
cstuntz

Everything posted by cstuntz

  1. OK, ComboFix is uninstalled. Do I need to run DeFogger again to re-enable the CD emulation drivers? Thanks again for your help and the tips.
  2. You truly are a Jedi Malware Fighter. For years I never put any P2P programs on my computers, but in the last couple of years I have been using it to get music files for my library. I haven't had many problems, but I am aware that is how I most likely got this infection. I have Shareaza also; I should get rid of that and close any open ports on my router. Maybe if I want to get shareware I should get an old computer and use it only for that and just wipe it clean if and when there are problems. Either that or back away from the whole shareware scene altogether. I most appreciate your help and will make a donation as soon as we are finished. Thanks :-) Chip

....latest Malwarebytes scan log.......

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4375

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/31/2010 2:30:41 PM
mbam-log-2010-07-31 (14-30-41).txt

Scan type: Quick scan
Objects scanned: 162871
Time elapsed: 7 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  3. Ran ATF Cleaner. Had to force a reboot to unlock ComboFix. Reran the script; ComboFix.txt contents below:

ComboFix 10-07-31.01 - Chip 07/31/2010 13:16:28.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2498 [GMT -6:00]
Running from: c:\documents and settings\Chip\Desktop\MB Programs\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\Chip\Desktop\MB Programs\ComboFix\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Chip\Application Data\uTorrent
c:\documents and settings\Chip\Application Data\uTorrent\Black Oak Arkansas - High On The Hog (1973) [MP3@320Kbps] [Rock City].torrent
c:\documents and settings\Chip\Application Data\uTorrent\Black Oak Arkansas - The Wild Bunch (1999).torrent
c:\documents and settings\Chip\Application Data\uTorrent\dht.dat
c:\documents and settings\Chip\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Chip\Application Data\uTorrent\resume.dat
c:\documents and settings\Chip\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Chip\Application Data\uTorrent\rss.dat
c:\documents and settings\Chip\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Chip\Application Data\uTorrent\settings.dat
c:\documents and settings\Chip\Application Data\uTorrent\settings.dat.1.bad
c:\documents and settings\Chip\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Chip\Application Data\uTorrent\The Rolling Stone Magazines 500 Greatest Songs Of All Time.torrent
c:\documents and settings\Chip\Application Data\uTorrent\utorrent.lng
c:\program files\uTorrent
c:\program files\uTorrent\Uninstall.exe
c:\program files\uTorrent\utorrent.exe
.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.
2010-07-30 00:08 . 2010-07-30 00:08 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-28 04:01 . 2010-07-28 04:01 -------- d-----w- c:\documents and settings\Chip\Local Settings\Application Data\Threat Expert
2010-07-28 02:20 . 2006-06-19 19:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-07-28 02:20 . 2006-05-25 21:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-07-28 02:20 . 2005-08-26 07:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-07-28 02:20 . 2003-02-03 02:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-07-28 02:20 . 2002-03-06 07:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-07-23 21:53 . 2010-07-23 21:53 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-23 20:29 . 2010-07-23 20:29 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-20 23:48 . 2010-07-21 00:17 0 ----a-w- c:\windows\system32\drivers\qfgyfb.sys
2010-07-15 18:38 . 2010-07-15 18:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-14 00:24 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-08 03:49 . 2010-07-08 03:49 -------- d-----w- c:\documents and settings\Chip\Application Data\CyberLink
2010-07-08 03:49 . 2010-07-08 03:49 -------- d-----w- c:\documents and settings\Chip\Local Settings\Application Data\DVDPlay
2010-07-02 02:25 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-02 02:25 . 2001-08-18 04:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 19:24 . 2009-05-17 22:36 -------- d-----w- c:\program files\Password Safe
2010-07-31 14:39 . 2006-05-07 03:17 36352 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2010-07-31 03:49 . 2010-03-25 02:11 0 ----a-w- c:\documents and settings\Chip\Local Settings\Application Data\prvlcl.dat
2010-07-30 02:00 . 2010-03-13 22:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-29 23:53 . 2010-03-14 21:06 -------- d-----w- c:\documents and settings\Chip\Application Data\DMCache
2010-07-25 21:50 . 2009-05-17 22:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 01:01 . 2010-03-20 05:40 -------- d-----w- c:\program files\MPlayer for Windows
2010-07-21 00:30 . 2010-07-21 00:30 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-21 00:30 . 2010-07-21 00:30 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-21 00:30 . 2010-07-21 00:30 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
2010-07-21 00:30 . 2010-07-21 00:30 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-15 18:39 . 2010-07-15 18:39 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-15 18:39 . 2010-07-15 18:39 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-15 18:38 . 2008-08-24 20:29 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 18:38 . 2008-08-24 20:29 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-15 18:37 . 2010-07-15 18:37 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-15 18:37 . 2010-07-15 18:37 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-15 18:37 . 2010-07-15 18:37 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-15 18:37 . 2010-07-15 18:37 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-15 04:23 . 2010-04-17 20:29 -------- d-----w- c:\documents and settings\Chip\Application Data\ImgBurn
2010-07-06 00:53 . 2010-03-14 21:10 -------- d-----w- c:\documents and settings\Chip\Application Data\IDM
2010-06-22 05:19 . 2010-03-17 05:14 -------- d-----w- c:\documents and settings\Chip\Application Data\ClipMagic
2010-06-22 05:05 . 2010-03-17 05:14 -------- d-----w- c:\program files\ClipMagic
2010-06-17 01:18 . 2010-03-14 21:05 -------- d-----w- c:\program files\Internet Download Manager
2010-06-16 05:28 . 2010-03-14 21:10 218544 ----a-w- c:\documents and settings\Chip\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2010-06-16 05:28 . 2010-05-02 17:08 3205464 ----a-w- c:\documents and settings\Chip\Application Data\IDM\idmupdt.exe
2010-06-14 14:31 . 2004-08-10 04:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 20:38 . 2010-06-12 20:16 -------- d-----w- c:\documents and settings\Chip\Application Data\W Photo Studio Viewer
2010-06-10 00:28 . 2010-03-19 23:39 -------- d-----w- c:\program files\Glary Utilities
2010-06-02 23:50 . 2008-08-24 20:29 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-02 03:30 . 2009-05-17 22:53 -------- d-----w- c:\program files\Allway Sync
2010-05-25 02:14 . 2010-05-25 02:14 3584 ----a-r- c:\documents and settings\Chip\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-05-06 10:41 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2006-11-16 02:07 . 2007-06-20 07:02 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-03 98304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-16 417792]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2009-4-20 2162688]
procexp.exe.lnk - c:\program files\Sysinternals\procexp.exe [2010-3-12 3550592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 18:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"MPlayerForWindows_UpdateReminder"="c:\program files\MPlayer for Windows\AutoUpdate.exe" /L=1033 /TASK
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\KCeasy\\giFT\\giFTl.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/24/2008 2:29 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/24/2008 2:29 PM 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/20/2010 6:29 PM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 12:38 PM 308136]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/17/2009 4:54 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/17/2009 4:54 PM 20952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-07-30 16:39 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-03-19 16:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
IE: Copy Image To MM - file://c:\progra~1\MEDIAM~1\Scripts\WebNodesAA.htm
IE: Download All Links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with &Shareaza - c:\program files\shareaza\razawebhook32.dll/3000
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\idmmbc.dll
TCP: {F688A8A2-5B48-4278-841A-4C12C538B393} = 24.56.133.69,67.217.18.29
FF - ProfilePath - c:\documents and settings\Chip\Application Data\Mozilla\Firefox\Profiles\absc8ilm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.wunderground.com/cgi-bin/findweather/getForecast?query=80524&wuSelect=WEATHER
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\Chip\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Chip\Application Data\Mozilla\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 13:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{09b490dd-61e9-46ca-a590-60657a288004}]
@Denied: (Full) (Everyone)
"Model"=dword:000000ca
"Therad"=dword:0000001a
"MData"=hex(0):e0,ac,cd,3e,80,35,f2,a3,6e,41,7c,71,60,37,3a,9f,a8,4e,b2,c5,d2,
   55,37,c8,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):8a,7f,f0,38,82,7f,14,56,c7,4c,f7,05,de,36,66,e7,5f,49,61,b5,47,
   56,ca,b3,d8,e5,2c,9c,78,c6,2d,f5,8c,7e,af,7e,4e,0b,09,78,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\idmmbc.dll

- - - - - - - > 'explorer.exe'(640)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\WinZip\wzshlstb.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\progra~1\GLARYU~1\CONTEX~1.DLL
c:\progra~1\GLARYU~1\vcl70.bpl
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Internet Download Manager\IDMIECC.dll
c:\program files\Internet Download Manager\idmmkb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-07-31 13:30:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-31 19:30
ComboFix2.txt 2010-07-31 15:59

Pre-Run: 94,175,105,024 bytes free
Post-Run: 94,194,143,232 bytes free

- - End Of File - - 6261051B5DA9AB2B4548A025F853781E
  4. I ran ComboFix again as you said, but it has been scanning for over an hour and a half now. I wonder if it is locked. The ComboFix cursor and hard drive lights are blinking like it is still scanning, but ComboFix says the scan usually takes only about 10 min (but could be double that). The first scan we did only took about 10 min. What should I do?
  5. ----contents of ComboFix.txt

ComboFix 10-07-30.04 - Chip 07/31/2010 9:48.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2375 [GMT -6:00]
Running from: c:\documents and settings\Chip\Desktop\MB Programs\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\Chip\Desktop\MB Programs\ComboFix\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
c:\windows\system32\msconfig.exe
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_MYWEBSEARCHSERVICE

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.
2010-07-30 00:08 . 2010-07-30 00:08 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-28 04:01 . 2010-07-28 04:01 -------- d-----w- c:\documents and settings\Chip\Local Settings\Application Data\Threat Expert
2010-07-28 02:20 . 2006-06-19 19:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-07-28 02:20 . 2006-05-25 21:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-07-28 02:20 . 2005-08-26 07:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-07-28 02:20 . 2003-02-03 02:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-07-28 02:20 . 2002-03-06 07:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-07-23 21:53 . 2010-07-23 21:53 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-23 20:29 . 2010-07-23 20:29 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-20 23:48 . 2010-07-21 00:17 0 ----a-w- c:\windows\system32\drivers\qfgyfb.sys
2010-07-15 18:38 . 2010-07-15 18:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-14 00:24 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-08 03:49 . 2010-07-08 03:49 -------- d-----w- c:\documents and settings\Chip\Application Data\CyberLink
2010-07-08 03:49 . 2010-07-08 03:49 -------- d-----w- c:\documents and settings\Chip\Local Settings\Application Data\DVDPlay
2010-07-02 02:25 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-02 02:25 . 2001-08-18 04:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 15:53 . 2009-05-17 22:36 -------- d-----w- c:\program files\Password Safe
2010-07-31 14:39 . 2006-05-07 03:17 36352 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2010-07-31 03:49 . 2010-03-25 02:11 0 ----a-w- c:\documents and settings\Chip\Local Settings\Application Data\prvlcl.dat
2010-07-30 02:00 . 2010-03-13 22:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-29 23:53 . 2010-03-14 21:06 -------- d-----w- c:\documents and settings\Chip\Application Data\DMCache
2010-07-25 21:50 . 2010-03-13 05:13 -------- d-----w- c:\documents and settings\Chip\Application Data\uTorrent
2010-07-25 21:50 . 2009-05-17 22:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-25 21:50 . 2007-06-22 22:41 -------- d-----w- c:\program files\uTorrent
2010-07-22 01:01 . 2010-03-20 05:40 -------- d-----w- c:\program files\MPlayer for Windows
2010-07-21 00:30 . 2010-07-21 00:30 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-21 00:30 . 2010-07-21 00:30 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-21 00:30 . 2010-07-21 00:30 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
2010-07-21 00:30 . 2010-07-21 00:30 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-15 18:39 . 2010-07-15 18:39 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-15 18:39 . 2010-07-15 18:39 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-15 18:38 . 2008-08-24 20:29 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 18:38 . 2008-08-24 20:29 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-15 18:37 . 2010-07-15 18:37 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-15 18:37 . 2010-07-15 18:37 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-15 18:37 . 2010-07-15 18:37 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-15 18:37 . 2010-07-15 18:37 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-15 04:23 . 2010-04-17 20:29 -------- d-----w- c:\documents and settings\Chip\Application Data\ImgBurn
2010-07-06 00:53 . 2010-03-14 21:10 -------- d-----w- c:\documents and settings\Chip\Application Data\IDM
2010-06-22 05:19 . 2010-03-17 05:14 -------- d-----w- c:\documents and settings\Chip\Application Data\ClipMagic
2010-06-22 05:05 . 2010-03-17 05:14 -------- d-----w- c:\program files\ClipMagic
2010-06-17 01:18 . 2010-03-14 21:05 -------- d-----w- c:\program files\Internet Download Manager
2010-06-16 05:28 . 2010-03-14 21:10 218544 ----a-w- c:\documents and settings\Chip\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2010-06-16 05:28 . 2010-05-02 17:08 3205464 ----a-w- c:\documents and settings\Chip\Application Data\IDM\idmupdt.exe
2010-06-14 14:31 . 2004-08-10 04:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 20:38 . 2010-06-12 20:16 -------- d-----w- c:\documents and settings\Chip\Application Data\W Photo Studio Viewer
2010-06-10 00:28 . 2010-03-19 23:39 -------- d-----w- c:\program files\Glary Utilities
2010-06-02 23:50 . 2008-08-24 20:29 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-02 03:30 . 2009-05-17 22:53 -------- d-----w- c:\program files\Allway Sync
2010-05-25 02:14 . 2010-05-25 02:14 3584 ----a-r- c:\documents and settings\Chip\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-05-06 10:41 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2006-11-16 02:07 . 2007-06-20 07:02 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-03 98304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-16 417792]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2009-4-20 2162688]
procexp.exe.lnk - c:\program files\Sysinternals\procexp.exe [2010-3-12 3550592]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-6 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 18:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"MPlayerForWindows_UpdateReminder"="c:\program files\MPlayer for Windows\AutoUpdate.exe" /L=1033 /TASK
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\KCeasy\\giFT\\giFTl.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/24/2008 2:29 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/24/2008 2:29 PM 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/20/2010 6:29 PM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 12:38 PM 308136]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/17/2009 4:54 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/17/2009 4:54 PM 20952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-07-30 16:39 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-03-19 16:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
IE: Copy Image To MM - file://c:\progra~1\MEDIAM~1\Scripts\WebNodesAA.htm
IE: Download All Links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with &Shareaza - c:\program files\shareaza\razawebhook32.dll/3000
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\idmmbc.dll
TCP: {F688A8A2-5B48-4278-841A-4C12C538B393} = 24.56.133.69,67.217.18.29
FF - ProfilePath - c:\documents and settings\Chip\Application Data\Mozilla\Firefox\Profiles\absc8ilm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.wunderground.com/cgi-bin/findweather/getForecast?query=80524&wuSelect=WEATHER
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\Chip\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Chip\Application Data\Mozilla\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET
Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla 
Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . - - - - ORPHANS REMOVED - - - - SafeBoot-klmdb.sys ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-07-31 09:53 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{09b490dd-61e9-46ca-a590-60657a288004}] @Denied: (Full) (Everyone) "Model"=dword:000000ca "Therad"=dword:0000001a "MData"=hex(0):e0,ac,cd,3e,80,35,f2,a3,6e,41,7c,71,60,37,3a,9f,a8,4e,b2,c5,d2, 55,37,c8,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}] @Denied: (Full) (Everyone) "scansk"=hex(0):8a,7f,f0,38,82,7f,14,56,c7,4c,f7,05,de,36,66,e7,5f,49,61,b5,47, 56,ca,b3,d8,e5,2c,9c,78,c6,2d,f5,8c,7e,af,7e,4e,0b,09,78,00,00,00,00,00,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(796) c:\windows\system32\Ati2evxx.dll c:\windows\system32\atiadlxx.dll - - - - - - - > 'lsass.exe'(856) c:\windows\system32\idmmbc.dll - - - - - - - > 'explorer.exe'(3632) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program files\AVG\AVG9\avgchsvx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\windows\arservice.exe c:\windows\eHome\ehRecvr.exe c:\windows\eHome\ehSched.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\AVG\AVG9\avgnsx.exe c:\windows\ehome\mcrdsvc.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\windows\system32\dllhost.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\windows\system32\wscntfy.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe c:\windows\system32\rundll32.exe . 
************************************************************************** . Completion time: 2010-07-31 09:59:22 - machine was rebooted ComboFix-quarantined-files.txt 2010-07-31 15:59 Pre-Run: 93,984,780,288 bytes free Post-Run: 94,191,046,656 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect - - End Of File - - 2ED3194F62C63AFE1A2FE4D8307020DA
  6. Thank you so much for your attention. It found one infection and cured it. Here are the contents of the log file.
  7. For the last several years I have used a combination of Malwarebytes, AVG free, and Sysinternals Process Explorer and Autoruns, to track down and remove occasional malware that would get onto my computers, then run a system restore to a point before the attack, to get rid of it. However last week I got one of those bogus antivirus malwares that jumped onto my desktop computer (HP Pavilion a1510n, XP SP3), started scanning and telling me I needed their product, starting to make programs inoperable, sites getting redirected, etc. I immediately shut down, rebooted to safe mode, ran Malwarebytes and AVG scans and they removed several infections. Even after I got clean scan reports (and still do) from MBAM and AVG I still noticed redirections while browsing and computer locking up occasionally with certain svhost processes and other buggy stuff. I tried to do a system restore but it would not let me restore to any earlier point. Also my C and D hard drive partitions were no longer visible in /Computer Management/Disc Management. I turned off System Restore, rebooted and turned it back on and system restore now works again, but of course I lost access to previous restore points. I figured it was time to buy Malwarebytes full version and get some help (thanks so much for your awesome product). The protection module is now running full time on my desktop (and laptop). It is keeping my computer running, but is continually blocking connection to mainly these three sites (sometimes the last digit will vary by one or two): 213.163.89.104 61.61.20.132 91.212.226.7 I have attached the MBAM and AVG logs in a zip file in case they are of value. Also here are the contents of DDS.txt and the attach.zip and ark.zip are attached as requested. I greatly appreciate you being here- I hope you can help me track it down and get it gone. thanks Chip ............................... 
DDS (Ver_10-03-17.01) - NTFSx86
Run by Chip at 20:04:49.81 on Thu 07/29/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2401 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Password Safe\pwsafe.exe
C:\Program Files\Sysinternals\procexp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Chip\Desktop\MB Programs\DDS\dds.scr
C:\Program Files\AVG\AVG9\avgcmgr.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\razawebhook32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-b

attach.zip ark.zip MBAM_AVG_Logs.zip
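A small triage helper for the two log formats quoted in the posts above (the TDSSKiller tail and the DDS pseudo-HJT report), added here as an example; it is not code from this thread, from Malwarebytes, or from the DDS or TDSSKiller tools. It takes the quoted lines as constructed sample input, pulls out each TDSSKiller detection with the action chosen for it, reports whether a reboot is still pending to finish a cure, and lists BHO registrations whose DLL is missing ("No File"). An orphaned BHO is a stale registry entry that a cleanup script normally removes, not a malware finding on its own; the point of the helper is to make those items easy to spot in a long log.

```python
import re
from typing import Dict, List

# Constructed sample input, taken from the log excerpts quoted in the posts above.
SAMPLE_TDSSKILLER = [
    r"2010/07/31 08:38:07.0093 C:\WINDOWS\system32\DRIVERS\AmdK8.sys - will be cured after reboot",
    r"2010/07/31 08:38:07.0093 Rootkit.Win32.TDSS.tdl3(AmdK8) - User select action: Cure",
    r"2010/07/31 08:38:12.0281 Deinitialize success",
]
SAMPLE_DDS_BHO = [
    r"BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll",
    r"BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File",
    r"BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll",
    r"BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File",
]

# TDSSKiller lines start with a timestamp; the rest is a free-form message.
TDSS_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<msg>.+)$")
# "Threat.Name(object) - User select action: Cure"
DETECT_RE = re.compile(r"^(?P<threat>[\w.]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
# "<path> - will be cured after reboot"
PENDING_RE = re.compile(r"^(?P<path>.+?) - will be cured after reboot$")
# DDS BHO line: optional friendly name, CLSID in braces, then the DLL path or "No File".
BHO_RE = re.compile(r"^BHO: (?P<name>.*?)\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")


def parse_tdsskiller(lines: List[str]) -> List[Dict[str, str]]:
    """Classify each timestamped TDSSKiller line as detection, pending_cure or info."""
    events = []
    for line in lines:
        m = TDSS_RE.match(line.rstrip())
        if not m:
            continue
        msg = m.group("msg")
        ev = {"ts": m.group("ts"), "kind": "info", "msg": msg}
        d = DETECT_RE.match(msg)
        p = PENDING_RE.match(msg)
        if d:
            ev.update(kind="detection", threat=d["threat"], object=d["obj"], action=d["action"])
        elif p:
            ev.update(kind="pending_cure", path=p["path"])
        events.append(ev)
    return events


def needs_reboot(events: List[Dict[str, str]]) -> bool:
    """True when any cure is deferred to the next boot, so a rescan before reboot would be misleading."""
    return any(e["kind"] == "pending_cure" for e in events)


def parse_bho(lines: List[str]) -> List[Dict[str, object]]:
    """Extract BHO registrations from a DDS pseudo-HJT report and flag missing DLLs."""
    entries = []
    for line in lines:
        m = BHO_RE.match(line.rstrip())
        if not m:
            continue
        name = m["name"].strip().rstrip(":").strip()
        path = m["path"].strip()
        entries.append({
            "clsid": m["clsid"].lower(),
            "name": name,
            "path": path,
            "orphan": path == "No File",
        })
    return entries


def summarize(tdss_lines: List[str], dds_lines: List[str]) -> Dict[str, object]:
    """One-glance summary: what was detected, whether a reboot is still owed, which BHOs are stale."""
    events = parse_tdsskiller(tdss_lines)
    bhos = parse_bho(dds_lines)
    return {
        "detections": [(e["threat"], e["object"], e["action"]) for e in events if e["kind"] == "detection"],
        "reboot_required": needs_reboot(events),
        "orphan_bho_clsids": [b["clsid"] for b in bhos if b["orphan"]],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TDSSKILLER, SAMPLE_DDS_BHO).items():
        print(f"{key}: {value}")
```

Run against the sample, it reports the single TDSS.tdl3 detection on the AmdK8 driver with action Cure, that a reboot is still required before the cure is effective, and the two CLSIDs registered without a backing DLL. For a real log, feed the file's lines in place of the sample lists; the regexes only look at line shape, so unrelated TDSSKiller status lines are kept as "info" rather than dropped.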