Jan 31
Search engine hijack w/ security update blocking
Filed Under: Virus
Using any search engine, from the toolbar or from the site directly, valid results are shown, but when clicking a link a new window opens with unrelated websites and advertisements.
First thing I tried was Spybot. The program installed but would not open or update. Then I tried Ad-Aware; it scanned but didn't find anything. It also updated, but only after the scan completed. Then I installed AVG; it would scan with zero results and would not update either.
Found this forum and tried to use RSIT, but it would not allow the file to be saved or opened. Then I tried to copy RSIT from another computer. Once pasted on the desktop, I double clicked the icon and received an error: AutoIt Error - Unable to open the script file.
Not sure where to go from here. Just to let you know, I am running Windows XP. Any direction would be greatly appreciated.
Hi adamsmw
Welcome to linabbs.
Let's see if you can get this one.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool. When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop & post them here.
Thanks
Geri
I was able to get DDS to work by copying it from another computer. None of the links worked from the hijacked computer. I wasn't sure about the script blocking but ran DDS anyway. Here is the DDS log:
DDS (Ver_09-01-07.01) - NTFSx86
Run by Owner at 21:33:42.79 on Tue 01/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1642 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.supermotojunkie.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [e�������������������������] c:\program files\xp antivirus\xpa.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {AEFDC890-3F45-4685-BE56-874E9C3C555D} = 68.28.90.91 68.28.82.91
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\n1h8i5js.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-11 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-11 26824]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-11 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-11 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-11 76040]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-9-6 13824]
=============== Created Last 30 ================
2009-01-11 23:12 25,856 ac—— c:\windows\system32\dllcache\usbprint.sys
2009-01-11 23:12 25,856 a——- c:\windows\system32\drivers\usbprint.sys
2009-01-11 18:08 10,520 a——- c:\windows\system32\avgrsstx.dll
2009-01-11 18:08 76,040 a——- c:\windows\system32\drivers\avgtdix.sys
2009-01-11 18:08 97,928 a——- c:\windows\system32\drivers\avgldx86.sys
2009-01-11 18:08 <DIR> –d—– c:\windows\system32\drivers\Avg
2009-01-11 18:08 <DIR> –d—– c:\docume~1\owner\applic~1\AVGTOOLBAR
2009-01-11 18:08 <DIR> –d—– c:\program files\AVG
2009-01-11 18:08 <DIR> –d—– c:\docume~1\alluse~1\applic~1\avg8
2009-01-11 16:28 <DIR> –d—– c:\program files\Lavasoft
2009-01-11 16:27 <DIR> –d—– c:\program files\common files\Wise Installation Wizard
2009-01-11 15:32 <DIR> –d—– c:\windows\Downloaded Installations
2009-01-11 15:00 <DIR> –d—– c:\program files\Spybot - Search & Destroy
2009-01-11 15:00 <DIR> –d—– c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-11 13:51 <DIR> –d—– c:\program files\Novatel Wireless
==================== Find3M ====================
2008-12-11 03:57 333,952 a——- c:\windows\system32\drivers\srv.sys
2008-10-23 05:36 286,720 a——- c:\windows\system32\gdi32.dll
2008-10-16 13:38 826,368 a——- c:\windows\system32\wininet.dll
2008-08-24 14:21 32,768 a–sh— c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat
============= FINISH: 21:35:04.53 ===============
Here is the Attach log:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT
POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-01-07.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 9/5/2007 3:42:33 PM
System Uptime: 1/13/2009 9:13:31 PM (0 hours ago)
Motherboard: Intel Corporation | | D845GVSR
Processor: Intel(R) Celeron(R) CPU 2.80GHz | J2E1 | 2800/133mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 37 GiB total, 27.013 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 37.148 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Linksys NC100 Fast Ethernet Adapter
Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_05701317&REV_11\4&29817089&0&00F0
Manufacturer: Linksys
Name: Linksys NC100 Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_05701317&REV_11\4&29817089&0&00F0
Service: AN983
==== System Restore Points ===================
RP245: 10/16/2008 5:40:38 PM - Software Distribution Service 3.0
RP246: 10/18/2008 4:12:30 AM - System Checkpoint
RP247: 10/19/2008 4:42:35 AM - System Checkpoint
RP248: 10/20/2008 7:52:49 AM - System Checkpoint
RP249: 10/21/2008 8:45:55 AM - System Checkpoint
RP250: 10/22/2008 11:42:17 AM - System Checkpoint
RP251: 10/24/2008 11:46:26 AM - Software Distribution Service 3.0
RP252: 10/24/2008 3:22:10 PM - Software Distribution Service 3.0
RP253: 10/27/2008 4:27:31 AM - System Checkpoint
RP254: 10/28/2008 5:29:35 AM - System Checkpoint
RP255: 10/29/2008 5:33:19 AM - System Checkpoint
RP256: 10/30/2008 3:38:10 AM - Software Distribution Service 3.0
RP257: 10/31/2008 4:21:33 PM - System Checkpoint
RP258: 11/1/2008 4:09:41 AM - Software Distribution Service 3.0
RP259: 11/2/2008 4:46:18 AM - System Checkpoint
RP260: 11/3/2008 5:26:22 AM - System Checkpoint
RP261: 11/4/2008 6:13:14 AM - System Checkpoint
RP262: 11/5/2008 12:40:10 AM - Software Distribution Service 3.0
RP263: 11/6/2008 5:40:23 AM - System Checkpoint
RP264: 11/7/2008 3:15:07 AM - Software Distribution Service 3.0
RP265: 11/8/2008 4:26:33 AM - System Checkpoint
RP266: 11/9/2008 4:52:43 AM - System Checkpoint
RP267: 11/10/2008 4:58:09 AM - System Checkpoint
RP268: 11/10/2008 2:37:49 PM - Windows Defender Checkpoint
RP269: 11/13/2008 3:13:35 AM - System Checkpoint
RP270: 1/11/2009 3:19:25 PM - System Checkpoint
RP271: 1/11/2009 4:27:55 PM - Installed Ad-Aware
RP272: 1/11/2009 6:08:34 PM - Installed AVG Free 8.0
RP273: 1/13/2009 6:22:56 PM - System Checkpoint
==== Installed Programs ======================
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 6.0
Adobe Shockwave Player
AnswerWorks Runtime
AutoCAD LT 2002
AVG Free 8.0
Google Toolbar for Internet Explorer
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Connections Drivers
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Outlook Web Access S/MIME
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C 2005 Redistributable
Mobile Broadband Generic Drivers
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Nero 7
neroxml
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Soft Data Fax Modem with SmartCP
Sprint Mobile Broadband (Novatel Wireless) - Lite
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Volo View Express
WebFldrs XP
Windows Backup Utility
Windows Communication Foundation
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
==== Event Viewer Messages From Past Week ========
1/11/2009 6:08:01 PM, error: Service Control Manager [7034] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s).
1/11/2009 4:16:55 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
1/11/2009 9:13:13 PM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{3B664EC7-8962-44E0-86D6-8DC264388033} because another computer on the network has the same name. The server could not start.
1/11/2009 9:17:35 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00121752E050 has been denied by the DHCP server 192.168.0.254 (The DHCP Server sent a DHCPNACK message).
1/12/2009 9:49:47 PM, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.
1/13/2009 7:03:12 AM, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
==== End Of File ===========================
Hi
OK, we need to download and transfer a tool to the infected machine.
Please rename the tool before saving it to "Fombocix.exe" or anything of your choosing. Transfer it to the infected machine and run it as instructed.
Download ComboFix from Here to your Desktop.
It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have. Close all open programs and windows.
Double click combofix.exe and follow the prompts.
Vista users right click Combofix.exe and select Run As Administrator.
When finished, it shall produce a log for you. Post the ComboFix log.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
**NOTE - Allow ComboFix to update if prompted.
Thanks
Geri
Here is the ComboFix log. Thanks for the help. When the scan started it asked me to write down some files. Here they are:
C:\WINDOWS\system32\drivers\TDSSpqlt.sys
\TDSSoiqh.dll
\ " osvd.dat
\ " brsr.dll
\ " riqp.dll
\ " cfum.dll
\ " tkdv.log
\ " nmxh.log
\ " sihc.dll
\ " rhym.log
ComboFix 09-01-13.04 - Owner 2009-01-15 21:30:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1617 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\FomboCix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Antivirus 2009
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\ieupdates.exe
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
——-\Service_TDSSserv.sys
——-\Legacy_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.
2009-01-13 22:11 . 2009-01-13 22:30 <DIR> d——– c:\windows\system32\NtmsData
2009-01-13 22:00 . 2006-01-06 12:07 185,344 –a—— c:\windows\system32\hpfinst.dll
2009-01-13 22:00 . 2006-01-06 12:07 69,632 ——— c:\windows\system32\hpodinet.dll
2009-01-13 22:00 . 2006-01-06 12:07 36,864 –a—— c:\windows\hpfsched.exe
2009-01-13 21:59 . 2009-01-13 22:20 <DIR> d——– c:\temp\photosmart
2009-01-11 23:12 . 2008-04-13 11:47 25,856 –a—— c:\windows\system32\drivers\usbprint.sys
2009-01-11 23:12 . 2008-04-13 11:47 25,856 –a–c— c:\windows\system32\dllcache\usbprint.sys
2009-01-11 18:08 . 2009-01-15 21:31 <DIR> d——– c:\windows\system32\drivers\Avg
2009-01-11 18:08 . 2009-01-11 18:08 <DIR> d——– c:\program files\AVG
2009-01-11 18:08 . 2009-01-11 18:40 <DIR> d——– c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-01-11 18:08 . 2009-01-11 18:07 <DIR> d——– c:\documents and settings\All Users\Application Data\avg8
2009-01-11 18:08 . 2009-01-11 18:08 97,928 –a—— c:\windows\system32\drivers\avgldx86.sys
2009-01-11 18:08 . 2009-01-11 18:08 76,040 –a—— c:\windows\system32\drivers\avgtdix.sys
2009-01-11 18:08 . 2009-01-11 18:08 10,520 –a—— c:\windows\system32\avgrsstx.dll
2009-01-11 16:28 . 2009-01-11 16:28 <DIR> d——– c:\program files\Lavasoft
2009-01-11 16:28 . 2009-01-11 16:28 <DIR> d——– c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-11 16:27 . 2009-01-11 16:27 <DIR> d——– c:\program files\Common Files\Wise Installation Wizard
2009-01-11 15:32 . 2009-01-11 15:32 <DIR> d——– c:\windows\Downloaded Installations
2009-01-11 15:00 . 2009-01-11 16:15 <DIR> d——– c:\program files\Spybot - Search & Destroy
2009-01-11 15:00 . 2009-01-11 16:14 <DIR> d——– c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-11 14:51 . 2009-01-11 14:51 0 –a—— c:\windows\nsreg.dat
2009-01-11 13:51 . 2009-01-11 13:51 <DIR> d——– c:\program files\Novatel Wireless
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 01:06 ——— d—–w c:\documents and settings\All Users\Application Data\McAfee
2008-12-11 10:57 333,952 —-a-w c:\windows\system32\drivers\srv.sys
2008-11-17 11:58 ——— d—–w c:\documents and settings\LocalService\Application Data\SACore
2008-10-23 12:36 286,720 —-a-w c:\windows\system32\gdi32.dll
2008-10-16 21:13 202,776 —-a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 —-a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 —-a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 —-a-w c:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 —-a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 —-a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 —-a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 —-a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 —-a-w c:\windows\system32\wininet.dll
2008-08-24 21:21 32,768 –sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-07-03 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-11 1261336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-11 97928]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-11 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-11 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-11 76040]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-09-06 13824]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{838f189e-e021-11dd-ac16-001111b0457e}]
\Shell\AutoRun\command - J:\LiteAuto.exe
.
Contents of the ‘Scheduled Tasks’ folder
2009-01-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]
.
- - - - ORPHANS REMOVED - - - -
BHO-{549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
.
——- Supplementary Scan ——-
.
uStart Page = hxxp://www.supermotojunkie.com/
TCP: {AEFDC890-3F45-4685-BE56-874E9C3C555D} = 68.28.90.91 68.28.82.91
c:\windows\system32\msstkprp.dll - c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\system32\objsafe.tlb
c:\windows\system32\DLGOBJS.DLL
c:\windows\Downloaded Program Files\RraainAX.ocx
O16 -: {297DE2B6-509A-4B36-93C5-A65276606900}
hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
c:\windows\Downloaded Program Files\RraainAX.INF
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n1h8i5js.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 21:32:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-15 21:35:01
ComboFix-quarantined-files.txt 2009-01-16 04:34:40
Pre-Run: 28,825,202,688 bytes free
Post-Run: 28,927,864,832 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
153 — E O F — 2009-01-14 01:01:19
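The DDS log in the earlier post and the ComboFix log above carry the indicators a helper reads off by eye: an autostart value with a non-printable name pointing at an "xp antivirus" folder, an orphan BHO, an outdated AV, TDSS-prefixed files in system32, the firewall switched off, and an AutoRun command hung on a mountpoints2 key for a removable drive. The script below, added here as an example and not part of this thread or of the DDS or ComboFix tools, runs that triage over the kind of lines the two tools print. The rule patterns are the editor's own and generalise from the specific names in the posted logs (any TDSS-prefixed component, either rogue-AV folder seen here, any AutoRun command under mountpoints2); the sample lines are copied from the two logs, with the garbled value name rebuilt with U+FFFD as the forum rendered it.

```python
"""Triage a DDS / ComboFix style log for the indicators seen in this thread.

Added example: not part of the thread and not code from DDS or ComboFix.
The rule patterns are the editor's own and generalise the names in the
posted logs rather than matching those exact names only.
"""
import re
from typing import Iterable, List, Tuple

# (rule name, severity, pattern). Case-insensitive because DDS lower-cases
# paths while ComboFix keeps the original case.
RULES = [
    # Folders used by the rogue security products named in the logs.
    ("rogue-av-path", "high",
     re.compile(r"\\(?:xp antivirus|antivirus 2009)(?:\\|$)", re.I)),
    # TDSS drops randomly suffixed .sys/.dll/.dat/.log files in system32.
    ("tdss-component", "high",
     re.compile(r"\\system32\\(?:drivers\\)?tdss\w+\.(?:sys|dll|dat|log)$", re.I)),
    # Windows Firewall switched off in the standard profile.
    ("firewall-disabled", "medium",
     re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.I)),
    # An AutoRun command attached to a drive letter in mountpoints2.
    ("removable-autorun", "medium",
     re.compile(r"^\\Shell\\AutoRun\\command - [A-Z]:\\", re.I)),
    # DDS header reports the installed AV as out of date.
    ("av-outdated", "low",
     re.compile(r"^AV: .*\(Outdated\)", re.I)),
    # Browser helper object whose DLL no longer exists (orphan entry).
    ("orphan-bho", "low",
     re.compile(r"^BHO: \{[0-9A-F-]+\} - No File$", re.I)),
]

# DDS autostart line: uRun/mRun/dRun: [value name] target
RUN_ENTRY = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")


def name_is_clean(name: str) -> bool:
    """True when an autostart value name is plain printable ASCII.

    The rogue entry in the DDS log has a value name made of non-printable
    characters, which is why DDS rendered it as garbage.
    """
    return all(32 <= ord(ch) < 127 for ch in name)


def triage(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, severity, line) for every line that trips a rule."""
    hits: List[Tuple[str, str, str]] = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        run = RUN_ENTRY.match(line)
        if run and not name_is_clean(run.group("name")):
            hits.append(("garbled-run-name", "high", line))
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                hits.append((rule, severity, line))
    return hits


def summarize(hits: List[Tuple[str, str, str]]) -> dict:
    """Count hits per severity so the worst finding is visible at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, severity, _ in hits:
        counts[severity] += 1
    return counts


# Constructed sample: lines copied from the DDS and ComboFix logs in this
# thread; the garbled value name is rebuilt with U+FFFD.
SAMPLE_LINES = [
    "AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)",
    "BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File",
    "uRun: [swg] c:\\program files\\google\\googletoolbarnotifier\\GoogleToolbarNotifier.exe",
    "uRun: [e" + "\ufffd" * 4 + "] c:\\program files\\xp antivirus\\xpa.exe",
    "mRun: [AVG8_TRAY] c:\\progra~1\\avg\\avg8\\avgtray.exe",
    "c:\\program files\\Antivirus 2009",
    "c:\\windows\\system32\\drivers\\TDSSpqlt.sys",
    "c:\\windows\\system32\\TDSSoiqh.dll",
    "2009-01-11 18:08 10,520 a------ c:\\windows\\system32\\avgrsstx.dll",
    '"EnableFirewall"= 0 (0x0)',
    "\\Shell\\AutoRun\\command - J:\\LiteAuto.exe",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for rule, severity, line in found:
        print(f"[{severity:6}] {rule:18} {line}")
    print(summarize(found))
```

On the sample above the garbled "xp antivirus" entry trips two rules at once (unprintable value name and rogue-AV folder), which is the combination that explains the symptoms in the first post: the rogue product blocks security updates and hijacks search results. The TDSS rule matches the file names only by their prefix and location, so it would also have caught the TDSSlxwp.dll that ComboFix removed but the user had not written down.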
Ran Combofix and it deleted some files. The problem seems to be fixed at this time. Here is the log. Please let me know if I need to do anything else. Thanks a bunch.
ComboFix 09-01-13.04 - Owner 2009-01-15 21:30:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1617 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\FomboCix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Antivirus 2009
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\ieupdates.exe
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
——-\Service_TDSSserv.sys
——-\Legacy_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.
2009-01-13 22:11 . 2009-01-13 22:30 <DIR> d——– c:\windows\system32\NtmsData
2009-01-13 22:00 . 2006-01-06 12:07 185,344 –a—— c:\windows\system32\hpfinst.dll
2009-01-13 22:00 . 2006-01-06 12:07 69,632 ——— c:\windows\system32\hpodinet.dll
2009-01-13 22:00 . 2006-01-06 12:07 36,864 –a—— c:\windows\hpfsched.exe
2009-01-13 21:59 . 2009-01-13 22:20 <DIR> d——– c:\temp\photosmart
2009-01-11 23:12 . 2008-04-13 11:47 25,856 –a—— c:\windows\system32\drivers\usbprint.sys
2009-01-11 23:12 . 2008-04-13 11:47 25,856 –a–c— c:\windows\system32\dllcache\usbprint.sys
2009-01-11 18:08 . 2009-01-15 21:31 <DIR> d——– c:\windows\system32\drivers\Avg
2009-01-11 18:08 . 2009-01-11 18:08 <DIR> d——– c:\program files\AVG
2009-01-11 18:08 . 2009-01-11 18:40 <DIR> d——– c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-01-11 18:08 . 2009-01-11 18:07 <DIR> d——– c:\documents and settings\All Users\Application Data\avg8
2009-01-11 18:08 . 2009-01-11 18:08 97,928 –a—— c:\windows\system32\drivers\avgldx86.sys
2009-01-11 18:08 . 2009-01-11 18:08 76,040 –a—— c:\windows\system32\drivers\avgtdix.sys
2009-01-11 18:08 . 2009-01-11 18:08 10,520 –a—— c:\windows\system32\avgrsstx.dll
2009-01-11 16:28 . 2009-01-11 16:28 <DIR> d——– c:\program files\Lavasoft
2009-01-11 16:28 . 2009-01-11 16:28 <DIR> d——– c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-11 16:27 . 2009-01-11 16:27 <DIR> d——– c:\program files\Common Files\Wise Installation Wizard
2009-01-11 15:32 . 2009-01-11 15:32 <DIR> d——– c:\windows\Downloaded Installations
2009-01-11 15:00 . 2009-01-11 16:15 <DIR> d——– c:\program files\Spybot - Search & Destroy
2009-01-11 15:00 . 2009-01-11 16:14 <DIR> d——– c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-11 14:51 . 2009-01-11 14:51 0 –a—— c:\windows\nsreg.dat
2009-01-11 13:51 . 2009-01-11 13:51 <DIR> d——– c:\program files\Novatel Wireless
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 01:06 ——— d—–w c:\documents and settings\All Users\Application Data\McAfee
2008-12-11 10:57 333,952 —-a-w c:\windows\system32\drivers\srv.sys
2008-11-17 11:58 ——— d—–w c:\documents and settings\LocalService\Application Data\SACore
2008-10-23 12:36 286,720 —-a-w c:\windows\system32\gdi32.dll
2008-10-16 21:13 202,776 —-a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 —-a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 —-a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 —-a-w c:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 —-a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 —-a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 —-a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 —-a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 —-a-w c:\windows\system32\wininet.dll
2008-08-24 21:21 32,768 –sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-07-03 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-11 1261336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0×0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-11 97928]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-11 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-11 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-11 76040]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-09-06 13824]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{838f189e-e021-11dd-ac16-001111b0457e}]
\Shell\AutoRun\command - J:\LiteAuto.exe
.
Contents of the 'Scheduled Tasks' folder
2009-01-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]
.
- - - - ORPHANS REMOVED - - - -
BHO-{549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.supermotojunkie.com/
TCP: {AEFDC890-3F45-4685-BE56-874E9C3C555D} = 68.28.90.91 68.28.82.91
c:\windows\system32\msstkprp.dll - c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\system32\objsafe.tlb
c:\windows\system32\DLGOBJS.DLL
c:\windows\Downloaded Program Files\RraainAX.ocx
O16 -: {297DE2B6-509A-4B36-93C5-A65276606900}
hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
c:\windows\Downloaded Program Files\RraainAX.INF
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n1h8i5js.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 21:32:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-15 21:35:01
ComboFix-quarantined-files.txt 2009-01-16 04:34:40
Pre-Run: 28,825,202,688 bytes free
Post-Run: 28,927,864,832 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
153 --- E O F --- 2009-01-14 01:01:19
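The "Reg Loading Points" section of the log above is where a reviewer spends most of the time: Run keys, AppInit_DLLs, the firewall policy flag and MountPoints2 autorun commands. The following is an added triage helper, not part of this thread and not ComboFix's own tooling; it assumes ComboFix's line format as printed above and works on a constructed log excerpt modelled on it (the "Updater" entry under a Temp folder is fictitious and only there to exercise the user-writable-path heuristic; the AppInit_DLLs value is AVG's avgrsstx.dll and is flagged for verification, not as malicious).

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix code. Parses registry value lines in the
format ComboFix prints and returns the entries a reviewer should check
first. Heuristics only: a hit means "look at this", not "this is malware".
"""
import re
from typing import Dict, List

Entry = Dict[str, str]

# Constructed sample excerpt in ComboFix's section/value format.
# The "Updater" line is fictitious and exists only to show the Temp-path check.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-11 1261336]
"Updater"="c:\documents and settings\Owner\Local Settings\Temp\updater.exe" [2009-01-10 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{838f189e-e021-11dd-ac16-001111b0457e}]
\Shell\AutoRun\command - J:\LiteAuto.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
TRAILER_RE = re.compile(r"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)

# Path fragments a normal user can write to; an autorun pointing here deserves a look.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")


def parse_loading_points(text: str) -> List[Entry]:
    """Return one entry per registry value line, tagged with its enclosing key."""
    entries: List[Entry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:                                  # "[HKEY_...]" header
            key = m.group("key")
            continue
        m = AUTORUN_RE.match(line)
        if m:                                  # MountPoints2 autorun command line
            entries.append({"key": key, "name": "AutoRun\\command",
                            "data": m.group("cmd"), "date": "", "size": ""})
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        date = size = ""
        t = TRAILER_RE.search(rest)            # optional "[YYYY-MM-DD size]" trailer
        if t:
            date, size = t.group("date"), t.group("size")
            rest = rest[: t.start()]
        entries.append({"key": key, "name": m.group("name"),
                        "data": rest.strip().strip('"'), "date": date, "size": size})
    return entries


def triage(entries: List[Entry]) -> List[str]:
    """Flag the entries a reviewer should verify first."""
    findings: List[str] = []
    for e in entries:
        key_l, name_l, data_l = e["key"].lower(), e["name"].lower(), e["data"].lower()
        if key_l.endswith("\\run") and any(p in data_l for p in USER_WRITABLE):
            findings.append(f"run entry from user-writable path: {e['name']} -> {e['data']}")
        elif name_l == "appinit_dlls" and e["data"]:
            findings.append(f"AppInit_DLLs loads into every GUI process, verify module: {e['data']}")
        elif name_l == "enablefirewall" and e["data"].startswith("0"):
            findings.append("Windows Firewall is disabled (EnableFirewall=0)")
        elif "mountpoints2" in key_l and e["name"] == "AutoRun\\command":
            findings.append(f"removable-media AutoRun command: {e['data']}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_loading_points(SAMPLE_LOG)):
        print(finding)
```

Run against the sample it reports four items: the fictitious Temp-folder Run entry, the AppInit_DLLs module to verify, the disabled firewall, and the J:\LiteAuto.exe autorun command. Legitimate entries such as ctfmon.exe and the AVG tray icon are parsed but not flagged.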
Hi
OK looks good.
Let's get an online scan.
Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
Recycle bin
The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
Please do an online scan with Kaspersky WebScanner
It’s best to disable real time protection applications as they sometimes interfere with the scan.
Check this link for any applicable programs you may have.
Click on "Accept" if your pop-up blocker blocks any windows from opening.
Click Run on the window that opens.
Windows Vista users: you must open the web browser using the Run as Administrator command. The program will launch and then begin downloading the latest definition files.
Under Scan on the left side, click on My Computer.
This will start the program and scan your system.
Click the "Scan Report" on the left side.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected. Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
Save the text file to your desktop.
Copy and paste that information in your next post.
Please post the Kaspersky results.
Thanks
Geri