
Same 93 Infected Registry Keys keep appearing



Hi,

Whenever I run MBAM as a quick scan, I keep getting the same 90 "Registry Keys Infected:" and the same 3 "Registry Data Items Infected:"

I choose the option to "remove selected" and then it asks me to restart my computer.

If I run MBAM right after I restart, the same thing shows up.

I have downloaded HJT to my computer but it will not load up and I cannot figure out why.

Malwarebytes' Anti-Malware 1.37

Database version: 2218

Windows 5.1.2600 Service Pack 3

6/3/2009 12:14:06 PM

mbam-log-2009-06-03 (12-13-57).txt

Scan type: Quick Scan

Objects scanned: 108053

Time elapsed: 9 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 90

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASECURITYCENTER.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.EXE (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.EXE (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

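The two detection families in the log above (IFEO subkeys named after security tools, and Security Center "DisableNotify" data items) are easy to triage mechanically. The following Python parser is added here as an illustration and is not code from the original post or from Malwarebytes; it works on constructed sample lines in the MBAM 1.37 log format and compares two scans to show which keys came straight back after a reboot.

```python
import re

# Constructed sample in the format of the MBAM 1.37 log quoted above (a
# subset of the real lines, plus one remediated line for contrast).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

# Regex for the literal key prefix; "\\" in a raw string is one escaped backslash.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               r"\\Image File Execution Options\\")

# One IFEO subkey per hijacked image name, e.g.
# "...\Image File Execution Options\avp.exe (Security.Hijack) -> No action taken."
IFEO_RE = re.compile(
    r"^" + IFEO_PREFIX
    + r"(?P<image>[^\\]+?) \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$",
    re.IGNORECASE,
)

# Security Center data items, e.g.
# "...\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken."
SECCENTER_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\(?P<value>\w+) "
    r"\((?P<detection>[^)]+)\) -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\) -> (?P<action>.+?)\.?$",
    re.IGNORECASE,
)


def parse_mbam_log(text):
    """Return one dict per recognised detection line; unrelated lines are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = IFEO_RE.match(line)
        if m:
            findings.append({"kind": "ifeo_hijack", "image": m["image"],
                             "detection": m["detection"], "action": m["action"]})
            continue
        m = SECCENTER_RE.match(line)
        if m:
            findings.append({"kind": "security_center", "value": m["value"],
                             "detection": m["detection"], "bad": int(m["bad"]),
                             "good": int(m["good"]), "action": m["action"]})
    return findings


def summarize(findings):
    """Triage view: which tool names have an IFEO key planted for them, which
    Security Center warnings are silenced (Bad value 1), and how many of the
    reported items the scan did not actually remove."""
    ifeo = [f for f in findings if f["kind"] == "ifeo_hijack"]
    sc = [f for f in findings if f["kind"] == "security_center"]
    return {
        "ifeo_hijack_targets": sorted({f["image"] for f in ifeo}, key=str.lower),
        "silenced_notifications": sorted(f["value"] for f in sc if f["bad"] == 1),
        "unremediated": sum(1 for f in findings
                            if f["action"].lower() == "no action taken"),
    }


def recurring_after_reboot(before, after):
    """Image names whose IFEO key appears both in the scan before the reboot and
    in the scan run right after it. Keys that return immediately are being
    re-created by something still active on the host, so deleting them again
    without locating that component will not hold."""
    b = {f["image"].lower() for f in before if f["kind"] == "ifeo_hijack"}
    a = {f["image"].lower() for f in after if f["kind"] == "ifeo_hijack"}
    return sorted(b & a)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(summarize(found))
    # Feeding the same scan twice stands in for "same keys after the reboot".
    print(recurring_after_reboot(found, found))
```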

  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


ComboFix 09-06-01.03 - Ernesto 06/03/2009 13:49.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.569 [GMT -4:00]

Running from: c:\documents and settings\Ernesto\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Jorge\Application Data\inst.exe

c:\windows\system32\drivers\Msft_Kernel_zumbus_01005.Wdf

c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf

c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

c:\windows\Tasks\oyshypzb.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NEW_DRV

((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))

.

2009-06-03 16:49 . 2009-06-03 16:49 -------- d-----w- c:\program files\Trend Micro

2009-05-27 16:35 . 2009-06-03 18:02 97216 ----a-w- c:\windows\system32\drivers\e23c2d92.sys

2009-05-27 16:22 . 2009-06-03 03:59 155 --s-a-w- c:\windows\system32\2289676192.dat

2009-05-27 16:21 . 2009-05-27 16:20 51712 --sh--r- c:\windows\system32\amstreaml.exe

2009-05-20 06:58 . 2005-10-15 02:42 46592 ----a-w- c:\windows\system32\hpzll43a.dll

2009-05-20 06:55 . 2009-05-20 06:59 103167 ----a-w- c:\windows\hpoins08.dat

2009-05-20 06:55 . 2006-01-24 21:03 4445 ------w- c:\windows\hpomdl08.dat

2009-05-20 05:27 . 2009-05-20 05:27 45056 ----a-r- c:\documents and settings\Jorge\Application Data\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut2_E14B8A0842B346769E911D39F8158DA1.exe

2009-05-20 05:27 . 2009-05-20 05:27 45056 ----a-r- c:\documents and settings\Jorge\Application Data\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut1_E14B8A0842B346769E911D39F8158DA1.exe

2009-05-05 22:20 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-05-05 22:19 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-05-05 22:19 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-05-05 22:19 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-05-05 22:19 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-05-05 22:19 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-05-05 22:19 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll

2009-05-05 22:19 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-05-05 22:19 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-05-05 22:19 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-05-05 22:19 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-03 18:02 . 2007-03-03 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream

2009-06-03 15:23 . 2007-06-29 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-05-29 20:47 . 2008-12-28 18:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-05-29 20:46 . 2009-03-10 03:42 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-05-26 17:20 . 2008-12-28 18:16 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-26 17:19 . 2008-12-28 18:16 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-05-20 06:56 . 2007-03-03 21:41 -------- d-----w- c:\program files\HP

2009-05-20 01:54 . 2007-03-04 21:33 -------- d-----w- c:\documents and settings\Jorge\Application Data\Image Zone Express

2009-05-13 07:03 . 2008-02-27 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr

2009-04-23 01:17 . 2009-04-23 01:17 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys

2009-04-23 01:17 . 2009-03-26 01:17 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-04-17 20:58 . 2009-05-04 17:12 954368 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe

2009-04-17 20:58 . 2009-05-04 17:12 103424 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\pixomatic.dll

2009-04-17 20:58 . 2009-05-04 17:12 344064 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

2009-04-17 20:58 . 2009-05-04 17:12 71652 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\avutil-49.dll

2009-04-17 20:58 . 2009-05-04 17:12 65536 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

2009-04-17 20:58 . 2009-05-04 17:12 4579328 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\cooliris18.dll

2009-04-17 20:58 . 2009-05-04 17:12 1161626 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\avcodec-51.dll

2009-04-17 20:58 . 2009-05-04 17:12 4534272 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\cooliris19.dll

2009-04-17 20:58 . 2009-05-04 17:12 131868 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\avformat-52.dll

2009-03-24 22:33 . 2009-03-24 22:33 237264 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\plugins\npgoogletalk.dll

2009-03-12 22:45 . 2009-03-12 22:45 348160 ----a-w- c:\documents and settings\Jorge\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-72572e4c-n\msvcr71.dll

2009-03-12 22:45 . 2009-03-12 22:45 503808 ----a-w- c:\documents and settings\Jorge\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-72572e4c-n\msvcp71.dll

2009-03-12 22:45 . 2009-03-12 22:45 499712 ----a-w- c:\documents and settings\Jorge\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-72572e4c-n\jmc.dll

2009-03-12 22:45 . 2008-12-25 06:56 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-03-12 22:44 . 2009-03-12 22:44 152576 ----a-w- c:\documents and settings\Jorge\Application Data\Sun\Java\jre1.6.0_12\lzma.dll

2009-03-12 08:17 . 2009-03-26 01:16 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe

2009-03-06 14:22 . 2004-08-10 11:00 284160 ----a-w- c:\windows\system32\pdh.dll

2003-01-30 05:42 . 2008-03-05 01:48 435 ----a-w- c:\program files\LAYOUT.BIN

2003-01-30 05:42 . 2008-03-05 01:48 34921746 ----a-w- c:\program files\DATA2.CAB

2003-01-30 05:41 . 2008-03-05 01:48 37248 ----a-w- c:\program files\DATA1.HDR

2003-01-30 05:41 . 2008-03-05 01:48 1510073 ----a-w- c:\program files\DATA1.CAB

2003-01-30 05:41 . 2008-03-05 01:48 214 ----a-w- c:\program files\Setup.ini

2003-01-30 05:41 . 2008-03-05 01:48 167462 ----a-w- c:\program files\SETUP.INX

2002-03-10 22:11 . 2008-03-05 01:48 437238 ----a-w- c:\program files\SETUP.BMP

2001-09-05 00:24 . 2008-03-05 01:48 344923 ----a-w- c:\program files\IKERNEL.EX_

2008-05-26 02:15 . 2008-05-26 01:07 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AWMON"="c:\progra~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 517632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2004-02-28 144896]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-09-12 160160]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Jorge\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Documents and Settings\\Jorge\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Jorge\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2009 9:17 PM 64160]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]

R2 LcSvrAdm;ELSA Administration Service;c:\elsawin\bin\LcSvrAdm.exe [4/7/2008 8:34 PM 147456]

R2 LcSvrDba;ELSA DBA Server;c:\elsawin\bin\LcSvrDba.exe [4/7/2008 8:34 PM 233472]

R2 LcSvrHis;ELSA Historie Server;c:\elsawin\bin\LcSvrHis.exe [4/7/2008 8:34 PM 217088]

R2 LcSvrPAS;ELSA PASS Server;c:\elsawin\bin\LcSvrPas.exe [4/7/2008 8:34 PM 368640]

R2 VSGate;ELSA Vaudis Service;c:\elsawin\bin\VSGate.exe [4/7/2008 8:34 PM 81920]

R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;c:\elsawin\bin\LcSvrAuf.exe [4/7/2008 8:34 PM 1302528]

S2 asiugqtieq;asiugqtieq;c:\windows\System32\svchost.exe -k netsvcs [8/10/2004 7:00 AM 14336]

S2 WmiBITS;Windows Management Instrumentation Driver Extensions WmiBITS;c:\windows\system32\amstreaml.exe srv --> c:\windows\system32\amstreaml.exe srv [?]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/29/2008 3:20 PM 33752]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1005904]

S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys --> c:\windows\system32\DRIVERS\rt2870.sys [?]

S3 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [6/29/2007 1:36 PM 708688]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

asiugqtieq

.

Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:17]

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-05-29 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

2009-06-03 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-03 23:53]

2009-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1383384898-2147053123-1003.job

- c:\documents and settings\Jorge\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-31 16:51]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-MskAgentexe - c:\program files\McAfee\MSK\MskAgent.exe

HKLM-Run-DLA - c:\windows\System32\DLA\DLACTRLW.EXE

SafeBoot-procexp90.sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mDefault_Page_URL = hxxp://www.yahoo.com

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = hxxp://downloads.yahoo.com/internetexplorer/welcome.php

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: turbotax.com

Handler: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - c:\elsawin\bin\wiprot.dll

FF - ProfilePath - c:\documents and settings\Ernesto\Application Data\Mozilla\Firefox\Profiles\nx6jujtw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-03 14:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e23c2d92]

"ImagePath"="\SystemRoot\System32\drivers\e23c2d92.sys"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2004)

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\ZuneBusEnum.exe

c:\windows\ehome\mcrdsvc.exe

.

**************************************************************************

.

Completion time: 2009-06-03 14:09 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-03 18:09

Pre-Run: 108,441,927,680 bytes free

Post-Run: 109,839,372,288 bytes free

240 --- E O F --- 2009-05-28 07:01


  • Staff

Hi,

I see you are running AdWatch.

I suggest you disable it because it can interfere with the fixes.

To disable AdWatch:

* Right-click on the Ad-Watch icon in the system tray.

* At the bottom of the screen there will be two checkable items called Active and Automatic.

o Active: This will turn Ad-Watch On\Off without closing it.

o Automatic: Suspicious activity will be blocked automatically.

* Uncheck both of those boxes.

* (When done, you can re-enable it using the same steps but this time check both boxes.)

Then,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

C:\Windows\System32\drivers\e23c2d92.sys

c:\windows\system32\2289676192.dat

Collect::[8]

C:\Windows\system32\amstreaml.exe

NetSvc::

asiugqtieq

Driver::

WmiBITS

e23c2d92

asiugqtieq

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000000

"UpdatesDisableNotify"=dword:00000000

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again.

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

By the way, is there any reason why you don't have an Antivirus installed?


This is my parents' computer that I'm working on, and I did notice that they didn't have an antivirus program installed. I figured I'd install one that you could recommend to me.

Here is the ComboFix log:

ComboFix 09-06-01.03 - Ernesto 06/03/2009 14:27.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.571 [GMT -4:00]

Running from: c:\documents and settings\Ernesto\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ernesto\Desktop\CFScript.txt

FILE ::

"c:\windows\System32\drivers\e23c2d92.sys"

file zipped: c:\windows\system32\amstreaml.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\amstreaml.exe

c:\windows\System32\drivers\e23c2d92.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ASIUGQTIEQ

-------\Legacy_WMIBITS

-------\Service_asiugqtieq

-------\Service_e23c2d92

-------\Service_WmiBITS

((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))

.

2009-06-03 16:49 . 2009-06-03 16:49 -------- d-----w- c:\program files\Trend Micro

2009-05-27 16:22 . 2009-06-03 03:59 155 --s-a-w- c:\windows\system32\2289676192.dat

2009-05-20 06:58 . 2005-10-15 02:42 46592 ----a-w- c:\windows\system32\hpzll43a.dll

2009-05-20 06:55 . 2009-05-20 06:59 103167 ----a-w- c:\windows\hpoins08.dat

2009-05-20 06:55 . 2006-01-24 21:03 4445 ------w- c:\windows\hpomdl08.dat

2009-05-20 05:27 . 2009-05-20 05:27 45056 ----a-r- c:\documents and settings\Jorge\Application Data\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut2_E14B8A0842B346769E911D39F8158DA1.exe

2009-05-20 05:27 . 2009-05-20 05:27 45056 ----a-r- c:\documents and settings\Jorge\Application Data\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut1_E14B8A0842B346769E911D39F8158DA1.exe

2009-05-05 22:20 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-05-05 22:19 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-05-05 22:19 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-05-05 22:19 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-05-05 22:19 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-05-05 22:19 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-05-05 22:19 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll

2009-05-05 22:19 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-05-05 22:19 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-05-05 22:19 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-05-05 22:19 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-03 18:34 . 2007-03-03 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream

2009-06-03 15:23 . 2007-06-29 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-05-29 20:47 . 2008-12-28 18:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-05-29 20:46 . 2009-03-10 03:42 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-05-26 17:20 . 2008-12-28 18:16 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-26 17:19 . 2008-12-28 18:16 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-05-20 06:56 . 2007-03-03 21:41 -------- d-----w- c:\program files\HP

2009-05-20 01:54 . 2007-03-04 21:33 -------- d-----w- c:\documents and settings\Jorge\Application Data\Image Zone Express

2009-05-13 07:03 . 2008-02-27 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr

2009-04-23 01:17 . 2009-04-23 01:17 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys

2009-04-23 01:17 . 2009-03-26 01:17 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-04-17 20:58 . 2009-05-04 17:12 954368 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe

2009-04-17 20:58 . 2009-05-04 17:12 103424 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\pixomatic.dll

2009-04-17 20:58 . 2009-05-04 17:12 344064 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

2009-04-17 20:58 . 2009-05-04 17:12 71652 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\avutil-49.dll

2009-04-17 20:58 . 2009-05-04 17:12 65536 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

2009-04-17 20:58 . 2009-05-04 17:12 4579328 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\cooliris18.dll

2009-04-17 20:58 . 2009-05-04 17:12 1161626 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\avcodec-51.dll

2009-04-17 20:58 . 2009-05-04 17:12 4534272 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\cooliris19.dll

2009-04-17 20:58 . 2009-05-04 17:12 131868 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\y9q4jibc.default\extensions\piclens@cooliris.com\libs\avformat-52.dll

2009-03-24 22:33 . 2009-03-24 22:33 237264 ----a-w- c:\documents and settings\Jorge\Application Data\Mozilla\plugins\npgoogletalk.dll

2009-03-12 22:45 . 2009-03-12 22:45 348160 ----a-w- c:\documents and settings\Jorge\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-72572e4c-n\msvcr71.dll

2009-03-12 22:45 . 2009-03-12 22:45 503808 ----a-w- c:\documents and settings\Jorge\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-72572e4c-n\msvcp71.dll

2009-03-12 22:45 . 2009-03-12 22:45 499712 ----a-w- c:\documents and settings\Jorge\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-72572e4c-n\jmc.dll

2009-03-12 22:45 . 2008-12-25 06:56 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-03-12 22:44 . 2009-03-12 22:44 152576 ----a-w- c:\documents and settings\Jorge\Application Data\Sun\Java\jre1.6.0_12\lzma.dll

2009-03-12 08:17 . 2009-03-26 01:16 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe

2009-03-06 14:22 . 2004-08-10 11:00 284160 ----a-w- c:\windows\system32\pdh.dll

2003-01-30 05:42 . 2008-03-05 01:48 435 ----a-w- c:\program files\LAYOUT.BIN

2003-01-30 05:42 . 2008-03-05 01:48 34921746 ----a-w- c:\program files\DATA2.CAB

2003-01-30 05:41 . 2008-03-05 01:48 37248 ----a-w- c:\program files\DATA1.HDR

2003-01-30 05:41 . 2008-03-05 01:48 1510073 ----a-w- c:\program files\DATA1.CAB

2003-01-30 05:41 . 2008-03-05 01:48 214 ----a-w- c:\program files\Setup.ini

2003-01-30 05:41 . 2008-03-05 01:48 167462 ----a-w- c:\program files\SETUP.INX

2002-03-10 22:11 . 2008-03-05 01:48 437238 ----a-w- c:\program files\SETUP.BMP

2001-09-05 00:24 . 2008-03-05 01:48 344923 ----a-w- c:\program files\IKERNEL.EX_

2008-05-26 02:15 . 2008-05-26 01:07 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-06-03_18.02.12 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-06-03 18:34 . 2009-06-03 18:34 16384 c:\windows\Temp\Perflib_Perfdata_618.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AWMON"="c:\progra~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 517632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2004-02-28 144896]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-09-12 160160]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]

"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [BU]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [BU]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Jorge\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Documents and Settings\\Jorge\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Jorge\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2009 9:17 PM 64160]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]

R2 LcSvrAdm;ELSA Administration Service;c:\elsawin\bin\LcSvrAdm.exe [4/7/2008 8:34 PM 147456]

R2 LcSvrDba;ELSA DBA Server;c:\elsawin\bin\LcSvrDba.exe [4/7/2008 8:34 PM 233472]

R2 LcSvrHis;ELSA Historie Server;c:\elsawin\bin\LcSvrHis.exe [4/7/2008 8:34 PM 217088]

R2 LcSvrPAS;ELSA PASS Server;c:\elsawin\bin\LcSvrPas.exe [4/7/2008 8:34 PM 368640]

R2 VSGate;ELSA Vaudis Service;c:\elsawin\bin\VSGate.exe [4/7/2008 8:34 PM 81920]

R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;c:\elsawin\bin\LcSvrAuf.exe [4/7/2008 8:34 PM 1302528]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/29/2008 3:20 PM 33752]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1005904]

S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys --> c:\windows\system32\DRIVERS\rt2870.sys [?]

S3 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [6/29/2007 1:36 PM 708688]

.

Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:17]

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-05-29 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

2009-06-03 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-03 23:53]

2009-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1383384898-2147053123-1003.job

- c:\documents and settings\Jorge\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-31 16:51]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mDefault_Page_URL = hxxp://www.yahoo.com

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = hxxp://downloads.yahoo.com/internetexplorer/welcome.php

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: turbotax.com

Handler: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - c:\elsawin\bin\wiprot.dll

FF - ProfilePath - c:\documents and settings\Ernesto\Application Data\Mozilla\Firefox\Profiles\nx6jujtw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-03 14:34

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3812)

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\ZuneBusEnum.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-06-03 14:40 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-03 18:40

ComboFix2.txt 2009-06-03 18:09

Pre-Run: 109,857,574,912 bytes free

Post-Run: 109,841,080,320 bytes free

237 --- E O F --- 2009-05-28 07:01

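The two ComboFix logs above carry indicators worth checking mechanically rather than by eye: the first log's e23c2d92 service pointing at a driver of the same random hex name (the pair the CFScript in the staff reply removed), "EnableFirewall"= 0 in the standard firewall profile, a 3389:TCP entry under GloballyOpenPorts with no address scope, and the Security Center DisableNotify values the script reset to 0. The Python below is an added example, not ComboFix code and not anything the forum staff posted. It parses a ComboFix-style log excerpt into its bracketed registry sections, flags those four patterns, and renders the Driver:: and Registry:: CFScript sections that would undo them, in the same format the staff used. The sample log is constructed from lines quoted in the thread, except the Security Center block: its values of 1 are an assumption, since the page only shows the script resetting them to 0.

```python
"""Triage helper for ComboFix-style log excerpts.
Added example for this thread, not ComboFix code: flags a driver service named
with the same 8 hex digits as its .sys file, a firewall profile switched off,
unscoped globally open ports, and Security Center *DisableNotify values of 1."""
import re
from dataclasses import dataclass

SERVICE_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\\]+)$", re.I)
IMAGE_PATH = re.compile(r'^"ImagePath"="(.+)"$', re.I)
HEX8 = re.compile(r"^[0-9a-f]{8}$", re.I)
FW_PROFILE = re.compile(r"firewallpolicy\\(standard|domain)profile$", re.I)
FW_PORTS = re.compile(r"firewallpolicy\\(standard|domain)profile\\GloballyOpenPorts\\List$", re.I)
FW_OFF = re.compile(r'^"EnableFirewall"=\s*0\b', re.I)
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.*)$', re.I)
SEC_CENTER = re.compile(r"^HKEY_LOCAL_MACHINE\\software\\microsoft\\security center$", re.I)
SC_NOTIFY = re.compile(r'^"(AntiVirus|Firewall|Updates)DisableNotify"=dword:([0-9a-f]{8})$', re.I)
WELL_KNOWN = {3389: "RDP", 445: "SMB", 139: "NetBIOS", 135: "RPC"}  # short illustrative list

# Constructed from lines quoted in the thread; the Security Center values of 1 are
# an assumption (the page only shows the CFScript resetting them to 0).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e23c2d92]
"ImagePath"="\SystemRoot\System32\drivers\e23c2d92.sys"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    check: str
    detail: str

def parse_sections(text):
    """Yield (header, [non-empty value lines]) for each [bracketed] section."""
    header, values = None, []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if header is not None:
                yield header, values
            header, values = line[1:-1], []
        elif header is not None:
            values.append(line)
    if header is not None:
        yield header, values

def triage(log_text):
    """Return Findings for one log excerpt, in log order."""
    findings = []
    for header, values in parse_sections(log_text):
        if svc := SERVICE_KEY.match(header):
            name = svc.group(1)
            for v in values:
                if (ip := IMAGE_PATH.match(v)) and HEX8.match(name):
                    stem = ip.group(1).rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                    if stem.lower() == name.lower():  # service name == driver file name
                        findings.append(Finding("high", "random-named driver service",
                                                f"{name} -> {ip.group(1)}"))
        elif prof := FW_PROFILE.search(header):
            if any(FW_OFF.match(v) for v in values):
                findings.append(Finding("high", "firewall disabled",
                                        f"{prof.group(1)} profile has EnableFirewall=0"))
        elif FW_PORTS.search(header):
            for v in values:
                if not (pm := OPEN_PORT.match(v)):
                    continue
                port, proto = int(pm.group(1)), pm.group(2).upper()
                # XP format: port:proto[:scope]:Enabled|Disabled:name; scope is "*" or ip/mask
                fields = pm.group(3).split(":")
                scope = fields[2] if len(fields) > 2 and ("/" in fields[2] or fields[2] == "*") else "unscoped"
                risky = port in WELL_KNOWN and scope in ("unscoped", "*")
                findings.append(Finding("high" if risky else "info", "globally open port",
                                        f"{port}/{proto} ({WELL_KNOWN.get(port, 'app')}) scope={scope}"))
        elif SEC_CENTER.match(header):
            for v in values:
                if (sm := SC_NOTIFY.match(v)) and int(sm.group(2), 16) != 0:
                    findings.append(Finding("medium", "security center alerts suppressed",
                                            f"{sm.group(1)}DisableNotify={sm.group(2)}"))
    return findings

def cfscript_for(findings):
    """Render Driver:: and Registry:: CFScript sections undoing the flagged items (review before use)."""
    drivers = [f.detail.split(" -> ")[0] for f in findings if f.check == "random-named driver service"]
    notify = [f.detail.split("=")[0] for f in findings if f.check == "security center alerts suppressed"]
    out = []
    if drivers:
        out += ["Driver::", *drivers, ""]
    if notify:
        out += ["Registry::", r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
                *(f'"{n}"=dword:00000000' for n in notify)]
    return "\n".join(out)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.check}: {f.detail}")
    print(cfscript_for(triage(SAMPLE_LOG)))
```

Run it directly to print the findings and the generated script. The CFScript output is a starting point for a person to review, not something to hand to ComboFix unread, and a profile with EnableFirewall=0 makes the open-port list moot until the firewall is switched back on.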

  • Staff

Hi,

Navigate to and delete the following file:

c:\windows\system32\2289676192.dat

Then, go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.


Avira AntiVir Personal

Report file date: Wednesday, June 03, 2009 15:26

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : PEPITOS

Version information:

BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00

AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 13:57:30

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:33:26

ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 12:41:14

ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 3/5/2009 19:58:20

Engineversion : 8.2.0.100

AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 22:36:42

AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/27/2009 01:01:56

AESCN.DLL : 8.1.1.7 127347 Bytes 2/12/2009 16:44:25

AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:41

AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 18:06:10

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 01:01:56

AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/25/2009 20:49:16

AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 01:01:56

AEGEN.DLL : 8.1.1.24 336244 Bytes 3/4/2009 18:06:10

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40

AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 19:22:44

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10

RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 16:45:45

RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,

Start of the scan: Wednesday, June 03, 2009 15:26

Starting search for hidden objects.

'63504' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'msiexec.exe' - '1' Module(s) have been scanned

Scan process 'firefox.exe' - '1' Module(s) have been scanned

Scan process 'notepad.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'ZuneLauncher.exe' - '1' Module(s) have been scanned

Scan process 'stsystra.exe' - '1' Module(s) have been scanned

Scan process 'digstream.exe' - '1' Module(s) have been scanned

Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned

Scan process 'issch.exe' - '1' Module(s) have been scanned

Scan process 'DMXLauncher.exe' - '1' Module(s) have been scanned

Scan process 'ehtray.exe' - '1' Module(s) have been scanned

Scan process 'wscntfy.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'LcSvrAuf.exe' - '1' Module(s) have been scanned

Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned

Scan process 'ZuneBusEnum.exe' - '1' Module(s) have been scanned

Scan process 'VSGate.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned

Scan process 'LcSvrPas.exe' - '1' Module(s) have been scanned

Scan process 'LcSvrHis.exe' - '1' Module(s) have been scanned

Scan process 'LcSvrDba.exe' - '1' Module(s) have been scanned

Scan process 'LcSvrAdm.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'IntuitUpdateService.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

49 processes with 49 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '66' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Downloads\Azureus Downloads\DVD X Studios CloneDVD 4.0.14.549\Keygen.exe

[0] Archive type: NSIS

--> [TempDir]/Keygen.exe

[DETECTION] Contains recognition pattern of the DIAL/211177.A dialer

C:\Music\Limewire\backyardigans.mpg

[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit

C:\Music\Limewire\backyardingans.mpg

[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit

C:\Music\Limewire\last time for last times [160k quality].mp3

[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit

Beginning disinfection:

C:\Downloads\Azureus Downloads\DVD X Studios CloneDVD 4.0.14.549\Keygen.exe

[NOTE] The file was moved to '4a9ff1e2.qua'!

C:\Music\Limewire\backyardigans.mpg

[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit

[NOTE] The file was moved to '4a89f1e0.qua'!

C:\Music\Limewire\backyardingans.mpg

[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit

[NOTE] The file was moved to '4bf52601.qua'!

C:\Music\Limewire\last time for last times [160k quality].mp3

[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit

[NOTE] The file was moved to '4a99f1e0.qua'!

End of the scan: Wednesday, June 03, 2009 17:56

Used time: 1:48:14 Hour(s)

The scan has been done completely.

13093 Scanned directories

523949 Files were scanned

4 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

4 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

523944 Files not concerned

18922 Archives were scanned

1 Warnings

5 Notes

63504 Objects were scanned with rootkit scan

0 Hidden objects were found


  • Staff

Hi,

No wonder you get infected if you use P2P and download/use illegal software.

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

