Am I still infected?
Adrian McNair
2010-12-26, 04:34
Hello. My system was recently infected with some particularly malicious trojans. They were causing slow-downs and generally impeding system performance. I removed most of them with Malwarebytes' Anti-Malware or moved infected files to AVG's Virus Vault. Then I performed a scan with Spybot and it found two strains: Win32.Agent.ws and Win32.Autorun.tmp.
I got rid of them with Spybot and system performance has seemed to generally improve. I just want to know if my system is clean now.
Here is my DDS log and attached file.
DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 13:28:53.34 on Sun 12/26/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.279 [GMT 11:00]
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
C:\windows\system32\Ati2evxx.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Owner\Desktop\dds.com
============== Pseudo HJT Report ===============
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-system: EnableLUA = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2008-3-2 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2008-3-2 5248]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [2009-11-24 6144]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
=============== Created Last 30 ================
2010-12-25 01:54:16 -------- d-----w- C:\VLC
2010-12-25 01:15:05 -------- d-----w- c:\docume~1\owner\applic~1\AVG10
2010-12-25 01:11:15 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-25 01:07:31 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-25 01:07:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-25 01:03:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-25 00:25:04 0 ----a-w- c:\windows\ativpsrm.bin
2010-12-24 22:41:29 2951802 ----a-w- C:\EClea2_0.exe
2010-12-24 12:04:09 -------- d-----w- c:\docume~1\owner\applic~1\GlarySoft
2010-12-24 11:57:52 -------- d-----w- c:\program files\Glary Utilities
2010-12-15 04:48:21 -------- d-----w- c:\documents and settings\owner\Revenge of the Titans 1.6
2010-12-15 04:48:12 -------- d-sh--w- c:\docume~1\owner\locals~1\applic~1\.#
2010-12-15 04:46:16 -------- d-----w- c:\program files\Games
2010-12-09 21:59:23 -------- d-----w- c:\program files\Radical Games
2010-11-29 00:17:52 -------- d-----w- c:\program files\DreamCatcher
2010-11-26 13:08:36 -------- d-----w- c:\docume~1\owner\applic~1\Activision
2010-11-26 12:44:08 -------- d-----w- C:\Marvel Ultimate Alliance
==================== Find3M ====================
2010-11-04 03:29:52 1409 ----a-w- c:\windows\QTFont.for
============= FINISH: 13:30:02.40 ===============
Hi,
Looks otherwise ok but some programs need updating. Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings.
Adrian McNair
2010-12-30, 22:52
Hello. Thanks for the reply. So it's not a virus or any form of malware? I wonder what could be causing the strain on my system? I downloaded RootAlyzer recently in the hopes of narrowing down my problem. Here are the various logs.
Spybot - Search & Destroy Include File:
// info: Rootkit removal help file
// copyright: (c) 2008-2009 Safer-Networking Ltd. All rights reserved.
:: RootAlyzer Results
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\AVG10\Chjw\68c0509cc0507274.dat:86244741-2e85-420d-ba0e-fd1355d95848:$DATA"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\","0Jf40"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\","0Jf41"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\","0Jf42"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\","0Jf43"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet005\Services\d347prt\Cfg\","0Jf40"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet005\Services\d347prt\Cfg\","0Jf41"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet005\Services\d347prt\Cfg\","0Jf42"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet005\Services\d347prt\Cfg\","0Jf43"
Avenger Script:
Comment:
File created using RootAlyzer to help your get rid of a rootkit.
Files to delete:
C:\Documents and Settings\All Users\Application Data\AVG10\Chjw\68c0509cc0507274.dat:86244741-2e85-420d-ba0e-fd1355d95848:$DATA
Folders to delete:
Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf40
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf41
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf42
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf43
Registry values to delete:
ComboFix script:
File::
C:\Documents and Settings\All Users\Application Data\AVG10\Chjw\68c0509cc0507274.dat:86244741-2e85-420d-ba0e-fd1355d95848:$DATA
Folder::
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf40]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf41]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf42]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf43]
Could this be the cause?
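A triage parser for the DDS and RootAlyzer output formats posted above, as an added example that is not part of this thread or of either tool: it pulls out of a DDS log the entries a reviewer checks first (orphaned BHO/toolbar entries, the EnableLUA policy, hosts-file lines, the driver list) and attributes each RootAlyzer hidden registry key to the service that owns it, so the d347prt keys can be seen next to the d347prt.sys driver entry from the same log. The sample input is a constructed subset of the lines above, and the function names are my own.

```python
"""Triage helpers for DDS and RootAlyzer output (added example, not the thread's code)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the DDS log lines posted in the thread.
DDS_SAMPLE = "\n".join([
    r"============== Pseudo HJT Report ===============",
    r"BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File",
    r"BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll",
    r"TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File",
    r"uPolicies-system: EnableLUA = 0 (0x0)",
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
    r"============= SERVICES / DRIVERS ===============",
    r"R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]",
    r"R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2008-3-2 5248]",
    r"S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]",
    r"============= FINISH: 13:30:02.40 ===============",
])

# Constructed sample: RootAlyzer export lines in the format posted in the thread.
ROOTALYZER_SAMPLE = "\n".join([
    r':: RootAlyzer Results',
    r'File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\AVG10\Chjw\x.dat:stream:$DATA"',
    r'RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\","0Jf40"',
    r'RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet005\Services\d347prt\Cfg\","0Jf41"',
])

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "R0 name;display;path [date size]": R = running, S = stopped; the digit is the
# Windows start type (0 boot, 1 system, 2 auto, 3 manual).
DRIVER_RE = re.compile(
    r"^(R\d|S\d)\s+([^;]+);([^;]*);(.*?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]$")
REGYKEY_RE = re.compile(r'^RegyKey:"([^"]*)","([^"]*)","([^"]*)","([^"]*)"$')
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)\\", re.IGNORECASE)


def split_sections(text):
    """Group DDS log lines under the '===== name =====' banner that precedes them."""
    sections = defaultdict(list)
    current = "header"
    for line in text.splitlines():
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
        elif line.strip():
            sections[current].append(line)
    return sections


def review_hjt(lines):
    """Flag the Pseudo HJT entries a reviewer looks at first.

    orphan:       BHO/TB/EB registered but its file is gone ("No File").
    lua_disabled: EnableLUA = 0, i.e. UAC policy off (no effect on XP, matters on Vista+).
    hosts:        a hosts-file mapping DDS considered worth listing.
    """
    findings = []
    for line in lines:
        kind = line.split(":", 1)[0]
        if line.endswith("- No File") and kind in ("BHO", "TB", "EB"):
            findings.append(("orphan", line))
        elif "EnableLUA = 0" in line:
            findings.append(("lua_disabled", line))
        elif line.startswith("Hosts:"):
            findings.append(("hosts", line))
    return findings


def parse_drivers(lines):
    """Map lower-cased service name -> start, display name, path, date, size."""
    drivers = {}
    for line in lines:
        m = DRIVER_RE.match(line)
        if m:
            start, name, display, path, date, size = m.groups()
            drivers[name.lower()] = {"start": start, "display": display,
                                     "path": path, "date": date, "size": int(size)}
    return drivers


def parse_rootalyzer(text):
    """Return RootAlyzer hidden registry keys grouped by the owning service name."""
    hidden = defaultdict(list)
    for line in text.splitlines():
        m = REGYKEY_RE.match(line)
        if not m:
            continue
        reason, hive, path, name = m.groups()
        svc = SERVICE_RE.search(path)
        owner = svc.group(1).lower() if svc else "(no service)"
        hidden[owner].append((reason, hive + path + name))
    return hidden


def cross_reference(dds_text, rootalyzer_text):
    """Attribute each group of hidden keys to a driver listed in the DDS log."""
    drivers = parse_drivers(split_sections(dds_text).get("SERVICES / DRIVERS", []))
    report = {}
    for owner, keys in parse_rootalyzer(rootalyzer_text).items():
        drv = drivers.get(owner)
        report[owner] = {"hidden_keys": len(keys),
                         "listed_in_dds": drv is not None,
                         "driver": drv["path"] if drv else None,
                         "driver_date": drv["date"] if drv else None}
    return report


if __name__ == "__main__":
    for kind, line in review_hjt(split_sections(DDS_SAMPLE)["Pseudo HJT Report"]):
        print(f"[{kind}] {line}")
    for owner, info in cross_reference(DDS_SAMPLE, ROOTALYZER_SAMPLE).items():
        print(owner, info)
```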
Hi,
You shouldn't run Avenger and ComboFix to nuke something that may not be a bad item (this shouldn't be done for bad items either unless trained to use those tools).
Adrian McNair
2010-12-31, 10:49
I haven't done anything yet. Are the items that RootAlyzer found via the deep scan bad ones? They came up as hidden files. What should my next action be? There is a definite problem. Not only am I experiencing slow-downs but something is draining my disk space. I had 9.77 GB worth of hard drive space earlier today and after a while it was reduced to 9.45 GB.
Hi,
Those RootAlyzer findings can be ignored. Please post fresh dds logs after taking action PSI suggests.
Adrian McNair
2011-01-02, 10:15
Okay, I've updated everything that I could with PSI but there has been no change. The problem continues to persist, continuing to cause periodic slow-downs and eat my hard-drive space. When I did the updates via PSI my space went down from 9.451 GB to 8.35 GB (despite the updates not being very large at all). With system restore I was able to reclaim some space, bringing it up to 9.07 GB. It seems that even basic activities drain it.
No matter what I've done the issue is still there. I've tried defragmenting, disk checking. All to no avail. If it isn't Malware or a virus, how can I narrow the problem down?
Here is my DDS log and attached file.
DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 19:06:22.57 on Sun 01/02/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.333 [GMT 11:00]
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
C:\windows\system32\Ati2evxx.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\windows\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
c:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Owner\Desktop\dds.com
============== Pseudo HJT Report ===============
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-system: EnableLUA = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1293948596578
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1293948578093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2008-3-2 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2008-3-2 5248]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [2009-11-24 6144]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2010-12-21 399416]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2010-12-21 987704]
=============== Created Last 30 ================
2011-01-02 07:41:35 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2011-01-02 07:41:09 -------- d-----w- c:\program files\common files\xing shared
2011-01-02 07:40:43 151776 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2011-01-02 07:40:32 100352 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2011-01-02 07:13:38 -------- d-----w- c:\docume~1\owner\applic~1\Local
2011-01-02 07:09:53 -------- d-----w- c:\program files\common files\DivX Shared
2011-01-02 07:07:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
2011-01-02 07:01:20 -------- d-----w- c:\program files\iPod
2011-01-02 07:00:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-01-02 07:00:25 -------- d-----w- c:\program files\iTunes
2011-01-02 06:52:40 -------- d-----w- c:\program files\Bonjour
2011-01-02 06:29:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-02 06:29:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-02 06:29:53 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-01-02 06:24:23 -------- d-----r- c:\program files\Skype
2010-12-30 19:13:47 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Secunia PSI
2010-12-30 19:11:11 -------- d-----w- c:\program files\Secunia
2010-12-26 04:34:43 -------- d--h--w- C:\$AVG
2010-12-25 01:54:16 -------- d-----w- C:\VLC
2010-12-25 01:15:05 -------- d-----w- c:\docume~1\owner\applic~1\AVG10
2010-12-25 01:11:15 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-25 01:07:31 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-25 01:07:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-25 01:03:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-25 00:25:04 0 ----a-w- c:\windows\ativpsrm.bin
2010-12-24 22:41:29 2951802 ----a-w- C:\EClea2_0.exe
2010-12-24 12:04:09 -------- d-----w- c:\docume~1\owner\applic~1\GlarySoft
2010-12-15 04:48:21 -------- d-----w- c:\documents and settings\owner\Revenge of the Titans 1.6
2010-12-15 04:48:12 -------- d-sh--w- c:\docume~1\owner\locals~1\applic~1\.#
2010-12-15 04:46:16 -------- d-----w- c:\program files\Games
2010-12-09 21:59:23 -------- d-----w- c:\program files\Radical Games
==================== Find3M ====================
2011-01-02 07:40:16 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-11-29 06:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 06:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-12 00:44:54 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-11-08 22:57:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-10-07 01:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 01:23:02 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 01:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 01:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
============= FINISH: 19:07:32.10 ===============
Hi,
Disable word wrap in notepad.
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Adrian McNair
2011-01-03, 01:16
Unfortunately, ComboFix refused to go to the scanning and cleaning stage even after I disabled AVG and Spybot's Teatimer utility. According to the prompt I got, I needed to uninstall AVG. When I tried to do that, AVG gave me a prompt indicating that I did not have sufficient privileges to remove it (despite being the administrator). It seems that I'm at an impasse.
Hi,
Let's see if AVG own remover does the trick.
Download AVG Remover from here (http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe) and save it to your Desktop.
Close all open programs.
Double click on avgremover.exe (if running Vista or Windows 7, right click on it and choose to run as an Administrator).
Follow the prompts to run the tool.
If after running the tool it prompts you to reboot the computer, please allow it to do so. If you are not prompted, please manually reboot the computer.
Adrian McNair
2011-01-04, 02:12
Well, I tried using the AVG Remover program. It doesn't seem to have removed AVG 2011 (even after I restarted my system several times). Now AVG has performed an automatic update and it keeps asking me to restart my machine. It's become a nuisance and I can't get rid of it. This issue seems to be limited only to AVG. I was able to uninstall other programs that I didn't have a use for but AVG 2011 stubbornly refuses to be removed.
I've attached the AVG remover log for clarification purposes. This whole situation is like a never-ending nightmare.
Hi again,
Reboot to make AVG finish its update. Then try to uninstall it in add/remove programs. If it still fails try AppRemover (http://www.appremover.com/appremover/avg/AppRemover.exe).
Adrian McNair
2011-01-04, 11:54
Hello again. I was able to use AppRemover to uninstall AVG 2011. I then utilised ComboFix afterward. However, the problem is still there. Personally, rather than being malware or a virus, I think it's connected with my hard-drive's bad sectors (there have been many crashes and forced restarts over the years) or some part of Windows being missing (during my virus-related troubles I was forced to move two System Volume Information files to AVG's virus vault).
For what it's worth, here is the ComboFix log (I tried to install the Windows Recovery Console, but I got an error message).
ComboFix 11-01-03.03 - Owner 01/04/2011 18:02:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.575 [GMT 11:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\Local
c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\.ddr
c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\0.ddi
c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\1.ddi
c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\Post_Install_RB_HiQ_en.divx.ddr
c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\settings.ddi
c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\.ddp
c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Post_Install_RB_HiQ_en.divx
C:\install.exe
c:\windows\daemon.dll
c:\windows\system\qtim32.dll
.
((((((((((((((((((((((((( Files Created from 2010-12-04 to 2011-01-04 )))))))))))))))))))))))))))))))
.
2011-01-03 23:37 . 2011-01-04 06:49 -------- d-----w- c:\windows\system32\drivers\avg
2011-01-03 23:14 . 2011-01-03 23:14 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\VS Revo Group
2011-01-02 07:41 . 2011-01-02 07:41 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2011-01-02 07:41 . 2011-01-02 07:41 -------- d-----w- c:\program files\Common Files\xing shared
2011-01-02 07:40 . 2011-01-02 07:40 151776 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2011-01-02 07:40 . 2011-01-02 07:40 100352 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-01-02 07:09 . 2011-01-02 07:10 -------- d-----w- c:\program files\Common Files\DivX Shared
2011-01-02 07:07 . 2011-01-02 07:13 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2011-01-02 07:01 . 2011-01-02 07:01 -------- d-----w- c:\program files\iPod
2011-01-02 07:00 . 2011-01-02 07:03 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-01-02 07:00 . 2011-01-02 07:03 -------- d-----w- c:\program files\iTunes
2011-01-02 06:57 . 2011-01-02 06:57 -------- d-----w- c:\program files\Apple Software Update
2011-01-02 06:52 . 2011-01-02 06:52 -------- d-----w- c:\program files\Bonjour
2011-01-02 06:30 . 2011-01-02 06:30 -------- d-----w- c:\program files\Common Files\Java
2011-01-02 06:29 . 2010-11-12 07:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-02 06:29 . 2010-11-12 07:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-01-02 06:29 . 2010-11-12 05:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-02 06:10 . 2009-08-06 08:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-12-30 19:13 . 2010-12-30 19:13 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Secunia PSI
2010-12-30 19:11 . 2010-12-30 19:11 -------- d-----w- c:\program files\Secunia
2010-12-26 04:34 . 2010-12-26 04:34 -------- d-----w- C:\$AVG
2010-12-26 01:49 . 2010-12-26 01:50 -------- d-----w- c:\program files\ERUNT
2010-12-25 01:59 . 2010-12-25 01:59 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-12-25 01:54 . 2010-12-25 01:54 -------- d-----w- C:\VLC
2010-12-25 01:11 . 2010-12-25 01:11 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-12-25 00:25 . 2010-12-25 00:25 0 ----a-w- c:\windows\ativpsrm.bin
2010-12-24 22:41 . 2010-12-24 22:41 2951802 ----a-w- C:\EClea2_0.exe
2010-12-24 12:04 . 2010-12-24 12:04 -------- d-----w- c:\documents and settings\Owner\Application Data\GlarySoft
2010-12-15 04:48 . 2010-12-15 08:06 -------- d-----w- c:\documents and settings\Owner\Revenge of the Titans 1.6
2010-12-15 04:48 . 2010-12-23 00:31 -------- d-sh--w- c:\documents and settings\Owner\Local Settings\Application Data\.#
2010-12-15 04:46 . 2010-12-15 04:46 -------- d-----w- c:\program files\Games
2010-12-09 21:59 . 2010-12-09 21:59 -------- d-----w- c:\program files\Radical Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-02 07:40 . 2007-11-16 06:57 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-12-20 07:09 . 2010-10-26 03:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 07:08 . 2010-10-26 03:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 06:38 . 2010-11-29 06:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 06:38 . 2010-11-29 06:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-12 00:44 . 2010-11-12 00:44 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-11-08 22:57 . 2010-11-08 22:57 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-10-07 01:23 . 2010-10-07 01:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 01:23 . 2010-10-07 01:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 01:23 . 2010-10-07 01:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 01:23 . 2010-10-07 01:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-01-02 274608]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 00:09 63712 -c--a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 06:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 04:57 153136 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 06:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe"=
"c:\\3dsmax7\\3dsmax.exe"=
"c:\\Program Files\\backburner 2\\monitor.exe"=
"c:\\Program Files\\backburner 2\\manager.exe"=
"c:\\Program Files\\backburner 2\\server.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Extracted-1A\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [3/2/2008 4:05 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [3/2/2008 4:05 PM 5248]
R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [11/24/2009 1:24 PM 6144]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [12/21/2010 11:04 PM 399416]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 7:30 PM 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [12/21/2010 11:04 PM 987704]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/13/2010 3:15 PM 691696]
.
Contents of the 'Scheduled Tasks' folder
2011-01-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1220945662-1035525444-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 00:33]
2011-01-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1220945662-1035525444-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 00:33]
2011-01-04 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-10-24 04:22]
2009-12-18 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-10-24 04:22]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-04 18:11
Windows 5.1.2600 Service Pack 3, v.3264 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1220945662-1035525444-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:99,51,a8,19,83,d6,4b,41,4d,fe,69,19,fa,9f,ed,ac,8f,06,bc,31,ec,b3,d8,
67,b0,89,df,af,d7,3d,d9,6a,6f,07,2d,df,03,44,82,ee,2d,a0,00,92,ba,4f,a7,3d,\
"??"=hex:d5,ca,29,05,79,32,36,4d,92,58,b4,49,7f,2e,99,a3
[HKEY_USERS\S-1-5-21-1220945662-1035525444-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:6c,12,53,41,67,2b,8f,92,f1,a6,08,c4,b2,61,c7,5d,7d,c0,00,c4,97,
cf,1c,72,88,13,70,8f,b3,3e,36,28,eb,c4,44,27,b2,5f,f0,f2,2f,ad,1b,a5,70,e4,\
"rkeysecu"=hex:a4,06,1c,5a,92,c5,86,63,dc,f5,10,bd,2f,1e,6e,53
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(704)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-01-04 18:18:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-04 07:18
ComboFix2.txt 2010-01-02 00:32
Pre-Run: 10,710,192,128 bytes free
Post-Run: 10,691,952,640 bytes free
Current=5 Default=5 Failed=2 LastKnownGood=4 Sets=1,2,3,4,5
- - End Of File - - 054F1EC359942928EDA9A894C7E82B07
And the DDS log.
DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 20:49:17.31 on Tue 01/04/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.154 [GMT 11:00]
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
C:\windows\system32\Ati2evxx.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Secunia\PSI\sua.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\System32\svchost.exe -k HTTPFilter
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\windows\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Owner\Desktop\dds.com
============== Pseudo HJT Report ===============
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-system: EnableLUA = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1293948596578
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1293948578093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2008-3-2 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2008-3-2 5248]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [2009-11-24 6144]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2010-12-21 399416]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2010-12-21 987704]
=============== Created Last 30 ================
2011-01-04 07:32:53 -------- d-----w- c:\docume~1\owner\applic~1\AVG10
2011-01-04 07:26:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-01-04 07:24:55 -------- d-----w- c:\program files\AVG
(I tried to install the Windows Recovery Console, but I got an error message)
What error message did you get?
Adrian McNair
2011-01-05, 04:04
What error message did you get?
"Boot Partition cannot be enumerated correctly." I have no idea what that's supposed to mean.
Outside of this I did perform scans in safe mode with my various anti-virus/anti-malware programs and nothing came up. So that's something.
Hi,
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
dir /s/a c:\boot.ini >logit.txt
start logit.txt
del %0
Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
Adrian McNair
2011-01-05, 12:58
Hi,
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
dir /s/a c:\boot.ini >logit.txt
start logit.txt
del %0
Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
This is what came up.
Volume in drive C has no label.
Volume Serial Number is C050-7274
Ok. We have to create a boot.ini file.
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file "c:\boot.ini", change the Save as type to all files and save it.
[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home" /fastdetect
When done, open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
type c:\boot.ini >logit.txt 2>&1
start logit.txt
del %0
Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
Adrian McNair
2011-01-05, 23:11
Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
Here you go.
[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home" /fastdetect
Edit:
Actually open c:\boot.ini with notepad and change this part:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home" /fastdetect
to:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
Save, close the file and do this:
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
type c:\boot.ini >logit.txt 2>&1
start logit.txt
del %0
Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
Adrian McNair
2011-01-07, 01:43
Uh, I already ran ComboFix before you made that edit, sorry. It hasn't solved the problem but at least I was able to install the Home Recovery Console. From what I can tell it hasn't removed any files this time.
I can't find a boot.ini within the C: drive. There's only a boot.bak file now. What should I do now? Should I post the log (the forum's character restrictions prevented me from adding it to this post) and then run that fixes.bat file you just posted?
Hi,
Do this part:
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
type c:\boot.ini >logit.txt 2>&1
start logit.txt
del %0
Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
Adrian McNair
2011-01-07, 13:15
Here it is.
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home" /fastdetect
Hi,
Click start -> run, write cmd.exe and press enter. Give the following commands (press enter after each one):
attrib -r -s -h c:\boot.ini
exit
Then open c:\boot.ini in notepad and change the bolded word Home to Professional:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home" /fastdetect
Save and close notepad. Then do the following:
Click start -> run, write cmd.exe and press enter. Give the following commands (press enter after each one):
attrib +r +s +h c:\boot.ini
exit
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
type c:\boot.ini >logit.txt 2>&1
start logit.txt
del %0
Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
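As an added example (not from the thread and not the helper's own tooling): a small Python checker for the boot.ini format being repaired above. It parses the file the same way the poster was asked to eyeball it after `type c:\boot.ini`, and flags a missing or unmatched default= entry and an edition label that does not match the installed Windows. The sample boot.ini is constructed after the one posted; the `expected_edition` argument is an assumption of this example.

```python
import re

# Constructed sample, modelled on the boot.ini posted in the thread
# (Recovery Console entry plus a default entry still labelled "Home").
SAMPLE_BOOT_INI = """[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home" /fastdetect
"""

# NTLDR ARC path: multi(n)disk(n)rdisk(n)partition(n)\<system root dir>
ARC_PATH = re.compile(
    r"^multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\[^\s=]+$", re.I)


def parse_boot_ini(text):
    """Return (loader, entries).

    loader  : dict of the [boot loader] keys (timeout, default)
    entries : list of (target, description, switches) from [operating systems]
    """
    loader, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            loader[key.lower()] = value
        elif section == "operating systems":
            # value is a quoted menu label followed by optional switches
            m = re.match(r'"([^"]*)"\s*(.*)$', value)
            if not m:
                raise ValueError("entry without quoted description: %r" % raw)
            entries.append((key, m.group(1), m.group(2).split()))
        else:
            raise ValueError("key outside a known section: %r" % raw)
    return loader, entries


def check_boot_ini(text, expected_edition=None):
    """Return a list of problems; an empty list means the file looks sane.

    expected_edition (assumed helper argument) is a substring such as
    "Professional" that the default entry's menu label should contain. The
    label is only what the boot menu displays, so a mismatch is cosmetic, but
    it is a tell-tale sign of a hand-typed file, as in the thread.
    """
    try:
        loader, entries = parse_boot_ini(text)
    except ValueError as e:
        return [str(e)]
    problems = []
    default = loader.get("default")
    targets = {t.lower() for t, _, _ in entries}
    if default is None:
        problems.append("[boot loader] has no default= line")
    elif not ARC_PATH.match(default):
        problems.append("default= is not an ARC path: %s" % default)
    elif default.lower() not in targets:
        problems.append("default= does not match any [operating systems] entry")
    timeout = loader.get("timeout")
    if timeout is None or not timeout.isdigit():
        problems.append("timeout= missing or not a number")
    if not entries:
        problems.append("[operating systems] is empty")
    if expected_edition and default is not None:
        labels = [d for t, d, _ in entries if t.lower() == default.lower()]
        if labels and expected_edition.lower() not in labels[0].lower():
            problems.append("default entry is labelled %r, expected %r"
                            % (labels[0], expected_edition))
    return problems


if __name__ == "__main__":
    for p in check_boot_ini(SAMPLE_BOOT_INI, "Professional") or ["boot.ini looks sane"]:
        print(p)
```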
Adrian McNair
2011-01-08, 12:07
Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
Hi,
Run disk check on your hard drive by following instructions here (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/kbtip.mspx).
Adrian McNair
2011-01-09, 13:36
Hi,
Run disk check on your hard drive by following instructions here (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/kbtip.mspx).
Apologies for sounding like a broken record here but once again it didn't accomplish anything. Plus no bad sectors were found. I'm thinking that perhaps when I dealt with the virus some important registry files may have been lost and that's the reason for the slow-downs. Would re-installing Windows XP be a viable option?
Hi,
If it's a software-caused slowdown then a reinstall would likely work. If you decide to reinstall then you should back up important things first and then reformat & reinstall XP (remember to get all available updates after that).
Adrian McNair
2011-01-10, 12:17
Hi,
If it's a software-caused slowdown then a reinstall would likely work. If you decide to reinstall then you should back up important things first and then reformat & reinstall XP (remember to get all available updates after that).
Hello,
Well, I'm happy to say that system performance is back to normal after the re-install. On that note I'd like to thank you for taking the time to assist me with my problems. Your assistance was invaluable in narrowing down the issue. Thank you.
You're welcome and glad to hear that solved the issue :)