Maxxam (member, 9 posts)

Posts posted by Maxxam

  1. I believe the MBAM issue has to do with Windows being on Drive H.

    Check out this post in our FAQ; I believe it applies here:

    http://forums.malwar...ndpost&p=497675

    Let me know how it goes.

    That did the trick. I updated and ran a full scan; nothing found, so I guess I should have some peace of mind at this point and trust my free edition AVG. Any thoughts or recommendations on what is the best free antivirus? In any case: thank you, Chris!

  2. ComboFix is not a threat. Please ignore it so it can finish running...

    Here is the log report:

    ComboFix 12-01-06.03 - Greg 01/07/2012 9:49.2.2 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2468 [GMT -8:00]

    Running from: h:\documents and settings\Greg\Desktop\ComboFix.exe

    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    ---- Previous Run -------

    .

    h:\documents and settings\Greg\g2mdlhlpx.exe

    h:\windows\kb913800.exe

    h:\windows\system32\drivers\etc\hosts.ics

    h:\windows\system32\SET3FC.tmp

    h:\windows\system32\SET3FD.tmp

    h:\windows\system32\SET3FF.tmp

    I:\Autorun.inf

    I:\Setup.exe

    .

    -- Previous Run --

    .

    h:\windows\system32\drivers\i8042prt.sys was missing

    Restored copy from - h:\windows\ServicePackFiles\i386\i8042prt.sys

    .

    --------

    .

    .

    ((((((((((((((((((((((((( Files Created from 2011-12-07 to 2012-01-07 )))))))))))))))))))))))))))))))

    .

    .

    2012-01-04 18:27 . 2012-01-04 18:27 -------- d-----w- h:\documents and settings\Greg\Local Settings\Application Data\Quark

    2012-01-04 18:26 . 2012-01-04 18:26 -------- d-----w- h:\windows\system32\Quark ShapeMaker Presets

    2012-01-04 18:11 . 2012-01-04 18:11 -------- d-----w- h:\documents and settings\Greg\Application Data\Quark

    2012-01-04 18:04 . 2012-01-04 18:04 -------- d-----w- h:\windows\system32\QuickTime

    2012-01-04 17:37 . 2012-01-04 18:04 -------- d-----w- h:\documents and settings\All Users\Application Data\Quark

    2012-01-04 17:37 . 2012-01-04 18:03 -------- d-----w- h:\program files\Quark

    2012-01-02 20:15 . 2008-04-13 19:18 52480 -c--a-w- h:\windows\system32\dllcache\i8042prt.sys

    2012-01-02 05:37 . 2012-01-02 05:37 -------- d-----w- h:\program files\DIFX

    2012-01-02 05:37 . 2011-11-12 19:18 33792 ----a-w- h:\windows\system32\drivers\btblan.sys

    2012-01-02 05:12 . 2012-01-02 05:37 -------- d-----w- h:\program files\LeapFrog

    2012-01-02 05:12 . 2012-01-02 05:12 -------- d-----w- h:\documents and settings\All Users\Application Data\Leapfrog

    2011-12-29 20:30 . 2012-01-02 20:36 40776 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys

    2011-12-29 20:30 . 2011-12-29 20:30 -------- d-----w- h:\documents and settings\Greg\Application Data\Malwarebytes

    2011-12-29 20:30 . 2011-12-29 20:30 -------- d-----w- h:\documents and settings\All Users\Application Data\Malwarebytes

    2011-12-29 20:30 . 2011-12-29 20:30 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware

    2011-12-29 20:30 . 2011-12-10 23:24 20464 ----a-w- h:\windows\system32\drivers\mbam.sys

    2011-12-09 21:26 . 2011-12-09 22:15 -------- d-----w- h:\documents and settings\Greg\Local Settings\Application Data\PhotoChannel

    2011-12-09 18:48 . 2011-12-13 18:58 -------- d-----w- h:\documents and settings\Greg\Local Settings\Application Data\CutePDF Writer

    2011-12-09 18:46 . 2011-12-09 18:46 -------- d-----w- h:\program files\GPLGS

    2011-12-09 18:46 . 2009-11-05 16:39 87552 ----a-w- h:\windows\system32\cpwmon2k.dll

    2011-12-09 18:45 . 2011-12-09 18:45 -------- d-----w- h:\program files\Acro Software

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2012-01-02 05:39 . 2011-06-06 17:51 414368 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl

    2011-11-23 13:25 . 2004-08-10 11:00 1859584 ------w- h:\windows\system32\win32k.sys

    2011-11-04 19:20 . 2006-03-04 03:33 916992 ----a-w- h:\windows\system32\wininet.dll

    2011-11-04 19:20 . 2004-08-10 11:00 43520 ------w- h:\windows\system32\licmgr10.dll

    2011-11-04 19:20 . 2004-08-10 11:00 1469440 ------w- h:\windows\system32\inetcpl.cpl

    2011-11-04 11:23 . 2004-08-10 11:00 385024 ------w- h:\windows\system32\html.iec

    2011-11-01 16:07 . 2004-08-10 11:00 1288704 ----a-w- h:\windows\system32\ole32.dll

    2011-10-28 05:31 . 2004-08-10 11:00 33280 ------w- h:\windows\system32\csrsrv.dll

    2011-10-26 18:41 . 2011-10-26 18:41 667256 ----a-w- h:\windows\system32\ncs2dmix.dll

    2011-10-26 18:41 . 2011-10-26 18:41 517752 ----a-w- h:\windows\system32\accesor.dll

    2011-10-26 18:01 . 2011-10-26 18:01 142456 ----a-w- h:\windows\system32\ncs2instutility.dll

    2011-10-26 17:31 . 2011-10-26 17:31 2208888 ----a-w- h:\windows\system32\ncscolib.dll

    2011-10-25 19:04 . 2011-10-25 19:04 193536 ----a-w- h:\windows\system32\Ncs2Setp.dll

    2011-10-25 13:37 . 2005-03-30 01:21 2148864 ------w- h:\windows\system32\ntoskrnl.exe

    2011-10-25 12:52 . 2005-03-30 01:01 2027008 ------w- h:\windows\system32\ntkrnlpa.exe

    2011-10-15 01:38 . 2004-08-10 11:00 456192 ----a-w- h:\windows\system32\encdec.dll

    2011-10-14 18:40 . 2011-01-16 05:13 253656 ----a-w- h:\windows\system32\drivers\e1e5132.sys

    2011-10-10 14:22 . 2011-01-16 04:42 692736 ------w- h:\windows\system32\inetcomm.dll

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

    2011-02-18 05:12 94208 ----a-w- h:\documents and settings\Greg\Application Data\Dropbox\bin\DropboxExt.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

    2011-02-18 05:12 94208 ----a-w- h:\documents and settings\Greg\Application Data\Dropbox\bin\DropboxExt.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

    2011-02-18 05:12 94208 ----a-w- h:\documents and settings\Greg\Application Data\Dropbox\bin\DropboxExt.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

    2011-02-18 05:12 94208 ----a-w- h:\documents and settings\Greg\Application Data\Dropbox\bin\DropboxExt.14.dll

    .

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="h:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]

    "LogitechSoftwareUpdate"="h:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "zBrowser Launcher"="h:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]

    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-21 282624]

    "NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2010-10-16 110696]

    "AVG_TRAY"="h:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]

    "NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2010-10-16 13851752]

    "QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2010-11-30 421888]

    "Adobe ARM"="h:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

    "SunJavaUpdateSched"="h:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

    "IAAnotif"="h:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]

    "LVCOMSX"="h:\windows\system32\LVCOMSX.EXE" [2005-07-20 221184]

    "LogitechVideoRepair"="h:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]

    "LogitechVideoTray"="h:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]

    "Monitor"="h:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]

    .

    h:\documents and settings\Greg\Start Menu\Programs\Startup\

    E-mail.lnk - [N/A]

    .

    h:\documents and settings\All Users\Start Menu\Programs\Startup\

    Microsoft Office.lnk - h:\program files\Microsoft Office\Office\OSA9.EXE [2002-3-3 65588]

    .

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

    2011-05-04 17:54 551296 ----a-w- h:\program files\SUPERAntiSpyware\SASWINLO.DLL

    .

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

    BootExecute REG_MULTI_SZ autocheck autochk *\0h:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

    .

    [HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^BounceBack Launcher.lnk]

    path=h:\documents and settings\All Users\Start Menu\Programs\Startup\BounceBack Launcher.lnk

    backup=h:\windows\pss\BounceBack Launcher.lnkCommon Startup

    .

    [HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

    path=h:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

    backup=h:\windows\pss\Microsoft Office.lnkCommon Startup

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BYR_AGENT]

    2011-06-14 07:45 392280 ----a-w- h:\documents and settings\All Users\Application Data\LGMOBILEAX\BYR_Client\VZWNotiAgent.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

    2005-10-05 11:12 94208 ------w- h:\program files\Dell\Media Experience\DMXLauncher.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

    2005-08-05 21:56 64512 ------w- h:\windows\ehome\ehtray.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]

    2007-09-06 05:24 405504 ------w- h:\windows\sttray.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

    2006-01-13 00:40 155648 ------w- h:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

    2010-10-16 20:04 13851752 ------w- h:\windows\system32\nvcpl.dll

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

    2008-05-14 18:31 244208 ------w- h:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

    "YahooAUService"=2 (0x2)

    "WMPNetworkSvc"=3 (0x3)

    "STacSV"=2 (0x2)

    "idsvc"=3 (0x3)

    "stllssvr"=3 (0x3)

    "SessionLauncher"=2 (0x2)

    "RoxWatch10"=2 (0x2)

    "RoxMediaDB10"=3 (0x3)

    "RoxLiveShare10"=2 (0x2)

    "NBService"=3 (0x3)

    "MBAMService"=2 (0x2)

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "h:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    "h:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

    "h:\\Documents and Settings\\Greg\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

    "h:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=

    "h:\\Program Files\\Skype\\Phone\\Skype.exe"=

    "h:\\WINDOWS\\system32\\sessmgr.exe"=

    "h:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=

    "h:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=

    "h:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=

    "h:\\Program Files\\RealFlightG3\\RealFlight.exe"=

    "h:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

    "24726:TCP"= 24726:TCP:FlipShareServer

    "24727:TCP"= 24727:TCP:FlipShareServer

    .

    R0 AVGIDSEH;AVGIDSEH;h:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 3:27 PM 23120]

    R0 Avgrkx86;AVG Anti-Rootkit Driver;h:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]

    R1 Avgldx86;AVG AVI Loader Driver;h:\windows\system32\drivers\avgldx86.sys [12/8/2010 4:12 AM 230608]

    R1 Avgtdix;AVG TDI Driver;h:\windows\system32\drivers\avgtdix.sys [11/12/2010 1:19 PM 295248]

    R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 8:27 AM 12880]

    R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 1:55 PM 67664]

    R2 avgwd;AVG WatchDog;h:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]

    R2 FlipShareServer;FlipShare Server;h:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [5/6/2011 11:58 AM 1085440]

    R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;h:\windows\system32\IPROSetMonitor.exe [12/2/2011 4:13 PM 117920]

    R2 ReplicaSysMon;Seagate Replica System Monitor;h:\program files\Seagate Replica\bin\ReplicaSysMon.exe [8/4/2011 1:53 PM 416208]

    R2 Seagate-Replica-Svc;Seagate Replica Service;h:\program files\Seagate Replica\bin\Seagate-Replica-Svc.exe [8/4/2011 1:53 PM 1947600]

    R3 AVGIDSDriver;AVGIDSDriver;h:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 8:42 PM 134608]

    R3 AVGIDSFilter;AVGIDSFilter;h:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 8:42 PM 24272]

    R3 AVGIDSShim;AVGIDSShim;h:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 8:42 PM 16720]

    S2 AVGIDSAgent;AVGIDSAgent;h:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]

    S2 gupdate;Google Update Service (gupdate);h:\program files\Google\Update\GoogleUpdate.exe [1/16/2011 1:57 PM 136176]

    S2 portD;CMS PortIO Service;h:\windows\system32\DRIVERS\portd2k.sys --> h:\windows\system32\DRIVERS\portd2k.sys [?]

    S3 cpudrv;cpudrv;h:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]

    S3 gupdatem;Google Update Service (gupdatem);h:\program files\Google\Update\GoogleUpdate.exe [1/16/2011 1:57 PM 136176]

    S3 Leapfrog-USBLAN;Leapfrog-USBLAN;h:\windows\system32\drivers\btblan.sys [1/1/2012 9:37 PM 33792]

    S3 MBAMSwissArmy;MBAMSwissArmy;h:\windows\system32\drivers\mbamswissarmy.sys [12/29/2011 12:30 PM 40776]

    S3 nosGetPlusHelper;getPlus® Helper 3004;h:\windows\System32\svchost.exe -k nosGetPlusHelper [8/10/2004 3:00 AM 14336]

    S3 WinRM;Windows Remote Management (WS-Management);h:\windows\system32\svchost.exe -k WINRM [8/10/2004 3:00 AM 14336]

    S3 yeddef;YEDDEF driver;h:\windows\system32\Drivers\yeddef.sys --> h:\windows\system32\Drivers\yeddef.sys [?]

    S4 RoxLiveShare10;LiveShare P2P Server 10;h:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 10:32 AM 309744]

    S4 RoxMediaDB10;RoxMediaDB10;h:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 10:31 AM 1120752]

    S4 RoxWatch10;Roxio Hard Drive Watcher 10;h:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 10:32 AM 166384]

    S4 SessionLauncher;SessionLauncher;h:\docume~1\Greg\LOCALS~1\Temp\DX9\SessionLauncher.exe --> h:\docume~1\Greg\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    WINRM REG_MULTI_SZ WINRM

    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

    2009-03-08 12:32 128512 ------w- h:\windows\system32\advpack.dll

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2012-01-07 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - h:\program files\Google\Update\GoogleUpdate.exe [2011-01-16 21:57]

    .

    2012-01-07 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - h:\program files\Google\Update\GoogleUpdate.exe [2011-01-16 21:57]

    .

    2012-01-04 h:\windows\Tasks\Quark Updater.job

    - h:\program files\Quark\Quark Update\AutoUpdate.exe [2011-08-23 22:58]

    .

    2012-01-07 h:\windows\Tasks\User_Feed_Synchronization-{A9FB54A0-6167-4899-AD3E-1389577E334B}.job

    - h:\windows\system32\msfeedssync.exe [2009-03-08 12:31]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://att.my.yahoo.com/

    uInternet Settings,ProxyOverride = *.local

    uSearchAssistant =

    IE: Google Sidewiki... - h:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

    TCP: DhcpNameServer = 192.168.1.254

    DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab

    .

    - - - - ORPHANS REMOVED - - - -

    .

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

    HKLM-Run-BounceBack Setup - h:\program files\CMS Peripherals\BounceBack Express\AppLaunch.exe

    MSConfigStartUp-AVG_TRAY - h:\program files\AVG\AVG10\avgtray.exe

    AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - h:\program files\NOS\bin\getPlusUninst_Adobe.exe

    .

    .

    .

    **************************************************************************

    .

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2012-01-07 10:03

    Windows 5.1.2600 Service Pack 3 NTFS

    .

    scanning hidden processes ...

    .

    scanning hidden autostart entries ...

    .

    scanning hidden files ...

    .

    .

    h:\documents and settings\Greg\Application Data\Dropbox\shellext\l\4f08895a 124 bytes

    .

    scan completed successfully

    hidden files: 1

    .

    **************************************************************************

    .

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

    Windows 5.1.2600 Disk: TEAC____ rev.4.08 -> Harddisk1\DR2 -> \Device\0000007f

    .

    device: opened successfully

    user: error reading MBR

    kernel: MBR read successfully

    user != kernel MBR !!!

    .

    **************************************************************************

    .

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Seagate-Replica-Svc]

    "ImagePath"="h:\program files\Seagate Replica\bin\Seagate-Replica-Svc.exe /startedbyscm:FE2355B7-40E2EE35-RebitSvcModule"

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    .

    - - - - - - - > 'winlogon.exe'(972)

    h:\program files\SUPERAntiSpyware\SASWINLO.DLL

    h:\windows\system32\WININET.dll

    .

    - - - - - - - > 'explorer.exe'(3136)

    h:\windows\system32\WININET.dll

    h:\documents and settings\Greg\Application Data\Dropbox\bin\DropboxExt.14.dll

    h:\program files\Logitech\iTouch\iTchHk.dll

    h:\windows\system32\msi.dll

    h:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

    h:\windows\system32\ieframe.dll

    h:\windows\system32\webcheck.dll

    h:\windows\system32\WPDShServiceObj.dll

    h:\windows\system32\PortableDeviceTypes.dll

    h:\windows\system32\PortableDeviceApi.dll

    .

    Completion time: 2012-01-07 10:06:33

    ComboFix-quarantined-files.txt 2012-01-07 18:06

    .

    Pre-Run: 576,745,201,664 bytes free

    Post-Run: 576,975,855,616 bytes free

    .

    - - End Of File - - 1327FCCCD9D86A5D9BF097DEFCB59741

  3. Update: I still could not run MB in safe mode. The console will open, but will then immediately shut down if I try to run a scan.

    I disabled my AVG antivirus and ran ComboFix. After ComboFix was finished and I was prompted to reboot, my AVG was automatically reactivated and it found a ComboFix.exe which it identified as a malware threat and quarantined/removed it. Was that a mistake? Was it really a malware threat, or should I let AVG ignore it?

  4. AVG did quarantine something (sorry, I do not have the info), but Malwarebytes will not run after following all instructions. DDS text log below:

    ------------------

    DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

    Internet Explorer: 8.0.6001.18702

    Run by Greg at 0:24:42 on 2011-12-01

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2327 [GMT -8:00]

    .

    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    .

    ============== Running Processes ===============

    .

    H:\WINDOWS\system32\svchost -k DcomLaunch

    svchost.exe

    H:\WINDOWS\system32\svchost.exe -k netsvcs

    svchost.exe

    svchost.exe

    H:\WINDOWS\Explorer.EXE

    H:\WINDOWS\system32\ctfmon.exe

    H:\Program Files\SUPERAntiSpyware\SASCORE.EXE

    H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    H:\Program Files\Internet Explorer\iexplore.exe

    H:\Program Files\Internet Explorer\iexplore.exe

    H:\Program Files\Internet Explorer\iexplore.exe

    H:\Program Files\Internet Explorer\iexplore.exe

    H:\Program Files\Internet Explorer\iexplore.exe

    .

    ============== Pseudo HJT Report ===============

    .

    uStart Page = hxxp://att.my.yahoo.com/

    uSearch Page =

    uWindow Title = Windows Internet Explorer provided by Yahoo!

    uDefault_Page_URL = hxxp://att.net

    uInternet Settings,ProxyOverride = *.local

    uSearchAssistant =

    mSearchAssistant =

    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - h:\program files\yahoo!\companion\installs\cpn\yt.dll

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - h:\program files\avg\avg2012\avgssie.dll

    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - h:\program files\google\google toolbar\GoogleToolbar_32.dll

    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - h:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll

    BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll

    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - h:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll

    TB: att.net Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - h:\program files\yahoo!\companion\installs\cpn\yt.dll

    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - h:\program files\google\google toolbar\GoogleToolbar_32.dll

    uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "h:\program files\common files\ahead\lib\NMBgMonitor.exe"

    uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe

    uRun: [sUPERAntiSpyware] h:\program files\superantispyware\SUPERAntiSpyware.exe

    mRun: [zBrowser Launcher] h:\program files\logitech\itouch\iTouch.exe

    mRun: [sigmatelSysTrayApp] stsystra.exe

    mRun: [NvMediaCenter] RUNDLL32.EXE h:\windows\system32\NvMcTray.dll,NvTaskbarInit

    mRun: [bounceBack Setup] "h:\program files\cms peripherals\bounceback express\AppLaunch.exe" /Launchit

    mRun: [AVG_TRAY] "h:\program files\avg\avg2012\avgtray.exe"

    mRun: [NvCplDaemon] RUNDLL32.EXE h:\windows\system32\NvCpl.dll,NvStartup

    mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime

    mRun: [Adobe ARM] "h:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

    mRun: [sunJavaUpdateSched] "h:\program files\common files\java\java update\jusched.exe"

    mRunOnce: [Malwarebytes' Anti-Malware] h:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

    IE: Google Sidewiki... - h:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe

    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - h:\program files\bonjour\ExplorerPlugin.dll

    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab

    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1295157489250

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

    DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab

    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

    DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.16.0.cab

    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP28-11263/event/ieatgpc.cab

    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab

    TCP: DhcpNameServer = 192.168.1.254

    TCP: Interfaces\{7BBAE8E6-C17E-49F4-8173-CC78B0BCD9B4} : DhcpNameServer = 192.168.1.254

    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - h:\program files\avg\avg2012\avgpp.dll

    Notify: !SASWinLogon - h:\program files\superantispyware\SASWINLO.DLL

    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll

    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - h:\program files\superantispyware\SASSEH.DLL

    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - h:\windows\system32\rundll32.exe h:\windows\system32\advpack.dll,launchinfsectionex h:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

    .

    ============= SERVICES / DRIVERS ===============

    .

    R0 AVGIDSEH;AVGIDSEH;h:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]

    R0 Avgrkx86;AVG Anti-Rootkit Driver;h:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]

    R1 Avgtdix;AVG TDI Driver;h:\windows\system32\drivers\avgtdix.sys [2010-11-12 295248]

    R2 !SASCORE;SAS Core Service;h:\program files\superantispyware\SASCore.exe [2011-8-11 116608]

    S1 Avgldx86;AVG AVI Loader Driver;h:\windows\system32\drivers\avgldx86.sys [2010-12-8 230608]

    S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;h:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]

    S1 SASDIFSV;SASDIFSV;h:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

    S1 SASKUTIL;SASKUTIL;h:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

    S2 AVGIDSAgent;AVGIDSAgent;h:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]

    S2 avgwd;AVG WatchDog;h:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]

    S2 FlipShareServer;FlipShare Server;h:\program files\flip video\flipshareserver\FlipShareServer.exe [2011-5-6 1085440]

    S2 gupdate;Google Update Service (gupdate);h:\program files\google\update\GoogleUpdate.exe [2011-1-16 136176]

    S2 McrdSvc;Media Center Extender Service;h:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

    S2 portD;CMS PortIO Service;h:\windows\system32\drivers\portd2k.sys --> h:\windows\system32\drivers\portd2k.sys [?]

    S2 ReplicaSysMon;Seagate Replica System Monitor;h:\program files\seagate replica\bin\ReplicaSysMon.exe [2011-8-4 416208]

    S2 Seagate-Replica-Svc;Seagate Replica Service;h:\program files\seagate replica\bin\Seagate-Replica-Svc.exe [2011-8-4 1947600]

    S3 AVGIDSDriver;AVGIDSDriver;h:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]

    S3 AVGIDSFilter;AVGIDSFilter;h:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]

    S3 AVGIDSShim;AVGIDSShim;h:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]

    S3 gupdatem;Google Update Service (gupdatem);h:\program files\google\update\GoogleUpdate.exe [2011-1-16 136176]

    S3 nosGetPlusHelper;getPlus® Helper 3004;h:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-10 14336]

    S3 WinRM;Windows Remote Management (WS-Management);h:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]

    S3 yeddef;YEDDEF driver;h:\windows\system32\drivers\yeddef.sys --> h:\windows\system32\drivers\yeddef.sys [?]

    S4 RoxLiveShare10;LiveShare P2P Server 10;h:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]

    S4 RoxMediaDB10;RoxMediaDB10;h:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]

    S4 RoxWatch10;Roxio Hard Drive Watcher 10;h:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]

    S4 SessionLauncher;SessionLauncher;h:\docume~1\greg\locals~1\temp\dx9\sessionlauncher.exe --> h:\docume~1\greg\locals~1\temp\dx9\SessionLauncher.exe [?]

    .

    =============== Created Last 30 ================

    .

    2011-12-01 08:20:24 22216 ----a-w- h:\windows\system32\drivers\mbam.sys

    2011-12-01 07:56:37 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware

    2011-12-01 07:31:50 -------- d-----w- h:\documents and settings\greg\application data\SUPERAntiSpyware.com

    2011-12-01 07:31:24 -------- d-----w- h:\program files\SUPERAntiSpyware

    2011-12-01 07:31:24 -------- d-----w- h:\documents and settings\all users\application data\SUPERAntiSpyware.com

    2011-12-01 07:12:36 -------- d-----w- h:\documents and settings\all users\application data\Malwarebytes

    2011-11-12 20:33:00 -------- d-----w- h:\documents and settings\greg\application data\FileMaker Pro Advanced

    .

    ==================== Find3M ====================

    .

    2011-11-15 16:05:33 414368 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl

    2011-10-10 14:22:41 692736 ------w- h:\windows\system32\inetcomm.dll

    2011-10-07 13:23:48 230608 ----a-w- h:\windows\system32\drivers\avgldx86.sys

    2011-10-04 13:21:42 16720 ----a-w- h:\windows\system32\drivers\AVGIDSShim.sys

    2011-10-03 12:06:03 472808 ----a-w- h:\windows\system32\deployJava1.dll

    2011-10-03 09:37:52 73728 ----a-w- h:\windows\system32\javacpl.cpl

    2011-09-30 16:53:36 72080 ----a-w- h:\documents and settings\greg\g2mdlhlpx.exe

    2011-09-28 07:06:50 599040 ----a-w- h:\windows\system32\crypt32.dll

    2011-09-26 18:41:20 611328 ----a-w- h:\windows\system32\uiautomationcore.dll

    2011-09-26 18:41:20 220160 ----a-w- h:\windows\system32\oleacc.dll

    2011-09-26 18:41:14 20480 ----a-w- h:\windows\system32\oleaccrc.dll

    2011-09-13 13:30:10 32592 ----a-w- h:\windows\system32\drivers\avgrkx86.sys

    2011-09-06 13:20:51 1858944 ------w- h:\windows\system32\win32k.sys

    .

    =================== ROOTKIT ====================

    .

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

    Windows 5.1.2600 Disk: TEAC____ rev.4.08 -> Harddisk1\DR2 -> \Device\00000077

    .

    device: opened successfully

    user: error reading MBR

    .

    Disk trace:

    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys hal.dll

    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk1\DR2[0x89417680]

    kernel: MBR read successfully

    _asm { ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; }

    user != kernel MBR !!!

    .

    ============= FINISH: 0:26:10.71 ===============

    Thank You

    Can I still request some help? Malwarebytes will not run, so I am sure my PC is infected.

    Thank You
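Both logs above (the ComboFix log in post 2 and the DDS log in post 4) print services and drivers one per line, and the entries that deserve a second look in any such log are the ones the tool could not match to a file on disk (the trailing `--> path [?]` form) and the ones whose image lives in a user's Temp folder. The script below is an added example for this page; it is not part of the original posts and not code from the DDS or ComboFix tools. The line format is inferred from the logs as shown here, the sample lines are constructed to match that shape, and the two heuristics it applies (missing image file, Temp-directory image path) are the editor's own triage rules, not a verdict on whether any particular entry on this page is malicious.

```python
"""Triage helper for the 'SERVICES / DRIVERS' lines printed by DDS and ComboFix.

Added example; not part of the original posts and not code from either tool.
The line shape is inferred from the logs on this page:

    R0 name;display name;image path [date size]        -> file found on disk
    S2 name;display name;image path --> image path [?] -> file NOT found on disk

First letter: R = running, S = stopped.  Digit: service start type (0 boot,
1 system, 2 auto, 3 manual, 4 disabled).
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
MISSING_RE = re.compile(r"-->\s*(?P<path>.+?)\s*\[\?\]\s*$")
FOUND_RE = re.compile(r"^(?P<path>.+?)\s*\[(?P<meta>[^\]]+)\]\s*$")
# User-writable temp locations as XP-era logs print them (8.3 or long form).
# Heuristic chosen for this example, not a rule from either tool.
TEMP_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.IGNORECASE)

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


@dataclass
class ServiceEntry:
    start: str           # e.g. "S2"
    name: str
    display: str
    path: str            # image path as logged (may include an svchost -k group)
    file_present: bool   # False when the tool printed "--> path [?]"

    @property
    def start_type(self) -> str:
        return START_TYPES[self.start[1]]


@dataclass
class Finding:
    entry: ServiceEntry
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a service/driver line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None
    name, display, rest = m["name"].strip(), m["display"].strip(), m["rest"]
    missing = MISSING_RE.search(rest)
    if missing:
        return ServiceEntry(m["start"], name, display, missing["path"].strip(), False)
    found = FOUND_RE.match(rest)
    path = (found["path"] if found else rest).strip()
    return ServiceEntry(m["start"], name, display, path, True)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Flag entries whose image file is missing or lives under a user Temp folder."""
    findings: List[Finding] = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = []
        if not entry.file_present:
            reasons.append("image file not found on disk (dangling service registration)")
        if TEMP_RE.search(entry.path):
            reasons.append("image path under a user Temp directory")
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


# Constructed sample input in the shape of the logs above (not a full log).
SAMPLE_LINES = [
    "============= SERVICES / DRIVERS ===============",
    r"R0 AVGIDSEH;AVGIDSEH;h:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]",
    r"S2 portD;CMS PortIO Service;h:\windows\system32\drivers\portd2k.sys --> h:\windows\system32\drivers\portd2k.sys [?]",
    r"S3 WinRM;Windows Remote Management (WS-Management);h:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]",
    r"S4 SessionLauncher;SessionLauncher;h:\docume~1\greg\locals~1\temp\dx9\sessionlauncher.exe --> h:\docume~1\greg\locals~1\temp\dx9\SessionLauncher.exe [?]",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        e = f.entry
        state = "running" if e.start[0] == "R" else "stopped"
        print(f"{e.name} ({e.start_type}, {state}): {e.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

To run it over a saved log, pass the file's lines to `triage()` (for example `triage(open("ComboFix.txt", errors="replace").read().splitlines())`). A flagged entry is a lead for a hands-on check, such as confirming the file really is absent and whether the service name belongs to a product that was uninstalled, not proof of infection; conversely, an entry the script does not flag is not thereby clean.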
