Jesusfreak

Members
  • Posts: 15
  • Joined
  • Last visited

Reputation: 0 Neutral

About Jesusfreak
  • Birthday: 07/26/1962

Profile Information
  • Location: USA

  1. I plan on uninstalling my other resident software and going with the one I found through Malwarebytes. So my plan is to run Avira and Malwarebytes. Avira runs in real time but Malwarebytes does not, correct? I plan on purchasing Malwarebytes and I have been asked to write a review, which I will most certainly do. Earlier in the thread you had mentioned giving me some additional tips or direction to avoid future problems, so I am ready for that if you have the time. You have done an awesome job. Thank you very much for all your help and patience.
  2. I found it...sorry. Here it is.

     ComboFix 09-08-04.02 - Billy 08/04/2009 18:44.1.4 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2521 [GMT -5:00]
     Running from: i:\documents and settings\Billy\Desktop\ComboFix.exe
     AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
     AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     i:\windows\system32\UACetjmukeshaxivrtnk.db
     i:\windows\system32\UACpyqbitltmoiopjqga.dat
     i:\windows\system32\proquota.exe . . . is missing!!
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_6TO4
     -------\Legacy_PCMSTUB
     -------\Service_6to4
     -------\Service_UACd.sys

     ((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
     .
     2009-07-29 20:26 . 2009-07-29 20:26 -------- d-----w- i:\program files\Trend Micro
     2009-07-28 20:31 . 2009-07-03 17:09 594432 -c----w- i:\windows\system32\dllcache\msfeeds.dll
     2009-07-28 20:31 . 2009-07-03 17:09 55296 -c----w- i:\windows\system32\dllcache\msfeedsbs.dll
     2009-07-28 20:29 . 2009-07-28 20:29 -------- d-----w- i:\documents and settings\ADMIN\Application Data\Malwarebytes
     2009-07-27 21:58 . 2009-07-29 00:21 15 ----a-w- i:\documents and settings\Billy\settings.dat
     2009-07-27 00:43 . 2009-07-29 01:25 -------- d---a-w- i:\documents and settings\All Users\Application Data\TEMP
     2009-07-25 21:09 . 2009-03-30 15:33 96104 ----a-w- i:\windows\system32\drivers\avipbb.sys
     2009-07-25 21:09 . 2009-03-24 21:08 55640 ----a-w- i:\windows\system32\drivers\avgntflt.sys
     2009-07-25 21:09 . 2009-02-13 17:29 22360 ----a-w- i:\windows\system32\drivers\avgntmgr.sys
     2009-07-25 21:09 . 2009-02-13 17:17 45416 ----a-w- i:\windows\system32\drivers\avgntdd.sys
     2009-07-25 21:09 . 2009-07-25 21:09 -------- d-----w- i:\program files\Avira
     2009-07-25 21:09 . 2009-07-25 21:09 -------- d-----w- i:\documents and settings\All Users\Application Data\Avira
     2009-07-25 13:33 . 2009-07-25 13:33 -------- d-----w- i:\documents and settings\ADMIN\Application Data\IObit
     2009-07-25 13:24 . 2009-07-25 13:24 -------- d-sh--w- i:\documents and settings\ADMIN\PrivacIE
     2009-07-24 22:00 . 2009-07-24 22:00 3775176 ----a-w- i:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
     2009-07-24 21:31 . 2001-08-23 12:00 4224 -c--a-w- i:\windows\system32\dllcache\beep.sys
     2009-07-24 21:31 . 2001-08-23 12:00 4224 ----a-w- i:\windows\system32\drivers\beep.sys
     2009-07-22 10:53 . 2009-07-25 22:51 -------- d-----w- i:\documents and settings\Billy\Application Data\IObit
     2009-07-22 10:53 . 2009-07-22 10:53 -------- d-----w- i:\program files\IObit
     2009-07-13 20:35 . 2009-07-13 20:35 -------- d-----w- i:\documents and settings\Billy\Application Data\Malwarebytes
     2009-07-13 20:27 . 2009-07-13 20:27 3550592 ----a-w- I:\winlogon.exe.exe
     2009-07-13 03:44 . 2009-07-13 03:44 3561752 ----a-w- I:\mbam-setup.exe
     2009-07-13 03:06 . 2009-06-17 16:27 38160 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys
     2009-07-13 03:06 . 2009-07-13 18:36 19096 ----a-w- i:\windows\system32\drivers\mbam.sys
     2009-07-13 03:06 . 2009-07-13 03:06 -------- d-----w- i:\documents and settings\All Users\Application Data\Malwarebytes
     2009-07-13 03:02 . 2009-07-13 03:02 -------- d-----w- i:\program files\FileASSASSIN
     2009-07-13 00:55 . 2009-07-03 14:49 15688 ----a-w- i:\windows\system32\lsdelete.exe
     2009-07-13 00:13 . 2009-07-03 14:49 64160 ----a-w- i:\windows\system32\drivers\Lbd.sys
     2009-07-13 00:13 . 2009-07-13 00:13 -------- dc-h--w- i:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
     2009-07-13 00:13 . 2009-07-08 17:28 2920112 -c--a-w- i:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
     2009-07-13 00:13 . 2009-07-13 00:13 -------- d-----w- i:\program files\Lavasoft
     2009-07-13 00:13 . 2009-07-13 00:13 -------- d-----w- i:\documents and settings\All Users\Application Data\Lavasoft
     2009-07-12 23:11 . 2009-07-12 23:11 -------- d-----w- i:\documents and settings\Billy\Application Data\Yahoo!
     2009-07-12 23:11 . 2009-07-25 17:38 -------- d-----w- i:\program files\Yahoo!
     2009-07-12 23:06 . 2009-07-12 23:07 49492 ----a-w- I:\cc_20090712_180634.reg
     2009-07-11 22:26 . 2009-07-12 22:28 -------- d-----w- i:\documents and settings\All Users\Application Data\4545
     2009-07-11 22:25 . 2009-07-11 22:25 -------- d-sh--w- i:\windows\system32\config\systemprofile\IETldCache
     2009-07-11 15:03 . 2009-07-11 15:04 -------- d-----w- i:\documents and settings\Billy\Local Settings\Application Data\Temp
     2009-07-11 15:03 . 2009-07-11 15:03 -------- d-----w- i:\documents and settings\Billy\Local Settings\Application Data\Deployment
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-08-04 23:10 . 2009-04-11 03:27 -------- d-----w- i:\program files\Microsoft Silverlight
     2009-07-25 16:26 . 2009-03-31 01:22 -------- d-----w- i:\documents and settings\Billy\Application Data\LimeWire
     2009-07-25 13:12 . 2009-07-25 13:12 12720 ----a-w- i:\documents and settings\ADMIN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-07-25 13:12 . 2009-07-25 13:12 -------- d-----w- i:\documents and settings\ADMIN\Application Data\Logitech
     2009-07-25 13:12 . 2009-07-25 13:12 -------- d-----w- i:\documents and settings\ADMIN\Application Data\ATI
     2009-07-19 12:40 . 2009-03-31 01:28 -------- d-----w- i:\documents and settings\All Users\Application Data\avg8
     2009-07-17 13:49 . 2009-03-31 01:28 335752 ----a-w- i:\windows\system32\drivers\avgldx86.sys
     2009-07-07 22:30 . 2009-03-27 21:39 12720 ----a-w- i:\documents and settings\Billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-07-05 15:04 . 2009-07-05 15:04 0 ----a-w- i:\windows\Infob.dat
     2009-07-05 15:04 . 2009-07-05 15:04 0 ----a-w- i:\windows\Infoa.dat
     2009-07-05 15:04 . 2009-07-05 14:34 -------- d-----w- i:\program files\Free MKV Video2Dvd
     2009-07-05 14:12 . 2009-04-06 01:06 -------- d-----w- i:\documents and settings\All Users\Application Data\Apple Computer
     2009-07-05 14:06 . 2009-07-05 14:06 -------- d-----w- i:\program files\Sonic Foundry
     2009-07-05 14:06 . 2009-07-05 14:06 -------- d-----w- i:\program files\Pure Motion
     2009-07-05 14:06 . 2009-07-05 14:06 -------- d-----w- i:\program files\DebugMode
     2009-07-03 17:09 . 2008-04-14 10:42 915456 ----a-w- i:\windows\system32\wininet.dll
     2009-06-24 20:51 . 2009-03-31 01:28 11952 ----a-w- i:\windows\system32\avgrsstx.dll
     2009-06-24 20:51 . 2009-03-31 01:28 27784 ----a-w- i:\windows\system32\drivers\avgmfx86.sys
     2009-06-19 14:56 . 2009-06-19 14:56 -------- d-----w- i:\documents and settings\Billy\Application Data\x3watch
     2009-06-16 14:36 . 2008-04-14 10:42 119808 ----a-w- i:\windows\system32\t2embed.dll
     2009-06-16 14:36 . 2008-04-14 10:41 81920 ----a-w- i:\windows\system32\fontsub.dll
     2009-06-15 03:26 . 2009-03-28 07:26 -------- d-----w- i:\documents and settings\Billy\Application Data\AdobeUM
     2009-06-03 19:09 . 2008-04-14 10:42 1291264 ----a-w- i:\windows\system32\quartz.dll
     2009-06-01 14:29 . 2009-06-01 14:29 12328 ----a-w- i:\documents and settings\Florence\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-05-25 18:06 . 2009-05-25 18:06 79872 ----a-w- i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
     2009-05-25 18:06 . 2009-05-25 18:06 349184 ----a-w- i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
     2009-05-25 18:06 . 2009-05-25 18:06 541696 ----a-w- i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
     2009-05-07 15:32 . 2008-04-14 10:41 345600 ----a-w- i:\windows\system32\localspl.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SansaDispatch"="i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-05-25 79872]
     "Nero PhotoShow Media Manager"="i:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [2006-05-10 249856]
     "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="i:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
     "ccleaner"="i:\program files\CCleaner\CCleaner.exe" [2009-06-25 1578736]
     "Advanced SystemCare 3"="i:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
     "StartCCC"="i:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
     "QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
     "NeroFilterCheck"="i:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
     "LiveMonitor"="i:\program files\MSI\Live Update 3\LMonitor.exe" [2009-02-24 498688]
     "InCD"="i:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-11-10 1051648]
     "AVG8_TRAY"="i:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-24 1948440]
     "avgnt"="i:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
     "MSConfig"="i:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
     "RTHDCPL"="RTHDCPL.EXE" - i:\windows\RTHDCPL.exe [2008-07-03 16876032]
     "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - i:\windows\KHALMNPR.Exe [2004-10-21 29696]

     i:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Reader Speed Launch.lnk - i:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
     Logitech SetPoint.lnk - i:\program files\Logitech\SetPoint\KEM.exe [2009-3-27 581632]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
     2009-06-24 20:51 11952 ----a-w- i:\windows\system32\avgrsstx.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
     @="Service"

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
     "avg8wd"=2 (0x2)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "i:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
     "i:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
     "j:\\Unreal Tournament 3\\Binaries\\UT3.exe"=

     R0 Lbd;Lbd;i:\windows\system32\drivers\Lbd.sys [7/12/2009 7:13 PM 64160]
     R1 AvgLdx86;AVG Free AVI Loader Driver x86;i:\windows\system32\drivers\avgldx86.sys [3/30/2009 8:28 PM 335752]
     R1 AvgTdiX;AVG Free8 Network Redirector;i:\windows\system32\drivers\avgtdix.sys [3/30/2009 8:28 PM 108552]
     R2 AntiVirSchedulerService;Avira AntiVir Scheduler;i:\program files\Avira\AntiVir Desktop\sched.exe [7/25/2009 4:09 PM 108289]
     R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;i:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
     R3 AtiHdmiService;ATI Function Driver for HDMI Service;i:\windows\system32\drivers\AtiHdmi.sys [3/27/2009 9:54 PM 93184]
     S2 bjftulks;bjftulks;i:\windows\system32\drivers\brrshma.sys --> i:\windows\system32\drivers\brrshma.sys [?]
     S2 rayar;rayar;\??\i:\windows\system32\drivers\skvelixtl.sys --> i:\windows\system32\drivers\skvelixtl.sys [?]
     S2 vkcyvsjbs;vkcyvsjbs;\??\i:\windows\system32\drivers\jkqtor.sys --> i:\windows\system32\drivers\jkqtor.sys [?]
     S4 avg8wd;AVG Free8 WatchDog;i:\progra~1\AVG\AVG8\avgwdsvc.exe [3/30/2009 8:28 PM 298776]

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
     "i:\windows\system32\rundll32.exe" "i:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
     .
     Contents of the 'Scheduled Tasks' folder

     2009-07-28 i:\windows\Tasks\Ad-Aware Update (Weekly).job
     - i:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

     2009-08-04 i:\windows\Tasks\WGASetup.job
     - i:\windows\system32\KB905474\wgasetup.exe [2009-04-30 03:18]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com
     mStart Page = hxxp://www.google.com
     IE: Add to Google Photos Screensa&ver - i:\windows\system32\GPhotos.scr/200
     DPF: Microsoft XML Parser for Java - file://i:\windows\Java\classes\xmldso.cab
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-08-04 18:47
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(768)
     i:\windows\system32\Ati2evxx.dll

     - - - - - - - > 'explorer.exe'(2472)
     i:\windows\system32\WININET.dll
     i:\program files\Logitech\SetPoint\lgscroll.dll
     i:\windows\system32\ieframe.dll
     i:\windows\system32\webcheck.dll
     i:\windows\system32\WPDShServiceObj.dll
     i:\windows\system32\PortableDeviceTypes.dll
     i:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     i:\windows\system32\ati2evxx.exe
     i:\windows\system32\ati2evxx.exe
     i:\program files\AVG\AVG8\avgrsx.exe
     i:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
     i:\program files\Avira\AntiVir Desktop\avguard.exe
     i:\program files\Nero\Nero 7\InCD\InCDsrv.exe
     i:\program files\Java\jre6\bin\jqs.exe
     i:\program files\Common Files\LightScribe\LSSrvc.exe
     i:\windows\system32\wbem\unsecapp.exe
     i:\program files\Lavasoft\Ad-Aware\AAWTray.exe
     i:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
     i:\program files\AVG\AVG8\avgtray.exe
     i:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
     i:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
     i:\program files\Logitech\SetPoint\KHALMNPR.exe
     .
     **************************************************************************
     .
     Completion time: 2009-08-04 18:49 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-08-04 23:49

     Pre-Run: 94,835,458,048 bytes free
     Post-Run: 94,961,287,168 bytes free

     WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
     [operating systems]
     i:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

     210 --- E O F --- 2009-08-04 23:09
  3. Hi! I'm back and ready to run ComboFix, but when I run it, it says it may be a tainted version. Can you give me the safest location for the file? It says I should download another copy before I run it. Thanks
  4. Well that's great news! I will run the other program when I get back in town. You rock!!!
  5. I didn't have time for the ComboFix but HijackThis went fast. Here's the file. I'll try and check in during my trip.

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 3:26:32 PM, on 7/29/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     I:\WINDOWS\System32\smss.exe
     I:\WINDOWS\system32\winlogon.exe
     I:\WINDOWS\system32\services.exe
     I:\WINDOWS\system32\lsass.exe
     I:\WINDOWS\system32\Ati2evxx.exe
     I:\WINDOWS\system32\svchost.exe
     I:\WINDOWS\System32\svchost.exe
     I:\WINDOWS\system32\svchost.exe
     I:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
     I:\WINDOWS\system32\Ati2evxx.exe
     I:\WINDOWS\system32\spoolsv.exe
     I:\Program Files\Avira\AntiVir Desktop\sched.exe
     I:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
     I:\Program Files\Avira\AntiVir Desktop\avguard.exe
     I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     I:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
     I:\Program Files\Java\jre6\bin\jqs.exe
     I:\Program Files\Common Files\LightScribe\LSSrvc.exe
     I:\PROGRA~1\AVG\AVG8\avgrsx.exe
     I:\PROGRA~1\AVG\AVG8\avgnsx.exe
     I:\WINDOWS\Explorer.EXE
     I:\Program Files\Java\jre6\bin\jusched.exe
     I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
     I:\WINDOWS\RTHDCPL.EXE
     I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
     I:\Program Files\MSI\Live Update 3\LMonitor.exe
     I:\Program Files\Nero\Nero 7\InCD\InCD.exe
     I:\PROGRA~1\AVG\AVG8\avgtray.exe
     I:\Program Files\Avira\AntiVir Desktop\avgnt.exe
     I:\WINDOWS\system32\ctfmon.exe
     I:\Documents and Settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
     I:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
     I:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
     I:\WINDOWS\system32\svchost.exe
     I:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
     I:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
     I:\Program Files\Logitech\SetPoint\KEM.exe
     I:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
     I:\Program Files\Internet Explorer\iexplore.exe
     I:\Program Files\Internet Explorer\iexplore.exe
     I:\Program Files\Internet Explorer\iexplore.exe
     I:\Program Files\Internet Explorer\iexplore.exe
     I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
     O3 - Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKLM\..\Run: [startCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
     O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
     O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [NeroFilterCheck] I:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
     O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
     O4 - HKLM\..\Run: [LiveMonitor] I:\Program Files\MSI\Live Update 3\LMonitor.exe
     O4 - HKLM\..\Run: [inCD] I:\Program Files\Nero\Nero 7\InCD\InCD.exe
     O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe
     O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
     O4 - HKLM\..\Run: [avgnt] "I:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
     O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [sansaDispatch] I:\Documents and Settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
     O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] I:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
     O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "I:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
     O4 - HKCU\..\Run: [ccleaner] "I:\Program Files\CCleaner\CCleaner.exe" /AUTO
     O4 - HKCU\..\Run: [Advanced SystemCare 3] "I:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
     O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
     O4 - Global Startup: Logitech SetPoint.lnk = I:\Program Files\Logitech\SetPoint\KEM.exe
     O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://I:\WINDOWS\system32\GPhotos.scr/200
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
     O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
     O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238224748875
     O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - I:\Program Files\AVG\AVG8\avgpp.dll
     O20 - Winlogon Notify: avgrsstarter - I:\WINDOWS\SYSTEM32\avgrsstx.dll
     O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - I:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
     O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - I:\Program Files\Avira\AntiVir Desktop\sched.exe
     O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - I:\Program Files\Avira\AntiVir Desktop\avguard.exe
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
     O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: InCD Helper (InCDsrv) - Nero AG - I:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - I:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
     O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - I:\Program Files\Common Files\LightScribe\LSSrvc.exe

     --
     End of file - 6495 bytes
  6. Awesome. Look forward to the advice and tips. Will run tonight. Heading out of town on business, so if not tonight, next week when I return. Very impressed with the professional help here.
  7. I have a few questions for you. Now I'm scared to death of fake viruses, etc. Where can I download HijackThis? Also, ComboFix is still resident on my desktop. Is it ok to use that one?
  8. Success!!!!! You are the bomb! I ran RootRepeal and the culprit was exposed. Here is the log. (I must add that when I rebooted, Avira started killing files as Malwarebytes was finding them. I forgot to turn it off first. So this log might be incomplete.) I ran a second log after I rebooted. I thought you might want to see it as well. It had the Trojan.TDSS. I guess to be expected? I am running a deep scan right now with Malwarebytes.

     Malwarebytes' Anti-Malware 1.39
     Database version: 2524
     Windows 5.1.2600 Service Pack 3

     7/28/2009 8:05:10 PM
     mbam-log-2009-07-28 (20-04-23).txt

     Scan type: Full Scan (I:\|)
     Objects scanned: 128550
     Time elapsed: 20 minute(s), 47 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 3

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\rp2\A0001009.dll (Trojan.TDSS) -> No action taken.
     i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\RP2\A0001010.dll (Trojan.TDSS) -> No action taken.
     i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\RP2\A0001012.dll (Trojan.TDSS) -> No action taken.

     Malwarebytes' Anti-Malware 1.39
     Database version: 2523
     Windows 5.1.2600 Service Pack 3

     7/28/2009 7:33:17 PM
     mbam-log-2009-07-28 (19-32-59).txt

     Scan type: Quick Scan
     Objects scanned: 97520
     Time elapsed: 3 minute(s), 41 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 4

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     i:\WINDOWS\system32\UACllrvxvkbwjpnbgpwy.dll (Trojan.TDSS) -> No action taken.
     i:\WINDOWS\system32\UACndjitmairulteppjw.dll (Trojan.TDSS) -> No action taken.
     i:\WINDOWS\system32\UACuniorjihvmwidjary.dll (Trojan.TDSS) -> No action taken.
     i:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys (Trojan.Agent) -> No action taken.

     If I have any major problems I will let you know. No more codecs for me. Hard lesson learned. My wife and I would like to contribute to your hard work. Where can we do that?
  9. It worked. Here is what I came up with.

     ROOTREPEAL © AD, 2007-2009
     ==================================================
     Scan Start Time: 2009/07/28 17:37
     Program Version: Version 1.3.3.0
     Windows Version: Windows XP SP3
     ==================================================

     Hidden/Locked Files
     -------------------
     Path: I:\WINDOWS\system32\UACbqbrfwofmxdulhbxv.dll
     Status: Invisible to the Windows API!

     Path: I:\WINDOWS\system32\UACetjmukeshaxivrtnk.db
     Status: Invisible to the Windows API!

     Path: I:\WINDOWS\system32\UAChqipyiuwykltuqrdh.dll
     Status: Invisible to the Windows API!

     Path: I:\WINDOWS\system32\uacinit.dll
     Status: Invisible to the Windows API!

     Path: I:\WINDOWS\system32\UACllrvxvkbwjpnbgpwy.dll
     Status: Invisible to the Windows API!

     Path: I:\WINDOWS\system32\UACndjitmairulteppjw.dll
     Status: Invisible to the Windows API!

     Path: I:\WINDOWS\system32\UACpyqbitltmoiopjqga.dat
     Status: Invisible to the Windows API!

     Path: I:\WINDOWS\system32\UACuniorjihvmwidjary.dll
     Status: Invisible to the Windows API!

     Path: I:\WINDOWS\Temp\UACaf5a.tmp
     Status: Invisible to the Windows API!

     Path: I:\Program Files\ArcSoft\TotalMedia Extreme\uActivate.dll
     Status: Invisible to the Windows API!

     Path: I:\Program Files\ArcSoft\TotalMedia Extreme\uActivate.SET
     Status: Invisible to the Windows API!

     Path: I:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys
     Status: Invisible to the Windows API!

     Path: i:\documents and settings\admin\local settings\temp\~df41d9.tmp
     Status: Allocation size mismatch (API: 16384, Raw: 0)

     Path: I:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\uActivate.dll
     Status: Invisible to the Windows API!

     Path: I:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\uActivate.SET
     Status: Invisible to the Windows API!

     Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log
     Status: Locked to the Windows API!

     Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log
     Status: Locked to the Windows API!

     Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log
     Status: Locked to the Windows API!

     Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log
     Status: Locked to the Windows API!

     Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgldr.log
     Status: Locked to the Windows API!

     Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log
     Status: Locked to the Windows API!

     Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log
     Status: Locked to the Windows API!

     Path: i:\documents and settings\admin\local settings\application data\ahead\nero home\is2.db-journal
     Status: Allocation size mismatch (API: 512, Raw: 0)

     Path: I:\Documents and Settings\Billy\Local Settings\Apps\2.0\389B0ZLN.GK6\PNKEV4VA.MLG\manifests\clickonce_bootstrap.exe.cdf-ms
     Status: Locked to the Windows API!

     Path: I:\Documents and Settings\Billy\Local Settings\Apps\2.0\389B0ZLN.GK6\PNKEV4VA.MLG\manifests\clickonce_bootstrap.exe.manifest
     Status: Locked to the Windows API!
  10. Forgot to add this...

     Malwarebytes' Anti-Malware 1.39
     Database version: 2523
     Windows 5.1.2600 Service Pack 3

     7/28/2009 4:26:56 PM
     mbam-log-2009-07-28 (16-26-56).txt

     Scan type: Quick Scan
     Objects scanned: 97312
     Time elapsed: 1 minute(s), 32 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 1
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     I:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
  11. I tried to boot to safe mode but, as I thought, my computer won't do that. I have updated Malwarebytes and still the only two things to show up are Trojan.agent and Rootkit.trace. Sometimes my computer boots, sometimes it locks up on the desktop and I need to reboot. Sometimes the browser will close by itself. I'm open to suggestions. Thanks so much for the help. PS. I read some of the articles your forums point to. I know how I got this virus. Through a codec. What an idiot I was. :-(
  12. I'm actually not sure I can boot in to safe mode. I haven't been able to but I will give it a try this evening. Again, my thanks.
  13. Sorry for the confusion. I loaded ComboFix on my Desktop, clicked on it, hit run....nothing happened for over 15 minutes.....I tried it again. Nothing. Any more suggestions? Everything is running but I know that Trojan.agent and Rootkit.trace are still there. My browser is running fine at this moment because, before I turned everything off to run ComboFix, it had blocked something trying to get on my computer and I elected to have it permanently blocked in the future. I have not rebooted, though, since then. That's the latest I can tell you. Any more suggestions? Thanks so much.
  14. I hope it's ok to ask you this. I didn't see anywhere else I could post. I finally got to a point where I could run Malwarebytes after several days. Upon running the software several times I noticed it kept coming up with two repeat offenders. Trojan.agent and some type of registry issue. I kept trying to remove them over a period of several days after getting rid of System Security 2009. My computer ran fine for a few days but then rebooted itself two days ago and although I have run several pieces of recommended software I still seem to be infected. Now the browser won't open or when it does I still get the virus software pop ups and redirects. There also seemed to be another search bar at the top of the browser with a little Microsoft symbol but it was never there before. I don't know what else to do. I still cannot boot to safe mode, I can't even reinstall Windows. Can you help me? Thanks so much!