
Possible Virut infection, but unsure



Carried on from this thread (http://www.malwarebytes.org/forums/index.php?showtopic=15198&st=0&gopid=79224entry79224). It has been fine for all of today, no new viruses. But I haven't used it or connected to the internet at all. No virus scanners have specifically found a 'Virut' infection, just various Trojans and Spyware which seem to be symptoms of Virut. Malware Log and HijackThis Log are both here.

If it looks like there is NO infection.. should I keep on using it or be rather wary? I have an external HD with ALL my data on it. So I don't mind reformatting, but I REALLY don't want the external HD to get infected.

Malwarebytes' Anti-Malware 1.36

Database version: 2091

Windows 5.1.2600 Service Pack 3

9/05/2009 6:18:33 PM

mbam-log-2009-05-09 (18-18-33).txt

Scan type: Quick Scan

Objects scanned: 102953

Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:34:47 PM, on 9/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG8\avgwdsvc.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

D:\Program Files\Sandboxie\SbieSvc.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\PROGRA~1\AVG8\avgrsx.exe

C:\PROGRA~1\AVG8\avgemc.exe

C:\PROGRA~1\AVG8\avgnsx.exe

C:\Program Files\AVG8\avgcsrvx.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ICO.EXE

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\D-Link\SharePort\SharePort Network USB Utility.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\Sandboxie\SbieCtrl.exe

C:\Documents and Settings\Nic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\PreSonus\1394AudioDriver_FP10\FP10.exe

D:\Program Files\Dropbox\Dropbox.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

D:\Program Files\Avira\AntiVir Desktop\avguard.exe

D:\Program Files\Avira\AntiVir Desktop\sched.exe

D:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\VLCPlayer\vlc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Nic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Documents and Settings\Nic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Nic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Nic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

D:\Program Files\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vaio-online.sony.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG8\avgssie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG8\AVGTOO~1.DLL

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [iSBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2500W STD] C:\WINDOWS\system32\MSTMON02.EXE STARTUP

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [D-Link Network USB Utility] C:\Program Files\D-Link\SharePort\SharePort Network USB Utility.exe -mini

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [sandboxieControl] "D:\Program Files\Sandboxie\SbieCtrl.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Nic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')

O4 - .DEFAULT User Startup: VAIO Launcher.lnk = C:\Program Files\Sony\VAIO Launcher\Launcher.exe (User 'Default user')

O4 - Startup: Dropbox.lnk = D:\Program Files\Dropbox\Dropbox.exe

O4 - Global Startup: FP10 Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FP10\FP10.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: (no name) - {1fb575b2-eb1c-431b-8873-9fb454379b62} - mscoree.dll (file missing)

O9 - Extra 'Tools' menuitem: MuvExToE - IE Aliases Setup - {1fb575b2-eb1c-431b-8873-9fb454379b62} - mscoree.dll (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Open Last Closed Tab - {e05e75e9-a653-42a3-8d05-f2f7e309bdca} - mscoree.dll (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/

O15 - Trusted Zone: http://web.iress.com.au

O15 - Trusted Zone: *.line6.net

O15 - Trusted Zone: www.macquariecfd.com.au

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {15A02B79-60BB-42B8-814E-BF8364106B9E} (Pco3 Window (Commsec) Control) - http://images.commsec.com.au/downloads/pco...o3X_Commsec.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab

O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171615652593

O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab

O16 - DPF: {D00E9550-440D-4EF8-BFCE-174300890C05} (DMList Class) - http://www.gomusic.ru/cabs/xdownloader.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Protocol: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - C:\Program Files\WebArchiver\SSP.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Sandboxie Service (SbieSvc) - tzuk - D:\Program Files\Sandboxie\SbieSvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 15499 bytes

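A triage pass over a HijackThis log of the kind posted above, written as an added example (not code from the thread or from the HijackThis tool itself): it parses the running-process list and the R/O entries, then flags the entry types a reviewer checks by hand first. The flag rules and the allowlist of expected ActiveX hosts are my own assumptions; the sample lines are reused from the log above.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 log format, using line shapes from the
# log above. Blank spacer lines (as in the forum paste) are skipped by the
# parser, so a log copied straight out of the post also works.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ICO.EXE

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG8\avgtray.exe
O9 - Extra button: (no name) - {1fb575b2-eb1c-431b-8873-9fb454379b62} - mscoree.dll (file missing)
O15 - Trusted Zone: *.line6.net
O16 - DPF: {D00E9550-440D-4EF8-BFCE-174300890C05} (DMList Class) - http://www.gomusic.ru/cabs/xdownloader.cab
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
--
End of file - 15499 bytes
"""

# Lines such as "O4 - HKLM\..\Run: [name] target" or "R1 - HKCU\...,Key = value".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Assumption (mine, not HijackThis's): ActiveX (O16) downloads from these hosts
# are expected on a patched XP box; anything else gets a second look.
EXPECTED_DPF_HOSTS = {"go.microsoft.com", "update.microsoft.com"}


@dataclass
class Entry:
    section: str  # "R1", "O4", "O23", ...
    body: str     # text after "Oxx - "


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis log into the running-process list and the R/O entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first R/O entry ends the process list
            log.entries.append(Entry(m.group(1), m.group(2)))
        elif in_procs:
            log.processes.append(line)
    return log


def autorun_target(body: str) -> str:
    # "HKLM\..\Run: [Name] C:\path\prog.exe /flag" -> "C:\path\prog.exe /flag"
    # "Startup: Foo.lnk = C:\path\prog.exe"         -> "C:\path\prog.exe"
    if "] " in body:
        target = body.split("] ", 1)[1]
    elif " = " in body:
        target = body.split(" = ", 1)[1]
    else:
        target = body
    return target.strip().lstrip('"')


def triage(log: HjtLog) -> list:
    """Return (entry, reason) pairs that merit a manual look.

    These are review prompts, not verdicts: every rule here also fires on
    legitimate software (ICO.EXE and PnkBstrA in the thread's log are examples).
    """
    findings = []
    for e in log.entries:
        b = e.body
        if "(file missing)" in b:
            findings.append((e, "points at a file that is not on disk"))
        elif e.section == "O23" and "Unknown owner" in b:
            findings.append((e, "service binary carries no publisher information"))
        elif e.section == "O4":
            parts = autorun_target(b).split()
            if parts and "\\" not in parts[0]:
                findings.append((e, "autorun target has no path; lookup depends on search order"))
        elif e.section == "O15":
            findings.append((e, "host added to the IE Trusted Zone; confirm it was deliberate"))
        elif e.section == "O16":
            host = (urlparse(b.rsplit(" - ", 1)[-1]).hostname or "").lower()
            if host not in EXPECTED_DPF_HOSTS:
                findings.append((e, f"ActiveX control downloaded from {host}"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{entry.section:>4}: {reason}\n      {entry.body}")
```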

  • Staff

Hi,

I guess you were indeed lucky - and took action immediately after being infected and took your PC offline. If you had it stew a few hours, leaving it online, then I guess this was a lost case. :mellow:

Note...

I notice from your log that there's more than one antivirus installed: Avira and AVG.

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will seriously decrease their reliability!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also, because multiple installed Antivirus and Firewall products are not compatible with each other, they can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.

Then reboot after uninstalling.

Then, to see if there's still something lurking there..

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


I didn't take action immediately.. I had the virus for at least a couple of days while using it. I didn't think it was anything serious.

AVG was my old one. Avira is the one I've just downloaded because this site recommended it. Thanks for the link on how to turn off AVG... I tried right-clicking and exiting, as well as disabling all the Task Manager files but it kept coming back on.

I did run ComboFix yesterday. Didn't totally work. Will run it later tonight.


  • Staff

If you want to keep Avira, then you have to UNINSTALL AVG, not just disable it, because that won't make a difference.

I did run ComboFix yesterday. Didn't totally work.
You are actually not supposed to run Combofix on your own. This is because we really need to review the logs. Also, please explain what you mean by "Didn't totally work".

Did it run? Did it not run?

Above log looks clean, but that's no guarantee that Virut isn't present. Especially the latest variant is badly detected by MANY scanners.

That's why the Combofix log is important. If Combofix won't run, not even in safe mode, then I'm already 99% sure you have Virut.


Sorry, didn't know I wasn't meant to run it. Hope it won't affect things too badly.

I'm uninstalling AVG as I speak, then I'll run ComboFix.

What I mean by ComboFix 'not totally working' is that the virus was still present afterwards. It ran fine.


  • Staff

What I mean by ComboFix 'not totally working' is that the virus was still present afterwards. It ran fine.
Combofix is mainly an analysis tool. That's why it produces logs, and that's also why we don't recommend that people run it on their own, since we really need to see these logs to see what malware is still present. :mellow:

Here's the ComboFix log.

ComboFix 09-05-08.03 - Nic 09/05/2009 21:27.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1468 [GMT 10:00]

Running from: c:\documents and settings\Nic\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

.

((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))

.

2009-05-08 11:33 . 2009-03-24 06:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-05-08 11:32 . 2009-05-08 11:32 -------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-05-07 20:36 . 2009-05-07 20:36 664 ----a-w c:\windows\system32\d3d9caps.dat

2009-04-30 09:48 . 2009-04-30 09:48 1025 ----a-w c:\windows\system32\clauth1.dll

2009-04-30 09:48 . 2009-04-30 09:48 1025 ----a-w c:\windows\system32\clauth2.dll

2009-04-30 09:48 . 2009-04-30 09:48 1025 ----a-w c:\windows\system32\sysprs7.dll

2009-04-30 09:48 . 2009-04-30 09:48 -------- d-----w c:\documents and settings\All Users\Application Data\Minnetonka Audio Software

2009-04-27 07:10 . 2009-04-27 07:10 -------- d-----w c:\documents and settings\Danica\Application Data\SmartCom

2009-04-24 11:49 . 2008-04-13 14:16 51200 -c--a-w c:\windows\system32\dllcache\msdv.sys

2009-04-24 11:49 . 2008-04-13 14:16 51200 ----a-w c:\windows\system32\drivers\msdv.sys

2009-04-23 12:48 . 2008-04-13 14:09 5376 ----a-w c:\windows\system32\MSPCLOCK.sys

2009-04-23 12:48 . 2001-11-04 23:23 299923 ----a-w c:\windows\system32\drivers\sonyhcs.sys

2009-04-23 12:48 . 2001-11-04 23:23 38739 ----a-w c:\windows\system32\drivers\sonyhcc.sys

2009-04-23 12:48 . 2001-07-03 10:39 3654 ----a-w c:\windows\system32\drivers\Sonyhcp.dll

2009-04-23 12:48 . 2001-11-04 23:23 6097 ----a-w c:\windows\system32\drivers\sonyhcb.sys

2009-04-23 12:48 . 2001-07-03 10:33 53248 ----a-w c:\windows\system32\SONYHCY.DLL

2009-04-23 12:48 . 2002-10-15 12:41 102220 ----a-w c:\windows\system32\drivers\sonypvs1.sys

2009-04-23 12:36 . 2008-04-13 14:15 60032 -c--a-w c:\windows\system32\dllcache\usbaudio.sys

2009-04-23 12:36 . 2008-04-13 14:15 60032 ----a-w c:\windows\system32\drivers\USBAUDIO.sys

2009-04-23 12:25 . 2009-04-23 12:25 -------- d-----w c:\program files\Adobe Media Player

2009-04-23 12:23 . 2009-04-23 12:23 -------- d-----w c:\program files\Common Files\Adobe AIR

2009-04-19 07:18 . 2009-04-19 07:18 -------- d-----w c:\documents and settings\All Users\Application Data\id Software

2009-04-19 00:03 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-19 00:03 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe

2009-04-19 00:03 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-19 00:03 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe

2009-04-19 00:03 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-19 00:03 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-19 00:02 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-19 00:02 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-04-19 00:02 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-04-19 00:02 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-04-18 23:57 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-18 23:57 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-09 11:17 . 2008-09-14 03:27 -------- d-----w c:\program files\AVG8

2009-05-09 00:28 . 2006-10-29 18:00 -------- d-----w c:\program files\Microsoft SQL Server

2009-05-08 08:31 . 2009-03-30 07:46 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-27 04:06 . 2009-04-08 05:46 96456 ----a-w c:\documents and settings\Danica\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-23 12:48 . 2006-08-28 20:42 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-23 12:35 . 2007-02-15 12:39 96456 ----a-w c:\documents and settings\Nic\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-23 12:28 . 2006-08-28 22:35 -------- d-----w c:\program files\Common Files\Adobe

2009-04-22 07:02 . 2009-03-14 04:53 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-04-22 07:02 . 2009-03-14 04:53 189784 ----a-w c:\windows\system32\PnkBstrB.exe

2009-04-19 07:19 . 2009-03-14 04:53 22328 ----a-w c:\documents and settings\Nic\Application Data\PnkBstrK.sys

2009-04-19 07:19 . 2009-03-14 04:52 2246144 ----a-w c:\windows\system32\pbsvc.exe

2009-04-08 07:40 . 2009-02-20 02:51 77446 ----a-w c:\windows\War3Unin.dat

2009-04-06 05:32 . 2009-03-30 07:46 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 05:32 . 2009-03-30 07:46 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-05 08:00 . 2009-04-05 08:00 410984 ----a-w c:\windows\system32\deploytk.dll

2009-04-05 08:00 . 2006-08-28 22:33 -------- d-----w c:\program files\Java

2009-03-30 08:16 . 2007-03-11 22:56 -------- d-----w c:\program files\CommSec Professional Trader

2009-03-30 08:15 . 2007-02-21 19:41 -------- d-----w c:\program files\Siber Systems

2009-03-27 21:59 . 2009-03-27 21:59 50 ----a-w c:\windows\system32\bridf08b.dat

2009-03-27 21:59 . 2009-03-27 21:58 -------- d-----w c:\program files\Brother

2009-03-27 21:58 . 2009-03-27 21:58 -------- d-----w c:\program files\Nuance

2009-03-27 21:55 . 2009-03-27 21:55 -------- d-----w c:\program files\Common Files\ScanSoft Shared

2009-03-27 21:55 . 2006-08-28 20:42 -------- d-----w c:\program files\Common Files\InstallShield

2009-03-27 21:55 . 2009-03-27 21:55 -------- d-----w c:\program files\ScanSoft

2009-03-26 08:35 . 2009-03-14 04:52 75064 ----a-w c:\windows\system32\PnkBstrA.exe

2009-03-21 10:22 . 2009-03-21 10:22 -------- d-----w c:\program files\D-Link

2009-03-21 00:26 . 2009-03-21 00:26 -------- d-----w c:\program files\iTunes

2009-03-21 00:26 . 2009-03-21 00:26 -------- d-----w c:\program files\iPod

2009-03-21 00:26 . 2008-09-14 03:30 -------- d-----w c:\program files\Common Files\Apple

2009-03-20 08:40 . 2009-03-20 05:54 -------- d-----w c:\program files\Canon

2009-03-20 04:39 . 2009-03-20 04:39 -------- d-----w c:\program files\Common Files\Canon

2009-03-17 20:08 . 2007-04-15 06:39 -------- d-----w c:\program files\Notebook Hardware Control

2009-03-17 20:06 . 2009-03-17 20:06 -------- d-----w c:\program files\DIY DataRecovery iRecover

2009-03-17 19:59 . 2009-03-17 19:59 -------- d-----w c:\program files\Recover Files

2009-03-17 10:44 . 2009-03-17 10:44 -------- d-----w c:\program files\DiskInternals

2009-03-15 08:07 . 2009-03-15 08:07 -------- d-----w c:\program files\AbleMP3

2009-03-15 05:46 . 2009-03-15 05:46 -------- d-----w c:\program files\Seagate

2009-03-13 07:33 . 2009-03-13 07:33 -------- d-----w c:\program files\Common Files\PACE Anti-Piracy

2009-03-12 09:21 . 2009-03-12 09:21 -------- d-----w c:\program files\Antares Audio Technologies

2009-03-11 00:52 . 2008-05-21 01:47 -------- d-----w c:\program files\Microsoft Silverlight

2009-03-08 08:10 . 2009-03-08 08:10 356352 ----a-w c:\windows\eSellerateEngine.dll

2009-03-06 14:22 . 2006-08-28 01:45 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-03 00:18 . 2006-08-28 01:45 826368 ----a-w c:\windows\system32\wininet.dll

2009-02-20 18:09 . 2006-08-28 01:45 78336 ----a-w c:\windows\system32\ieencode.dll

2009-02-20 03:03 . 2009-02-20 02:51 2829 ----a-w c:\windows\War3Unin.pif

2009-02-20 03:03 . 2009-02-20 02:51 139264 ----a-w c:\windows\War3Unin.exe

2009-02-09 12:10 . 2006-08-28 01:45 729088 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 12:10 . 2006-08-28 01:45 401408 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 12:10 . 2006-08-28 01:45 714752 ----a-w c:\windows\system32\ntdll.dll

2009-02-09 12:10 . 2006-08-28 01:45 617472 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 11:13 . 2006-08-28 01:45 1846784 ----a-w c:\windows\system32\win32k.sys

2008-11-12 04:04 . 2008-11-12 04:04 17209 ----a-w c:\program files\Common Files\yzuzaluqu.lib

2008-11-12 04:04 . 2008-11-12 04:04 14491 ----a-w c:\program files\Common Files\jyquhaq._dl

2008-10-21 02:39 . 2008-10-21 02:39 604 ---ha-w c:\program files\STLL Notifier

2007-07-16 11:26 . 2007-03-27 21:25 135680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-05-08_09.11.55 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-11-06 16:19 . 2007-11-06 16:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

+ 2008-07-28 20:07 . 2008-07-28 20:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

+ 2008-07-28 20:07 . 2008-07-28 20:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2009-05-09 11:17 . 2009-05-09 11:17 16384 c:\windows\Temp\Perflib_Perfdata_594.dat

+ 2009-05-09 11:17 . 2009-05-09 11:17 16384 c:\windows\Temp\Perflib_Perfdata_344.dat

+ 2009-05-08 11:33 . 2009-02-13 02:50 28376 c:\windows\system32\drivers\ssmdrv.sys

+ 2009-05-08 11:33 . 2009-03-30 00:33 96104 c:\windows\system32\drivers\avipbb.sys

+ 2009-05-08 11:33 . 2009-02-13 02:29 22360 c:\windows\system32\drivers\avgntmgr.sys

+ 2009-05-08 11:33 . 2009-02-13 02:17 45416 c:\windows\system32\drivers\avgntdd.sys

+ 2008-07-28 22:05 . 2008-07-28 22:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-28 17:54 . 2008-07-28 17:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

+ 2008-07-28 22:05 . 2008-07-28 22:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2008-09-07 07:20 143360 ----a-w d:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2008-09-07 07:20 143360 ----a-w d:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2008-09-07 07:20 143360 ----a-w d:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"SandboxieControl"="d:\program files\Sandboxie\SbieCtrl.exe" [2009-04-13 365568]

"Google Update"="c:\documents and settings\Nic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-08 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 1164912]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 1941784]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 87584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"KONICA MINOLTA magicolor 2500W STD"="c:\windows\system32\MSTMON02.EXE" [2006-03-08 192512]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

"D-Link Network USB Utility"="c:\program files\D-Link\SharePort\SharePort Network USB Utility.exe" [2008-12-26 2605312]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-24 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-30 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-18 1089536]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-05 148888]

"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-23 437160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

E-Flyer.lnk - c:\program files\Sony\E-Flyer\E-Flyer.exe [2006-8-29 491520]

c:\documents and settings\Guest\Start Menu\Programs\Startup\

E-Flyer.lnk - c:\program files\Sony\E-Flyer\E-Flyer.exe [2006-8-29 491520]

c:\documents and settings\Nic\Start Menu\Programs\Startup\

Dropbox.lnk - d:\program files\Dropbox\Dropbox.exe [2008-9-26 24096981]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

FP10 Control Panel.lnk - c:\program files\PreSonus\1394AudioDriver_FP10\FP10.exe [2009-3-10 1126400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6jqxx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=

"c:\\Program Files\\Laplink\\PCmover\\PCmover.exe"=

"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=

"c:\\Program Files\\IEPro\\MiniDM.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\system32\\winver.exe"=

"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Cakewalk Sonar\\SONAR 6 Producer Edition\\Shared Utilities\\VstScan.exe"=

"d:\\Program Files\\Cakewalk\\Sonar 8 Studio\\SONARSTD.EXE"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\D-Link\\SharePort\\SharePort Network USB Utility.exe"=

"d:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

"9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port

"4602:TCP"= 4602:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

"3592:TCP"= 3592:TCP:Akamai NetSession Interface

"1822:TCP"= 1822:TCP:Akamai NetSession Interface

"2467:TCP"= 2467:TCP:Akamai NetSession Interface

"3181:TCP"= 3181:TCP:Akamai NetSession Interface

"3847:TCP"= 3847:TCP:Akamai NetSession Interface

"3906:TCP"= 3906:TCP:Akamai NetSession Interface

"1037:TCP"= 1037:TCP:Akamai NetSession Interface

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundTimestampRequest"= 1 (0x1)

"AllowInboundMaskRequest"= 1 (0x1)

"AllowInboundRouterRequest"= 1 (0x1)

"AllowOutboundDestinationUnreachable"= 1 (0x1)

"AllowOutboundSourceQuench"= 1 (0x1)

"AllowOutboundParameterProblem"= 1 (0x1)

"AllowOutboundTimeExceeded"= 1 (0x1)

"AllowRedirect"= 1 (0x1)

"AllowOutboundPacketTooBig"= 1 (0x1)

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [23/04/2009 10:48 PM 6097]

R0 WPXT;WinPcap Packet Driver (WPXT);c:\windows\system32\drivers\wpxt.sys [19/12/2007 5:34 PM 35328]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [8/05/2009 9:33 PM 108289]

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 5:50 PM 30312]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [28/10/2008 3:42 PM 156968]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 6:19 PM 13592]

R3 DlinkUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\DlinkUDSMBus.sys [11/11/2008 2:01 PM 74624]

R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [30/09/2006 2:05 AM 29312]

R3 SbieDrv;SbieDrv;d:\program files\Sandboxie\SbieDrv.sys [14/04/2009 2:51 AM 107520]

R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [28/08/2006 11:46 AM 30080]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [28/08/2006 11:46 AM 808448]

S0 ati6jqxx;ati6jqxx;c:\windows\system32\Drivers\ati6jqxx.sys --> c:\windows\system32\Drivers\ati6jqxx.sys [?]

S3 DlinkUDSTcpBus;DlinkUDSTcpBus;c:\windows\system32\drivers\DlinkUDSTcpBus.sys [11/11/2008 2:01 PM 97664]

S3 L6PODX3LV;POD X3 Live Service;c:\windows\system32\drivers\L6PODX3LV.sys [25/08/2008 7:30 PM 530560]

S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\drivers\L6TPortB.sys [30/09/2006 2:01 AM 530560]

S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [26/02/2008 10:08 PM 29183504]

S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [23/04/2009 10:48 PM 299923]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

.

Contents of the 'Scheduled Tasks' folder

2009-05-09 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-30 06:56]

2009-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-449545699-1370044024-995057197-1005.job

- c:\documents and settings\Nic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-08 02:00]

2009-05-09 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 08:20]

2009-05-09 c:\windows\Tasks\OGADaily.job

- c:\windows\system32\OGAVerify.exe [2008-12-31 06:04]

2009-05-09 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAVerify.exe [2008-12-31 06:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://vaio-online.sony.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

IE: {{1fb575b2-eb1c-431b-8873-9fb454379b62} - {1fb575b2-eb1c-431b-8873-9fb454379b62} - mscoree.dll

IE: {{e05e75e9-a653-42a3-8d05-f2f7e309bdca} - {e05e75e9-a653-42a3-8d05-f2f7e309bdca} - mscoree.dll

Trusted Zone: iress.com.au\web

Trusted Zone: line6.net

Trusted Zone: macquarie.com.au\www

Trusted Zone: macquariecfd.com.au\www

Handler: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - c:\program files\WebArchiver\ssp.dll

DPF: {15A02B79-60BB-42B8-814E-BF8364106B9E} - hxxp://images.commsec.com.au/downloads/pco3/Pco3X_Commsec.cab

DPF: {D00E9550-440D-4EF8-BFCE-174300890C05} - hxxp://www.gomusic.ru/cabs/xdownloader.cab

FF - ProfilePath - c:\documents and settings\Nic\Application Data\Mozilla\Firefox\Profiles\musrczsx.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.quakelive.com/#home

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-09 21:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:02,25,ec,9f,c6,da,40,46,45,5c,73,e9,4a,d4,7b,32,2c,e9,05,30,06,

dc,cd,1f,1f,90,30,5e,ac,c9,d7,a4,34,2a,8b,6f,bd,7a,ab,b3,a0,22,b5,6f,65,57,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:02,25,ec,9f,c6,da,40,46,45,5c,73,e9,4a,d4,7b,32,2c,e9,05,30,06,

dc,cd,1f,1f,90,30,5e,ac,c9,d7,a4,34,2a,8b,6f,bd,7a,ab,b3,a0,22,b5,6f,65,57,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1404)

c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1000)

d:\program files\Dropbox\DropboxExt.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-05-09 21:34

ComboFix-quarantined-files.txt 2009-05-09 11:33

ComboFix2.txt 2009-05-08 09:19

Pre-Run: 2,702,573,568 bytes free

Post-Run: 2,720,911,360 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

332 --- E O F --- 2009-05-09 00:28


  • Staff

Hi,

Go to Start > Run and copy and paste the next command:

sc delete ati6jqxx

Hit enter.

Then open Notepad and copy and paste the text in the quote box below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6jqxx.sys]

Save this as fix.reg, choose to save as "All Files", and place it on your desktop.

It should look like this: reg.gif

Double-click on it and, when it asks whether you want to merge the contents into the registry, click Yes/OK.

You also need to change all your passwords, because you were dealing with a Password Stealer.

I need to see the previous logs from Combofix. They are present in the C:\Qoobox folder.

Can you attach the logs Combofix2.txt and Combofix3.txt in your next reply?

Also attach the ComboFix-quarantined-files.txt

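The staff reply above singles out one line of the log (the stopped boot-start driver `ati6jqxx` whose image ComboFix could not open, mirrored by a SafeBoot\Minimal key) and turns it into two fixes: `sc delete` and a REGEDIT4 file. The script below is an added example, not part of the thread and not ComboFix's or Malwarebytes' code; it applies the same reading to the log's service lines and loading points and prints the same two fixes. It assumes that ComboFix's `[?]` in place of the date/size means the image could not be opened (every `[?]` entry in this log is either the missing driver or an exe with command-line arguments), and the HIGH/MEDIUM/INFO ranking is this example's own heuristic. The sample input is a constructed excerpt copied from the log posted earlier in the thread.

```python
"""ComboFix log triage: added example for this thread, not ComboFix's or Malwarebytes' code.
Parses the service lines ("R0 name;display;image [...]") and the REGEDIT4 loading points,
flags kernel drivers whose image ComboFix could not open ("[?]" instead of date/size), rates
them higher when boot-start (R0/S0) or kept alive by a SafeBoot\\Minimal key, flags flipped
Security Center / firewall-policy values, and emits the remediation the staff reply gives.
Severity levels are this example's own heuristic."""
import re

SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
SAFEBOOT_PREFIX = "system\\currentcontrolset\\control\\safeboot\\minimal\\"

# (normalised key, value name) -> value that indicates tampering on an XP box.
BAD_VALUES = {
    ("software\\microsoft\\security center", "antivirusoverride"): "dword:00000001",
    ("software\\microsoft\\security center", "firewalloverride"): "dword:00000001",
    ("~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile", "enablefirewall"): "0",
}

# Constructed sample: lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6jqxx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [23/04/2009 10:48 PM 6097]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S0 ati6jqxx;ati6jqxx;c:\windows\system32\Drivers\ati6jqxx.sys --> c:\windows\system32\Drivers\ati6jqxx.sys [?]
"""


def parse(text):
    """Return (services, safeboot_entries, reg_values) from ComboFix log text."""
    services, safeboot, values, key = [], [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            # Lower-case and strip the hive so HKLM\ and HKEY_LOCAL_MACHINE\ compare equal.
            key = re.sub(r"^(hkey_local_machine|hklm)\\", "", m.group("key").lower())
            if key.startswith(SAFEBOOT_PREFIX):
                safeboot.append(key[len(SAFEBOOT_PREFIX):])
        elif (m := VALUE_RE.match(line)) and key is not None:
            # "0 (0x0)" and "dword:00000001" both reduce to their first token.
            values[(key, m.group("name").lower())] = m.group("value").split()[0]
        elif m := SERVICE_RE.match(line):
            svc = m.groupdict()
            # ComboFix prints "path [date size]" for an image it opened and
            # "path --> path [?]" for one it could not; keep only the bare path.
            svc["missing"] = svc["image"].endswith("[?]")
            svc["path"] = svc["image"].split(" --> ")[0].split(" [")[0].strip()
            services.append(svc)
    return services, safeboot, values


def triage(text):
    """Return findings as dicts with severity, subject, reasons and safeboot."""
    services, safeboot, values = parse(text)
    stems = {e[:-4] if e.endswith(".sys") else e for e in safeboot}
    findings = []
    for svc in (s for s in services if s["missing"]):
        name, path = svc["name"].strip(), svc["path"].lower()
        in_safeboot = name.lower() in stems
        if path.endswith(".sys"):
            sev, reasons = "HIGH", ["kernel driver image not found (hidden or deleted)"]
            if svc["start"] in ("R0", "S0"):
                reasons.append("boot-start driver (start type 0), loads before most security software")
            if in_safeboot:
                reasons.append("SafeBoot\\Minimal key keeps it loading in Safe Mode")
        elif " -" in path:  # e.g. sqlservr.exe -sINSTANCE: a path with arguments never resolves
            sev, reasons = "INFO", ["image path carries arguments, usually benign"]
        else:
            sev, reasons = "MEDIUM", ["user-mode service image not found"]
        findings.append({"severity": sev, "subject": name, "reasons": reasons, "safeboot": in_safeboot})
    for (key, vname), bad in BAD_VALUES.items():
        if values.get((key, vname)) == bad:
            findings.append({"severity": "MEDIUM", "subject": vname, "safeboot": False,
                             "reasons": [f"{key}\\{vname}={bad}: monitoring or firewall overridden"]})
    return findings


def remediation(findings):
    """sc delete for each HIGH finding, plus a REGEDIT4 file dropping its SafeBoot\\Minimal key."""
    cmds, reg = [], ["REGEDIT4", ""]
    for f in (x for x in findings if x["severity"] == "HIGH"):
        cmds.append(f"sc delete {f['subject']}")
        if f["safeboot"]:
            reg.append(f"[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\{f['subject']}.sys]")
            reg.append("")
    return "\n".join(cmds), "\n".join(reg)


if __name__ == "__main__":
    print("\n".join(f"{f['severity']:6} {f['subject']:18} " + "; ".join(f["reasons"]) for f in triage(SAMPLE_LOG)))
    print(*remediation(triage(SAMPLE_LOG)), sep="\n\n")
```

Run it as-is to see the sample triaged, or feed a real log with `triage(open("ComboFix.txt", encoding="cp1252", errors="replace").read())`. Two caveats a practitioner would keep in mind: `[?]` on its own is not proof, as the two SQL Server entries in this log show (their image path carries arguments, so ComboFix cannot resolve it), and `sc delete` only removes the service registration; if the .sys file is present but hidden rather than gone, it still has to be quarantined by the removal tool.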

Did both of those things.

Attached are Combofix2.txt and ComboFix-quarantined-files.txt.

There was no ComboFix3.txt.

COMBOFIX2.txt:

ComboFix 09-05-07.06 - Nic 08/05/2009 19:03.1 - NTFSx86Microsoft Windows XP Professional  5.1.2600.3.1252.61.1033.18.2046.1414 [GMT 10:00]Running from: g:\downloads\ComboFix.exeAV: AVG Anti-Virus Free *On-access scanning enabled* (Updated).
(((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))).
c:\docume~1\Nic\LOCALS~1\Temp\catchme.dllc:\documents and settings\Nic\Local Settings\Temp\catchme.dllc:\documents and settings\Nic\Local Settings\Temporary Internet Files\bestwiner.sttc:\documents and settings\Nic\Local Settings\Temporary Internet Files\Cpvff.sttc:\documents and settings\Nic\Local Settings\Temporary Internet Files\fbk.stsc:\documents and settings\Nic\Local Settings\Temporary Internet Files\yvawa._syc:\windows\IE4 Error Log.txtc:\windows\system32\lsprst7.dllc:\windows\system32\ssprs.dllc:\windows\system32\TDSSiero.datG:\Autorun.inf
.(((((((((((((((((((((((((((((((((((((((   Drivers/Services   ))))))))))))))))))))))))))))))))))))))))))))))))).
-------\Legacy_PACKET-------\Legacy_tdssserv.sys-------\Service_tdssserv.sys
(((((((((((((((((((((((((   Files Created from 2009-04-08 to 2009-05-08  ))))))))))))))))))))))))))))))).
2009-05-07 20:36 . 2009-05-07 20:36	664	----a-w	c:\windows\system32\d3d9caps.dat2009-04-30 09:48 . 2009-04-30 09:48	1025	----a-w	c:\windows\system32\clauth1.dll2009-04-30 09:48 . 2009-04-30 09:48	1025	----a-w	c:\windows\system32\clauth2.dll2009-04-30 09:48 . 2009-04-30 09:48	1025	----a-w	c:\windows\system32\sysprs7.dll2009-04-30 09:48 . 2009-04-30 09:48	--------	d-----w	c:\documents and settings\All Users\Application Data\Minnetonka Audio Software2009-04-27 07:10 . 2009-04-27 07:10	--------	d-----w	c:\documents and settings\Danica\Application Data\SmartCom2009-04-24 11:49 . 2008-04-13 14:16	51200	-c--a-w	c:\windows\system32\dllcache\msdv.sys2009-04-24 11:49 . 2008-04-13 14:16	51200	----a-w	c:\windows\system32\drivers\msdv.sys2009-04-23 12:48 . 2008-04-13 14:09	5376	----a-w	c:\windows\system32\MSPCLOCK.sys2009-04-23 12:48 . 2001-11-04 23:23	299923	----a-w	c:\windows\system32\drivers\sonyhcs.sys2009-04-23 12:48 . 2001-11-04 23:23	38739	----a-w	c:\windows\system32\drivers\sonyhcc.sys2009-04-23 12:48 . 2001-07-03 10:39	3654	----a-w	c:\windows\system32\drivers\Sonyhcp.dll2009-04-23 12:48 . 2001-11-04 23:23	6097	----a-w	c:\windows\system32\drivers\sonyhcb.sys2009-04-23 12:48 . 2001-07-03 10:33	53248	----a-w	c:\windows\system32\SONYHCY.DLL2009-04-23 12:48 . 2002-10-15 12:41	102220	----a-w	c:\windows\system32\drivers\sonypvs1.sys2009-04-23 12:36 . 2008-04-13 14:15	60032	-c--a-w	c:\windows\system32\dllcache\usbaudio.sys2009-04-23 12:36 . 2008-04-13 14:15	60032	----a-w	c:\windows\system32\drivers\USBAUDIO.sys2009-04-23 12:25 . 2009-04-23 12:25	--------	d-----w	c:\program files\Adobe Media Player2009-04-23 12:23 . 2009-04-23 12:23	--------	d-----w	c:\program files\Common Files\Adobe AIR2009-04-19 07:18 . 2009-04-19 07:18	--------	d-----w	c:\documents and settings\All Users\Application Data\id Software2009-04-19 00:03 . 2009-03-06 14:22	284160	-c----w	c:\windows\system32\dllcache\pdh.dll2009-04-19 00:03 . 
2009-02-06 10:39	35328	-c----w	c:\windows\system32\dllcache\sc.exe2009-04-19 00:03 . 2009-02-09 12:10	401408	-c----w	c:\windows\system32\dllcache\rpcss.dll2009-04-19 00:03 . 2009-02-06 11:11	110592	-c----w	c:\windows\system32\dllcache\services.exe2009-04-19 00:03 . 2009-02-09 12:10	473600	-c----w	c:\windows\system32\dllcache\fastprox.dll2009-04-19 00:03 . 2009-02-06 10:10	227840	-c----w	c:\windows\system32\dllcache\wmiprvse.exe2009-04-19 00:02 . 2009-02-09 12:10	453120	-c----w	c:\windows\system32\dllcache\wmiprvsd.dll2009-04-19 00:02 . 2009-02-09 12:10	729088	-c----w	c:\windows\system32\dllcache\lsasrv.dll2009-04-19 00:02 . 2009-02-09 12:10	617472	-c----w	c:\windows\system32\dllcache\advapi32.dll2009-04-19 00:02 . 2009-02-09 12:10	714752	-c----w	c:\windows\system32\dllcache\ntdll.dll2009-04-18 23:57 . 2008-05-03 11:55	2560	------w	c:\windows\system32\xpsp4res.dll2009-04-18 23:57 . 2008-04-21 12:08	215552	-c----w	c:\windows\system32\dllcache\wordpad.exe
.((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-05-08 09:09 . 2008-09-14 03:27	--------	d-----w	c:\program files\AVG82009-05-08 08:31 . 2009-03-30 07:46	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware2009-05-08 04:51 . 2008-11-12 08:40	11952	----a-w	c:\windows\system32\avgrsstx.dll2009-05-08 04:51 . 2008-11-12 08:40	325896	----a-w	c:\windows\system32\drivers\avgldx86.sys2009-05-08 04:51 . 2008-11-12 08:40	108552	----a-w	c:\windows\system32\drivers\avgtdix.sys2009-05-07 20:52 . 2006-10-29 18:00	--------	d-----w	c:\program files\Microsoft SQL Server2009-04-27 04:06 . 2009-04-08 05:46	96456	----a-w	c:\documents and settings\Danica\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2009-04-23 12:48 . 2006-08-28 20:42	--------	d--h--w	c:\program files\InstallShield Installation Information2009-04-23 12:35 . 2007-02-15 12:39	96456	----a-w	c:\documents and settings\Nic\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2009-04-23 12:28 . 2006-08-28 22:35	--------	d-----w	c:\program files\Common Files\Adobe2009-04-22 07:02 . 2009-03-14 04:53	138944	----a-w	c:\windows\system32\drivers\PnkBstrK.sys2009-04-22 07:02 . 2009-03-14 04:53	189784	----a-w	c:\windows\system32\PnkBstrB.exe2009-04-19 07:19 . 2009-03-14 04:53	22328	----a-w	c:\documents and settings\Nic\Application Data\PnkBstrK.sys2009-04-19 07:19 . 2009-03-14 04:52	2246144	----a-w	c:\windows\system32\pbsvc.exe2009-04-08 07:40 . 2009-02-20 02:51	77446	----a-w	c:\windows\War3Unin.dat2009-04-06 05:32 . 2009-03-30 07:46	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys2009-04-06 05:32 . 2009-03-30 07:46	15504	----a-w	c:\windows\system32\drivers\mbam.sys2009-04-05 08:00 . 2009-04-05 08:00	410984	----a-w	c:\windows\system32\deploytk.dll2009-04-05 08:00 . 2006-08-28 22:33	--------	d-----w	c:\program files\Java2009-03-30 08:16 . 2007-03-11 22:56	--------	d-----w	c:\program files\CommSec Professional Trader2009-03-30 08:15 . 
2007-02-21 19:41	--------	d-----w	c:\program files\Siber Systems2009-03-27 21:59 . 2009-03-27 21:59	50	----a-w	c:\windows\system32\bridf08b.dat2009-03-27 21:59 . 2009-03-27 21:58	--------	d-----w	c:\program files\Brother2009-03-27 21:58 . 2009-03-27 21:58	--------	d-----w	c:\program files\Nuance2009-03-27 21:55 . 2009-03-27 21:55	--------	d-----w	c:\program files\Common Files\ScanSoft Shared2009-03-27 21:55 . 2006-08-28 20:42	--------	d-----w	c:\program files\Common Files\InstallShield2009-03-27 21:55 . 2009-03-27 21:55	--------	d-----w	c:\program files\ScanSoft2009-03-26 08:35 . 2009-03-14 04:52	75064	----a-w	c:\windows\system32\PnkBstrA.exe2009-03-21 10:22 . 2009-03-21 10:22	--------	d-----w	c:\program files\D-Link2009-03-21 00:26 . 2009-03-21 00:26	--------	d-----w	c:\program files\iTunes2009-03-21 00:26 . 2009-03-21 00:26	--------	d-----w	c:\program files\iPod2009-03-21 00:26 . 2008-09-14 03:30	--------	d-----w	c:\program files\Common Files\Apple2009-03-20 08:40 . 2009-03-20 05:54	--------	d-----w	c:\program files\Canon2009-03-20 04:39 . 2009-03-20 04:39	--------	d-----w	c:\program files\Common Files\Canon2009-03-17 20:08 . 2007-04-15 06:39	--------	d-----w	c:\program files\Notebook Hardware Control2009-03-17 20:06 . 2009-03-17 20:06	--------	d-----w	c:\program files\DIY DataRecovery iRecover2009-03-17 19:59 . 2009-03-17 19:59	--------	d-----w	c:\program files\Recover Files2009-03-17 10:44 . 2009-03-17 10:44	--------	d-----w	c:\program files\DiskInternals2009-03-15 08:07 . 2009-03-15 08:07	--------	d-----w	c:\program files\AbleMP32009-03-15 05:46 . 2009-03-15 05:46	--------	d-----w	c:\program files\Seagate2009-03-13 07:33 . 2009-03-13 07:33	--------	d-----w	c:\program files\Common Files\PACE Anti-Piracy2009-03-12 09:21 . 2009-03-12 09:21	--------	d-----w	c:\program files\Antares Audio Technologies2009-03-11 00:52 . 2008-05-21 01:47	--------	d-----w	c:\program files\Microsoft Silverlight2009-03-10 07:18 . 
2009-03-10 07:18	--------	d-----w	c:\program files\PreSonus2009-03-08 08:10 . 2009-03-08 08:10	356352	----a-w	c:\windows\eSellerateEngine.dll2009-03-06 14:22 . 2006-08-28 01:45	284160	----a-w	c:\windows\system32\pdh.dll2009-03-03 00:18 . 2006-08-28 01:45	826368	----a-w	c:\windows\system32\wininet.dll2009-02-20 18:09 . 2006-08-28 01:45	78336	----a-w	c:\windows\system32\ieencode.dll2009-02-20 03:03 . 2009-02-20 02:51	2829	----a-w	c:\windows\War3Unin.pif2009-02-20 03:03 . 2009-02-20 02:51	139264	----a-w	c:\windows\War3Unin.exe2009-02-09 12:10 . 2006-08-28 01:45	729088	----a-w	c:\windows\system32\lsasrv.dll2009-02-09 12:10 . 2006-08-28 01:45	401408	----a-w	c:\windows\system32\rpcss.dll2009-02-09 12:10 . 2006-08-28 01:45	714752	----a-w	c:\windows\system32\ntdll.dll2009-02-09 12:10 . 2006-08-28 01:45	617472	----a-w	c:\windows\system32\advapi32.dll2009-02-09 11:13 . 2006-08-28 01:45	1846784	----a-w	c:\windows\system32\win32k.sys2008-11-12 04:04 . 2008-11-12 04:04	17209	----a-w	c:\program files\Common Files\yzuzaluqu.lib2008-11-12 04:04 . 2008-11-12 04:04	14491	----a-w	c:\program files\Common Files\jyquhaq._dl2008-10-21 02:39 . 2008-10-21 02:39	604	---ha-w	c:\program files\STLL Notifier2007-07-16 11:26 . 2007-03-27 21:25	135680	----a-w	c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]2008-09-07 07:20	143360	----a-w	d:\program files\Dropbox\DropboxExt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]2008-09-07 07:20	143360	----a-w	d:\program files\Dropbox\DropboxExt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]2008-09-07 07:20	143360	----a-w	d:\program files\Dropbox\DropboxExt.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]"SandboxieControl"="d:\program files\Sandboxie\SbieCtrl.exe" [2009-04-13 365568]"Google Update"="c:\documents and settings\Nic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-08 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 1164912]"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 1941784]"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 87584]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]"KONICA MINOLTA magicolor 2500W STD"="c:\windows\system32\MSTMON02.EXE" [2006-03-08 192512]"AVG8_TRAY"="c:\progra~1\AVG8\avgtray.exe" [2009-05-08 1947928]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]"D-Link Network USB Utility"="c:\program files\D-Link\SharePort\SharePort Network USB Utility.exe" [2008-12-26 2605312]"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-24 210472]"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-30 328992]"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-18 
1089536]"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-05 148888]"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-23 437160]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\E-Flyer.lnk - c:\program files\Sony\E-Flyer\E-Flyer.exe [2006-8-29 491520]
c:\documents and settings\Guest\Start Menu\Programs\Startup\E-Flyer.lnk - c:\program files\Sony\E-Flyer\E-Flyer.exe [2006-8-29 491520]
c:\documents and settings\Nic\Start Menu\Programs\Startup\Dropbox.lnk - d:\program files\Dropbox\Dropbox.exe [2008-9-26 24096981]
c:\documents and settings\All Users\Start Menu\Programs\Startup\FP10 Control Panel.lnk - c:\program files\PreSonus\1394AudioDriver_FP10\FP10.exe [2009-3-10 1126400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]2009-05-08 04:51	11952	----a-w	c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6jqxx.sys]@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusOverride"=dword:00000001"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="c:\\Program Files\\MusicBrainz Picard\\picard.exe"="c:\\Program Files\\Laplink\\PCmover\\PCmover.exe"="c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"="c:\\Program Files\\IEPro\\MiniDM.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\WINDOWS\\system32\\winver.exe"="c:\\Program Files\\AVG8\\avgemc.exe"="c:\\Program Files\\AVG8\\avgupd.exe"="d:\\Program Files\\Ventrilo\\Ventrilo.exe"="c:\\WINDOWS\\system32\\PnkBstrA.exe"="c:\\WINDOWS\\system32\\PnkBstrB.exe"="c:\\Program Files\\Cakewalk Sonar\\SONAR 6 Producer Edition\\Shared Utilities\\VstScan.exe"="d:\\Program Files\\Cakewalk\\Sonar 8 Studio\\SONARSTD.EXE"="c:\\Program Files\\Mozilla Firefox\\firefox.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\D-Link\\SharePort\\SharePort Network USB Utility.exe"="d:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"67:UDP"= 67:UDP:DHCP Discovery Service"9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port"4602:TCP"= 4602:TCP:Akamai NetSession Interface"5000:UDP"= 5000:UDP:Akamai NetSession Interface"3592:TCP"= 3592:TCP:Akamai NetSession Interface"1822:TCP"= 1822:TCP:Akamai NetSession Interface"2467:TCP"= 2467:TCP:Akamai NetSession Interface"3181:TCP"= 3181:TCP:Akamai NetSession Interface"3847:TCP"= 3847:TCP:Akamai NetSession Interface"3906:TCP"= 3906:TCP:Akamai NetSession Interface"1037:TCP"= 1037:TCP:Akamai NetSession Interface
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]"AllowInboundTimestampRequest"= 1 (0x1)"AllowInboundMaskRequest"= 1 (0x1)"AllowInboundRouterRequest"= 1 (0x1)"AllowOutboundDestinationUnreachable"= 1 (0x1)"AllowOutboundSourceQuench"= 1 (0x1)"AllowOutboundParameterProblem"= 1 (0x1)"AllowOutboundTimeExceeded"= 1 (0x1)"AllowRedirect"= 1 (0x1)"AllowOutboundPacketTooBig"= 1 (0x1)
R0 WPXT;WinPcap Packet Driver (WPXT);c:\windows\system32\drivers\wpxt.sys [19/12/2007 5:34 PM 35328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/11/2008 6:40 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/11/2008 6:40 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG8\avgemc.exe [12/11/2008 6:40 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG8\avgwdsvc.exe [12/11/2008 6:40 PM 298776]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 5:50 PM 30312]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [28/10/2008 3:42 PM 156968]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 6:19 PM 13592]
R3 DlinkUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\DlinkUDSMBus.sys [11/11/2008 2:01 PM 74624]
R3 DlinkUDSTcpBus;DlinkUDSTcpBus;c:\windows\system32\drivers\DlinkUDSTcpBus.sys [11/11/2008 2:01 PM 97664]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [30/09/2006 2:05 AM 29312]
R3 SbieDrv;SbieDrv;d:\program files\Sandboxie\SbieDrv.sys [14/04/2009 2:51 AM 107520]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [28/08/2006 11:46 AM 30080]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [28/08/2006 11:46 AM 808448]
S0 ati6jqxx;ati6jqxx;c:\windows\system32\Drivers\ati6jqxx.sys --> c:\windows\system32\Drivers\ati6jqxx.sys [?]
S0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [23/04/2009 10:48 PM 6097]
S3 L6PODX3LV;POD X3 Live Service;c:\windows\system32\drivers\L6PODX3LV.sys [25/08/2008 7:30 PM 530560]
S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\drivers\L6TPortB.sys [30/09/2006 2:01 AM 530560]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [26/02/2008 10:08 PM 29183504]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [23/04/2009 10:48 PM 299923]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
.
Contents of the 'Scheduled Tasks' folder
2009-05-08 c:\windows\Tasks\Google Software Updater.job- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-30 06:56]
2009-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-449545699-1370044024-995057197-1005.job- c:\documents and settings\Nic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-08 02:00]
2009-05-08 c:\windows\Tasks\MP Scheduled Scan.job- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 08:20]
2009-05-07 c:\windows\Tasks\OGADaily.job- c:\windows\system32\OGAVerify.exe [2008-12-31 06:04]
2009-05-08 c:\windows\Tasks\OGALogon.job- c:\windows\system32\OGAVerify.exe [2008-12-31 06:04]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-AdobeBridge - (no file)
HKU-Default-Run-RoboForm - c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
SafeBoot-ati7vexx.sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://vaio-online.sony.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: {{1fb575b2-eb1c-431b-8873-9fb454379b62} - {1fb575b2-eb1c-431b-8873-9fb454379b62} - mscoree.dll
IE: {{e05e75e9-a653-42a3-8d05-f2f7e309bdca} - {e05e75e9-a653-42a3-8d05-f2f7e309bdca} - mscoree.dll
Trusted Zone: iress.com.au\web
Trusted Zone: line6.net
Trusted Zone: macquarie.com.au\www
Trusted Zone: macquariecfd.com.au\www
Handler: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - c:\program files\WebArchiver\ssp.dll
DPF: {15A02B79-60BB-42B8-814E-BF8364106B9E} - hxxp://images.commsec.com.au/downloads/pco3/Pco3X_Commsec.cab
DPF: {D00E9550-440D-4EF8-BFCE-174300890C05} - hxxp://www.gomusic.ru/cabs/xdownloader.cab
FF - ProfilePath - c:\documents and settings\Nic\Application Data\Mozilla\Firefox\Profiles\musrczsx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.quakelive.com/#home
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Nic\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPPco3_Commsec.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 19:11
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...  
scanning hidden autostart entries ... 
scanning hidden files ...  
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:02,25,ec,9f,c6,da,40,46,45,5c,73,e9,4a,d4,7b,32,2c,e9,05,30,06,
   dc,cd,1f,1f,90,30,5e,ac,c9,d7,a4,34,2a,8b,6f,bd,7a,ab,b3,a0,22,b5,6f,65,57,\
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:02,25,ec,9f,c6,da,40,46,45,5c,73,e9,4a,d4,7b,32,2c,e9,05,30,06,
   dc,cd,1f,1f,90,30,5e,ac,c9,d7,a4,34,2a,8b,6f,bd,7a,ab,b3,a0,22,b5,6f,65,57,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1388)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(1608)
d:\program files\Dropbox\DropboxExt.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\SmartCom\DragnDropCopyHook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
d:\program files\Sandboxie\SbieSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\AVG8\avgrsx.exe
c:\progra~1\AVG8\avgnsx.exe
c:\program files\AVG8\avgcsrvx.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-08 19:19 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-08 09:18
Pre-Run: 2,400,960,512 bytes free
Post-Run: 3,247,828,992 bytes free
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
370	--- E O F ---	2009-05-07 20:53

COMBOFIX-QUARANTINED-FILES.txt:

2009-05-08 09:17:22 . 2009-05-08 09:17:22	    558 ----a-w  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-ati7vexx.sys.reg.dat
2009-05-08 09:17:13 . 2009-05-08 09:17:13	    166 ----a-w  C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-RoboForm.reg.dat
2009-05-08 09:17:11 . 2009-05-08 09:17:11	     98 ----a-w  C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-AdobeBridge.reg.dat
2009-05-08 09:11:53 . 2009-05-08 09:11:53	 53,248 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\Nic\Local Settings\Temp\catchme.dll.vir
2009-05-08 09:05:14 . 2009-05-08 09:05:14	  2,432 ----a-w  C:\Qoobox\Quarantine\Registry_backups\Service_tdssserv.sys.reg.dat
2009-05-08 09:05:13 . 2009-05-08 09:05:13	  1,084 ----a-w  C:\Qoobox\Quarantine\Registry_backups\Legacy_tdssserv.sys.reg.dat
2009-05-08 09:05:13 . 2009-05-08 09:05:13	    282 ----a-w  C:\Qoobox\Quarantine\Registry_backups\Legacy_PACKET.reg.dat
2009-05-08 09:05:05 . 2009-05-09 11:30:57	  9,257 ----a-w  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-05-08 08:58:21 . 2009-05-09 11:26:59	    153 ----a-w  C:\Qoobox\Quarantine\catchme.log
2009-05-07 09:35:41 . 2009-05-07 09:35:41	  4,095 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\Nic\Local Settings\Temporary Internet Files\Cpvff.stt.vir
2009-05-06 22:40:12 . 2009-05-06 22:40:12	  4,095 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\Nic\Local Settings\Temporary Internet Files\bestwiner.stt.vir
2009-05-05 12:46:26 . 2009-05-05 12:46:26	  4,095 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\Nic\Local Settings\Temporary Internet Files\fbk.sts.vir
2009-04-30 09:48:00 . 2009-05-07 13:10:44	     73 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\ssprs.dll.vir
2009-04-30 09:48:00 . 2009-05-07 13:10:44	    205 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\lsprst7.dll.vir
2008-11-12 04:04:21 . 2008-11-12 04:04:21	 13,228 ----a-w  C:\Qoobox\Quarantine\C\Documents and Settings\Nic\Local Settings\Temporary Internet Files\yvawa._sy.vir
2008-11-12 00:40:42 . 2008-11-12 03:58:39	    527 -c--a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSiero.dat.vir
2007-07-22 21:26:02 . 2007-07-22 21:26:03	  1,316 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\IE4 Error Log.txt.vir
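The quarantine listing above is useful for triage once it is in a structured form: it tells you which system32 files and which services (the tdssserv entries) were removed, and where each .vir came from. Below is an added example, written for this page and not code from ComboFix or from the poster, that parses the ComboFix-quarantined-files.txt format. The four sample lines are copied from the log above; the regular expression, the class and function names, and the "registry / file / log" classification are my own assumptions about the format, based only on what the log shows. It also copes with the run-together form the forum paste produced, because the entries are split on the timestamp pattern rather than on newlines.

```python
"""Parse a ComboFix quarantine listing (ComboFix-quarantined-files.txt).

Added example; not ComboFix's or the forum's code. Assumes only the shape
visible in the posted log: created and modified timestamps separated by
' . ', a size with thousands separators, a 7-character attribute field and
a path under C:\\Qoobox\\Quarantine.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Sample input: four entries copied from the log posted above (a registry
# backup, two quarantined files and one of ComboFix's own logs).
SAMPLE = (
    "2009-05-08 09:17:22 . 2009-05-08 09:17:22\t\t\t  558 ----a-w  "
    "C:\\Qoobox\\Quarantine\\Registry_backups\\SafeBoot-ati7vexx.sys.reg.dat\n"
    "2009-05-08 09:11:53 . 2009-05-08 09:11:53\t\t   53,248 ----a-w  "
    "C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\Nic\\Local Settings\\Temp\\catchme.dll.vir\n"
    "2008-11-12 00:40:42 . 2008-11-12 03:58:39\t\t\t  527 -c--a-w  "
    "C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\TDSSiero.dat.vir\n"
    "2009-05-08 08:58:21 . 2009-05-09 11:26:59\t\t\t  153 ----a-w  "
    "C:\\Qoobox\\Quarantine\\catchme.log\n"
)

_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"

# One entry: two timestamps, size, attributes, then a path that runs until
# the next timestamp (so a paste with the newlines lost still parses) or EOF.
ENTRY_RE = re.compile(
    rf"(?P<created>{_TS}) \. (?P<modified>{_TS})\s+"
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{7})\s+"
    rf"(?P<path>.+?)\s*(?:(?={_TS} \. )|\Z)",
    re.S,
)

# Quarantined files keep their original drive letter as a directory:
# C:\Qoobox\Quarantine\C\WINDOWS\... was taken from C:\WINDOWS\...
_ORIGINAL_RE = re.compile(r"(?i)C:\\Qoobox\\Quarantine\\([A-Z])\\(.*)\.vir$")


@dataclass(frozen=True)
class QuarantineEntry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    path: str

    @property
    def kind(self) -> str:
        """What ComboFix stored: a registry backup (.reg.dat), a quarantined
        file (.vir) or one of its own logs (anything else)."""
        if "\\Registry_backups\\" in self.path:
            return "registry"
        if self.path.lower().endswith(".vir"):
            return "file"
        return "log"

    @property
    def original_path(self) -> Optional[str]:
        """Where a .vir file lived before quarantine; None for other kinds."""
        m = _ORIGINAL_RE.match(self.path)
        return f"{m.group(1)}:\\{m.group(2)}" if m else None


def parse_quarantine_listing(text: str) -> List[QuarantineEntry]:
    """Return every entry in the listing, in file order."""
    return [
        QuarantineEntry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M:%S"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            path=m["path"],
        )
        for m in ENTRY_RE.finditer(text)
    ]


def summarize(entries: List[QuarantineEntry]) -> Dict[str, List[str]]:
    """Group entries by kind; quarantined files are listed by original path,
    which is what a reviewer compares against the ComboFix and HijackThis logs."""
    out: Dict[str, List[str]] = {"registry": [], "file": [], "log": []}
    for e in entries:
        out[e.kind].append(e.original_path or e.path)
    return out


if __name__ == "__main__":
    for kind, paths in summarize(parse_quarantine_listing(SAMPLE)).items():
        print(kind)
        for p in paths:
            print("   ", p)
```

Run on the full listing, the "file" group gives the original locations of everything ComboFix pulled out (here the two system32 DLLs, the TDSSiero.dat file and the cached .stt/.sts files), which is the list to check against the other logs before deciding the machine is clean.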

  • Staff

Ok.

* Go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Here's the scan report. Took AGES to update and scan. The Z: and W: drives are external hard drives connected via the network. NOT the external HD I was talking about before, which I am yet to scan (will do that later on).

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0 REPORT

Sunday, May 10, 2009

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Saturday, May 09, 2009 14:42:48

Records in database: 2151052

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

W:\

Z:\

Scan statistics:

Files scanned: 214040

Threat name: 2

Infected objects: 3

Suspicious objects: 0

Duration of the scan: 04:04:17

File name / Threat name / Threats count

C:\Documents and Settings\Nic\Local Settings\Application Data\Microsoft\Outlook\backup.pst Infected: Trojan.Win32.Pakes.bmo 1

C:\Documents and Settings\Nic\My Documents\My Music\sspro_48.exe Infected: not-a-virus:Downloader.Win32.Agent.r 1

Z:\Nic\Downloads\sspro_48.exe Infected: not-a-virus:Downloader.Win32.Agent.r 1

The selected area was scanned.


I disabled Autorun with TweakUI and then scanned my USB stick with Malware and Avira and the Kaspersky Online Scanner and neither one found any traces of a virus. I'm still a little concerned as I never found the root virus so it hid itself quite well and could still be lurking.

I'm scanning my external HD atm with Malware and then with Kaspersky.


  • Staff

Hi,

Delete the following two files manually:

C:\Documents and Settings\Nic\My Documents\My Music\sspro_48.exe

Z:\Nic\Downloads\sspro_48.exe

The other one that Kaspersky found is an infected mail present in an outlook backup. You can delete that backup.pst file and create a new backup if you want.

Let me know in your next reply how things are now.


Have done as you said.

Strangely, the sspro_48.exe files were over a year old. And I haven't used Outlook on this computer ever.. so that's also from over a year ago. May just be dormant viruses.

I have scanned the whole system, as well as my USB and external HD multiple times with Malwarebytes, Kaspersky and Avira. Nothing has been detected. I don't know if the virus is still there as the only 'symptom' was the AV's popping up all the time. So it looks like I've cured it. I'm installing Windows 7 tomorrow afternoon though, a clean install, just to be safe.

Thanks so much for your help. I'll resurrect this thread later on if the infection comes back.

For scanning my external HD, will any scanner be 'better' than another at picking up hard-to-find infections? Just want to be totally sure before I go reinstalling everything. I have scanned it with Malwarebytes and Kaspersky (which seems to be quite good), and will scan with Avira now. Probably overkill but considering I still don't know how I got the virus I think it's warranted. I'll also be switching to Mozilla with NoScript, from Google Chrome (even though Google has a warning page when you enter a risky website, it seems this isn't enough).


  • Staff

I'm pretty sure you're OK now. You used a combination of the best scanners and they all come up clean now.

To prevent this in the future...

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
