Can't get rid of files/registry entries on reboot


Can't get rid of files/registry entries on reboot. I have run Malwarebytes several times and the entries that are marked as delete on reboot never get deleted. Any help you can provide will be appreciated.

I have read previous entries on this, so I ran ComboFix and Autoruns; here are all the log files. I ran the processes in the following order:

malwarebytes

combofix

autoruns

hijackthis

and here are the results...

Malwarebytes logfile

Malwarebytes' Anti-Malware 1.35

Database version: 1912

Windows 5.1.2600 Service Pack 2

3/29/2009 3:51:39 PM

mbam-log-2009-03-29 (15-51-39).txt

Scan type: Quick Scan

Objects scanned: 113016

Time elapsed: 14 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 8

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d979721-5df7-4e9e-b6f2-ab0de572b097} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{4d979721-5df7-4e9e-b6f2-ab0de572b097} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\avwa.dll (Trojan.BHO.H) -> Delete on reboot.

C:\Documents and Settings\Olivita\Local Settings\Temp\nalizmau.dat (Rootkit.Agent) -> Delete on reboot.

Combofix:

ComboFix 09-03-29.02 - HP_Administrator 2009-03-29 16:15:33.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.546 [GMT -4:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

AV: AVG 7.5.557 *On-access scanning disabled* (Updated)

FW: Norton Internet Worm Protection *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Olivita\Local Settings\Temporary Internet Files\fbk.sts

c:\windows\IE4 Error Log.txt

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\_000007_.tmp.dll

c:\windows\system32\_000010_.tmp.dll

c:\windows\system32\rsoirmva.ini

c:\windows\system32\TDSSosvd.dat

c:\windows\system32\winsrc.dll.tmp

c:\windows\system32\xslimghw.ini

c:\windows\wiaserviv.log

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV.SYS

-------\Service_TDSSserv.sys

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))

.

2009-03-28 20:04 . 2009-03-28 20:04 <DIR> d-------- c:\program files\Trend Micro

2009-03-28 18:45 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-28 18:45 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-29 14:31 --------- d-----w c:\documents and settings\Olivita\Application Data\AVG7

2009-03-29 12:00 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\AVG7

2009-03-28 23:38 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-22 03:10 --------- d-----w c:\documents and settings\McHugh\Application Data\AVG7

2009-02-26 23:52 --------- d-----w c:\documents and settings\Olivita\Application Data\Malwarebytes

2009-02-26 23:48 --------- d-----w c:\program files\m

2009-02-26 23:48 --------- d-----w c:\documents and settings\Olivita\Application Data\U3

2009-02-24 01:13 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\AdobeUM

2009-01-08 21:39 0 ----a-w c:\documents and settings\Olivita\Application Data\wklnhst.dat

.

------- Sigcheck -------

2005-03-14 04:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

2004-08-10 00:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys

2005-03-14 03:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 c:\windows\$NtUninstallKB917953$\tcpip.sys

2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys

2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748$\tcpip.sys

2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys

2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\system32\dllcache\tcpip.sys

2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D979721-5DF7-4E9E-B6F2-AB0DE572B097}]

2004-08-10 00:00 96256 --a------ c:\windows\system32\avwa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]

"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-15 49152]

"A Verizon App"="c:\progra~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 50744]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-30 1095256]

"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-18 180269]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-03-22 282624]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]

"nwiz"="nwiz.exe" [2006-01-24 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-01 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2007-01-15 282624]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-03-22 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=kcyrpi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"AlwaysReady Power Message APP"=ARPWRMSG.EXE

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R0 oxyjsqmo;oxyjsqmo;c:\windows\system32\drivers\oxyjsqmo.sys [2004-08-10 23424]

.

Contents of the 'Scheduled Tasks' folder

2009-03-29 c:\windows\Tasks\bxedsquz.job

- c:\windows\system32\urqOFwwv.dll []

.

- - - - ORPHANS REMOVED - - - -

BHO-{C66C1D5E-7D8F-45A7-8A90-C5EAEE1DB043} - (no file)

SharedTaskScheduler-IPC Configuration Utility - (no file)

Notify-awtQhFvs - awtQhFvs.dll

SafeBoot-Winqy74.sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: trymedia.com

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-29 16:26:37

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\windows\arservice.exe

c:\progra~1\Grisoft\AVG7\avgamsvr.exe

c:\progra~1\Grisoft\AVG7\avgupsvc.exe

c:\progra~1\Grisoft\AVG7\avgemc.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\ehome\ehmsas.exe

c:\program files\Common Files\Verizon Online\ConnMgr\cmisrv.exe

c:\program files\DISC\DiscStreamHub.exe

c:\program files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe

.

**************************************************************************

.

Completion time: 2009-03-29 16:29:51 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-29 20:29:48

Pre-Run: 219,573,886,976 bytes free

Post-Run: 222,289,571,840 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=,1,2,3,4

190 --- E O F --- 2009-03-14 02:28:09

Autoruns:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ A Verizon App VerizonAppManager (Verified) Verizon Communications c:\program files\verizon online\help support\verizonsupport.exe

+ AVG7_CC AVG Control Center (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgcc.exe

+ DISCover DISCover Drop & Play System Executable (Verified) Digital Interactive Systems Corporation c:\program files\disc\discover.exe

+ DMAScheduler DMAScheduler (Not verified) Sonic Solutions c:\program files\hp digitalmedia archive\dmascheduler.exe

+ HP Software Update Hewlett-Packard Product Assistant (Not verified) Hewlett-Packard Development Company, L.P. c:\program files\hp\hp software update\hpwuschd2.exe

+ HPBootOp HP Boot Optimizer (Not verified) Hewlett-Packard Company c:\program files\hewlett-packard\hp boot optimizer\hpbootop.exe

+ HPHUPD08 HPHupd08 (Not verified) Hewlett-Packard c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe

+ KBD KBD EXE (Not verified) Hewlett-Packard Company c:\hp\kbd\kbd.exe

+ nwiz NVIDIA nView Wizard, Version 110.19 (Not verified) NVIDIA Corporation c:\windows\system32\nwiz.exe

+ QuickTime Task QuickTime Task (Not verified) Apple Computer, Inc. c:\program files\quicktime\qttask.exe

+ Recguard Recguard Application c:\windows\sminst\recguard.exe

+ TkBellExe RealNetworks Scheduler (Not verified) RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe

+ Verizon_McciTrayApp mcci+McciTrayApp (Not verified) Motive Communications, Inc. c:\program files\verizon\mccitrayapp.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ HotSync Manager.lnk HotSync

  • Staff

Hi,

You need to update your AVG afterwards to AVG8, because the version you are currently using is outdated.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\system32\drivers\oxyjsqmo.sys

c:\windows\Tasks\bxedsquz.job

c:\windows\system32\avwa.dll

Driver::

oxyjsqmo

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D979721-5DF7-4E9E-B6F2-AB0DE572B097}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000000

"UpdatesDisableNotify"=dword:00000000

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
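As an added triage example (not code from this thread, from Malwarebytes or from ComboFix), the Python below parses constructed excerpts of the two logs posted above: it lists the Malwarebytes items that were deferred to reboot, flags the Security Center, AppInit_DLLs, BHO and kernel-driver load points in ComboFix's REGEDIT4 section, and cross-checks which of the pending items ComboFix still shows as active, which is exactly the gap the CFScript above closes.

```python
import re

# Constructed excerpts that mirror the logs posted in this thread (not the complete files).
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d979721-5df7-4e9e-b6f2-ab0de572b097} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\avwa.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\Olivita\Local Settings\Temp\nalizmau.dat (Rootkit.Agent) -> Delete on reboot.
"""

COMBOFIX_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D979721-5DF7-4E9E-B6F2-AB0DE572B097}]
2004-08-10 00:00 96256 --a------ c:\windows\system32\avwa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kcyrpi.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
R0 oxyjsqmo;oxyjsqmo;c:\windows\system32\drivers\oxyjsqmo.sys [2004-08-10 23424]
"""

# "<item> (<detection>) -> <action>." as written by Malwarebytes 1.x
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Security Center values that, when set to 1, silence the XP "no AV / firewall / updates" alerts
SC_FLAGS = ("AntiVirusDisableNotify", "UpdatesDisableNotify", "FirewallOverride")


def mbam_pending(log):
    """Detections MBAM could not remove immediately: (section, item, detection)."""
    pending, section = [], None
    for line in (l.strip() for l in log.splitlines()):
        if line.endswith("Infected:"):  # section header, e.g. "Files Infected:"
            section = line[:-1]
        elif (m := MBAM_LINE.match(line)) and m.group("action").startswith("Delete on reboot"):
            pending.append((section, m.group("item"), m.group("detection")))
    return pending


def combofix_findings(log):
    """Load points in ComboFix's 'Reg Loading Points' section that warrant a closer look."""
    findings, key = [], ""
    for line in (l.strip() for l in log.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        # Kernel driver service lines look like: R0 name;display;path [date size]
        if m := re.match(r"R\d (\S+?);\S*?;(\S+\.sys)", line, re.I):
            findings.append(("driver", m.group(1), m.group(2).rsplit("\\", 1)[-1].lower()))
        elif key.endswith("security center"):
            m = re.match(r'"(\w+)"=dword:([0-9a-f]{8})$', line, re.I)
            if m and m.group(1) in SC_FLAGS and int(m.group(2), 16) == 1:
                findings.append(("security-center", m.group(1)))
        elif key.endswith("currentversion\\windows"):
            m = re.match(r'"AppInit_DLLs"=(.*)$', line)
            if m and m.group(1).strip('" '):  # non-empty: a DLL is loaded into every GUI process
                findings.append(("appinit", m.group(1).strip('" ').lower()))
        elif "browser helper objects" in key:
            if m := re.search(r"(\S+\.dll)$", line, re.I):
                clsid = key[key.rfind("{"):]
                findings.append(("bho", clsid, m.group(1).rsplit("\\", 1)[-1].lower()))
    return findings


def still_loaded_after_mbam(mbam_log, combofix_log):
    """Items MBAM deferred to reboot that ComboFix still lists as active load points."""
    active = {part.lower() for f in combofix_findings(combofix_log) for part in f[1:]}
    hits = []
    for _section, item, detection in mbam_pending(mbam_log):
        tail = item.lower().rsplit("\\", 1)[-1]  # CLSID for a key, file name for a file
        if tail in active:
            hits.append((item, detection))
    return hits


if __name__ == "__main__":
    for hit in still_loaded_after_mbam(MBAM_LOG, COMBOFIX_LOG):
        print("still active after MBAM:", hit)
    for finding in combofix_findings(COMBOFIX_LOG):
        print("check:", finding)
```

Running it on the excerpts shows the BHO key and avwa.dll as still active after the Malwarebytes pass, while the temp .dat file no longer appears as a load point.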

ComboFix 09-03-30.04 - HP_Administrator 2009-03-31 13:15:36.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.459 [GMT -4:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt

AV: AVG 7.5.557 *On-access scanning disabled* (Updated)

FW: Norton Internet Worm Protection *disabled*

* Created a new restore point

FILE ::

c:\windows\system32\avwa.dll

c:\windows\system32\drivers\oxyjsqmo.sys

c:\windows\Tasks\bxedsquz.job

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_OXYJSQMO

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))

.

2009-03-28 20:04 . 2009-03-28 20:04 <DIR> d-------- c:\program files\Trend Micro

2009-03-28 18:45 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-28 18:45 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-26 21:57 . 2009-03-28 19:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-26 19:52 . 2009-02-26 19:52 <DIR> d-------- c:\documents and settings\Olivita\Application Data\Malwarebytes

2009-02-26 19:48 . 2009-02-26 19:48 <DIR> d-------- c:\program files\m

2009-02-26 19:47 . 2009-02-26 19:47 0 --a------ C:\LOG61.tmp

2009-02-23 21:13 . 2009-02-23 21:13 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AdobeUM

2009-02-19 13:53 . 2009-03-27 14:29 54,156 --ah----- c:\windows\QTFont.qfn

2009-02-19 13:53 . 2009-02-19 13:53 1,409 --a------ c:\windows\QTFont.for

2009-02-19 11:58 . 2009-02-19 11:59 109 --ahs---- c:\windows\system32\4163043254.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-31 17:10 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\AVG7

2009-03-31 17:09 --------- d-----w c:\documents and settings\Olivita\Application Data\AVG7

2009-03-30 22:12 23,424 ----a-w c:\windows\system32\drivers\amezlaox.sys

2009-03-22 03:10 --------- d-----w c:\documents and settings\McHugh\Application Data\AVG7

2009-02-26 23:48 --------- d-----w c:\documents and settings\Olivita\Application Data\U3

2009-01-08 21:39 0 ----a-w c:\documents and settings\Olivita\Application Data\wklnhst.dat

.

------- Sigcheck -------

2005-03-14 04:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

2004-08-10 00:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys

2005-03-14 03:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 c:\windows\$NtUninstallKB917953$\tcpip.sys

2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys

2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748$\tcpip.sys

2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys

2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\system32\dllcache\tcpip.sys

2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]

"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-15 49152]

"A Verizon App"="c:\progra~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 50744]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-30 1095256]

"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-18 180269]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-03-22 282624]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]

"nwiz"="nwiz.exe" [2006-01-24 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-01 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2007-01-15 282624]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-03-22 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"AlwaysReady Power Message APP"=ARPWRMSG.EXE

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: trymedia.com

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-31 13:21:31

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\windows\arservice.exe

c:\progra~1\Grisoft\AVG7\avgamsvr.exe

c:\progra~1\Grisoft\AVG7\avgupsvc.exe

c:\progra~1\Grisoft\AVG7\avgemc.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\windows\ehome\ehmsas.exe

c:\program files\Common Files\Verizon Online\ConnMgr\cmisrv.exe

c:\program files\DISC\DiscStreamHub.exe

c:\program files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe

.

**************************************************************************

.

Completion time: 2009-03-31 13:24:17 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-31 17:24:15

ComboFix2.txt 2009-03-30 22:21:27

ComboFix3.txt 2009-03-29 20:29:53

Pre-Run: 222,202,023,936 bytes free

Post-Run: 222,187,089,920 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=,1,2,3,4

174 --- E O F --- 2009-03-14 02:28:09

  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, uninstall AVG7 and download and install AVG8

Let me know in your next reply how things are now.

  • Staff

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
