
Security hole somewhere

Discussion in 'Virus & Other Malware Removal' started by Buscuit, May 29, 2009.

Thread Status:
Not open for further replies.
  1. Buscuit

    Buscuit Thread Starter

    Joined:
    May 28, 2009
    Messages:
    3
    For the most part, I've tried to fix problems when they arise on my computer, but recently I've been bombarded with numerous hard-to-remove spyware. Now, I did get rid of a lot of it myself, and even overcame having Ad-Aware delete my userinit.exe. But not even Malwarebytes has been able to get rid of the elusive google-redirect.com or find how all this spyware just suddenly showed up. So I'm breaking down and asking for assistance.

    I think that somewhere in the depths of this issue, it will also fix the classic "you don't have Flash or Java" problem that plagues YouTube, and the "Gmail loading freeze" problems. I tried some other program that screwed up my proxy settings, and while Firefox didn't seem to mind, my IE and MSN have yet to recover. Someone told me to try ComboFix, but the internet says it has some serious potential to ruin my system inadvertently, so I'm not going to touch that without someone telling me how to use it.

    Here is the HijackThis log. Take note: no, I do not have anti-virus installed, but I've been running this rig since 2001 (with upgrades in 2004, including the change to XP) without anti-virus, and with minimal to no problems at all.
    ----
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:46:12 PM, on 5/28/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\PopUp Killer\PopUpKiller.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Pidgin\pidgin.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    \?\globalroot\C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\buscuit\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.flpfszxzpvzoxwlrsdhkgjfg...6LZz8TUbBZiREnOl/GQj6esBQwxjnBfrbQDxx8FP.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER COMPANION\POPUPUS.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: LiveInfoPro - {3E9D340B-D614-4854-AE06-4218201F6AAE} - C:\Program Files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
    O4 - HKLM\..\Run: [Noun Date Rule Axis] C:\Documents and Settings\All Users\Application Data\blue shim axis memo\corn third poke.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,[email protected]
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\buscuit\protect.dll,[email protected]
    O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3322688036.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [SYSDLL] SYSDLL (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,[email protected] (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3322688036.exe (User 'Default user')
    O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
    O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: ChkDisk.dll
    O4 - Startup: ChkDisk.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096492651265
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

    --
    End of file - 7023 bytes
     
  2. emeraldnzl

    emeraldnzl Malware Specialist

    Joined:
    Nov 3, 2007
    Messages:
    2,570
    Hello Buscuit,

    Welcome to TSG.

    There are a number of issues showing in that log, but first let's do that ComboFix one.

    Please download ComboFix from one of these locations:

    NOTE: If you are a guest watching this topic: ComboFix is a very powerful tool. The disclaimer clearly states that you should not use it without supervision. There is good reason for this, as ComboFix can, and sometimes does, run into conflict on a computer and render it unusable.

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image]

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image]

    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
     
  3. Buscuit

    Buscuit Thread Starter

    Joined:
    May 28, 2009
    Messages:
    3
    uh...

    The text that you have entered is too long (179370 characters). Please shorten it to 30000 characters long.

    So here's the post-ComboFix HJT log.
    -------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:42:33 PM, on 5/29/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\PopUp Killer\PopUpKiller.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\buscuit\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER COMPANION\POPUPUS.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: LiveInfoPro - {3E9D340B-D614-4854-AE06-4218201F6AAE} - C:\Program Files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-18\..\Run: [SYSDLL] SYSDLL (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [SYSDLL] SYSDLL (User 'Default user')
    O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096492651265
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

    --
    End of file - 5953 bytes

    --------------
    Things are running better already!
     
  4. emeraldnzl

    emeraldnzl Malware Specialist

    Joined:
    Nov 3, 2007
    Messages:
    2,570
    You can split the log and post in multiple posts or

    alternatively

    Upload to Mediafire and post the sharing link.
     
  5. Buscuit

    Buscuit Thread Starter

    Joined:
    May 28, 2009
    Messages:
    3
    ComboFix 09-05-29.01 - buscuit 05/29/2009 23:29.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.762 [GMT -4:00]
    Running from: c:\documents and settings\buscuit\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\buscuit\Application Data\wiaserva.log
    c:\windows\IE4 Error Log.txt
    c:\windows\patch.exe
    c:\windows\start.exe
    c:\windows\system32\8241_1.exe
    c:\windows\system32\config\systemprofile\protect.dll
    c:\windows\system32\drivers\ovfsthfktetymxbfdibphewflufmdhrrubhskd.sys
    c:\windows\system32\jhxm32.dll
    c:\windows\system32\lklf32.dll
    c:\windows\system32\ovfsthbchfudjkoixuvpxmhrqndrltdibonftq.dll
    c:\windows\system32\ovfsthdedixoimrllotujocldmvyhdqeeaolko.dat
    c:\windows\system32\ovfsthfolksmnpyxssbxuxgmbrwrvklnovbspa.dat
    c:\windows\system32\ovfsthmgwmohefcrxgpyyrjcwmqppparjyevcg.dll
    c:\windows\system32\ovfsthsumeataswpxyqwviukjuxvmfvigkeowb.dll
    c:\windows\system32\sysloc
    c:\windows\system32\uniq.tll
    c:\windows\system32\win32x.exe
    c:\windows\TEMP\3244094286.exe
    c:\windows\TEMP\3244250536.exe
    c:\windows\TEMP\3322688036.exe
    c:\windows\Web\default.htt

    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_ovfsthkbxrsysovhbrnvpiqwhplvrebmylyxuw
    -------\Legacy_AVAST!ANTIVIRUS
    -------\Legacy_WIN32X


    ((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
    .

    2009-05-29 18:22 . 2009-05-29 18:22 2087 ----a-w c:\documents and settings\buscuit\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
    2009-05-29 01:11 . 2009-05-29 01:11 1 ----a-w c:\windows\system32\xd.dat
    2009-05-29 01:11 . 2009-05-29 01:11 65 ----a-w c:\windows\system32\nk.dat
    2009-05-29 01:11 . 2009-05-29 01:11 1 ----a-w c:\windows\system32\q1.dat
    2009-05-29 01:11 . 2009-05-29 01:11 1 ----a-w c:\windows\system32\idm.dat
    2009-05-29 01:11 . 2009-05-29 01:11 1 ----a-w c:\windows\system32\ck.dat
    2009-05-29 01:11 . 2009-05-29 01:11 1 ----a-w c:\windows\system32\c2d.dat
    2009-05-29 00:59 . 2009-05-29 00:59 40448 ----a-w c:\windows\system32\bekbn.dll
    2009-05-28 16:58 . 2009-05-26 08:18 105 ----a-w C:\tj.vbs
    2009-05-28 16:58 . 2009-05-28 16:58 107148 ----a-w c:\windows\system32\vic_setup.exe
    2009-05-28 16:16 . 2009-05-28 16:16 -------- d-----w c:\documents and settings\buscuit\Application Data\MSN6
    2009-05-28 16:16 . 2009-05-28 16:16 -------- d-----w c:\documents and settings\All Users\Application Data\MSN6
    2009-05-27 19:01 . 2009-05-27 19:01 -------- d-----w C:\fixwareout
    2009-05-26 18:28 . 2009-05-26 18:28 2 ---h--w c:\windows\sonce122730.dat
    2009-05-26 18:26 . 2009-05-26 18:26 3371383 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-05-26 02:18 . 2009-05-26 02:18 -------- d--h--w c:\windows\system32\GroupPolicy
    2009-05-26 00:42 . 2004-08-04 07:56 24576 ----a-w c:\windows\system32\userinit.exe
    2009-05-26 00:42 . 2004-08-04 07:56 24576 ----a-w c:\windows\system32\dllcache\userinit.exe
    2009-05-26 00:30 . 2009-05-26 00:30 -------- d-----w C:\FOUND.000
    2009-05-20 21:29 . 2009-05-20 20:19 15688 ----a-w c:\windows\system32\lsdelete.exe
    2009-05-20 20:18 . 2009-05-20 20:18 953168 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
    2009-05-20 20:18 . 2009-05-20 20:18 516440 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
    2009-05-20 20:17 . 2009-05-20 20:17 -------- d--h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-05-20 20:17 . 2009-03-12 08:17 2902048 ----a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
    2009-05-20 20:17 . 2009-05-20 20:17 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-05-14 02:04 . 2009-05-14 02:04 -------- d-----w c:\documents and settings\buscuit\Application Data\Malwarebytes
    2009-05-14 02:04 . 2009-05-26 17:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-05-14 02:04 . 2009-05-26 17:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-14 02:04 . 2009-05-14 02:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-05-14 02:04 . 2009-05-14 02:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-13 21:22 . 2009-05-13 21:22 -------- d-----w c:\documents and settings\buscuit\Application Data\GetRightToGo
    2009-05-13 21:15 . 2009-05-13 21:15 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Babylon
    2009-05-13 21:15 . 2009-05-13 21:15 -------- d-----w c:\documents and settings\All Users\Application Data\Babylon

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-30 03:32 . 2004-10-02 01:36 24 ----a-w c:\windows\system32\DVCStateBkp-{00000002-00000000-0000000A-00001102-00000002-80641102}.dat
    2009-05-30 03:32 . 2004-10-02 01:36 24 ----a-w c:\windows\system32\DVCState-{00000002-00000000-0000000A-00001102-00000002-80641102}.dat
    2009-04-06 00:47 . 2009-04-06 00:47 -------- d-----w c:\documents and settings\buscuit\Application Data\DivX
    2009-04-06 00:44 . 2009-04-06 00:44 -------- d-----w c:\program files\DivX
    2009-04-06 00:44 . 2009-04-06 00:44 -------- d-----w c:\program files\Common Files\DivX Shared
    2009-04-05 19:24 . 2009-04-05 19:24 -------- d-----w c:\documents and settings\All Users\Application Data\TEMP
    2009-04-05 19:24 . 2009-04-05 19:24 -------- d-----w c:\program files\Fraps
    2009-04-04 15:50 . 2009-04-04 15:50 -------- d-----w c:\program files\Common Files\Windows Live
    2009-03-06 14:44 . 2004-09-28 23:25 283648 ----a-w c:\windows\system32\pdh.dll
    2009-03-03 00:18 . 2004-09-28 23:27 826368 ----a-w c:\windows\system32\wininet.dll
    2002-03-17 17:55 . 2002-03-17 17:55 9170690 ------w c:\program files\wme-ref-7-70-020418m-003892c.exe
    2002-02-22 00:59 . 2002-02-22 00:59 6907024 ------w c:\program files\SWGameEN.exe
    2001-11-14 04:31 . 2001-11-14 04:31 11079 ---h--w c:\program files\folder.htt
    2007-01-14 01:31 . 2007-01-14 01:31 0 --sha-w c:\windows\All Users\DRM\Cache\Indiv01.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
    @="{7D688A77-C613-11D0-999B-00C04FD655E1}"
    [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
    2008-07-03 12:03 8460800 ----a-w c:\windows\SYSTEM32\shell32.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-05 335872]
    "PopUpKiller"="c:\program files\PopUp Killer\PopUpKiller.EXE" [2001-12-24 108032]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-20 516440]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "SYSDLL"="SYSDLL" [X]

    c:\documents and settings\buscuit\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    backup=c:\windows\pss\PowerReg Scheduler.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "PTSNOOP"=ptsnoop.exe
    "LoadQM"=loadqm.exe
    "Creative Launcher"=c:\program files\Creative\SBLive\Launcher\CTLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "CountrySelection"=pctptt.exe
    "HydarVisionDesktopManager"=desk98.exe
    "ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    "TkBellExe"=c:\program files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    "Configuration printer"=rundl1.exe
    "QuickTime Task"=c:\windows\SYSTEM32\qttask.exe
    "PopUpKiller"=c:\program files\POPUP KILLER\POPUPKILLER.EXE
    "NAV Agent"=c:\progra~1\NORTON~1\NAVAPW32.EXE
    "DownloadAccelerator"=c:\progra~1\DAP\DAP.EXE /STARTUP
    "Microsoft Tray"=c:\program files\KAZAA\MY SHARED FOLDER\GRAND THEFT AUTO VICE CITY SETUP LAUNCHER.EXE
    "KAZAA"="c:\program files\KAZAA LITE\KPP.EXE" "c:\program files\KAZAA LITE\KAZAALITE.KPP" /SYSTRAY
    "LoadQM"=loadqm.exe
    "InCD"=c:\program files\Ahead\InCD\InCD.exe
    "POINTER"=point32.exe
    "Wait Lies"=c:\progra~1\HEARTR~1\flapone.exe
    "four for blue safe"=c:\documents and settings\buscuit\Application Data\Thunk body four for\ooze proc.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
    "c:\\Program Files\\TmSunriseDemoMag\\TmSunriseDemoMag.exe"=
    "c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
    "c:\\Program Files\\Fox\\Aliens vs. Predator 2 Multiplayer Demo\\lithtech.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\buscuit28\\half-life 2\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\buscuit28\\half-life 2 deathmatch\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\buscuit28\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\buscuit28\\lostcoast\\hl2.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\buscuit28\\source sdk base\\hl2.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Pidgin\\PIDGIN.EXE"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\buscuit28\\source sdk base 2007\\hl2.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6881:TCP"= 6881:TCP:BT
    "6882:TCP"= 6882:TCP:BT
    "6883:TCP"= 6883:TCP:BT
    "6884:TCP"= 6884:TCP:BT
    "6885:TCP"= 6885:TCP:BT
    "6886:TCP"= 6886:TCP:BT
    "6887:TCP"= 6887:TCP:BT
    "6888:TCP"= 6888:TCP:BT
    "6889:TCP"= 6889:TCP:BT

    R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [5/20/2009 4:19 PM 64160]
    R1 totalio;TotalIO;c:\windows\SYSTEM32\DRIVERS\totalio.sys [11/22/2007 8:46 PM 2358]
    S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\SYSTEM32\DRIVERS\dsreader.sys [2/24/2008 10:55 PM 19677]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-30 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\SYMANTEC\LIVEUPDATE\NDETECT.EXE [2002-09-23 13:04]

    2009-05-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:19]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Steam - (no file)
    HKLM-Run-Noun Date Rule Axis - c:\documents and settings\All Users\Application Data\blue shim axis memo\corn third poke.exe
    HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
    SafeBoot-procexp90.Sys


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\buscuit\Application Data\Mozilla\Firefox\Profiles\f0mu2123.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.hyperboard.co.uk/
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 7171
    FF - prefs.js: network.proxy.type - 2
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-29 23:34
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    ***DELETED INFO BY USER***

    scan completed successfully
    hidden files: 3692

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(560)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\ATI2EVXX.EXE
    c:\windows\SYSTEM32\ATI2EVXX.EXE
    c:\windows\SYSTEM32\WDFMGR.EXE
    c:\program files\COMMON FILES\AHEAD\LIB\NMINDEXINGSERVICE.EXE
    c:\windows\SYSTEM32\WSCNTFY.EXE
    c:\program files\COMMON FILES\AHEAD\LIB\NMINDEXSTORESVR.EXE
    .
    **************************************************************************
    .
    Completion time: 2009-05-30 23:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-30 03:38

    Pre-Run: 2,474,016,768 bytes free
    Post-Run: 4,006,608,896 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout = 30
    default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    3936 --- E O F --- 2009-05-06 05:29
     
  6. emeraldnzl

    emeraldnzl Malware Specialist

    Joined:
    Nov 3, 2007
    Messages:
    2,570
    I see the Norton AntiVirus toolbar there. If you were under the impression this wasn't there, or that Norton was no longer on your machine, and you don't want it, please do this:

    Go to Add or Remove Programs and, if they are there, remove any items with Norton or Symantec in the name.

    After that

    Go here Norton Removal Tool to remove left-over bits of the Norton AntiVirus program. Choose the link for the version you had and then download and run the removal program. It may be that you do not know the version you had. Just continue and the program should still remove the left-overs of Norton.

    Now

    1. Close any open browsers.

    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe

    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe.

    When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.
     
Short URL to this thread: https://techguy.org/830859
