
Solved IE random pages

Discussion in 'Malware and Virus Removal Archive' started by KRB, 2010/07/27.

  1. 2010/07/27
    KRB

    KRB Inactive Thread Starter

    Joined:
    2010/07/27
    Messages:
    98
    Likes Received:
    0
    [Resolved] IE random pages

    At my house there are 2 computers: my laptop and my family's computer, which both my parents and my 2 younger brothers use. Normally I can get rid of any problems on them, but recently my family's computer on IE8 has been randomly redirecting Google search links. So if I Google "hotmail" it comes up with Hotmail, but when I click it, it takes me to a Casio site or some other random site. Hopefully you can help me fix this, please.

    The computer is Windows XP Media Center.

    DDS log is attached.
     
    KRB,
    #1
  2. 2010/07/27
    KRB (Inactive Thread Starter)
    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Bahuaud at 4:25:19.62 on 27/07/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.262 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\PrinterShare\paConsole.exe
    C:\WINDOWS\ehome\RMSysTry.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Xfire\Xfire.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\IncrediMail\Bin\ImApp.exe
    C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\ehome\RMSvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\WINDOWS\ehome\McrdSvc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\IncrediMail\Bin\IncMail.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Documents and Settings\Bahuaud\My Documents\KYLES STUFF\vremove\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.ca/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: moigh Object: {ac844c3f-8d4e-4e98-a03e-606aa493c465} - c:\windows\system32\lnsop.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [SmileboxTray] "c:\documents and settings\bahuaud\application data\smilebox\SmileboxTray.exe"
    uRun: [PrinterShare] c:\program files\printershare\paConsole.exe -minimized
    uRun: [skypexxxxx.exe] c:\skypexxxxx.exe\skypexxxxx.exe
    uRun: [xgukxzrvux.exe] c:\xgukxzrvux.exe\xgukxzrvux.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [sta] rundll32 "pnsop.dll",,Run
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    mExplorerRun: [tcyz46] c:\docume~1\bahuaud\locals~1\temp\l84alx.exe
    StartupFolder: c:\docume~1\bahuaud\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
    StartupFolder: c:\docume~1\bahuaud\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\bahuaud\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
     
    KRB,
    #2
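Reading the "Pseudo HJT Report" above by hand is how the helpers in this thread spot what matters: two autoruns whose executable sits inside a directory that is itself named like an .exe (c:\skypexxxxx.exe\skypexxxxx.exe), a rundll32 entry that loads pnsop.dll by bare name so it is found through the DLL search path, a Policies\Explorer\Run entry launching from Temp, an orphaned BHO listed as "No File", and a BHO with the throwaway name "moigh Object" pointing at lnsop.dll. The script below is an added example written for this page, not a tool from the thread or from DDS; it encodes those heuristics in Python and runs them over a constructed sample built from the lines above, with the NvCpl rundll32 line included as a legitimate negative case. The regular expressions, the reasons reported and the "auto-generated name" rule are my own assumptions, not DDS's classification.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the DDS "Pseudo HJT Report" section above.
# The entries are copied from the log the thread starter posted, plus one
# legitimate rundll32 line (NvCpl) so the rundll32 check has a negative case.
SAMPLE_DDS = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [skypexxxxx.exe] c:\skypexxxxx.exe\skypexxxxx.exe
uRun: [xgukxzrvux.exe] c:\xgukxzrvux.exe\xgukxzrvux.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [sta] rundll32 "pnsop.dll",,Run
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mExplorerRun: [tcyz46] c:\docume~1\bahuaud\locals~1\temp\l84alx.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: moigh Object: {ac844c3f-8d4e-4e98-a03e-606aa493c465} - c:\windows\system32\lnsop.dll
"""

# uRun/mRun/dRun/mExplorerRun lines: "[value name] command line"
RUN_RE = re.compile(r"^(?P<key>[umd]?(?:Explorer)?Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# BHO/TB lines: optional "description: " then "{CLSID} - path"
BHO_RE = re.compile(r"^(?P<key>BHO|TB): (?:(?P<desc>.+?): )?\{(?P<clsid>[^}]+)\} - (?P<path>.*)$")


def _tokens(cmd: str) -> List[str]:
    """Split a command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def triage_entry(line: str) -> List[str]:
    """Return the reasons one Pseudo-HJT line looks suspicious (empty list if none)."""
    reasons: List[str] = []
    run = RUN_RE.match(line)
    if run:
        key, cmd = run.group("key"), run.group("cmd")
        if "ExplorerRun" in key:
            reasons.append("Policies\\Explorer\\Run autorun; rarely used by legitimate software")
        toks = _tokens(cmd)
        for tok in toks:
            low = tok.lower()
            if not re.match(r"^[a-z]:\\", low):  # only look at drive-letter paths
                continue
            if "\\temp\\" in low:
                reasons.append("autorun launches from a Temp directory")
            # c:\skypexxxxx.exe\skypexxxxx.exe: a *directory* named like a file
            if any(part.endswith(".exe") for part in low.split("\\")[1:-1]):
                reasons.append("executable lives inside a directory named like an .exe")
        if toks and toks[0].lower() in ("rundll32", "rundll32.exe") and len(toks) > 1:
            dll = toks[1].split(",")[0]  # rundll32 <dll>,<entrypoint>
            if "\\" not in dll:
                reasons.append("rundll32 loads a DLL by bare name, resolved via the search path")
        return reasons
    bho = BHO_RE.match(line)
    if bho:
        if bho.group("path").strip().lower() == "no file":
            reasons.append("BHO CLSID registered but its DLL is missing (orphan or partially removed)")
        desc = (bho.group("desc") or "").lower()
        # Heuristic (assumption): a lone lowercase pseudo-word plus "Object" is an
        # unbranded default name, worth confirming by file hash or vendor signature.
        if re.fullmatch(r"[a-z]{3,12} object", desc):
            reasons.append("auto-generated BHO display name (weak signal, confirm by hash or vendor)")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each suspicious line of a Pseudo HJT report to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        reasons = triage_entry(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_DDS).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

On the sample, six of the ten lines are flagged and the four legitimate ones (ctfmon, NvCpl, avgtray, Adobe) pass clean; the Temp autorun collects two reasons because it is both a Policies\Explorer\Run value and launches from Temp. These rules are cheap triage, not verdicts: the "moigh Object" rule in particular is deliberately weak and only points a helper at which DLL to check next.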


  4. 2010/07/27
    KRB (Inactive Thread Starter)
    It won't let me post the rest for some reason.
     
    KRB,
    #3
  5. 2010/07/27
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Copy/paste the contents of attach.txt; you cannot attach it.
    If you run over the limit on post characters, split the log(s) between 2 posts.
     
  6. 2010/07/27
    KRB (Inactive Thread Starter)
    Well, it seems running Malwarebytes has fixed the problem for now.

    Malwarebytes log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4356

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    27/07/2010 5:10:43 PM
    mbam-log-2010-07-27 (17-10-43).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 214601
    Time elapsed: 1 hour(s), 12 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 11
    Registry Values Infected: 4
    Registry Data Items Infected: 0
    Folders Infected: 4
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> No action taken.
    HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> No action taken.
    HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Malware.Packer.Gen) -> No action taken.
    HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> No action taken.
    HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> No action taken.
    HKEY_CURRENT_USER\Software\Street-Ads (Adware.Adrotator) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Street-Ads (Adware.Adrotator) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ac844c3f-8d4e-4e98-a03e-606aa493c465} (Adware.AdRotator) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{ac844c3f-8d4e-4e98-a03e-606aa493c465} (Adware.AdRotator) -> No action taken.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skypexxxxx.exe (Malware.Packer.Gen) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xgukxzrvux.exe (Malware.Packer.Gen) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sta (Trojan.Agent.Gen) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tcyz46 (Trojan.Agent) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\Bahuaud\Application Data\Street-Ads (Adware.Adrotator) -> No action taken.
    C:\Documents and Settings\Bahuaud\Application Data\Street-Ads\sta (Adware.Adrotator) -> No action taken.
    C:\WINDOWS\$NtUninstallMTF1011$ (Adware.Adrotator) -> No action taken.
    C:\xgukxzrvux.exe (Trojan.SpyEyes) -> No action taken.

    Files Infected:
    C:\skypexxxxx.exe\skypexxxxx.exe (Malware.Packer.Gen) -> No action taken.
    C:\xgukxzrvux.exe\xgukxzrvux.exe (Malware.Packer.Gen) -> No action taken.
    C:\Documents and Settings\Bahuaud\Local Settings\Temp\upd16A.tmp (Malware.Packer.Gen) -> No action taken.
    C:\WINDOWS\Temp\kmki.tmp\setup.exe (Malware.Packer.Gen) -> No action taken.
    C:\WINDOWS\Temp\erif.tmp\setup.exe (Malware.Packer.Gen) -> No action taken.
    C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> No action taken.
    C:\WINDOWS\$NtUninstallMTF1011$\zrpt.xml (Adware.Adrotator) -> No action taken.
    C:\xgukxzrvux.exe\config.bin (Trojan.SpyEyes) -> No action taken.
     
    KRB,
    #5
  7. 2010/07/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Malwarebytes might have fixed the visible issues, but I can assure you your computer is still infected.

    The attach.txt file is still needed, and the Malwarebytes log shows "No action taken." after each line.
    Post a new log AFTER fixing all issues.
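The point broni makes about "No action taken." is easy to miss when eyeballing a long log, and the thread starter's first DDS post also shows how a forum post-size limit can cut a log short. The Python below is an added example written for this page, not a tool from the thread or from Malwarebytes: it parses the Malwarebytes 1.x log format shown above, compares the summary counts in the header with the detection lines actually present (a shortfall means the log was truncated), and reports which detections are still untreated. The sample is constructed from the posted detections, with two statuses changed to Malwarebytes' post-removal wording for contrast; the exact status strings and the log layout are assumptions based on the log above.

```python
import re
from typing import Any, Dict, List

# Constructed sample in the format of the Malwarebytes 1.x log above. The five
# detections are copied from the posted log; two have had their status changed
# to the wording Malwarebytes uses after removal so both outcomes appear.
SAMPLE_MBAM = r"""
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ac844c3f-8d4e-4e98-a03e-606aa493c465} (Adware.AdRotator) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skypexxxxx.exe (Malware.Packer.Gen) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sta (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\xgukxzrvux.exe\config.bin (Trojan.SpyEyes) -> No action taken.
C:\WINDOWS\Temp\kmki.tmp\setup.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
"""

# Summary block: "Files Infected: 8"        Section header: "Files Infected:"
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Detection line: "<item> (<family>) -> <status>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<status>[^.]+)\.$")


def parse_mbam_log(text: str) -> Dict[str, Any]:
    """Parse the summary counts and the per-section detection lines of an MBAM log."""
    counts: Dict[str, int] = {}
    items: List[Dict[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        c = COUNT_RE.match(line)
        if c:
            counts[c.group("section")] = int(c.group("n"))
            continue
        h = HEADER_RE.match(line)
        if h:
            section = h.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return {"counts": counts, "items": items}


def audit(text: str) -> Dict[str, Any]:
    """Answer what a helper asks of a posted log: is it complete, and was anything removed?"""
    parsed = parse_mbam_log(text)
    counts, items = parsed["counts"], parsed["items"]
    per_section: Dict[str, int] = {}
    by_status: Dict[str, int] = {}
    for it in items:
        per_section[it["section"]] = per_section.get(it["section"], 0) + 1
        by_status[it["status"]] = by_status.get(it["status"], 0) + 1
    # A header count larger than the lines present means the log was cut short
    truncated = any(n > per_section.get(sec, 0) for sec, n in counts.items())
    untreated = [it["item"] for it in items if it["status"].lower() == "no action taken"]
    return {
        "total": len(items),
        "by_status": by_status,
        "untreated": untreated,
        "truncated": truncated,
        "remediated": bool(items) and not untreated,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_MBAM)
    print("detections:", result["total"], result["by_status"])
    print("log truncated:", result["truncated"])
    for item in result["untreated"]:
        print("still present:", item)
```

Running it on the sample reports five detections, three still untreated and no truncation, so "remediated" is false, which is exactly the state of the log posted above. Removing one detection line while leaving the header counts alone flips "truncated" to true, the same signal a helper should look for when a log arrives split across posts.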
     
  8. 2010/07/28
    KRB (Inactive Thread Starter)
    After running Malwarebytes the computer has no sound.

    attach.txt after running Malwarebytes is below:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 31/12/2009 12:40:43 AM
    System Uptime: 27/07/2010 5:13:21 PM (8 hours ago)

    Motherboard: ASUSTek Computer INC. | | NODUSM3
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2204/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 116 GiB total, 62.911 GiB free.
    D: is FIXED (NTFS) - 116 GiB total, 97.248 GiB free.
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    I: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: AVG miniport driver
    Device ID: ROOT\GR_AVGFWMP\0000
    Manufacturer: AVG Technologies
    Name: NVIDIA nForce Networking Controller - AVG miniport driver
    PNP Device ID: ROOT\GR_AVGFWMP\0000
    Service: Avgfwdx

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: AVG miniport driver
    Device ID: ROOT\GR_AVGFWMP\0001
    Manufacturer: AVG Technologies
    Name: WAN Miniport (IP) - AVG miniport driver
    PNP Device ID: ROOT\GR_AVGFWMP\0001
    Service: Avgfwdx

    ==== System Restore Points ===================

    RP149: 29/04/2010 10:25:51 PM - System Checkpoint
    RP150: 01/05/2010 3:32:13 PM - System Checkpoint
    RP151: 05/05/2010 4:23:56 PM - Avg Update
    RP152: 06/05/2010 5:56:00 PM - System Checkpoint
    RP153: 07/05/2010 2:40:57 AM - Removed PrinterShare 2.1.03
    RP154: 07/05/2010 2:41:11 AM - Installed PrinterShare 2.2.02
    RP155: 08/05/2010 4:34:18 AM - System Checkpoint
    RP156: 09/05/2010 6:59:20 AM - System Checkpoint
    RP157: 10/05/2010 10:02:43 AM - System Checkpoint
    RP158: 11/05/2010 1:12:23 PM - System Checkpoint
    RP159: 12/05/2010 1:25:14 PM - System Checkpoint
    RP160: 13/05/2010 1:43:55 PM - System Checkpoint
    RP161: 14/05/2010 2:56:27 PM - System Checkpoint
    RP162: 15/05/2010 3:44:58 PM - System Checkpoint
    RP163: 16/05/2010 3:00:17 AM - Software Distribution Service 3.0
    RP164: 17/05/2010 11:15:30 AM - System Checkpoint
    RP165: 18/05/2010 11:55:49 AM - System Checkpoint
    RP166: 19/05/2010 5:08:56 PM - System Checkpoint
    RP167: 20/05/2010 6:04:07 PM - System Checkpoint
    RP168: 21/05/2010 6:38:00 PM - System Checkpoint
    RP169: 22/05/2010 7:45:40 PM - System Checkpoint
    RP170: 23/05/2010 8:57:20 PM - System Checkpoint
    RP171: 24/05/2010 10:30:12 PM - System Checkpoint
    RP172: 25/05/2010 10:40:38 PM - System Checkpoint
    RP173: 26/05/2010 11:16:13 PM - System Checkpoint
    RP174: 27/05/2010 11:11:34 PM - Software Distribution Service 3.0
    RP175: 28/05/2010 11:56:45 PM - System Checkpoint
    RP176: 30/05/2010 12:15:44 AM - System Checkpoint
    RP177: 31/05/2010 5:11:41 AM - System Checkpoint
    RP178: 01/06/2010 5:11:57 AM - System Checkpoint
    RP179: 02/06/2010 5:40:49 AM - System Checkpoint
    RP180: 02/06/2010 8:12:03 AM - Avg Update
    RP181: 03/06/2010 8:40:51 AM - System Checkpoint
    RP182: 04/06/2010 9:38:41 AM - System Checkpoint
    RP183: 05/06/2010 10:18:35 AM - System Checkpoint
    RP184: 06/06/2010 3:00:21 AM - Software Distribution Service 3.0
    RP185: 07/06/2010 4:36:52 AM - System Checkpoint
    RP186: 08/06/2010 4:38:46 AM - System Checkpoint
    RP187: 09/06/2010 5:05:16 AM - System Checkpoint
    RP188: 10/06/2010 5:38:51 AM - System Checkpoint
    RP189: 11/06/2010 6:38:53 AM - System Checkpoint
    RP190: 12/06/2010 7:38:56 AM - System Checkpoint
    RP191: 13/06/2010 3:00:36 AM - Software Distribution Service 3.0
    RP192: 13/06/2010 5:31:11 AM - Removed PrinterShare 2.2.02
    RP193: 13/06/2010 5:31:33 AM - Installed PrinterShare 2.3.00
    RP194: 14/06/2010 5:56:12 AM - System Checkpoint
    RP195: 15/06/2010 6:11:54 AM - System Checkpoint
    RP196: 16/06/2010 7:20:13 AM - System Checkpoint
    RP197: 17/06/2010 7:56:16 AM - System Checkpoint
    RP198: 18/06/2010 8:38:07 AM - System Checkpoint
    RP199: 19/06/2010 9:38:09 AM - System Checkpoint
    RP200: 20/06/2010 12:25:58 AM - Installed DirectX
    RP201: 20/06/2010 1:09:33 AM - Installed DirectX
    RP202: 21/06/2010 4:14:10 AM - System Checkpoint
    RP203: 22/06/2010 4:38:10 AM - System Checkpoint
    RP204: 23/06/2010 5:38:09 AM - System Checkpoint
    RP205: 24/06/2010 6:38:10 AM - System Checkpoint
    RP206: 24/06/2010 9:55:56 AM - Avg Update
    RP207: 25/06/2010 11:43:12 AM - System Checkpoint
    RP208: 26/06/2010 12:38:11 PM - System Checkpoint
    RP209: 27/06/2010 3:00:23 AM - Software Distribution Service 3.0
    RP210: 28/06/2010 4:35:53 AM - System Checkpoint
    RP211: 29/06/2010 4:38:25 AM - System Checkpoint
    RP212: 30/06/2010 5:21:15 AM - System Checkpoint
    RP213: 01/07/2010 5:43:45 AM - System Checkpoint
    RP214: 02/07/2010 6:43:46 AM - System Checkpoint
    RP215: 03/07/2010 7:43:48 AM - System Checkpoint
    RP216: 04/07/2010 3:00:20 AM - Software Distribution Service 3.0
    RP217: 05/07/2010 5:48:54 AM - System Checkpoint
    RP218: 06/07/2010 6:43:52 AM - System Checkpoint
    RP219: 07/07/2010 7:44:58 AM - System Checkpoint
    RP220: 08/07/2010 8:43:55 AM - System Checkpoint
    RP221: 09/07/2010 9:43:56 AM - System Checkpoint
    RP222: 10/07/2010 10:47:34 AM - System Checkpoint
    RP223: 11/07/2010 11:43:58 AM - System Checkpoint
    RP224: 12/07/2010 1:12:55 PM - System Checkpoint
    RP225: 13/07/2010 6:14:59 PM - System Checkpoint
    RP226: 14/07/2010 8:29:41 PM - System Checkpoint
    RP227: 15/07/2010 8:18:26 AM - Avg Update
    RP228: 15/07/2010 8:20:29 AM - Avg Update
    RP229: 16/07/2010 8:45:11 AM - System Checkpoint
    RP230: 17/07/2010 9:44:08 AM - System Checkpoint
    RP231: 18/07/2010 3:00:47 AM - Software Distribution Service 3.0
    RP232: 19/07/2010 3:44:14 AM - System Checkpoint
    RP233: 20/07/2010 4:44:14 AM - System Checkpoint
    RP234: 21/07/2010 5:14:54 AM - System Checkpoint
    RP235: 21/07/2010 8:15:10 AM - Avg Update
    RP236: 22/07/2010 9:14:56 AM - System Checkpoint
    RP237: 23/07/2010 4:36:21 PM - System Checkpoint
    RP238: 24/07/2010 4:41:08 PM - System Checkpoint
    RP239: 25/07/2010 5:40:10 PM - System Checkpoint
    RP240: 26/07/2010 6:20:33 PM - System Checkpoint
    RP241: 27/07/2010 6:30:22 PM - System Checkpoint
    RP242: 27/07/2010 7:37:31 PM - Removed PrinterShare 2.3.00
    RP243: 27/07/2010 7:37:47 PM - Installed PrinterShare 2.3.03

    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.1
    AiO_Scan_CDA
    AiOSoftwareNPI
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AVG Free 9.0
    BarGenie
    Bonjour
    BufferChm
    CCleaner
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    Data Fax SoftModem with SmartCP
    Destinations
    DeviceManagementQFolder
    DigimonBattle Beta
    DocProc
    eSupportQFolder
    F300
    F300_Help
    F300Trb
    Facebook Plug-In
    Fax_CDA
    GIMP 2.6.4
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB895961-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Driver Diagnostics
    HP Imaging Device Functions 6.1
    HP Photosmart Essential
    HP PSC & OfficeJet 6.1.A
    HP Software Update
    HP Solution Center and Imaging Support Tools 6.1
    HPProductAssistant
    IncrediMail
    IncrediMail 2.0
    IrfanView (remove only)
    iTunes
    Java(TM) 6 Update 17
    LimeWire 5.5.8
    Malwarebytes' Anti-Malware
    MCEBrowser
    Media Center Extender
    Messenger Plus! Live
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.0 Hotfix (KB979904)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MobileMe Control Panel
    Mozilla Firefox (3.5.7)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NewCopy_CDA
    Notepad++
    NVIDIA Drivers
    O2Micro Flash Memory Card Reader Driver Installer(x86)
    OpenOffice.org 3.1
    PhotoMail Maker
    PrinterShare 2.3.03
    ProductContextNPI
    QuickTime
    Readme
    Realtek High Definition Audio Driver
    Scan
    ScannerCopy
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Segoe UI
    Smilebox
    SolutionCenter
    Status
    TapiRex Reverse Lookup Plugin for WhitePages.ca® 1.7.2
    Toolbox
    TrayApp
    Tweak UI
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Media Center Edition 2005 KB905589
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    WinRAR archiver
    World of Warcraft
    Xfire (remove only)

    ==== Event Viewer Messages From Past Week ========

    27/07/2010 3:58:35 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    27/07/2010 3:58:10 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Apple Mobile Device service, but this action failed with the following error: An instance of the service is already running.
    27/07/2010 3:57:12 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    24/07/2010 10:00:12 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    24/07/2010 10:00:12 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    22/07/2010 11:02:27 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.

    ==== End Of File ===========================
     
    KRB,
    #7
  9. 2010/07/28
    KRB (Inactive Thread Starter)
    Well, you are right, it is still infected, as the random redirecting has started again.
     
    KRB,
    #8
  10. 2010/07/28
    PeteC (SuperGeek Staff)
    I see you have P2P software (Azureus, LimeWire, BitTorrent, uTorrent etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     
  11. 2010/07/28
    KRB

    KRB Inactive Thread Starter

    I will uninstall the program when I get home from work. As mentioned, this is a family computer, so anyone in the family could have installed it.
     
    KRB,
    #10
  12. 2010/07/28
    broni

    broni Moderator Malware Analyst

    Please disable "word wrap" in Notepad, because your logs are hard to read.

    I would still like to see the latest Malwarebytes log.

    Then...

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  13. 2010/07/29
    KRB

    KRB Inactive Thread Starter

    LimeWire has been removed, and here's the latest Malwarebytes log; I will run those programs after they finish downloading.

    Redirecting is still happening in IE8.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4356

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    29/07/2010 1:24:43 AM
    mbam-log-2010-07-29 (01-24-43).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 212650
    Time elapsed: 55 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
    Last edited: 2010/07/29
    KRB,
    #12
  14. 2010/07/29
    broni

    broni Moderator Malware Analyst

    Go on...
     
  15. 2010/07/30
    KRB

    KRB Inactive Thread Starter

    Sorry about that. I fought with GMER and got it to run just before I had to run to work; I had to run ComboFix twice as it didn't give me a log the first time.

    Here's the GMER log.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-29 13:47:44
    Windows 5.1.2600 Service Pack 3
    Running: wg1h6v7c.exe; Driver: C:\DOCUME~1\Bahuaud\LOCALS~1\Temp\ugdcyaog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\system32\drivers\isapnp.sys entry point in ".rsrc" section [0xF75AB014]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
    .text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
    .text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
    .text C:\WINDOWS\system32\svchost.exe[576] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 013A000A
    .text C:\WINDOWS\Explorer.EXE[944] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[944] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
    .text C:\WINDOWS\Explorer.EXE[944] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

    ---- Devices - GMER 1.0.15 ----

    Device -> \Driver\atapi \Device\Harddisk0\DR0 85647EC5

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\isapnp.sys suspicious modification
    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
     
    KRB,
    #14
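The GMER log above reports a kernel driver (isapnp.sys) whose entry point lies in its .rsrc section, the atapi device object for \Device\Harddisk0\DR0 redirected to an unknown address, inline JMP hooks on ntdll and ole32 exports inside svchost.exe and Explorer.EXE, copies of the MBR in the sectors before the first partition (sectors 32, 33, 62 and 63 flagged as rootkit-like), and both isapnp.sys and atapi.sys as modified. Added here as a worked example, not part of the original thread or of GMER: a Python script that pulls those indicator lines out of a GMER log and scores them. The sample is a constructed subset of the posted log; the list of sections a driver entry point is expected in, and the rule that only kernel- and disk-level findings decide the verdict, are this example's own heuristics.

```python
"""Triage a GMER rootkit-scan log (added example; the scoring rules are this script's own)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the GMER log posted in this thread.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\isapnp.sys entry point in ".rsrc" section [0xF75AB014]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[576] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\svchost.exe[576] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 013A000A
.text C:\WINDOWS\Explorer.EXE[944] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
---- Devices - GMER 1.0.15 ----
Device -> \Driver\atapi \Device\Harddisk0\DR0 85647EC5
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\isapnp.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r'^---- (.+?) - GMER')
# ".rsrc C:\...\isapnp.sys entry point in ".rsrc" section [0xF75AB014]"
KERNEL_RE = re.compile(r'^\.\w+ (\S.*?) entry point in "([\w.]+)" section')
# ".text C:\...\svchost.exe[576] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A"
USER_HOOK_RE = re.compile(r'^\.text (.+?)\[(\d+)\] (\S+!\S+) ([0-9A-Fa-f]+) \d+ Bytes JMP ([0-9A-Fa-f]+)')
DEVICE_RE = re.compile(r'^Device -> (\S+) (\S+) ([0-9A-Fa-f]+)')
SECTOR_RE = re.compile(r'^Disk (\S+) sector (\d+): (.+)$')
FILE_RE = re.compile(r'^File (.+?) suspicious modification$')

# Sections a driver entry point normally lives in (assumption); ".rsrc" holds resources, not code.
CODE_SECTIONS = {'.text', 'INIT', 'PAGE'}


@dataclass
class GmerFindings:
    kernel_entry_anomalies: list = field(default_factory=list)  # (driver, section)
    user_hooks: list = field(default_factory=list)              # (process, pid, export, func, target)
    device_hooks: list = field(default_factory=list)            # (driver, device, address)
    mbr_copy_sectors: list = field(default_factory=list)
    rootkit_sectors: list = field(default_factory=list)
    modified_files: list = field(default_factory=list)


def parse_gmer(text):
    """Collect the indicator lines of a GMER log into a GmerFindings."""
    f = GmerFindings()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        if (m := KERNEL_RE.match(line)):
            driver, section = m.groups()
            if section not in CODE_SECTIONS:
                f.kernel_entry_anomalies.append((driver, section))
        elif (m := USER_HOOK_RE.match(line)):
            proc, pid, export, func, target = m.groups()
            f.user_hooks.append((proc, int(pid), export, int(func, 16), int(target, 16)))
        elif (m := DEVICE_RE.match(line)):
            f.device_hooks.append(m.groups())
        elif (m := SECTOR_RE.match(line)):
            _disk, sector, desc = m.groups()
            if 'copy of MBR' in desc:
                f.mbr_copy_sectors.append(int(sector))
            if 'rootkit-like behavior' in desc:
                f.rootkit_sectors.append(int(sector))
        elif (m := FILE_RE.match(line)):
            f.modified_files.append(m.group(1))
    return f


def summarize(f):
    """Return (verdict, reasons, hooked_processes).

    Only kernel- and disk-level findings drive the verdict. User-mode JMP hooks are
    recorded but not scored: security software installs the same kind of hook, so
    they need correlating with the loaded modules before they mean anything.
    """
    reasons = []
    if f.kernel_entry_anomalies:
        reasons.append(f'{len(f.kernel_entry_anomalies)} driver(s) with entry point outside a code section')
    if f.device_hooks:
        reasons.append(f'{len(f.device_hooks)} device object(s) redirected to an unknown address')
    if f.rootkit_sectors:
        reasons.append(f'rootkit-like behavior in sectors {sorted(set(f.rootkit_sectors))}')
    if f.mbr_copy_sectors:
        reasons.append(f'MBR copies in {len(f.mbr_copy_sectors)} sector(s) before the first partition')
    if f.modified_files:
        reasons.append(f'{len(f.modified_files)} system driver(s) reported as modified')
    hooked = sorted({h[0] for h in f.user_hooks})
    verdict = 'rootkit indicators present' if reasons else 'no kernel or disk indicators'
    return verdict, reasons, hooked


if __name__ == '__main__':
    verdict, reasons, hooked = summarize(parse_gmer(SAMPLE_LOG))
    print(verdict, *reasons, sep='\n - ')
    print('user-mode hooks seen in:', ', '.join(hooked))
```

The user-mode hooks are deliberately kept out of the score: a JMP out of ntdll proves nothing until you know which module the target address belongs to. The .rsrc entry point, the redirected atapi device object and the flagged sectors are the findings that make this log worth acting on.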
  16. 2010/07/30
    KRB

    KRB Inactive Thread Starter

    Here's the ComboFix log. Oh, and IE8 seems to be fixed now.

    ComboFix 10-07-29.02 - Bahuaud 30/07/2010 6:13.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.343 [GMT -5:00]
    Running from: c:\documents and settings\Bahuaud\My Documents\KYLES STUFF\vremove\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Antivir Nov 2009\avira_antivir_personal_en.exe
    c:\windows\system32\driVERs\nvueeo.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_nvueeo
    -------\Service_nvueeo


    ((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
    .

    2010-07-28 00:37 . 2010-07-28 00:37 -------- d-----w- c:\program files\PrinterShare
    2010-07-28 00:36 . 2010-07-28 00:37 1935360 ----a-w- c:\documents and settings\All Users\Application Data\PrinterShare\PrinterShare2303.exe
    2010-07-27 10:02 . 2010-07-27 10:02 -------- d-----w- c:\documents and settings\Bahuaud\Application Data\Malwarebytes
    2010-07-27 10:02 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-27 10:02 . 2010-07-27 10:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-27 10:02 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-27 10:02 . 2010-07-27 10:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-27 09:13 . 2010-07-27 09:13 -------- d-----w- c:\program files\iPod
    2010-07-27 09:13 . 2010-07-27 09:14 -------- d-----w- c:\program files\iTunes
    2010-07-27 09:13 . 2010-07-27 09:14 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-07-27 09:02 . 2010-07-27 09:03 -------- d-----w- c:\program files\QuickTime
    2010-07-27 08:56 . 2010-07-27 08:56 -------- d-----w- c:\program files\Bonjour
    2010-07-27 08:39 . 2010-07-27 08:39 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
    2010-07-26 00:07 . 2009-11-25 19:01 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
    2010-07-23 17:51 . 2005-01-03 06:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
    2010-07-23 17:50 . 2010-07-23 17:50 -------- d-----w- c:\program files\Common Files\INCA Shared
    2010-07-23 04:01 . 2010-07-23 08:04 -------- d-----w- c:\documents and settings\Bahuaud\Application Data\6C9FE140494AFBD8666C1E543F54F786
    2010-07-21 13:15 . 2010-07-21 13:15 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
    2010-07-21 13:15 . 2010-07-21 13:15 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
    2010-07-21 13:15 . 2010-07-21 13:15 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
    2010-07-21 13:15 . 2010-07-21 13:15 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
    2010-07-21 13:15 . 2010-07-21 13:15 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-07-15 13:20 . 2010-07-15 13:20 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-07-15 13:20 . 2010-07-15 13:20 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-07-15 13:20 . 2010-07-15 13:20 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-15 13:18 . 2010-07-15 13:18 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2010-07-15 13:18 . 2010-07-15 13:18 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
    2010-07-15 13:18 . 2010-07-15 13:18 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
    2010-07-15 13:18 . 2010-07-15 13:18 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-07-13 20:43 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-30 06:26 . 2010-01-03 19:33 -------- d-----w- c:\program files\Xfire
    2010-07-28 00:37 . 2010-02-25 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PrinterShare
    2010-07-27 09:13 . 2010-01-03 19:07 -------- d-----w- c:\program files\Common Files\Apple
    2010-07-26 00:07 . 2010-02-03 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2010-07-24 15:02 . 2010-01-03 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-07-21 20:58 . 2010-01-01 00:27 1 ----a-w- c:\documents and settings\Bahuaud\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-07-18 05:59 . 2010-01-03 19:33 -------- d-----w- c:\documents and settings\Bahuaud\Application Data\Xfire
    2010-07-18 05:29 . 2010-03-31 19:33 -------- d-----w- c:\program files\World of Warcraft
    2010-07-15 13:20 . 2010-01-03 18:09 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-15 13:19 . 2010-01-03 18:09 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-12 05:50 . 2010-01-03 19:33 -------- d-----w- c:\program files\Messenger Plus! Live
    2010-07-01 07:30 . 2010-06-08 15:10 -------- d-----w- c:\documents and settings\Bahuaud\Application Data\Smilebox
    2010-06-28 20:01 . 2010-06-28 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
    2010-06-14 14:31 . 2009-12-31 06:36 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-13 10:29 . 2010-06-13 10:29 1930752 ----a-w- c:\documents and settings\All Users\Application Data\PrinterShare\PrinterShare2300.exe
    2010-06-13 10:27 . 2010-01-03 18:41 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-08 15:10 . 2010-06-08 15:10 -------- d-----w- c:\program files\Smilebox
    2010-06-08 15:10 . 2010-06-08 15:10 59313 ----a-w- c:\documents and settings\Bahuaud\Application Data\Smilebox\uninstall.exe
    2010-06-02 13:11 . 2010-01-03 18:09 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-06-02 07:39 . 2010-01-03 19:10 -------- d-----w- c:\documents and settings\Bahuaud\Application Data\Apple Computer
    2010-06-02 07:38 . 2010-01-03 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-05-25 15:04 . 2010-05-25 15:04 503808 ----a-w- c:\documents and settings\Bahuaud\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2c6414ef-n\msvcp71.dll
    2010-05-25 15:04 . 2010-05-25 15:04 499712 ----a-w- c:\documents and settings\Bahuaud\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2c6414ef-n\jmc.dll
    2010-05-25 15:04 . 2010-05-25 15:04 348160 ----a-w- c:\documents and settings\Bahuaud\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2c6414ef-n\msvcr71.dll
    2010-05-20 09:11 . 2010-05-14 04:24 304448 ----a-w- c:\documents and settings\Bahuaud\Application Data\Smilebox\SmileboxTray.exe
    2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-14 04:24 . 2010-05-14 04:24 230720 ----a-w- c:\documents and settings\Bahuaud\Application Data\Smilebox\SmileboxDvd.exe
    2010-05-14 04:24 . 2010-05-13 23:09 410944 ----a-w- c:\documents and settings\Bahuaud\Application Data\Smilebox\SmileboxStarter.exe
    2010-05-14 04:24 . 2010-05-13 22:21 169280 ----a-w- c:\documents and settings\Bahuaud\Application Data\Smilebox\SmileboxBrowserEngine.dll
    2010-05-14 04:09 . 2010-05-14 04:09 1635648 ----a-w- c:\documents and settings\Bahuaud\Application Data\Smilebox\SmileboxClient.exe
    2010-05-14 03:21 . 2010-05-14 03:21 365888 ----a-w- c:\documents and settings\Bahuaud\Application Data\Smilebox\SmileboxDvdEngine.dll
    2010-05-14 03:21 . 2010-05-14 03:21 140608 ----a-w- c:\documents and settings\Bahuaud\Application Data\Smilebox\SmileboxUpdater.exe
    2010-05-07 07:40 . 2010-05-07 07:40 982016 ----a-w- c:\documents and settings\All Users\Application Data\PrinterShare\PrinterShare2202.exe
    2010-05-06 10:41 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2004-08-10 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IncrediMail "= "c:\program files\IncrediMail\bin\IncMail.exe" [2010-06-17 353736]
    "msnmsgr "= "c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "SmileboxTray "= "c:\documents and settings\Bahuaud\Application Data\Smilebox\SmileboxTray.exe" [2010-05-20 304448]
    "PrinterShare "= "c:\program files\PrinterShare\paConsole.exe" [2010-06-28 1103360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
    "nwiz "= "nwiz.exe" [2006-05-09 1519616]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-07-21 16261632]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
    "AVG9_TRAY "= "c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "AppleSyncNotifier "= "c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Bahuaud\Start Menu\Programs\Startup\
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
    Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-7-9 3493776]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
    HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-15 13:20 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\IncrediMail\\Bin\\IncMail.exe "=
    "c:\\Program Files\\IncrediMail\\Bin\\ImApp.exe "=
    "c:\\Program Files\\IncrediMail\\Bin\\ImpCnt.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Xfire\\Xfire.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "c:\\Program Files\\PrinterShare\\paConsole.exe "=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe "=
    "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe "=
    "c:\\Program Files\\PrinterShare\\paProgress.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3776:UDP "= 3776:UDP:Media Center Extender Service
    "3390:TCP "= 3390:TCP:Remote Media Center Experience

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/01/2010 1:09 PM 216400]
    R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/01/2010 1:09 PM 243024]
    R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [15/07/2010 8:19 AM 921952]
    R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/07/2010 8:20 AM 308136]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    QWAVE REG_MULTI_SZ QWAVE
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-27 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    2010-07-30 c:\windows\Tasks\User_Feed_Synchronization-{92D47641-43EB-461A-B2A8-17FB1147D5B3}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.ca/
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\Bahuaud\Application Data\Mozilla\Firefox\Profiles\gmxg6yvr.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2304157&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar_im2_test_v2&search=
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\documents and settings\Bahuaud\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\Bahuaud\Application Data\Mozilla\Firefox\Profiles\gmxg6yvr.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-30 06:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath "= "c:\windows\system32\GameMon.des -service "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4976)
    c:\windows\system32\WININET.dll
    c:\program files\Xfire\xfire_toucan_43094.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\O2Micro Oz128 Driver\o2flash.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\ehome\RMSvc.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\ehome\McrdSvc.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\eHome\ehmsas.exe
    c:\program files\IncrediMail\Bin\ImApp.exe
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-30 06:25:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-30 11:25

    Pre-Run: 69,890,736,128 bytes free
    Post-Run: 70,152,638,464 bytes free

    - - End Of File - - E3104D4BC02F89B2C9657F0A219FC0EA
     
    KRB,
    #15
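ComboFix's log is long, but the lines that matter for this case are few: what it deleted (nvueeo.sys and its Legacy_ and Service_ entries), which autoruns survive, and where the browser search settings point (the Firefox profile's browser.search.defaulturl and keyword.URL go to conduit.com and incredimail.com, while the start page is google.ca). Added here as a worked example, not part of the original thread or of ComboFix: a Python pass over a constructed subset of the posted log that extracts those items and flags Run entries launched from user-writable profile directories or by bare filename, plus search preferences whose domain differs from the start page's. The flags are review heuristics, not verdicts; SmileboxTray and nwiz come out flagged for a second look, not declared malicious, and the domain comparison is a deliberately crude last-two-labels match.

```python
"""Triage a ComboFix log (added example; the flags are review heuristics, not verdicts)."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
ComboFix 10-07-29.02 - Bahuaud 30/07/2010 6:13.1.2 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Antivir Nov 2009\avira_antivir_personal_en.exe
c:\windows\system32\driVERs\nvueeo.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_nvueeo
-------\Service_nvueeo
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2010-06-17 353736]
"SmileboxTray"="c:\documents and settings\Bahuaud\Application Data\Smilebox\SmileboxTray.exe" [2010-05-20 304448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2304157&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar_im2_test_v2&search=
"""

# "(((( Section ))))" and "------- Section -------" headers
SECTION_RE = re.compile(r'^(?:\(+\s*(.+?)\s*\)+|-{3,}\s*(.+?)\s*-{3,})$')
KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
# Tolerates the stray spaces the forum inserted around quotes:  "Name "= "path" [date size]
VALUE_RE = re.compile(r'^"([^"]+?)\s*"\s*=\s*"([^"]*)"(?:\s*\[(\d{4}-\d\d-\d\d)\s+(\d+)\])?')
REMOVED_SVC_RE = re.compile(r'^-+\\(\S+)$')
FF_PREF_RE = re.compile(r'^FF - prefs\.js: (\S+) - (\S+)')
START_PAGE_RE = re.compile(r'^uStart Page = (\S+)')

USER_WRITABLE = ('\\documents and settings\\', '\\application data\\', '\\temp\\')  # assumption: XP layout
SEARCH_PREFS = {'browser.search.defaulturl', 'keyword.URL'}


def _host(url):
    """Hostname of a defanged (hxxp://) or plain URL; '' if there is none."""
    return urlparse(url.replace('hxxp', 'http', 1)).hostname or ''


def _domain(url):
    """Crude registrable domain: the last two labels of the host."""
    return '.'.join(_host(url).split('.')[-2:])


def flag_run_entry(path):
    """Review heuristics for an autorun command; an empty string means nothing to flag."""
    low = path.lower()
    if '\\' not in low:
        return 'unqualified path (resolved via search order)'
    if any(marker in low for marker in USER_WRITABLE):
        return 'runs from a user-writable profile directory'
    return ''


def triage_combofix(text):
    """Extract deletions, removed services, Run entries and off-domain search prefs."""
    result = {'deleted_files': [], 'removed_services': [], 'run_entries': [], 'search_hijacks': []}
    section, key, start_domain = '', '', ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        if (m := SECTION_RE.match(line)):
            section, key = (m.group(1) or m.group(2)).strip(), ''
            continue
        if section == 'Other Deletions':
            result['deleted_files'].append(line)
        elif section == 'Drivers/Services':
            if (m := REMOVED_SVC_RE.match(line)):
                result['removed_services'].append(m.group(1))
        elif section == 'Reg Loading Points':
            if (m := KEY_RE.match(line)):
                key = m.group(1)
            elif key.lower().endswith('\\run') and (m := VALUE_RE.match(line)):
                name, path, date, size = m.groups()
                result['run_entries'].append({'key': key, 'name': name.strip(), 'path': path, 'date': date,
                                              'size': int(size) if size else None, 'flag': flag_run_entry(path)})
        elif section == 'Supplementary Scan':
            if (m := START_PAGE_RE.match(line)):
                start_domain = _domain(m.group(1))
            elif (m := FF_PREF_RE.match(line)):
                pref, url = m.groups()
                if pref in SEARCH_PREFS and _domain(url) != start_domain:
                    result['search_hijacks'].append((pref, _host(url)))
    return result


if __name__ == '__main__':
    for kind, items in triage_combofix(SAMPLE_LOG).items():
        print(kind, *items, sep='\n  ')
```

To run it on a real log, replace SAMPLE_LOG with the file contents; the value regex tolerates the stray spaces the forum inserted around the quotes in the posted Reg Loading Points entries, so the pasted text works as-is.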
  17. 2010/07/30
    broni

    broni Moderator Malware Analyst

    Good :)

    Please, delete your GMER file, download new one and post fresh log.
     
  18. 2010/07/31
    KRB

    KRB Inactive Thread Starter

    GMER found nothing; the log was blank.

    But I did have to run it in Safe Mode with "Devices" unchecked to make it run.
     
    KRB,
    #17
  19. 2010/07/31
    broni

    broni Moderator Malware Analyst

    Very good then :)

    How is the computer doing at the moment?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall".
    Click OK (Vista users - press Enter).
    Restart computer.

    =============================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
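    The custom-scan lines above are OTL's own directive syntax. As an added illustration (not from this thread and not OTL's code), the PowerShell script below performs the same kind of triage by hand: it lists files matching the unusual-location patterns the scan targets, reports the MD5 and file version of the three DLLs the scan hashes with /md5, and reads the Windows Update policy and last-success values. The page gives no known-good hashes, so the hashes are for comparison against a clean copy of the same file at the same service-pack level, not for a verdict on their own.

```powershell
# Added example (not from the thread, not OTL's code): manual triage mirroring the
# intent of the OTL custom-scan directives. Run from an elevated PowerShell prompt.
$sysroot = $env:SystemRoot

# File patterns from the custom scan; anything found here deserves a closer look,
# since these locations normally hold no such files.
$patterns = @(
    "$sysroot\system32\Spool\prtprocs\w32x86\*.dll",
    "$sysroot\system32\Spool\prtprocs\w32x86\*.tmp",
    "$sysroot\system32\*.wt",
    "$sysroot\system32\*.ruy",
    "$sysroot\Fonts\*.com",
    "$sysroot\Fonts\*.dll",
    "$sysroot\System32\config\*.sav",
    "$sysroot\Tasks\*.job"
)
foreach ($p in $patterns) {
    Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# MD5 plus file version of the DLLs the scan hashes with /md5. Compare both against
# a clean machine at the same patch level; no reference values are given on the page.
$md5 = [System.Security.Cryptography.MD5]::Create()
foreach ($name in 'user32.dll', 'ws2_32.dll', 'ws2help.dll') {
    $path = Join-Path "$sysroot\system32" $name
    $stream = [System.IO.File]::OpenRead($path)
    try {
        $hash = ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
    $ver = (Get-Item $path).VersionInfo.FileVersion
    '{0,-12} {1} {2}' -f $name, $hash, $ver
}

# Windows Update state: the AU policy key (absent on an unmanaged home PC) and the
# time of the last successful install, which some infections silently stop.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
    -ErrorAction SilentlyContinue
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install' `
    -Name LastSuccessTime -ErrorAction SilentlyContinue |
    Select-Object LastSuccessTime
```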
  20. 2010/07/31
    KRB

    KRB Inactive Thread Starter

    Joined:
    2010/07/27
    Messages:
    98
    Likes Received:
    0
    Well, the computer has its sound back and it doesn't redirect searches any more,
    but since ComboFix and Malwarebytes were run I have been getting the pic below when starting up. I will download OTL now.

    [image]
     
    KRB,
    #19
  21. 2010/07/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good news :)

    Don't worry about that message for now.
     
    KRB likes this.
