Jesusfreak
Members-
Posts
15 -
Joined
-
Last visited
Reputation
0 NeutralAbout Jesusfreak
- Birthday 07/26/1962
Profile Information
-
Location
USA
-
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
I plan on uninstalling my other resident software and going with the one I found through Malwarebytes. So my plan is to run Avira and Malwarebytes. Avira runs in realtime but Malwarebytes does not correct? I plan on purchasing Malwarebytes and I have been asked to write a review which I will most certainly do. Earlier in the thread you had mentioned giving me some additional tips or direction to avoid future problems so I am ready for that if you have the time. You have done an awesome job. Thank you very much for all your help and patience. -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
I found it...sorry. Here it is. ComboFix 09-08-04.02 - Billy 08/04/2009 18:44.1.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2521 [GMT -5:00] Running from: i:\documents and settings\Billy\Desktop\ComboFix.exe AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . i:\windows\system32\UACetjmukeshaxivrtnk.db i:\windows\system32\UACpyqbitltmoiopjqga.dat i:\windows\system32\proquota.exe . . . is missing!! . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_6TO4 -------\Legacy_PCMSTUB -------\Service_6to4 -------\Service_UACd.sys ((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 ))))))))))))))))))))))))))))))) . 2009-07-29 20:26 . 2009-07-29 20:26 -------- d-----w- i:\program files\Trend Micro 2009-07-28 20:31 . 2009-07-03 17:09 594432 -c----w- i:\windows\system32\dllcache\msfeeds.dll 2009-07-28 20:31 . 2009-07-03 17:09 55296 -c----w- i:\windows\system32\dllcache\msfeedsbs.dll 2009-07-28 20:29 . 2009-07-28 20:29 -------- d-----w- i:\documents and settings\ADMIN\Application Data\Malwarebytes 2009-07-27 21:58 . 2009-07-29 00:21 15 ----a-w- i:\documents and settings\Billy\settings.dat 2009-07-27 00:43 . 2009-07-29 01:25 -------- d---a-w- i:\documents and settings\All Users\Application Data\TEMP 2009-07-25 21:09 . 2009-03-30 15:33 96104 ----a-w- i:\windows\system32\drivers\avipbb.sys 2009-07-25 21:09 . 2009-03-24 21:08 55640 ----a-w- i:\windows\system32\drivers\avgntflt.sys 2009-07-25 21:09 . 2009-02-13 17:29 22360 ----a-w- i:\windows\system32\drivers\avgntmgr.sys 2009-07-25 21:09 . 2009-02-13 17:17 45416 ----a-w- i:\windows\system32\drivers\avgntdd.sys 2009-07-25 21:09 . 2009-07-25 21:09 -------- d-----w- i:\program files\Avira 2009-07-25 21:09 . 2009-07-25 21:09 -------- d-----w- i:\documents and settings\All Users\Application Data\Avira 2009-07-25 13:33 . 2009-07-25 13:33 -------- d-----w- i:\documents and settings\ADMIN\Application Data\IObit 2009-07-25 13:24 . 2009-07-25 13:24 -------- d-sh--w- i:\documents and settings\ADMIN\PrivacIE 2009-07-24 22:00 . 2009-07-24 22:00 3775176 ----a-w- i:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-07-24 21:31 . 2001-08-23 12:00 4224 -c--a-w- i:\windows\system32\dllcache\beep.sys 2009-07-24 21:31 . 2001-08-23 12:00 4224 ----a-w- i:\windows\system32\drivers\beep.sys 2009-07-22 10:53 . 2009-07-25 22:51 -------- d-----w- i:\documents and settings\Billy\Application Data\IObit 2009-07-22 10:53 . 2009-07-22 10:53 -------- d-----w- i:\program files\IObit 2009-07-13 20:35 . 2009-07-13 20:35 -------- d-----w- i:\documents and settings\Billy\Application Data\Malwarebytes 2009-07-13 20:27 . 2009-07-13 20:27 3550592 ----a-w- I:\winlogon.exe.exe 2009-07-13 03:44 . 2009-07-13 03:44 3561752 ----a-w- I:\mbam-setup.exe 2009-07-13 03:06 . 2009-06-17 16:27 38160 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys 2009-07-13 03:06 . 2009-07-13 18:36 19096 ----a-w- i:\windows\system32\drivers\mbam.sys 2009-07-13 03:06 . 2009-07-13 03:06 -------- d-----w- i:\documents and settings\All Users\Application Data\Malwarebytes 2009-07-13 03:02 . 2009-07-13 03:02 -------- d-----w- i:\program files\FileASSASSIN 2009-07-13 00:55 . 2009-07-03 14:49 15688 ----a-w- i:\windows\system32\lsdelete.exe 2009-07-13 00:13 . 2009-07-03 14:49 64160 ----a-w- i:\windows\system32\drivers\Lbd.sys 2009-07-13 00:13 . 2009-07-13 00:13 -------- dc-h--w- i:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864} 2009-07-13 00:13 . 2009-07-08 17:28 2920112 -c--a-w- i:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe 2009-07-13 00:13 . 2009-07-13 00:13 -------- d-----w- i:\program files\Lavasoft 2009-07-13 00:13 . 2009-07-13 00:13 -------- d-----w- i:\documents and settings\All Users\Application Data\Lavasoft 2009-07-12 23:11 . 2009-07-12 23:11 -------- d-----w- i:\documents and settings\Billy\Application Data\Yahoo! 2009-07-12 23:11 . 2009-07-25 17:38 -------- d-----w- i:\program files\Yahoo! 2009-07-12 23:06 . 2009-07-12 23:07 49492 ----a-w- I:\cc_20090712_180634.reg 2009-07-11 22:26 . 2009-07-12 22:28 -------- d-----w- i:\documents and settings\All Users\Application Data\4545 2009-07-11 22:25 . 2009-07-11 22:25 -------- d-sh--w- i:\windows\system32\config\systemprofile\IETldCache 2009-07-11 15:03 . 2009-07-11 15:04 -------- d-----w- i:\documents and settings\Billy\Local Settings\Application Data\Temp 2009-07-11 15:03 . 2009-07-11 15:03 -------- d-----w- i:\documents and settings\Billy\Local Settings\Application Data\Deployment . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-04 23:10 . 2009-04-11 03:27 -------- d-----w- i:\program files\Microsoft Silverlight 2009-07-25 16:26 . 2009-03-31 01:22 -------- d-----w- i:\documents and settings\Billy\Application Data\LimeWire 2009-07-25 13:12 . 2009-07-25 13:12 12720 ----a-w- i:\documents and settings\ADMIN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-07-25 13:12 . 2009-07-25 13:12 -------- d-----w- i:\documents and settings\ADMIN\Application Data\Logitech 2009-07-25 13:12 . 2009-07-25 13:12 -------- d-----w- i:\documents and settings\ADMIN\Application Data\ATI 2009-07-19 12:40 . 2009-03-31 01:28 -------- d-----w- i:\documents and settings\All Users\Application Data\avg8 2009-07-17 13:49 . 2009-03-31 01:28 335752 ----a-w- i:\windows\system32\drivers\avgldx86.sys 2009-07-07 22:30 . 2009-03-27 21:39 12720 ----a-w- i:\documents and settings\Billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-07-05 15:04 . 2009-07-05 15:04 0 ----a-w- i:\windows\Infob.dat 2009-07-05 15:04 . 2009-07-05 15:04 0 ----a-w- i:\windows\Infoa.dat 2009-07-05 15:04 . 2009-07-05 14:34 -------- d-----w- i:\program files\Free MKV Video2Dvd 2009-07-05 14:12 . 2009-04-06 01:06 -------- d-----w- i:\documents and settings\All Users\Application Data\Apple Computer 2009-07-05 14:06 . 2009-07-05 14:06 -------- d-----w- i:\program files\Sonic Foundry 2009-07-05 14:06 . 2009-07-05 14:06 -------- d-----w- i:\program files\Pure Motion 2009-07-05 14:06 . 2009-07-05 14:06 -------- d-----w- i:\program files\DebugMode 2009-07-03 17:09 . 2008-04-14 10:42 915456 ----a-w- i:\windows\system32\wininet.dll 2009-06-24 20:51 . 2009-03-31 01:28 11952 ----a-w- i:\windows\system32\avgrsstx.dll 2009-06-24 20:51 . 2009-03-31 01:28 27784 ----a-w- i:\windows\system32\drivers\avgmfx86.sys 2009-06-19 14:56 . 2009-06-19 14:56 -------- d-----w- i:\documents and settings\Billy\Application Data\x3watch 2009-06-16 14:36 . 2008-04-14 10:42 119808 ----a-w- i:\windows\system32\t2embed.dll 2009-06-16 14:36 . 2008-04-14 10:41 81920 ----a-w- i:\windows\system32\fontsub.dll 2009-06-15 03:26 . 2009-03-28 07:26 -------- d-----w- i:\documents and settings\Billy\Application Data\AdobeUM 2009-06-03 19:09 . 2008-04-14 10:42 1291264 ----a-w- i:\windows\system32\quartz.dll 2009-06-01 14:29 . 2009-06-01 14:29 12328 ----a-w- i:\documents and settings\Florence\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-25 18:06 . 2009-05-25 18:06 79872 ----a-w- i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe 2009-05-25 18:06 . 2009-05-25 18:06 349184 ----a-w- i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe 2009-05-25 18:06 . 2009-05-25 18:06 541696 ----a-w- i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe 2009-05-07 15:32 . 2008-04-14 10:41 345600 ----a-w- i:\windows\system32\localspl.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SansaDispatch"="i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-05-25 79872] "Nero PhotoShow Media Manager"="i:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [2006-05-10 249856] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="i:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264] "ccleaner"="i:\program files\CCleaner\CCleaner.exe" [2009-06-25 1578736] "Advanced SystemCare 3"="i:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888] "StartCCC"="i:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440] "QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2009-01-05 413696] "NeroFilterCheck"="i:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648] "LiveMonitor"="i:\program files\MSI\Live Update 3\LMonitor.exe" [2009-02-24 498688] "InCD"="i:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-11-10 1051648] "AVG8_TRAY"="i:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-24 1948440] "avgnt"="i:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "MSConfig"="i:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984] "RTHDCPL"="RTHDCPL.EXE" - i:\windows\RTHDCPL.exe [2008-07-03 16876032] "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - i:\windows\KHALMNPR.Exe [2004-10-21 29696] i:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - i:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696] Logitech SetPoint.lnk - i:\program files\Logitech\SetPoint\KEM.exe [2009-3-27 581632] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-06-24 20:51 11952 ----a-w- i:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "avg8wd"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "i:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "i:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "j:\\Unreal Tournament 3\\Binaries\\UT3.exe"= R0 Lbd;Lbd;i:\windows\system32\drivers\Lbd.sys [7/12/2009 7:13 PM 64160] R1 AvgLdx86;AVG Free AVI Loader Driver x86;i:\windows\system32\drivers\avgldx86.sys [3/30/2009 8:28 PM 335752] R1 AvgTdiX;AVG Free8 Network Redirector;i:\windows\system32\drivers\avgtdix.sys [3/30/2009 8:28 PM 108552] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;i:\program files\Avira\AntiVir Desktop\sched.exe [7/25/2009 4:09 PM 108289] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;i:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456] R3 AtiHdmiService;ATI Function Driver for HDMI Service;i:\windows\system32\drivers\AtiHdmi.sys [3/27/2009 9:54 PM 93184] S2 bjftulks;bjftulks;i:\windows\system32\drivers\brrshma.sys --> i:\windows\system32\drivers\brrshma.sys [?] S2 rayar;rayar;\??\i:\windows\system32\drivers\skvelixtl.sys --> i:\windows\system32\drivers\skvelixtl.sys [?] S2 vkcyvsjbs;vkcyvsjbs;\??\i:\windows\system32\drivers\jkqtor.sys --> i:\windows\system32\drivers\jkqtor.sys [?] S4 avg8wd;AVG Free8 WatchDog;i:\progra~1\AVG\AVG8\avgwdsvc.exe [3/30/2009 8:28 PM 298776] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "i:\windows\system32\rundll32.exe" "i:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-07-28 i:\windows\Tasks\Ad-Aware Update (Weekly).job - i:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49] 2009-08-04 i:\windows\Tasks\WGASetup.job - i:\windows\system32\KB905474\wgasetup.exe [2009-04-30 03:18] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com mStart Page = hxxp://www.google.com IE: Add to Google Photos Screensa&ver - i:\windows\system32\GPhotos.scr/200 DPF: Microsoft XML Parser for Java - file://i:\windows\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-04 18:47 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(768) i:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(2472) i:\windows\system32\WININET.dll i:\program files\Logitech\SetPoint\lgscroll.dll i:\windows\system32\ieframe.dll i:\windows\system32\webcheck.dll i:\windows\system32\WPDShServiceObj.dll i:\windows\system32\PortableDeviceTypes.dll i:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . i:\windows\system32\ati2evxx.exe i:\windows\system32\ati2evxx.exe i:\program files\AVG\AVG8\avgrsx.exe i:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe i:\program files\Avira\AntiVir Desktop\avguard.exe i:\program files\Nero\Nero 7\InCD\InCDsrv.exe i:\program files\Java\jre6\bin\jqs.exe i:\program files\Common Files\LightScribe\LSSrvc.exe i:\windows\system32\wbem\unsecapp.exe i:\program files\Lavasoft\Ad-Aware\AAWTray.exe i:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe i:\program files\AVG\AVG8\avgtray.exe i:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe i:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe i:\program files\Logitech\SetPoint\KHALMNPR.exe . ************************************************************************** . Completion time: 2009-08-04 18:49 - machine was rebooted ComboFix-quarantined-files.txt 2009-08-04 23:49 Pre-Run: 94,835,458,048 bytes free Post-Run: 94,961,287,168 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] i:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 210 --- E O F --- 2009-08-04 23:09 -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
Hi! I'm back and ready to run ComboFix but when I run it, it says it may be a tainted version. Can you give me the safest location for the file. It says I should download another copy before I run it. Thanks -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
Well that's great news! I will run the other program when I get back in town. You rock!!! -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
I didn't have time for the Combofix but Hijackthis went fast. Here's the file. I'll try and check in during my trip. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:26:32 PM, on 7/29/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: I:\WINDOWS\System32\smss.exe I:\WINDOWS\system32\winlogon.exe I:\WINDOWS\system32\services.exe I:\WINDOWS\system32\lsass.exe I:\WINDOWS\system32\Ati2evxx.exe I:\WINDOWS\system32\svchost.exe I:\WINDOWS\System32\svchost.exe I:\WINDOWS\system32\svchost.exe I:\Program Files\Lavasoft\Ad-Aware\AAWService.exe I:\WINDOWS\system32\Ati2evxx.exe I:\WINDOWS\system32\spoolsv.exe I:\Program Files\Avira\AntiVir Desktop\sched.exe I:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe I:\Program Files\Avira\AntiVir Desktop\avguard.exe I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe I:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe I:\Program Files\Java\jre6\bin\jqs.exe I:\Program Files\Common Files\LightScribe\LSSrvc.exe I:\PROGRA~1\AVG\AVG8\avgrsx.exe I:\PROGRA~1\AVG\AVG8\avgnsx.exe I:\WINDOWS\Explorer.EXE I:\Program Files\Java\jre6\bin\jusched.exe I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe I:\WINDOWS\RTHDCPL.EXE I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe I:\Program Files\MSI\Live Update 3\LMonitor.exe I:\Program Files\Nero\Nero 7\InCD\InCD.exe I:\PROGRA~1\AVG\AVG8\avgtray.exe I:\Program Files\Avira\AntiVir Desktop\avgnt.exe I:\WINDOWS\system32\ctfmon.exe I:\Documents and Settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe I:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe I:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe I:\WINDOWS\system32\svchost.exe I:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe I:\Program Files\IObit\Advanced SystemCare 3\AWC.exe I:\Program Files\Logitech\SetPoint\KEM.exe I:\Program Files\Logitech\SetPoint\KHALMNPR.EXE I:\Program Files\Internet Explorer\iexplore.exe I:\Program Files\Internet Explorer\iexplore.exe I:\Program Files\Internet Explorer\iexplore.exe I:\Program Files\Internet Explorer\iexplore.exe I:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O3 - Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file) O4 - HKLM\..\Run: [sunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [startCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] I:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [LiveMonitor] I:\Program Files\MSI\Live Update 3\LMonitor.exe O4 - HKLM\..\Run: [inCD] I:\Program Files\Nero\Nero 7\InCD\InCD.exe O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [avgnt] "I:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sansaDispatch] I:\Documents and Settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] I:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "I:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ccleaner] "I:\Program Files\CCleaner\CCleaner.exe" /AUTO O4 - HKCU\..\Run: [Advanced SystemCare 3] "I:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Logitech SetPoint.lnk = I:\Program Files\Logitech\SetPoint\KEM.exe O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://I:\WINDOWS\system32\GPhotos.scr/200 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238224748875 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - I:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - I:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - I:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - I:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - I:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - I:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - I:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - I:\Program Files\Common Files\LightScribe\LSSrvc.exe -- End of file - 6495 bytes -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
Awesome. Look forward to the advice and tips. Will run tonight. Heading out of town on business so if not tonight next week when I return. Very impressed with the professional help here. -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
I have a few questions for you. Now I'm scared to death of fake viruses, etc. Where can I download HijackThis? Also, Combo fix is still resident on my desktop. It is ok to use that one? -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
Will do. -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
Success!!!!! You are the bomb! I ran Rootrepeal and the culprit was exposed. Here is the log. (I must add that when I rebooted Avira started killing files as Malwarebytes was finding them. I forgot to turn it off first. So this log might be incomplete.) I ran a second log after I rebooted. I thought you might want to see it as well. It had the Trojan.TDSS. I guess to be expected? I am running a deep scan right now with Malwarebytes. Malwarebytes' Anti-Malware 1.39 Database version: 2524 Windows 5.1.2600 Service Pack 3 7/28/2009 8:05:10 PM mbam-log-2009-07-28 (20-04-23).txt Scan type: Full Scan (I:\|) Objects scanned: 128550 Time elapsed: 20 minute(s), 47 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\rp2\A0001009.dll (Trojan.TDSS) -> No action taken. i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\RP2\A0001010.dll (Trojan.TDSS) -> No action taken. i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\RP2\A0001012.dll (Trojan.TDSS) -> No action taken. Malwarebytes' Anti-Malware 1.39 Database version: 2523 Windows 5.1.2600 Service Pack 3 7/28/2009 7:33:17 PM mbam-log-2009-07-28 (19-32-59).txt Scan type: Quick Scan Objects scanned: 97520 Time elapsed: 3 minute(s), 41 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: i:\WINDOWS\system32\UACllrvxvkbwjpnbgpwy.dll (Trojan.TDSS) -> No action taken. i:\WINDOWS\system32\UACndjitmairulteppjw.dll (Trojan.TDSS) -> No action taken. i:\WINDOWS\system32\UACuniorjihvmwidjary.dll (Trojan.TDSS) -> No action taken. i:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys (Trojan.Agent) -> No action taken. If I have any major problems I will let you know. No more codecs for me. Hard lesson learned. My wife and I would like to contribute to your hard work. Where can we do that? -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
It worked Here is what I came up with. ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/07/28 17:37 Program Version: Version 1.3.3.0 Windows Version: Windows XP SP3 ================================================== Hidden/Locked Files ------------------- Path: I:\WINDOWS\system32\UACbqbrfwofmxdulhbxv.dll Status: Invisible to the Windows API! Path: I:\WINDOWS\system32\UACetjmukeshaxivrtnk.db Status: Invisible to the Windows API! Path: I:\WINDOWS\system32\UAChqipyiuwykltuqrdh.dll Status: Invisible to the Windows API! Path: I:\WINDOWS\system32\uacinit.dll Status: Invisible to the Windows API! Path: I:\WINDOWS\system32\UACllrvxvkbwjpnbgpwy.dll Status: Invisible to the Windows API! Path: I:\WINDOWS\system32\UACndjitmairulteppjw.dll Status: Invisible to the Windows API! Path: I:\WINDOWS\system32\UACpyqbitltmoiopjqga.dat Status: Invisible to the Windows API! Path: I:\WINDOWS\system32\UACuniorjihvmwidjary.dll Status: Invisible to the Windows API! Path: I:\WINDOWS\Temp\UACaf5a.tmp Status: Invisible to the Windows API! Path: I:\Program Files\ArcSoft\TotalMedia Extreme\uActivate.dll Status: Invisible to the Windows API! Path: I:\Program Files\ArcSoft\TotalMedia Extreme\uActivate.SET Status: Invisible to the Windows API! Path: I:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys Status: Invisible to the Windows API! Path: i:\documents and settings\admin\local settings\temp\~df41d9.tmp Status: Allocation size mismatch (API: 16384, Raw: 0) Path: I:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\uActivate.dll Status: Invisible to the Windows API! Path: I:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\uActivate.SET Status: Invisible to the Windows API! Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Status: Locked to the Windows API! Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Status: Locked to the Windows API! Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Status: Locked to the Windows API! Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Status: Locked to the Windows API! Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgldr.log Status: Locked to the Windows API! Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log Status: Locked to the Windows API! Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Status: Locked to the Windows API! Path: i:\documents and settings\admin\local settings\application data\ahead\nero home\is2.db-journal Status: Allocation size mismatch (API: 512, Raw: 0) Path: I:\Documents and Settings\Billy\Local Settings\Apps\2.0\389B0ZLN.GK6\PNKEV4VA.MLG\manifests\clickonce_bootstrap.exe.cdf-ms Status: Locked to the Windows API! Path: I:\Documents and Settings\Billy\Local Settings\Apps\2.0\389B0ZLN.GK6\PNKEV4VA.MLG\manifests\clickonce_bootstrap.exe.manifest Status: Locked to the Windows API! -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
Forgot to add this... Malwarebytes' Anti-Malware 1.39 Database version: 2523 Windows 5.1.2600 Service Pack 3 7/28/2009 4:26:56 PM mbam-log-2009-07-28 (16-26-56).txt Scan type: Quick Scan Objects scanned: 97312 Time elapsed: 1 minute(s), 32 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: I:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot. -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
I tried to boot to safe mode but as I thought my computer won't do that. I have updated Malwarebytes and still the only two things to show up are Trojan.agent and Rootkit.trace. Sometimes my computer boots, sometimes it locks up on the desktop and I need to reboot. Sometimes the browser will close by it's self. I'm open to suggestions. Thanks so much for the help. PS. I read some of the articles your forums point to. I know how I got this virus. Through a codec. What an idiot i was. :-( -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
I'm actually not sure I can boot in to safe mode. I haven't been able to but I will give it a try this evening. Again, my thanks. -
Rootrepeal is not running as it should
Jesusfreak replied to Jesusfreak's topic in Resolved Malware Removal Logs
Sorry for the confusion. I loaded Combofix on my Desktop, clicked on it, hit run....nothing happened for over 15 minutes.....I tried it again. Nothing. Any more suggestions? Everything is running but I know that Trojan.agent and Rootkit.trace are still there. My browser is running fine at this moment because before I turned everything off to run Combofix it had blocked something trying to get on my computer and I elected to have it permanantly blocked in the future. I have not rebooted though since then. That's the latest I can tell you. Any more suggestions? Thanks so much. -
I hope it's ok to ask you this. I didn't see anywhere else I could post. I finally got to a point where I could run Malwarebytes after several days. Upon running the software several times I noticed it kept coming up with two repeat offenders. Trojan.agent and some type of registry issue. I kept trying to remove them over a period of several days after getting rid of System Security 2009. My computer ran fine for a few days but then rebooted itself two days ago and although I have run several pieces of recommended software I still seem to be infected. Now the browser won't open or when it does I still get the virus software pop ups and redirects. There also seemed to be another search bar at the top of the browser with a little Microsoft symbol but it was never there before. I don't know what else to do. I still cannot boot to safe mode, I can't even reinstall Windows. Can you help me? Thanks so much!