21 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-31 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-31 308064]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-4-6 1373480]
S3 TBU11;Turtle Beach USB MIDI 1x1 Driver;c:\windows\system32\drivers\tbu11.sys [2009-5-6 13824]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]
=============== Created Last 30 ================
2010-05-01 03:53:24 0 d-sha-r- C:\cmdcons
2010-05-01 03:51:57 98816 ----a-w- c:\windows\sed.exe
2010-05-01 03:51:57 77312 ----a-w- c:\windows\MBR.exe
2010-05-01 03:51:57 256512 ----a-w- c:\windows\PEV.exe
2010-05-01 03:51:57 161792 ----a-w- c:\windows\SWREG.exe
2010-04-29 08:28:43 293376 ----a-w- C:\9lq6iddl.exe
2010-04-19 02:34:20 2 --shatr- c:\windows\winstart.bat
2010-04-18 17:44:14 0 d-----w- c:\docume~1\kai-wen\applic~1\Malwarebytes
2010-04-18 17:44:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-18 17:44:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-18 17:44:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-18 17:44:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 17:24:59 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-18 17:24:59 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-18 17:24:58 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-18 17:24:58 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-18 17:24:58 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-04-14 02:00:20 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-01 05:43:22 0 d-----w- C:\$AVG
2010-04-01 05:40:53 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-01 05:40:36 0 d-----w- c:\windows\SxsCaPendDel
==================== Find3M ====================
2010-04-30 05:27:42 49536 ----a-r- c:\windows\system32\drivers\Cdrom.sys
2010-04-01 05:43:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-01 05:43:17 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-01 05:43:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12:17 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
============= FINISH: 21:08:53.62 ===============
IndiGenus
2010-05-01, 16:54
Looking pretty good. We need to check a file.
Go to My Computer-> Tools-> Folder Options-> View tab:
Under the Hidden files and folders heading:
Select - Show hidden files and folders.
Uncheck- Hide protected operating system files (recommended) option.
Also, make sure there is no checkmark beside Hide file extensions for known file types.
Please go to http://www.virustotal.com/en/indexf.html
click on Browse, and upload the following file for analysis:
C:\WINDOWS\winstart.bat
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Or you can copy the link to the VT results page if that is easier.
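As an added example that is not part of this thread, here is a small Python triage script for the DDS "Created Last 30" and "Find3M" lines in the log above. It flags the two things worth checking there: a tiny hidden/system file in the Windows folder such as winstart.bat, and a driver under system32\drivers modified recently with no known tool to explain the change (TDSS-family rootkits patch a legitimate driver in place, so a fresh timestamp on a stock driver name is the tell). The log excerpt, the known_tools prefixes and the 30-day window are constructed assumptions.

```python
import re
from datetime import date

# Constructed excerpt of the DDS "Created Last 30" / "Find3M" sections from this thread,
# same layout as the real log: date time size attribute-flags path.
SAMPLE_DDS = """\
=============== Created Last 30 ================
2010-05-01 03:53:24 0 d-sha-r- C:\\cmdcons
2010-04-29 08:28:43 293376 ----a-w- C:\\9lq6iddl.exe
2010-04-19 02:34:20 2 --shatr- c:\\windows\\winstart.bat
2010-04-18 17:44:07 20824 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
==================== Find3M ====================
2010-04-30 05:27:42 49536 ----a-r- c:\\windows\\system32\\drivers\\Cdrom.sys
2010-04-01 05:43:18 216200 ----a-w- c:\\windows\\system32\\drivers\\avgldx86.sys
2010-02-16 13:17:38 2137088 ----a-w- c:\\windows\\system32\\ntoskrnl.exe
============= FINISH: 21:08:53.62 ===============
"""

# One file entry: ISO date, time, size in bytes, 8-char flag field (d/s/h/a/t/r/w or '-'), path.
ENTRY_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2}:\d{2} (\d+) ([-a-z]{8}) (.+)$")


def parse_dds_entries(text):
    """Return one dict per file line; section headers and anything else are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "mtime": date(int(m.group(1)), int(m.group(2)), int(m.group(3))),
            "size": int(m.group(4)),
            "attrs": set(m.group(5).replace("-", "")),   # e.g. {'s','h','a','t','r'}
            "path": m.group(6).strip(),
        })
    return entries


def triage(entries, log_date, known_tools=("mbam", "avg"), window_days=30):
    """Apply the two checks made in this thread and return (path, reason) pairs.

    known_tools (an assumption) lists filename prefixes of security tools the user
    installed recently, so their drivers are not reported as unexplained changes.
    """
    findings = []
    for e in entries:
        if "d" in e["attrs"]:            # directories are not interesting here
            continue
        path = e["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        # Check 1: a tiny file marked system+hidden in the Windows folder (winstart.bat above)
        # is exactly the kind of thing to submit to a multi-engine scanner before trusting it.
        if {"s", "h"} <= e["attrs"] and e["size"] <= 64 and path.startswith("c:\\windows\\"):
            findings.append((e["path"], "tiny hidden/system file: submit for scanning"))
        # Check 2: a kernel driver modified within the window with no known tool to explain it.
        # TDSS-family rootkits patch a legitimate driver in place, so the file keeps its name.
        recent = (log_date - e["mtime"]).days <= window_days
        if "\\system32\\drivers\\" in path and recent and not name.startswith(known_tools):
            findings.append((e["path"], "driver modified in last %d days: verify its hash" % window_days))
    return findings


def triage_sample(year=2010, month=4, day=30):
    """Run the checks over the constructed excerpt; defaults to the log's own run date."""
    return triage(parse_dds_entries(SAMPLE_DDS), date(year, month, day))


if __name__ == "__main__":
    for path, reason in triage_sample():
        print("%-55s %s" % (path, reason))
```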
llamatreat
2010-05-01, 20:31
Hmm, I'm not sure how much of this to copy/paste, so here is the link:
http://www.virustotal.com/analisis/7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6-1272647795
IndiGenus
2010-05-01, 21:12
How's it running?
Use ATF Cleaner to remove temp files, cookies, cache, etc.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a DDS log.
llamatreat
2010-05-02, 02:26
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4052
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
5/1/2010 4:23:51 PM
mbam-log-2010-05-01 (16-23-51).txt
Scan type: Quick scan
Objects scanned: 119246
Time elapsed: 2 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
######################################
DDS (Ver_10-03-17.01) - NTFSx86
Run by Kai-Wen at 16:24:35.04 on Sat 05/01/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1380 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Turtle Beach\Turtle Beach USB MIDI 1x1\TBUM11.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\MMTaskbar\MultiMon.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kai-Wen\Desktop\dds.scr
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Google Update] "c:\documents and settings\kai-wen\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Turtle Beach USB MIDI 1x1] c:\program files\turtle beach\turtle beach usb midi 1x1\TBUM11.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus\AirPlus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\kai-wen\applic~1\mozilla\firefox\profiles\9r35im7q.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\kai-wen\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\kai-wen\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-21 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-21 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-21 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-31 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-31 308064]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-4-6 1373480]
S3 TBU11;Turtle Beach USB MIDI 1x1 Driver;c:\windows\system32\drivers\tbu11.sys [2009-5-6 13824]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]
=============== Created Last 30 ================
2010-05-01 03:53:24 0 d-sha-r- C:\cmdcons
2010-05-01 03:51:57 98816 ----a-w- c:\windows\sed.exe
2010-05-01 03:51:57 77312 ----a-w- c:\windows\MBR.exe
2010-05-01 03:51:57 256512 ----a-w- c:\windows\PEV.exe
2010-05-01 03:51:57 161792 ----a-w- c:\windows\SWREG.exe
2010-04-29 08:28:43 293376 ----a-w- C:\9lq6iddl.exe
2010-04-19 02:34:20 2 --shatr- c:\windows\winstart.bat
2010-04-18 17:44:14 0 d-----w- c:\docume~1\kai-wen\applic~1\Malwarebytes
2010-04-18 17:44:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-18 17:44:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-18 17:44:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-18 17:44:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 17:24:59 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-18 17:24:59 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-18 17:24:58 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-18 17:24:58 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-18 17:24:58 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-04-14 02:00:20 0 d-----w- c:\windows\system32\wbem\Repository
==================== Find3M ====================
2010-05-01 17:26:45 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-30 05:27:42 49536 ----a-r- c:\windows\system32\drivers\Cdrom.sys
2010-04-01 05:43:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-01 05:43:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12:17 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
============= FINISH: 16:24:59.04 ===============
IndiGenus
2010-05-02, 03:01
Go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
llamatreat
2010-05-02, 05:54
...everything seems to be running okay, I'm not getting any popups in Firefox anymore.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, May 1, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, May 01, 2010 22:24:58
Records in database: 4027239
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Objects scanned: 132184
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:08:14
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\Cdrom.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
Selected area has been scanned.
##############################################
Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 2
Out of date service pack!! (http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3)
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG Free 9.0
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 13
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
Adobe Flash Player 10.0.32.18
Mozilla Firefox (3.5.9) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
IndiGenus
2010-05-02, 16:44
Uninstall Combofix
Click START then RUN
Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the /U; it needs to be there.
The above procedure will:
Delete the following: ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
~~~~~~~~~~~~~~~~~~~~~~
You need to do some serious updating. Your OS and browser are both way behind on updates, leaving you vulnerable to more malware. I would suggest you update to SP3 and bring IE up to at least version 7 (if not 8).
http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "Java Runtime Environment (JRE) 6u20 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.
Update Adobe Flash Player:
http://get.adobe.com/flashplayer/
You can update Firefox from within the program. Click on Help, then Check for Updates...; it should download and install the latest version.
Let me know how you make out with the updates and post a new DDS log.
llamatreat
2010-05-06, 10:27
Everything updated okay, and I'm not seeing any further signs of infection. Thanks so much! I would bake you some cookies if you were anywhere nearby. :P
Here is tonight's DDS log:
-k
------------------------------------------------------------------
DDS (Ver_10-03-17.01) - NTFSx86
Run by Kai-Wen at 0:25:06.70 on Thu 05/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1403 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Turtle Beach\Turtle Beach USB MIDI 1x1\TBUM11.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\MMTaskbar\MultiMon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Kai-Wen\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Documents and Settings\Kai-Wen\Desktop\dds.scr
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Google Update] "c:\documents and settings\kai-wen\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Turtle Beach USB MIDI 1x1] c:\program files\turtle beach\turtle beach usb midi 1x1\TBUM11.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus\AirPlus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\kai-wen\applic~1\mozilla\firefox\profiles\9r35im7q.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\kai-wen\application data\mozilla\firefox\profiles\9r35im7q.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\kai-wen\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\kai-wen\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-21 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-21 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-21 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-31 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-31 308064]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-4-6 1373480]
S3 TBU11;Turtle Beach USB MIDI 1x1 Driver;c:\windows\system32\drivers\tbu11.sys [2009-5-6 13824]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]
=============== Created Last 30 ================
2010-05-06 07:21:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-06 07:21:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-02 18:40:48 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-02 18:40:48 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-05-02 18:40:19 0 d-----w- c:\program files\iPod
2010-05-02 18:40:15 0 d-----w- c:\program files\iTunes
2010-05-02 18:40:15 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-02 18:39:32 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-05-02 18:39:32 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-05-02 18:38:17 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-05-02 18:38:08 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-05-02 18:18:44 0 d-----w- c:\windows\system32\scripting
2010-05-02 18:18:44 0 d-----w- c:\windows\system32\en
2010-05-02 18:18:44 0 d-----w- c:\windows\system32\bits
2010-05-02 18:18:44 0 d-----w- c:\windows\l2schemas
2010-05-02 18:16:13 0 d-----w- c:\windows\network diagnostic
2010-05-02 18:07:46 0 d-sh--w- c:\documents and settings\kai-wen\IETldCache
2010-05-02 18:03:18 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-05-02 18:03:18 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-05-02 18:03:18 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-02 18:03:18 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-05-02 18:03:18 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-05-02 18:03:18 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-05-02 18:03:16 0 d-----w- c:\windows\ie8updates
2010-05-02 18:03:14 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-05-02 18:02:55 0 dc-h--w- c:\windows\ie8
2010-05-01 03:53:24 0 d-sha-r- C:\cmdcons
2010-04-29 08:28:43 293376 ----a-w- C:\9lq6iddl.exe
2010-04-19 02:34:20 2 --shatr- c:\windows\winstart.bat
2010-04-18 17:44:14 0 d-----w- c:\docume~1\kai-wen\applic~1\Malwarebytes
2010-04-18 17:44:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-18 17:44:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-18 17:44:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-18 17:44:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 17:24:59 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-18 17:24:59 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-18 17:24:58 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-18 17:24:58 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-18 17:24:58 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-04-14 02:00:20 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
==================== Find3M ====================
2010-05-01 17:26:45 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-01 05:43:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-01 05:43:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
============= FINISH: 0:25:28.12 ===============
IndiGenus
2010-05-06, 18:30
thanks so much! i would bake you some cookies if you were anywhere nearby. :P
You're welcome and in the words of a famous Sesame Street character....me like cooookkkkiiiieeeeees!!!:oreo:
Just need to wrap up then. You can delete both DDS and GMER.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
In addition to updating and using what you currently have you may want to consider the following:
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evaluation versions that provide better security than the Windows Firewall.
Online-Armor (http://www.tallemu.com/free-firewall-protection-software.html)
Outpost Firewall (http://www.agnitum.com/products/outpostfree/)
For a tutorial on Firewalls and a listing of some other available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/index.php?showtutorial=60)
Install SpywareBlaster - SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49)
Install Winpatrol -
Use Winpatrol (http://www.winpatrol.com/) to take control of your PC and provide another layer of security.
Help file and tutorial can be found Here (http://www.winpatrol.com/features.html)
Block unwanted parasites with a custom hosts file -
http://www.mvps.org/winhelp2002/hosts.htm
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Update all of your Anti-Malware programs regularly - Make sure you regularly update all the programs I have listed and the ones you are currently running. Without regular updates you Will Not be protected when new malicious programs are released.
Keep your applications up to date -
Use Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) to help stay on top of application updates that could leave your PC vulnerable to attack.
I'll leave the thread open a few days in case you have questions or issues.
Regards,
Dave