
I think I am in deep trouble


Hello AdvancedSetup,

I cannot really install the VB6 files because I cannot copy or move anything on the infected computer. I can run them from the CD or from a USB stick, but that doesn't solve the problem.

I ran Avira again with the option of renaming the infected files (the alerted ones). After that I couldn't start MBAM either; also, reinstalling the VB file under DOS doesn't help.

I am very sorry that I have to bother you this much; as far as I can see you do an incredible job on this forum!!!

Rolf


  • Root Admin

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

You can type this into the infected computer instead of copy/paste.

Then in a DOS console (click on START - RUN and type in CMD) you should be able to copy a new version of Combofix.exe from the CD.

Assuming your CD ROM is the D: drive

COPY D:\Combofix.exe %HOMEPATH%\Desktop

Let me know how that goes. If you can then run a new HJT.

Take a look at running one or all of these fixes to try to restore the Network.

There are various issues that can cause loss of Internet activity. It could be Malware that is on your system that needs to be removed first, however it could also be from the removal of Malware or similar issues. Step one should be to ensure you remove any Malware from your system first.

Depending on what is wrong there are 3 methods of repair that you can try to re-establish connectivity.

METHOD 1

LSP-Fix

Repairs Winsock 2 settings, caused by buggy or improperly-removed Internet software, that result in loss of Internet access

METHOD 2

WinSock XP Fix 1.2

It can often cure the problem of lost connections after the removal of Adware components or improper uninstall of firewall applications or other tools that modify the XP network and Winsock settings.

If you encounter connection problems after removing network related software, Adware or after registry clean-up; and all other ways fail, then give WinSock XP Fix a try.

METHOD 3

Microsoft KB article to reset TCP/IP

One of the components of the Internet connection on your computer is a built-in set of instructions called TCP/IP. TCP/IP can sometimes become corrupted. If you cannot connect to the Internet and you have tried all other methods to resolve the problem, TCP/IP might be causing it.

Because TCP/IP is a core component of Windows, you cannot remove it. However, you can reset TCP/IP to its original state by using the NetShell utility (netsh).


Hello AdvancedSetup,

Sorry for the delay, but I had other business to do.

I did run the DOS command and the computer did shut down.

After this I was able to copy a new version of Combofix directly on the infected computer.

But it gives the following error message: "an error in prep.com occurred". So I think there is no use in running a new HJT (I did it anyway, but I will not attach it now).

Then I tried the LSP fix and it stated that no problems were found.

I downloaded Winsock XP Fix 1.2 (RegCure) and ran it: it found 1078 problems, all in sections it will not repair without a registry key.

Finally I reset TCP/IP manually as mentioned in the Microsoft article, but after the command line in DOS was executed it came back with the message that the RPC server is not available (and I cannot start it in the services).

Rolf


  • Root Admin

Yes, you appear to have an active infection blocking it. Please try to run the following. Use a friend's computer or a work computer if you have to in order to burn the CD.

Please try to rename Combofix.exe to something else, like BLOKE.EXE or similar. Then try to run it again (make sure any AV is disabled).

If that does not work, then try running it in SAFE MODE after renaming it.

If it still will not run then try the Avira again, this time choosing the options shown below.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here.
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post here if you're unable to view the entire screen of Avira.

Hey AdvancedSetup,

I think we are making progress now.

I renamed Combofix and tried to run it in normal mode: the prep.com error again.

I started the computer in safe mode and could run Combofix with no problem.

Then I checked the computer in normal mode: the services are still not all there (and I can't restart them), and MBAM doesn't work either because of the vbalgrid problem.

BUT I could run Combofix now!! (in normal mode). By the way, MBAM still doesn't work.

So I add the log here:

ComboFix 09-02-10.03 - Rolf van den Berg 2009-02-11 10:17:56.2 - NTFSx86

Gestart vanuit: C:\rolfComboFix.exe

.

(((((((((((((((((((( Bestanden Gemaakt van 2009-01-11 to 2009-02-11 ))))))))))))))))))))))))))))))

.

2009-02-11 09:37 . 2009-02-11 09:37 2,920,236 -ra------ C:\rolfComboFix.exe

2009-02-10 09:03 . 2009-02-11 10:04 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-02-10 09:02 . 2009-02-10 09:03 <DIR> d-------- c:\program files\Registry Mechanic1

2009-02-10 09:02 . 2009-02-10 09:02 <DIR> d-------- c:\program files\ACW

2009-02-10 07:55 . 2009-02-09 12:04 186,880 --a------ C:\LSPFix.exe

2009-02-09 11:52 . 2009-02-10 08:54 <DIR> d-------- c:\program files\RegCure

2009-02-09 11:11 . 2009-02-03 14:56 3,126,530 --a------ C:\ComboFix.exe

2009-02-07 10:54 . 2009-02-09 12:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware1

2009-02-04 09:11 . 2009-02-04 09:11 <DIR> d-------- c:\program files\Nieuwe map

2009-01-31 12:15 . 2009-02-10 09:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-31 12:15 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-31 12:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-28 18:41 . 2009-01-28 18:41 <DIR> d-------- C:\rescued

2009-01-28 14:44 . 2009-01-29 09:18 250 --a------ c:\windows\gmer.ini

2009-01-22 14:44 . 2009-01-22 14:44 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-01-20 08:41 . 2009-01-20 08:41 408,674 --a------ C:\_skey_20-01-2009__08-41-06.zip

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-08 10:42 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-22 14:00 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-20 13:48 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys

2009-01-02 17:48 388,009 ----a-w C:\_skey_02-01-2009__12-48-14.zip

2008-11-20 02:59 320,068 ----a-w C:\_skey_19-11-2008__21-59-07.zip

2005-11-14 16:21 23,826,720 ----a-w c:\documents and settings\All Users\AdbeRdr705_nld_full.exe

2005-11-14 16:19 7,221,384 ----a-w c:\documents and settings\All Users\psa30se_nl_nl.exe

2005-11-14 16:18 16,706,160 ----a-w c:\documents and settings\All Users\AdbeRdr60_enu_full.exe

2005-03-28 21:03 4,386,176 ----a-w c:\program files\WinXP_EN_HOM_BF.EXE

2005-03-28 21:02 518,888 ----a-w c:\program files\WindowsXP-KB884020-x86-enu.exe

2003-09-10 08:01 429,264 ----a-w c:\program files\AdbeRdr60_DLM_enu_full.exe

2002-06-05 09:01 9,804,495 ----a-w c:\program files\bksetupE.EXE

2002-06-05 08:17 3,614,764 ----a-w c:\program files\bkupdate.EXE

.

------- Sigcheck -------

md5deep: c:\windows\$NtServicePackUninstall$\svchost.exe: Permission denied

2004-08-04 03:03 14336 ab8c6d89a897bacba4657fdf00e344a6 c:\windows\ServicePackFiles\i386\svchost.exe

2004-08-04 03:03 14336 ab8c6d89a897bacba4657fdf00e344a6 c:\windows\system32\svchost.exe

2005-03-02 13:21 578560 0b62745ce93e8c6f56547f70269dbabc c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

2007-03-08 10:51 579584 fa35431e333943f4b2a6d33fa4ee3ce9 c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll

md5deep: c:\windows\$NtServicePackUninstall$\user32.dll: Permission denied

md5deep: c:\windows\$NtUninstallKB824141$\user32.dll: Permission denied

md5deep: c:\windows\$NtUninstallKB824141_RTM$\user32.dll: Permission denied

2004-08-04 03:03 578560 8e5d344fd717d35ee7ed1c8e0ad0cbe6 c:\windows\$NtUninstallKB890859$\user32.dll

2003-09-25 12:11 561664 7e3c22f61da66b2e91197f0cc166d09b c:\windows\$NtUninstallKB891711$\user32.dll

2005-03-02 13:19 578560 a9f2ebfc6ef9c1fb38cedcf747162b6c c:\windows\$NtUninstallKB925902$\user32.dll

2002-09-09 16:08 561664 2e8cec28be4d9b830ba0aff73c9279f7 c:\windows\$NtUninstallQ328310$\user32.dll

2001-09-07 07:00 562688 67641e3974a5ca6247c3dfc498bc9d1b c:\windows\$NtUninstallQ328310_RTM$\user32.dll

2003-09-25 12:11 561664 7e3c22f61da66b2e91197f0cc166d09b c:\windows\$xpsp1hfm$\KB824141\user32.dll

2002-11-22 05:32 530432 b7a7c40c3c8c9c155cd1d9952e82e833 c:\windows\$xpsp1hfm$\Q328310\user32.dll

2004-08-04 03:03 578560 8e5d344fd717d35ee7ed1c8e0ad0cbe6 c:\windows\ServicePackFiles\i386\user32.dll

2007-03-08 10:39 579072 cb18f701a5d55a6308fab8d18322c060 c:\windows\system32\user32.dll

md5deep: c:\windows\$NtServicePackUninstall$\ws2_32.dll: Permission denied

2004-08-04 03:03 82944 06ebcbe58321e924980148b7e3dbd753 c:\windows\ServicePackFiles\i386\ws2_32.dll

2004-08-04 03:03 82944 06ebcbe58321e924980148b7e3dbd753 c:\windows\system32\ws2_32.dll

2005-01-27 12:13 660992 35c432675828491688b75e8782871a11 c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll

2005-05-02 15:59 662016 c048c90ce1ce329ab9e1e412dec87920 c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll

2005-03-10 02:50 660992 8010eece634e0f3d6ff176457df63619 c:\windows\$hf_mig$\KB890923\SP2QFE\wininet.dll

2005-09-02 18:55 663552 632629b24eb816fe354f66b48513e104 c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll

2005-07-02 21:11 662528 c167930aeef3c1739f340d5758834b01 c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll

2005-10-20 22:40 664576 06ae5bd6363190e622f1aa91591f41c4 c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll

2006-03-03 23:01 666624 b81cf479b43ed1ca2df12c878b596b2e c:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll

2006-10-23 10:36 667648 7693ccdd13b082985ca0ac2862cbcaf7 c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll

2007-01-04 09:05 668160 243988bb76262d72a48e8312bf8a0231 c:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll

2007-02-19 10:23 668672 48e1c53ba8c6267bb97925ef729bde90 c:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll

2007-03-07 12:40 823296 296b479402ef4c4c48f2d90a8bcc66d5 c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll

2007-04-25 03:35 823808 b0a373678205f1aac179eb084e0f9f55 c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll

2007-06-27 09:15 824320 1e9d35ba9240592a68bb5980aa23fdb9 c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll

2007-08-20 04:52 825344 077b22b5febaa055aac0406413f53a5f c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll

md5deep: c:\windows\$NtServicePackUninstall$\wininet.dll: Permission denied

2004-08-04 03:03 659456 6c7e1322898378c30bcd9f779a2621ee c:\windows\$NtUninstallKB867282$\wininet.dll

2004-02-06 11:09 591872 90341f714a4804c9103387a7d9968e4a c:\windows\$NtUninstallKB867282-IE6SP1-20050127.163319$\wininet.dll

2005-03-10 03:06 659968 810bbd0592b40908c5d88b9e7823b54d c:\windows\$NtUninstallKB883939$\wininet.dll

2005-01-27 12:14 659968 5d2ffb9d94d9fdc5304b4783999bf43e c:\windows\$NtUninstallKB890923$\wininet.dll

2005-07-02 21:17 661504 c9567d2cd2441dff60814e721ef6eb43 c:\windows\$NtUninstallKB896688$\wininet.dll

2005-05-02 15:57 660992 2d9bccc29c0f34794dade5e4c95e9239 c:\windows\$NtUninstallKB896727$\wininet.dll

2005-09-02 18:55 661504 fbc6550971ed432f77e35dd376d573b0 c:\windows\$NtUninstallKB905915$\wininet.dll

2005-10-20 22:41 661504 24059da5b7131cb82c2b8a39701d93f9 c:\windows\$NtUninstallKB912812$\wininet.dll

2006-03-03 22:35 661504 7dcc79c2de609f74aa67e16e8e77af4c c:\windows\$NtUninstallKB925454$\wininet.dll

2006-10-23 10:19 662016 e30ad3b3927b33d894486efaccd48014 c:\windows\$NtUninstallKB928090$\wininet.dll

2007-01-04 08:57 662016 366ec67e75f81d891adfcc9941f1de45 c:\windows\$NtUninstallKB931768$\wininet.dll

md5deep: c:\windows\$NtUninstallQ309521$\wininet.dll: Permission denied

2007-02-19 10:05 662016 55be69a43120fda4cfb7c0c1f305db1a c:\windows\ie7\wininet.dll

2007-03-07 12:43 822784 1bf0d2b31d2d651f0eaf8491cd6ce193 c:\windows\ie7updates\KB933566-IE7\wininet.dll

2004-08-04 03:03 659456 6c7e1322898378c30bcd9f779a2621ee c:\windows\ServicePackFiles\i386\wininet.dll

2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\system32\wininet.dll

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

md5deep: c:\windows\$NtServicePackUninstall$\tcpip.sys: Permission denied

2004-08-04 01:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys

2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB913446$\tcpip.sys

2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys

2004-08-04 01:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\ServicePackFiles\i386\tcpip.sys

2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 c:\windows\system32\drivers\tcpip.sys

md5deep: c:\windows\$NtServicePackUninstall$\winlogon.exe: Permission denied

2004-08-04 03:03 504832 732ed791711df9c9dd15e5515bc681b8 c:\windows\ServicePackFiles\i386\winlogon.exe

2004-08-04 03:03 504832 732ed791711df9c9dd15e5515bc681b8 c:\windows\system32\winlogon.exe

md5deep: c:\windows\$NtServicePackUninstall$\ndis.sys: Permission denied

2004-08-04 01:14 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\ServicePackFiles\i386\ndis.sys

2004-08-04 01:14 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\ServicePackFiles\i386\ip6fw.sys

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\drivers\ip6fw.sys

2005-03-02 13:14 2061312 c26d84b802567e629d42861a11c7ec04 c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe

2006-12-19 13:47 2063744 4bf54c0431a9bb0bce6c821cd4018f7d c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe

2007-02-28 11:09 2063744 f51b8d8b0703518349096604e788b83e c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe

md5deep: c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe: Permission denied

2003-04-24 03:19 1953664 743e0ab93a1cd6e7e33833aa4a8b1cdd c:\windows\$NtUninstallKB885835_0$\ntkrnlpa.exe

2004-08-04 02:58 2061184 e0399688d466b7c3afdffb5a2ed9f351 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe

2005-03-02 13:09 2061184 c6cf1974acdb8329daf9d001c0937cb0 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe

2006-12-19 13:25 2061952 6d080ddc482e83a69c9a862c247fa50d c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe

2001-09-07 07:00 1901056 4a50338a962a84e1bb692090c704c32d c:\windows\$NtUninstallQ317277$\ntkrnlpa.exe

2002-09-09 15:17 1952128 13c45289c0e4f23cf129417dca1f2f6e c:\windows\$NtUninstallQ811493$\ntkrnlpa.exe

2002-02-25 09:51 1902080 09f960c46026a351603e81079aaf764e c:\windows\$NtUninstallQ811493_RTM$\ntkrnlpa.exe

2003-04-24 03:19 1953664 743e0ab93a1cd6e7e33833aa4a8b1cdd c:\windows\$xpsp1hfm$\Q811493\ntkrnlpa.exe

2007-02-28 11:05 2061952 57b09ad681c1d8db77ccc3e92d8f5d14 c:\windows\Driver Cache\i386\ntkrnlpa.exe

2004-08-04 02:58 2061184 e0399688d466b7c3afdffb5a2ed9f351 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe

2007-02-28 11:05 2061952 57b09ad681c1d8db77ccc3e92d8f5d14 c:\windows\system32\ntkrnlpa.exe

2005-03-02 13:15 2183936 5db3e8dec987b5d350e4a105dceaee6a c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe

2006-12-19 13:47 2186368 4cb6c3b16587971c56aaa8a9b0511bc7 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe

2007-02-28 11:09 2186496 59dca97dc201792c1ccf9fe621ee5ed7 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe

md5deep: c:\windows\$NtServicePackUninstall$\ntoskrnl.exe: Permission denied

2003-04-24 03:20 1929984 42136718606f3b8c651f390ecba343fe c:\windows\$NtUninstallKB885835_0$\ntoskrnl.exe

2004-08-04 02:58 2185344 87aaea3908e069fb1be37380c895dfb8 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe

2005-03-02 13:09 2183680 281a1e82f5f8fc0b2f4b57ef296a4240 c:\windows\$NtUninstallKB929338$\ntoskrnl.exe

2006-12-19 13:25 2184704 f609063bae4d058a4019c4d99a1fd8dd c:\windows\$NtUninstallKB931784$\ntoskrnl.exe

2001-09-07 07:00 1986560 c97bd142ee63e0bc97ddc1f61cdd1b86 c:\windows\$NtUninstallQ317277$\ntoskrnl.exe

2002-09-09 15:18 2046464 ed3086cf7c835d8a3fd0e6fbd95c0f53 c:\windows\$NtUninstallQ811493$\ntoskrnl.exe

2002-02-25 09:51 1879808 ffebcc999717bc4a00a34e725b7a71da c:\windows\$NtUninstallQ811493_RTM$\ntoskrnl.exe

2003-04-24 03:20 1929984 42136718606f3b8c651f390ecba343fe c:\windows\$xpsp1hfm$\Q811493\ntoskrnl.exe

2007-02-28 11:05 2184704 caaa8fd3c034a227691a43b60873f097 c:\windows\Driver Cache\i386\ntoskrnl.exe

2004-08-04 02:58 2185344 87aaea3908e069fb1be37380c895dfb8 c:\windows\ServicePackFiles\i386\ntoskrnl.exe

2007-02-28 11:05 2184704 caaa8fd3c034a227691a43b60873f097 c:\windows\system32\ntoskrnl.exe

2007-06-13 08:24 1036800 147e95a42a58ce99e403f7f57656bbeb c:\windows\explorer.exe

2007-06-13 08:12 1036800 1d6245afbd3faabc16a885116be1874d c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

md5deep: c:\windows\$NtServicePackUninstall$\explorer.exe: Permission denied

2002-09-09 16:08 1007616 040cc36796bba354b678bce9dcb25a3a c:\windows\$NtUninstallKB820291$\explorer.exe

2004-08-04 03:03 1035776 a1d7304a87fc3093150f5e3cc7b0f338 c:\windows\$NtUninstallKB938828$\explorer.exe

2004-08-04 03:03 1035776 a1d7304a87fc3093150f5e3cc7b0f338 c:\windows\ServicePackFiles\i386\explorer.exe

md5deep: c:\windows\$NtServicePackUninstall$\services.exe: Permission denied

2004-08-04 03:03 108544 39991cd3c17b7529d039151a88e84499 c:\windows\ServicePackFiles\i386\services.exe

2004-08-04 03:03 108544 39991cd3c17b7529d039151a88e84499 c:\windows\system32\services.exe

md5deep: c:\windows\$NtServicePackUninstall$\lsass.exe: Permission denied

2004-08-04 03:03 13312 34a82debefb057fcccbe15f619fc98a7 c:\windows\ServicePackFiles\i386\lsass.exe

2004-08-04 03:03 13312 34a82debefb057fcccbe15f619fc98a7 c:\windows\system32\lsass.exe

md5deep: c:\windows\$NtServicePackUninstall$\ctfmon.exe: Permission denied

2004-08-04 03:03 15360 7de46c9c40abb58c8fdfe0212a3bf2b4 c:\windows\ServicePackFiles\i386\ctfmon.exe

2004-08-04 03:03 15360 7de46c9c40abb58c8fdfe0212a3bf2b4 c:\windows\system32\ctfmon.exe

2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

md5deep: c:\windows\$NtServicePackUninstall$\spoolsv.exe: Permission denied

2004-08-04 03:03 57856 cccb8b94b17466efb9dc27f42625b0e5 c:\windows\$NtUninstallKB896423$\spoolsv.exe

2004-08-04 03:03 57856 cccb8b94b17466efb9dc27f42625b0e5 c:\windows\ServicePackFiles\i386\spoolsv.exe

2004-08-04 03:03 57856 cccb8b94b17466efb9dc27f42625b0e5 c:\windows\system32\spoolsv.exe

md5deep: c:\windows\$NtServicePackUninstall$\userinit.exe: Permission denied

2004-08-04 03:03 24576 de7a0ee4a6a28e6dfe3118eb22468da6 c:\windows\ServicePackFiles\i386\userinit.exe

2004-08-04 03:03 24576 de7a0ee4a6a28e6dfe3118eb22468da6 c:\windows\system32\userinit.exe

md5deep: c:\windows\$NtServicePackUninstall$\termsrv.dll: Permission denied

md5deep: c:\windows\$NtUninstallQ311889$\termsrv.dll: Permission denied

2004-08-04 03:03 297472 e2ce999886a4636026f157deb886aa94 c:\windows\ServicePackFiles\i386\termsrv.dll

2004-08-04 03:03 297472 e2ce999886a4636026f157deb886aa94 c:\windows\system32\termsrv.dll

2006-07-05 05:58 1026048 8672ce1e9baf84ec0665d73db8849edb c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll

2007-04-16 11:11 1027072 68757f5935d6d76dd10975b7b7a9751d c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll

md5deep: c:\windows\$NtServicePackUninstall$\kernel32.dll: Permission denied

2004-08-04 03:03 1024512 54379bd67780fdbbe1590eec142a659c c:\windows\$NtUninstallKB917422$\kernel32.dll

2006-07-05 05:56 1025024 f2352fb7d9e5c70374568724a32b5cb7 c:\windows\$NtUninstallKB935839$\kernel32.dll

2004-08-04 03:03 1024512 54379bd67780fdbbe1590eec142a659c c:\windows\ServicePackFiles\i386\kernel32.dll

2007-04-16 10:54 1025536 6557ea471552bb9af16b66902d572bd5 c:\windows\system32\kernel32.dll

md5deep: c:\windows\$NtServicePackUninstall$\powrprof.dll: Permission denied

2004-08-04 03:03 17408 d5a792db732622a393a0469fe6eaa728 c:\windows\ServicePackFiles\i386\powrprof.dll

2004-08-04 03:03 17408 d5a792db732622a393a0469fe6eaa728 c:\windows\system32\powrprof.dll

.

((((((((((((((((((((((((((((( snapshot@2009-02-03_15.50.04.82 )))))))))))))))))))))))))))))))))))))))))

.

- 2004-02-20 23:16:12 94,480 ----a-w c:\windows\system32\ctxsetup.exe

+ 2004-02-21 05:16:12 94,480 ----a-w c:\windows\system32\ctxsetup.exe

- 2009-02-01 17:24:02 52,150 ----a-w c:\windows\system32\perfc009.dat

+ 2009-02-05 18:49:18 52,150 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-01 17:24:02 68,500 ----a-w c:\windows\system32\perfc013.dat

+ 2009-02-05 18:49:18 68,500 ----a-w c:\windows\system32\perfc013.dat

- 2009-02-01 17:24:02 377,498 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-05 18:49:18 377,498 ----a-w c:\windows\system32\perfh009.dat

- 2009-02-01 17:24:02 439,422 ----a-w c:\windows\system32\perfh013.dat

+ 2009-02-05 18:49:18 439,422 ----a-w c:\windows\system32\perfh013.dat

- 2004-02-20 22:53:20 24,848 ----a-w c:\windows\system32\Resource\en\ctxsetUI.dll

+ 2004-02-21 04:53:20 24,848 ----a-w c:\windows\system32\Resource\en\ctxsetUI.dll

+ 1996-01-12 23:00:00 24,576 ----a-w c:\windows\system32\STKIT432.DLL

+ 2009-02-11 15:00:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_254.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-19 3084288]

"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2005-10-12 7086080]

"Mozilla Quick Launch"="c:\program files\mozilla.org\Mozilla\Mozilla.exe" [2004-09-10 100752]

"RegistryMechanic"="c:\program files\Registry Mechanic1\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-14 57344]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-09-25 98304]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-05 26248]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-05-10 11776]

"PicasaNet"="c:\program files\Hello\Hello.exe" [2005-01-11 2572288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 34880]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.iv41"= IR41_32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ahM38.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bhM28.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ciN62.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ekP62.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ekP73.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ekP84.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gmR05.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gmR73.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hnT16.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioT84.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jpU38.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msY38.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pvB62.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pvB73.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\syE16.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\taF05.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xeJ38.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

--a------ 2009-01-20 08:48 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"msupdate"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-20 875288]

R2 AvgCore;AVG6 Kernel;c:\progra~1\Grisoft\AVG6\avgcore.sys [2004-09-12 456416]

R2 AvgFsh;AVG6 Rezident Driver;c:\progra~1\Grisoft\AVG6\avgfsh.sys [2004-09-12 19136]

R2 AvgServ;AvgServ; [x]

R3 Camdrv30;Philips ToUcam XS;c:\windows\system32\Drivers\camdrv30.sys [2001-08-17 171264]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-01-20 97928]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-20 231704]

S2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2008-08-18 76040]

S3 ham50;V9X HAM 1394V;c:\windows\system32\DRIVERS\CTXH51.sys [2001-08-04 454815]

--- Andere Services/Drivers In Geheugen ---

*NewlyCreated* - COMHOST

*Deregistered* - AFD

*Deregistered* - Alerter

*Deregistered* - ALG

*Deregistered* - AppMgmt

*Deregistered* - Arp1394

*Deregistered* - aspnet_state

*Deregistered* - audstub

*Deregistered* - avg8wd

*Deregistered* - AvgLdx86

*Deregistered* - AvgMfx86

*Deregistered* - AvgTdiX

*Deregistered* - Beep

*Deregistered* - Browser

*Deregistered* - Cdfs

*Deregistered* - ClipSrv

*Deregistered* - CLTNetCnService

*Deregistered* - comHost

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - Dnscache

*Deregistered* - eeCtrl

*Deregistered* - Fastfat

*Deregistered* - Fips

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - Gpc

*Deregistered* - HTTP

*Deregistered* - HTTPFilter

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - KSecDD

*Deregistered* - lanmanserver

*Deregistered* - lanmanworkstation

*Deregistered* - LiveUpdate Notice Ex

*Deregistered* - LiveUpdate Notice Service

*Deregistered* - LmHosts

*Deregistered* - mnmdd

*Deregistered* - MountMgr

*Deregistered* - MRxDAV

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - NetDDE

*Deregistered* - NetDDEdsdm

*Deregistered* - Netlogon

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - NtLmSsp

*Deregistered* - Null

*Deregistered* - PartMgr

*Deregistered* - ParVdm

*Deregistered* - PptpMiniport

*Deregistered* - RasAcd

*Deregistered* - Rasl2tp

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - seclogon

*Deregistered* - SNMP

*Deregistered* - sr

*Deregistered* - SRTSPX

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - swenum

*Deregistered* - SYMDNS

*Deregistered* - SymEvent

*Deregistered* - SYMFW

*Deregistered* - SYMIDS

*Deregistered* - SYMIDSCO

*Deregistered* - symlcbrd

*Deregistered* - SYMNDIS

*Deregistered* - SYMREDRV

*Deregistered* - SYMTDI

*Deregistered* - Tcpip

*Deregistered* - Tcpip6

*Deregistered* - TermDD

*Deregistered* - tunmp

*Deregistered* - Update

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - W32Time

*Deregistered* - Wanarp

*Deregistered* - WebClient

*Deregistered* - WmdmPmSN

*Deregistered* - WS2IFSL

*Deregistered* - wuauserv

*Deregistered* - WudfSvc

.

Inhoud van de 'Gedeelde Taken' map

2009-01-22 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2008-05-31 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Rolf van den Berg.job

- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 01:38]

2009-02-09 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

2009-02-09 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

.

.

------- Bijkomende Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-11 10:25:34

Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\S-1-5-21-375612493-2163411867-2876842818-1007\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

Voltooingstijd: 2009-02-11 10:32:15

ComboFix-quarantined-files.txt 2009-02-11 15:32:07

ComboFix2.txt 2009-02-11 14:46:53

ComboFix3.txt 2009-02-03 21:57:54

ComboFix4.txt 2009-02-03 20:51:51

Pre-Run: 23,879,327,744 bytes beschikbaar

Post-Run: 23,864,303,616 bytes beschikbaar

411 --- E O F --- 2007-11-18 01:10:08


  • Root Admin

STEP 1

Did you create these files? If not, then it is probably best to delete them.

C:\_skey_20-01-2009__08-41-06.zip

C:\_skey_02-01-2009__12-48-14.zip

C:\_skey_19-11-2008__21-59-07.zip

Also delete this copy of C:\ComboFix.exe

STEP 2

Please download and run the following file to repair file and registry permissions

fixacl.exe

STEP 3

Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 4

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

STEP 5

Download to the desktop: Dr.Web CureIt

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
    (image: check.gif)
    If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    (image: move.gif)
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this is in case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Hello AdvancedSetup,

Step 1

I removed the zip files you mentioned (I also removed 2 extra zip files which were not mentioned in the log file; they were also from 2008 and I don't know where they are coming from).

Next I deleted Combofix.exe from the C drive

Step 2

I ran fixacl.exe; there is something going wrong. It mentions in C:\aclreset.txt, with a loop account name, that the structure of the safety ID is invalid and the object will not be processed.

Step 3

I installed CCleaner and followed your instructions; that went O.K.

Step 4

I cannot turn the system restore off (or on). I do not have a restore tab, and when I do it via the bureau accessoires, go to system workset and the system restore function, I get the following message: The computer cannot be safeguarded with system restore, restart the computer (which I didn't do).

Step 5

I downloaded Dr.Web Cureit

First I ran the express scan that didn't find any problems.

Then I did a complete system scan of all the drives with the heuristic analysis turned off.

A couple of times I had to cure the files found but at the end it didn't give an icon next to the files found. Actually the last file I saw coming by was deleted (some runos.exe file).

Nothing had to be moved!!

I rebooted the computer, after saving the dr Web log (see below)

And finally ran HJK (see below)

I cannot run the Excel file on this good computer (I am missing a file). On the infected computer I could view what it says, and it has only one entry, which I will type here:

runos.exe;C:\WINDOWS;Trojan.Muldrop.4313;Deleted.;

Then the HJK file:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:06:52 PM, on 2/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\netdde.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\clipsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

H:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - HKUS\S-1-5-21-375612493-2163411867-2876842818-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-375612493-2163411867-2876842818-1007\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet (User '?')

O4 - HKUS\S-1-5-21-375612493-2163411867-2876842818-1007\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')

O4 - HKUS\S-1-5-21-375612493-2163411867-2876842818-1007\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo (User '?')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.polkrod.com/view/tiffx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179088510531

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AvgServ - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\TEMP\130265.exe (file missing)

O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVSvc - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)

O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\14958937.exe (file missing)

O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\TEMP\124781.exe (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

End of file - 7558 bytes

I think it is already much better, isn't it?

Rolf

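The HJT log above contains a few O23 entries that a reviewer would want pulled out automatically: three stock Windows XP service names (dmadmin, RasMan, RDSessMgr) whose binary path points at a file under C:\WINDOWS\TEMP that no longer exists, plus the O10 "Unknown file in Winsock LSP" line. Below is an added example, written for this page and not part of the thread or of the HijackThis tool, that parses O23 and O10 lines and returns the ones worth checking. The sample lines are copied from the log above; the three flags (binary under a TEMP directory, file missing, unknown owner) are the reviewer's own heuristics, not HijackThis logic.

```python
"""Triage of HijackThis O23 (service) and O10 (Winsock LSP) lines.

Added example for this thread; not part of HijackThis. The flags below are
the reviewer's own heuristics, chosen to surface the service entries whose
ImagePath has been pointed at a now-missing file under a temp directory.
"""
import re

# Sample input: O10/O23 lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AvgServ - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)
O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\TEMP\130265.exe (file missing)
O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\14958937.exe (file missing)
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\TEMP\124781.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
"""

# O23 - Service: <display name> - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
# A service binary living under a \TEMP\ or \TMP\ directory is never normal.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_o23(line):
    """Return the fields of an O23 line, or None if the line is not one."""
    m = O23_RE.match(line)
    if not m:
        return None
    return {
        "name": m["name"],
        "owner": m["owner"],
        "path": m["path"],
        "missing": m["missing"] is not None,
    }


def reasons_for_service(svc):
    """Heuristic flags for one parsed O23 entry (reviewer's own criteria)."""
    reasons = []
    if TEMP_DIR_RE.search(svc["path"]):
        reasons.append("binary-in-temp")
    if svc["missing"]:
        reasons.append("file-missing")
    if svc["owner"].lower() == "unknown owner":
        reasons.append("unknown-owner")
    return reasons


def triage_hjt(log_text):
    """Return the O10 and flagged O23 entries from an HJT log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O10_RE.match(line)
        if m:
            # HJT prints this for any LSP it does not recognise; verify, don't assume.
            findings.append({"kind": "O10", "name": m["path"],
                             "reasons": ["unknown-lsp"], "line": line})
            continue
        svc = parse_o23(line)
        if svc:
            reasons = reasons_for_service(svc)
            if reasons:
                findings.append({"kind": "O23", "name": svc["name"],
                                 "reasons": reasons, "line": line})
    return findings


def temp_resident_services(log_text):
    """Names of services whose binary path is under a temp directory."""
    return [f["name"] for f in triage_hjt(log_text)
            if "binary-in-temp" in f["reasons"]]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f['kind']:4} {f['name']:<24} {', '.join(f['reasons'])}")
```

An O10 hit is a prompt to verify the LSP file, not a verdict, since HJT reports every LSP it does not recognise the same way. The TEMP-path services are the entries that bear most on this thread: RasMan is the Remote Access Connection Manager, and a service whose registry entry points at a deleted file under TEMP cannot start, which fits the "no services can be restarted" symptom Rolf describes.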

  • Root Admin

Yeah, you probably got errors on the FixACL because this is not an English OS. Sorry about that.

Please clear out all your Quarantine files and try an online Kaspersky scan.

Are you still having any signs of infection?

Java Version

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

ActiveX version

Run Kaspersky Online AV Scanner

Using Internet Explorer, go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


Hey AdvancedSetup,

Thanks so much for your assistance!!

I cleaned out all the quarantine files as you asked.

You might be right that in the FixAcl program Dutch translations are used and that gives the problem; I add the aclreset text file below.

I think the translation of the Dutch will be something like this: restricted 1337 the security ID structure is invalid.

I think it might also be possible that this was introduced when we applied the SubInAcl program??

Besides this, I think the problem computer is also getting slower!

I cannot run the Kaspersky online AV scanner because I can't start my services, so I don't have internet on that computer.

I think that you are right that there may not be any signs of infection, but that this is now becoming a different problem (which has not too much to do with the original question, besides the internet connection).

Do I have to start a new topic?

By the way, it is funny to see that in safe mode Combofix is able to make contact with their website and update the program (there are still a lot of things I do not understand or know).

ACLRESET TEXT:

LookupAccountName : HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d}:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} will not be processed

LookupAccountName : HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5BF49A2-94F1-42BD-F434-3604812C807D}\InProcServer32:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5BF49A2-94F1-42BD-F434-3604812C807D}\InProcServer32 will not be processed

LookupAccountName : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1 will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\SSubTimer6.CTimer:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\SSubTimer6.CTimer will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\SSubTimer6.GSubclass:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\SSubTimer6.GSubclass will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\SSubTimer6.ISubclass:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\SSubTimer6.ISubclass will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridSortObject:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridSortObject will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.IGridCellOwnerDraw:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.IGridCellOwnerDraw will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1 will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\SSubTimer6.CTimer:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\SSubTimer6.CTimer will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\SSubTimer6.GSubclass:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\SSubTimer6.GSubclass will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\SSubTimer6.ISubclass:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\SSubTimer6.ISubclass will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridSortObject:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridSortObject will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.IGridCellOwnerDraw:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.IGridCellOwnerDraw will not be processed

LookupAccountName : HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid:restricted 1337 De structuur van de beveiligings-ID is ongeldig.

Current object HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid will not be processed

Rolf

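The aclreset.txt report above is the part worth reading closely: every failing line is a LookupAccountName call for the account name "restricted" that returned Win32 error 1337, which is ERROR_INVALID_SID, and each failure makes the tool skip the object named on the next line, so the permission repair never reached those keys. The admin's idea of using SID entries instead of names is the right direction, because well-known SIDs are identical on every language edition of Windows while account names such as SYSTEM or Everyone are localised. The following is an added example, not part of the thread or of fixacl, that parses this report, decodes the error code, lists the distinct skipped objects (the report repeats several), and maps a few well-known account names to their SIDs. The sample lines are copied from the report above; the error-code and SID tables are the example's own and cover only the values they list.

```python
"""Parse a fixacl-style aclreset.txt report and decode its failures.

Added example for this thread; not part of fixacl or SubInAcl. The lookup
tables below are the example's own and deliberately small.
"""
import re

# Sample input: lines copied from the aclreset.txt report posted in the
# thread (the MBAMExt pair appears twice there, as it does here).
SAMPLE_REPORT = r"""
LookupAccountName : HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d}:restricted 1337 De structuur van de beveiligings-ID is ongeldig.
Current object HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} will not be processed
LookupAccountName : HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt:restricted 1337 De structuur van de beveiligings-ID is ongeldig.
Current object HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt will not be processed
LookupAccountName : HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt:restricted 1337 De structuur van de beveiligings-ID is ongeldig.
Current object HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt will not be processed
"""

# Win32 error codes LookupAccountName commonly returns (only what we decode).
WIN32_ERRORS = {
    1332: "ERROR_NONE_MAPPED",  # no mapping between account names and SIDs
    1337: "ERROR_INVALID_SID",  # the security ID structure is invalid
}

# Well-known SIDs are language-independent; the names are not.
WELL_KNOWN_SIDS = {
    "everyone": "S-1-1-0",
    "restricted": "S-1-5-12",
    "system": "S-1-5-18",
    "administrators": "S-1-5-32-544",
    "users": "S-1-5-32-545",
}

# LookupAccountName : <object>:<account> <code> <localised message>
FAIL_RE = re.compile(
    r"^LookupAccountName : (?P<obj>.+?):(?P<account>[^:\s]+) (?P<code>\d+) (?P<message>.+)$"
)
SKIP_RE = re.compile(r"^Current object (?P<obj>.+) will not be processed$")


def parse_failures(text):
    """One record per failed LookupAccountName line, in report order."""
    out = []
    for raw in text.splitlines():
        m = FAIL_RE.match(raw.strip())
        if m:
            code = int(m["code"])
            out.append({
                "object": m["obj"],
                "account": m["account"],
                "code": code,
                "code_name": WIN32_ERRORS.get(code, "UNKNOWN"),
                "message": m["message"],
            })
    return out


def skipped_objects(text):
    """Distinct objects the tool refused to process, first-seen order."""
    seen = []
    for raw in text.splitlines():
        m = SKIP_RE.match(raw.strip())
        if m and m["obj"] not in seen:
            seen.append(m["obj"])
    return seen


def suggest_sid(account):
    """Well-known SID to use in place of a (possibly localised) account name."""
    return WELL_KNOWN_SIDS.get(account.lower())


def summarize(text):
    """Compact summary: counts, decoded error names and name-to-SID substitutions."""
    failures = parse_failures(text)
    accounts = sorted({f["account"] for f in failures})
    return {
        "failures": len(failures),
        "distinct_objects": len(skipped_objects(text)),
        "codes": sorted({f["code_name"] for f in failures}),
        "sid_substitutions": {a: suggest_sid(a) for a in accounts},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
    for obj in skipped_objects(SAMPLE_REPORT):
        print("not processed:", obj)
```

Run against the full report, the summary shows at a glance that a single account name is responsible for every skipped object, which is the case where substituting the SID (S-1-5-12 for "restricted") lets the repair continue on a non-English system.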

Hello AdvancedSetup,

I do have a small update/correction.

I stated that the Dutch translation might also be a problem while applying the SubInAcl program.

That's not true, for I was not able to install SubInAcl because the Windows Installer Service is not working and cannot be started manually.

Sorry for the (eventual) confusion.

Rolf


  • Root Admin

Yes I will try later on to see if I can correct that by using the SID entry instead of user names.

Well if it can get on in SAFE MODE then that is odd. Something then is either configured wrong or blocking it in Normal mode.

Please try these and see if it can correct the Network issue or not.

There are various issues that can cause loss of Internet activity. It could be Malware that is on your system that needs to be removed first, however it could also be from the removal of Malware or similar issues. Step one should be to ensure you remove any Malware from your system first.

Depending on what is wrong there are 3 methods of repair that you can try to re-establish connectivity.

METHOD 1

LSP-Fix

Repairs Winsock 2 settings, caused by buggy or improperly-removed Internet software, that result in loss of Internet access

METHOD 2

WinSock XP Fix 1.2

It can often cure the problem of lost connections after the removal of Adware components or improper uninstall of firewall applications or other tools that modify the XP network and Winsock settings.

If you encounter connection problems after removing network related software, Adware or after registry clean-up; and all other ways fail, then give WinSock XP Fix a try.

METHOD 3

Microsoft KB article to reset TCP/IP

One of the components of the Internet connection on your computer is a built-in set of instructions called TCP/IP. TCP/IP can sometimes become corrupted. If you cannot connect to the Internet and you have tried all other methods to resolve the problem, TCP/IP might be causing it.

Because TCP/IP is a core component of Windows, you cannot remove it. However, you can reset TCP/IP to its original state by using the NetShell utility (netsh):

netsh int ip reset c:\resetlog.txt


Good evening AdvancedSetup,

Do you ever take some time for yourself??

I am old and going, you are young and coming. ENJOY yourself!!

1. So I ran LSP-Fix and it says: no problems found.

2. I ran WinSock XP Fix; everything was repaired and I rebooted the system.

I tried it at this point, but no internet connection could be established.

3. Reset the TCP/IP with your cmd line and tried to connect again: nothing has changed!! No connection with the internet possible, no services can be restarted, and even MBAM gives the old vbalsgrid6 problem.

Take care and have a nice evening!!!!!

Rolf


  • Root Admin

Well that just does not make sense. Should be getting better not worse.

Let's go back to the Avira CD. Please download a NEW copy and burn that to CD and attempt another cleaning.

Then look in the Event Logs and let me know if there are any special or specific errors you're getting.

START - RUN - EVENTVWR

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post here if you're unable to view the entire screen of Avira.

Then you can also try this tool to attempt repair - though it's possible that it is this new Malware out that is messing up the network card bindings.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and the files will be extracted to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Reboot the computer into Safe mode.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • Any Trojan Services and Registry Entries that it finds will be removed then you will be prompted to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open and a copy of the report will be saved in the SDFix folder as Report.txt
    (Report.txt will also be copied automatically to your Clipboard and ready for posting back in the forum).
  • Finally paste the contents of the Report.txt back here along with a fresh HijackThis log.

SDFix page at Bleepingcomputer.com

How to use SDFix


Hey AdvancedSetup,

You never give up, do you??

O.K.

I made a new CD with Avira and ran it.

Results:

Reports: 5

Suspected files: 0

Warnings: 622 (5 of them are Alerts)

Then I installed SDFix and ran it (takes some time but nothing compared to DrWeb).

Finally I ran another HJK.

First the SDFix report:

SDFix: Version 1.240

Run by Rolf van den Berg on Fri 02/13/2009 at 11:14 PM

Microsoft Windows XP [versie 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\SETUP1.EXE - Deleted

C:\WINDOWS\ST6UNST.EXE - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-13 23:31:24

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"

"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 6 May 2006 3,853 A..H. --- "C:\TEMP\t4.bak"

Sat 6 May 2006 4,013 A..H. --- "C:\TEMP\t4.bak1"

Sat 20 Oct 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"

Mon 23 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Mon 10 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\947ce95f79b8d42157b37d6b75df5cf6\BIT7D.tmp"

Sun 19 Jan 2003 24,576 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0003.tmp"

Sun 25 May 2003 19,456 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0004.tmp"

Mon 1 Sep 2003 19,456 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0005.tmp"

Sun 22 Feb 2004 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0006.tmp"

Wed 28 Jul 2004 22,016 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0007.tmp"

Sun 26 Sep 2004 19,456 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0008.tmp"

Tue 7 Jun 2005 22,528 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0009.tmp"

Wed 18 Jan 2006 19,456 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0047.tmp"

Tue 16 Mar 2004 27,136 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0088.tmp"

Mon 1 Sep 2003 19,456 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0095.tmp"

Tue 16 Mar 2004 27,136 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0240.tmp"

Sun 21 May 2006 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0299.tmp"

Wed 25 Jun 2003 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0355.tmp"

Tue 25 Mar 2003 22,016 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0362.tmp"

Sun 26 Sep 2004 21,504 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0367.tmp"

Sun 26 Sep 2004 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0391.tmp"

Wed 7 Jan 2004 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0502.tmp"

Mon 1 Sep 2003 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0525.tmp"

Sun 25 May 2003 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0630.tmp"

Sun 22 Feb 2004 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0653.tmp"

Tue 2 May 2006 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0670.tmp"

Wed 25 Jun 2003 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0675.tmp"

Tue 7 Jun 2005 21,504 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0677.tmp"

Sun 22 Feb 2004 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0689.tmp"

Tue 16 Mar 2004 28,160 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0707.tmp"

Tue 7 Jun 2005 22,016 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0754.tmp"

Tue 7 Jun 2005 21,504 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0792.tmp"

Tue 16 Mar 2004 23,552 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0808.tmp"

Sat 21 Feb 2004 24,576 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0818.tmp"

Tue 16 Mar 2004 27,136 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0908.tmp"

Wed 25 Jun 2003 19,456 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0926.tmp"

Sat 21 Feb 2004 24,576 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0943.tmp"

Tue 16 Mar 2004 25,600 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0957.tmp"

Tue 16 Mar 2004 27,648 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1007.tmp"

Tue 7 Jun 2005 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1008.tmp"

Sun 21 May 2006 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1067.tmp"

Sat 21 Feb 2004 24,064 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1152.tmp"

Sun 22 Feb 2004 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1198.tmp"

Tue 16 Mar 2004 25,088 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1199.tmp"

Tue 16 Mar 2004 28,160 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1206.tmp"

Wed 7 Jan 2004 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1213.tmp"

Sun 19 Jan 2003 24,064 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1227.tmp"

Tue 16 Mar 2004 26,112 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1241.tmp"

Tue 7 Jun 2005 21,504 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1282.tmp"

Sun 22 Feb 2004 21,504 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1394.tmp"

Sun 21 May 2006 19,456 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1398.tmp"

Wed 25 Jun 2003 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1403.tmp"

Tue 16 Mar 2004 27,136 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1536.tmp"

Sun 21 May 2006 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1658.tmp"

Wed 28 Jul 2004 22,528 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1688.tmp"

Tue 16 Mar 2004 28,672 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1792.tmp"

Sun 26 Sep 2004 23,040 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1793.tmp"

Sun 23 Mar 2003 24,064 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1854.tmp"

Mon 1 Sep 2003 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1862.tmp"

Wed 7 Jan 2004 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1883.tmp"

Sun 23 Mar 2003 21,504 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1884.tmp"

Sat 21 Feb 2004 24,576 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1922.tmp"

Tue 16 Mar 2004 26,112 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1951.tmp"

Sun 21 May 2006 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL1982.tmp"

Tue 2 May 2006 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2006.tmp"

Sun 19 Jan 2003 24,576 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2044.tmp"

Tue 7 Jun 2005 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2047.tmp"

Tue 7 Jun 2005 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2060.tmp"

Tue 7 Jun 2005 21,504 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2091.tmp"

Sun 25 May 2003 19,456 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2101.tmp"

Sun 26 Sep 2004 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2149.tmp"

Wed 7 Jan 2004 21,504 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2159.tmp"

Sun 21 May 2006 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2190.tmp"

Tue 2 May 2006 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2223.tmp"

Sun 26 Sep 2004 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2266.tmp"

Wed 7 Jan 2004 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2268.tmp"

Tue 7 Jun 2005 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2319.tmp"

Sun 21 May 2006 19,456 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2324.tmp"

Mon 1 Sep 2003 22,528 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2331.tmp"

Sun 26 Sep 2004 21,504 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2361.tmp"

Tue 16 Mar 2004 26,112 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2490.tmp"

Sat 21 Feb 2004 24,576 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2550.tmp"

Tue 16 Mar 2004 27,136 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2586.tmp"

Sat 21 Feb 2004 24,064 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2608.tmp"

Sun 22 Feb 2004 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2622.tmp"

Sat 21 Feb 2004 24,576 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2695.tmp"

Thu 26 Jun 2003 19,456 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2699.tmp"

Sun 22 Feb 2004 22,528 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2726.tmp"

Sun 26 Sep 2004 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL2750.tmp"

Wed 25 Jun 2003 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3116.tmp"

Tue 25 Mar 2003 22,016 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3131.tmp"

Tue 16 Mar 2004 27,136 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3171.tmp"

Tue 16 Mar 2004 25,088 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3198.tmp"

Thu 26 Jun 2003 19,456 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3272.tmp"

Sat 21 Feb 2004 25,088 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3293.tmp"

Sat 30 Nov 2002 22,016 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3317.tmp"

Sun 23 Mar 2003 22,016 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3351.tmp"

Sun 26 Sep 2004 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3355.tmp"

Wed 25 Jun 2003 19,456 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3385.tmp"

Wed 25 Jun 2003 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3445.tmp"

Tue 7 Jun 2005 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3446.tmp"

Tue 16 Mar 2004 24,064 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3457.tmp"

Sun 22 Feb 2004 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3463.tmp"

Tue 7 Jun 2005 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3515.tmp"

Wed 25 Jun 2003 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3534.tmp"

Sun 22 Feb 2004 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3585.tmp"

Sun 21 May 2006 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3586.tmp"

Tue 7 Jun 2005 21,504 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3590.tmp"

Tue 16 Mar 2004 27,648 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3720.tmp"

Sun 21 May 2006 19,968 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3730.tmp"

Tue 5 Nov 2002 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3769.tmp"

Sun 26 Sep 2004 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL3931.tmp"

Tue 7 Jun 2005 20,992 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL4005.tmp"

Sun 26 Sep 2004 20,480 ...H. --- "C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL4082.tmp"

Finished!

Here is the HJT report:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:45:32 PM, on 2/13/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\netdde.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\clipsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

H:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - HKUS\S-1-5-21-375612493-2163411867-2876842818-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-375612493-2163411867-2876842818-1007\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet (User '?')

O4 - HKUS\S-1-5-21-375612493-2163411867-2876842818-1007\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')

O4 - HKUS\S-1-5-21-375612493-2163411867-2876842818-1007\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo (User '?')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.polkrod.com/view/tiffx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179088510531

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AvgServ - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\TEMP\130265.exe (file missing)

O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVSvc - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)

O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\14958937.exe (file missing)

O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\TEMP\124781.exe (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

End of file - 7559 bytes

Anyway have a nice evening,

Rolf

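As an added example that is not part of the thread or of HijackThis: a small Python triage helper that parses the O23 (service) lines of an HJT log like the one above and flags services whose image path sits under a Windows temp directory, and separately notes which binaries are reported "(file missing)". The sample lines are copied from the log posted above; the function names and the list of temp-directory fragments are my own.

```python
import re
from typing import Dict, List

# Constructed sample input: O23 lines in HijackThis v2 format. The values are
# copied from the log posted above; the selection of lines is my own.
SAMPLE_LOG = r"""
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\TEMP\130265.exe (file missing)
O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVSvc - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\14958937.exe (file missing)
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\TEMP\124781.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
"""

# "O23 - Service: <name> - <owner> - <image path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

# Directory fragments where a service binary has no business living
# (matched case-insensitively against the image path). My own list.
TEMP_DIR_FRAGMENTS = (
    "\\windows\\temp\\",
    "\\local settings\\temp\\",
    "\\temp\\",
    "\\tmp\\",
)


def parse_o23(log_text: str) -> List[Dict[str, object]]:
    """Return one record per O23 line; lines that do not parse are ignored."""
    entries: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        m = O23_RE.match(raw.strip())
        if m is None:
            continue
        entries.append({
            "name": m.group("name"),
            "owner": m.group("owner"),
            "path": m.group("path"),
            "file_missing": m.group("missing") is not None,
        })
    return entries


def reasons_for(entry: Dict[str, object]) -> List[str]:
    """Why a reviewer should look at this service (empty list = nothing odd)."""
    reasons: List[str] = []
    path = str(entry["path"]).lower()
    if any(frag in path for frag in TEMP_DIR_FRAGMENTS):
        reasons.append("image path under a temp directory")
    if entry["file_missing"]:
        reasons.append("image file missing")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """All parsed services, each with its (possibly empty) list of reasons."""
    return [dict(e, reasons=reasons_for(e)) for e in parse_o23(log_text)]


def high_priority(log_text: str) -> List[Dict[str, object]]:
    """Services whose binary lives under a temp directory: review these first."""
    return [e for e in triage(log_text)
            if "image path under a temp directory" in e["reasons"]]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        marker = "!!" if "image path under a temp directory" in e["reasons"] else "  "
        print(f"{marker} {e['name']:<40} {e['path']}  {', '.join(e['reasons'])}")
```

Run as a script it prints every service with its reasons and a "!!" marker on the temp-path ones. The point of splitting the two reasons is that "(file missing)" on its own is common after a clean uninstall (the NVSvc line is an example), whereas a service registered to run out of C:\WINDOWS\TEMP is abnormal for any product and worth checking in the registry before deciding how to restore it.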

  • Root Admin

Hmmm... See all these files: C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0008.tmp etc...

Those are not Malware but they don't really belong either. Those are TEMP files for MS Word that are often left behind from Word crashing or abruptly closing, etc. You should be able to safely delete all of those.

I thought SDFix would remove one of those entries but it didn't.

Please run the following tool. Don't forget you MUST be in SAFE MODE in order to run the cleaning process.

Choose options 2 and 3 for cleaning in Safe Mode.

You may want to print the Web page because you won't have Internet access in Safe Mode.

Please download and run this tool. Follow the instructions provided on the page.

SmitFraudFix


Hello AdvancedSetup,

I tried to delete all the files like C:\Documents and Settings\Joelle\Application Data\Microsoft\Word\~WRL0008.tmp but I can't find them.

I tried to get there with Windows Explorer; I was able to remove some Word files which didn't contain data or were backups.

I will run SDFix again (later) perhaps it will be removed now.

I downloaded SmitFraudFix and installed it on the computer in trouble.

When I run it, it gives a message in the DOS box (very fast, hardly readable before SmitFraudFix opens): "Setpaths (or something like that) is not recognized as an internal or external command, program or batch file" (my translation).

I ran it anyway.

When I switched to safe mode (restart) at closing down it turns out there is a program in the background which is shutting down first. The program is called "Card Reader".

Then in safe mode I started the cleaning process as instructed (commands 2 and 3).

After rebooting in normal mode I checked the status but as far as I can see nothing has changed!!

The SmitFraudFix report I add below:

SmitFraudFix v2.395

Scan done at 12:16:29.62, Sat 02/14/2009

Run from C:\WINDOWS\system32\SmitfraudFix

OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


  • Root Admin

Great. That looks good. Sorry I should have shown you how to unhide files.

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

But you shouldn't need that now, so just for future information.

Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP 1

Uninstall ComboFix.exe

  • Click START then RUN
  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  • When shown the disclaimer, Select "2"

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe

STEP 2

Uninstall GMER

Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.

STEP 3

Uninstall other tools

Please Download OTMoveIt3 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt3.exe to run it.
  • While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up, select Yes and allow the system to clean up these items.
  • NOW please reboot your computer to finish the cleanup process

Then if needed: Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

How is the computer running now?

Are there still any signs of infection?


Hello AdvancedSetup,

No problem with the hidden files!! Just had to remember how to do it, but I have done it before.

Step 1: I uninstalled combofix (but I had already done that yesterday)

Step 2: I uninstalled Gmer

Step 3: I downloaded Otmoveit3 and ran the program (was not that much for I cleaned out a little before); the system was rebooted.

By the way, when I was looking at what happened before I ran otmoveit3 I saw that in the windows directory there were a lot of files I have never seen (blue colored). As far as I understand this is a kind of uninstall of a service package, but I thought it has to be that way?

Then I checked the computer and I think there are no infections left, but I still do not have internet and a lot of services are not starting or cannot be started either.

So I downloaded the new JAVA runtime environment, put it on the desktop and tried to install it, but the windows installer doesn't work (also a service I think).

But I think that has not that much to do with the infections I had.

Rolf


  • Root Admin

Please see if you can run this. Click on START - RUN and type in devmgmt.msc and hit the OK button.

Then look and see if you have a lot of YELLOW indicators on the Network adapters section.

This is in the Device Manager area if the devmgmt.msc command doesn't work.


  • Root Admin

No, that does not sound like the issue I was concerned about.

See if one of these fixes helps to restore the Internet access.

First try to reset your router to factory defaults (most can be done by pressing a button in a small hole on the back with a paper clip)

You can also try these fixes.

There are various issues that can cause loss of Internet activity. It could be Malware that is on your system that needs to be removed first, however it could also be from the removal of Malware or similar issues. Step one should be to ensure you remove any Malware from your system first.

Depending on what is wrong there are 3 methods of repair that you can try to re-establish connectivity.

METHOD 1

LSP-Fix

Repairs Winsock 2 settings, caused by buggy or improperly-removed Internet software, that result in loss of Internet access

METHOD 2

WinSock XP Fix 1.2

It can often cure the problem of lost connections after the removal of Adware components or improper uninstall of firewall applications or other tools that modify the XP network and Winsock settings.

If you encounter connection problems after removing network related software, Adware or after registry clean-up; and all other ways fail, then give WinSock XP Fix a try.

METHOD 3

Microsoft KB article to reset TCP/IP

One of the components of the Internet connection on your computer is a built-in set of instructions called TCP/IP. TCP/IP can sometimes become corrupted. If you cannot connect to the Internet and you have tried all other methods to resolve the problem, TCP/IP might be causing it.

Because TCP/IP is a core component of Windows, you cannot remove it. However, you can reset TCP/IP to its original state by using the NetShell utility (netsh).


Hey AdvancedSetup,

I did your recommendation:

Step 1. Lsp-Fix -----> no problems found

Step 2. Winsock XP Fix 1.2 ------> O.K. complete with the reboot.

Step 3. TCP/IP reset in the DOS command box ------> not executable because the RPC server is not available

After each step I checked if the functions which didn't work were doing better, but I do not see any change: no Internet and/or services can be started.

I see some other malfunctions: (I hope you do not get annoyed)

+ At the ipconfig command in DOS I am missing some numbers (the second IP address in the Ethernet adapter is missing, and in the Tunnel adapter Teredo Tunneling Pseudo Interface there are no IP address numbers or standard gateway numbers)

+ The search function doesn't work

+ IE flashes and is then immediately gone

+ Minimizing a window works but there is nothing in the taskbar, it just disappears

+ Services opens in a strange way (I am not used to it); there is no explanation of the specific service in the left bar.

+ Copy function in windows doesn't work

+ Copy command in DOS is O.K.

Does this make sense to you?


  • Root Admin

Well try this first:

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly this is normal.
  • Reboot your computer after it runs

Then try this:

Please download and run this program - choose ALL options: Dial-a-fix


Hey AdvancedSetup,

Thanks for your patience!!!

I downloaded FixPolicies and ran it on the infected computer ------> no changes

Next I downloaded Dial-a-fix, unzipped it and ran it ---------> no changes; as far as I notice everything is still the way it was.

By the way I get some strange messages on this machine too (it is starting to run some stupid scanning for viruses, but first my own computer)

Have a nice evening.

Rolf


This topic is now closed to further replies.