

Hi Helpers

Thanks for even looking! I am at my wits' end with this one. I have followed a few threads relating to this trojan to try and get a handle on how to rid the machine of it, but I get nowhere. I have tried delete-on-reboot and a few other moves offered to me by friends. Can anyone out there help me please?

MalwareBytes log:

Malwarebytes' Anti-Malware 1.38

Database version: 2317

Windows 5.1.2600 Service Pack 3

20/06/2009 10:35:48

mbam-log-2009-06-20 (10-35-33).txt

Scan type: Quick Scan

Objects scanned: 120842

Time elapsed: 14 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8eb46525-fa49-4f21-98c4-9a2fb88acd9b} (Trojan.BHO.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{8eb46525-fa49-4f21-98c4-9a2fb88acd9b} (Trojan.BHO.H) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\avtap.dll (Trojan.BHO.H) -> No action taken.

c:\documents and settings\russell\local settings\temp\brjgpuks.dat (Rootkit.Agent) -> No action taken.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:03:04, on 20/06/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Acer\LANScope Agent\awServ.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Acer\Empowering Technology\eLock\LockServ.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Acer\LANScope Agent\LockKM.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\SysMonitor.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Acer\LANScope Agent\awtray.exe

C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe

C:\Corel\Graphics8\Programs\MFIndexer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {8EB46525-FA49-4F21-98C4-9A2FB88ACD9B} - C:\WINDOWS\system32\avtap.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe

O4 - HKLM\..\Run: [eLockMonitor] C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1

O4 - HKLM\..\Run: [installnet.exe] "C:\Acer\LANScope Agent\Installnet.exe" "C:\Acer\LANScope Agent\

O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

O4 - HKLM\..\Run: [EPSON Stylus C48 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE /P23 "EPSON Stylus C48 Series" /O6 "USB001" /M "Stylus C48"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Acer Empowering Technology.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lsphmx.dll' missing

O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/in...nagerPlugin.CAB

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{95DF1652-220A-466C-9DCD-FE9DC16DB541}: NameServer = 192.168.1.1

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - AppInit_DLLs: C:\WINDOWS\System32\dpnlobby32.dll

O20 - Winlogon Notify: 5c772cc8573 - C:\WINDOWS\System32\dpnlobby32.dll (file missing)

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe

O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe

O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--

End of file - 12068 bytes

Once again thanks for looking!

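The two logs in the post above carry the usual signals a helper reads by hand: an O2 BHO with "(no name)" loading a DLL straight out of system32, an orphaned BHO whose file is gone, a broken Winsock LSP (O10), an AppInit_DLLs entry and a Winlogon Notify package whose DLL is missing (O20), and the same CLSID that MBAM reported under Browser Helper Objects. The following script is an added example, not the poster's, Trend Micro's or Malwarebytes' code: it parses those line types from a HijackThis log, cross-references the BHO CLSIDs against MBAM's registry findings, and lists the entries worth a look. The sample input is assembled from lines of the posted logs; the suspicion rules are this example's own heuristics and point a human at entries to check, they are not a verdict.

```python
"""Triage a HijackThis log and cross-check its BHO CLSIDs against an MBAM log.

Added example; this is not the forum poster's, Trend Micro's or Malwarebytes'
code. The sample input below is assembled from lines of the logs posted above.
The suspicion rules are this example's own heuristics: they point a human at
entries worth a look, they are not a verdict.
"""
import re

# Sample HijackThis lines (copied from the posted log, assembled into a mini log).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8EB46525-FA49-4F21-98C4-9A2FB88ACD9B} - C:\WINDOWS\system32\avtap.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lsphmx.dll' missing
O20 - AppInit_DLLs: C:\WINDOWS\System32\dpnlobby32.dll
O20 - Winlogon Notify: 5c772cc8573 - C:\WINDOWS\System32\dpnlobby32.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

# Sample MBAM registry findings (copied from the posted log).
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8eb46525-fa49-4f21-98c4-9a2fb88acd9b} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8eb46525-fa49-4f21-98c4-9a2fb88acd9b} (Trojan.BHO.H) -> No action taken.
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O10_RE = re.compile(r"^O10 - .*LSP provider '(?P<path>[^']+)' missing")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
O20_NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
SYSTEM32_DLL_RE = re.compile(r"\\system32\\[^\\]+\.dll$", re.I)


def mbam_clsids(mbam_text):
    """CLSIDs (lower-cased) that MBAM reported anywhere in its registry findings."""
    return {m.group(0).lower() for m in CLSID_RE.finditer(mbam_text)}


def triage(hjt_text, mbam_text=""):
    """Return [{'kind', 'item', 'reasons'}] for HJT lines that deserve a look."""
    flagged = mbam_clsids(mbam_text)
    findings = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        reasons = []
        if m := O2_RE.match(line):
            # A BHO is a DLL that IE loads into each browser process; an unnamed
            # one in system32, or one whose file is gone, is worth a second look.
            if m["name"] == "(no name)":
                reasons.append("unnamed BHO")
            if m["path"] == "(no file)":
                reasons.append("orphaned BHO (no file)")
            elif SYSTEM32_DLL_RE.search(m["path"]):
                reasons.append("BHO loaded from system32")
            if m["clsid"].lower() in flagged:
                reasons.append("CLSID also reported by MBAM")
            item, kind = m["clsid"], "O2"
        elif m := O10_RE.match(line):
            reasons.append("LSP provider missing (Winsock chain broken)")
            item, kind = m["path"], "O10"
        elif m := O20_APPINIT_RE.match(line):
            # AppInit_DLLs gets loaded into every process that loads user32.dll.
            reasons.append("AppInit_DLLs injection")
            item, kind = m["path"], "O20"
        elif m := O20_NOTIFY_RE.match(line):
            if m["missing"]:
                reasons.append("Winlogon Notify DLL missing")
            item, kind = m["path"], "O20"
        if reasons:
            findings.append({"kind": kind, "item": item, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, MBAM_SAMPLE):
        print(f"{f['kind']:<4} {f['item']}\n      {'; '.join(f['reasons'])}")
```

Run against the sample it reports five entries: the two unnamed BHOs (the avtap.dll one with the added note that MBAM flagged the same CLSID), the missing LSP, the AppInit_DLLs entry and the Winlogon Notify package whose DLL is missing. The Adobe BHO and the AVG Winlogon Notify entry are left alone because none of the rules fire on them. The rules are deliberately narrow: a real triage would also whitelist known-good CLSIDs and check file signatures, which the log alone cannot tell you.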

  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Hi Miekie

Thanks for the help so far but I have a problem.

I disabled anti-virus and firewall settings as per your link (thanks). I then followed the Combofix instructions as far as its scan for infections. I noticed several deletions on the way including avtap.dll and some .vbs files ..... I guess all was going well.

It appeared to get to where the log should have been created, but I did not see exactly what happened next as the computer rebooted itself. It booted back into Windows and when it got to the user logon buttons it continued to reboot itself in a cycle.

I stopped the machine by manually switching it off, otherwise it would still be going! I rebooted and it continued in the same cycle. It appears safe mode is accessible and it appears that the option for the Recovery Console is available.

I have done no more than this awaiting your instructions .... if you can still help me.

Thanks


Ran Combofix in safe mode.

First time round it gave an error and terminated. It was a "date error" so I corrected the date manually and it ran perfectly to the end stage 50 or 51 I think.

I waited ages for the reboot.

On reboot it was a bit more stable and I got into the user account in normal mode, but unfortunately there was no combofix.txt in the root. It is now back in the reboot cycle, having crashed out of Explorer looking for the text file!

Shall I try again?


  • Staff

Hi,

Yes, please try again.

Make sure your AVG is disabled, as this can cause your main issue as well (since it blocks combofix).

Maybe it would be better to temporarily uninstall AVG.

If still no luck, then go to Start > Run and copy and paste this command:

"%userprofile%\desktop\combofix.exe" /skipfix (assuming Combofix.exe is really on your desktop)

This will run ComboFix but skip removal, so it produces a log only.


Hi Mieke

After quite a few tries removing AVG, I succeeded by using Grisoft's removal tool. You are absolutely right I must have somehow left AVG running on one of the reboots. Sorry for that.

Anyway, total success, stability returned in normal mode so I started again and ran Combofix successfully. Thank you!

Here is the report:-

ComboFix 09-06-22.0E - Russell 23/06/2009 22:13.3 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.399 [GMT -7:00]

Running from: c:\documents and settings\Russell\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\windows\system32\avtap.dll

c:\windows\system32\drivers\kngagozb.sys

c:\windows\system32\drivers\nwbtxxvz.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NWBTXXVZ

-------\Service_nwbtxxvz

-------\Service_nwbtxxvz

((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))

.

2009-06-20 05:41 . 2009-06-20 05:41 152576 ----a-w- c:\documents and settings\Russell\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-06-20 05:18 . 2009-06-20 05:18 -------- d-----w- c:\windows\system32\wbem\Repository

2009-06-20 05:14 . 2009-06-20 05:14 -------- d-----w- c:\documents and settings\Russell\Application Data\Sammsoft

2009-06-20 05:14 . 2009-06-20 05:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-20 05:14 . 2009-06-20 05:14 -------- d-----w- c:\program files\Advanced Registry Optimizer

2009-06-20 05:13 . 2009-06-20 05:13 -------- d-----w- c:\documents and settings\Russell\Application Data\Malwarebytes

2009-06-20 02:18 . 2009-06-20 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-18 17:55 . 2009-06-18 17:55 -------- d-----w- c:\windows\system32\NtmsData

2009-06-18 02:35 . 2009-06-18 02:35 -------- d-----w- c:\program files\Trend Micro

2009-05-26 00:51 . 2009-05-26 00:51 0 ----a-w- c:\windows\system32\mmd109en.dat

2009-05-26 00:51 . 2009-05-26 00:51 0 ----a-w- c:\windows\system32\cok458en.dat

2009-05-25 19:25 . 2009-05-25 19:25 16896 ----a-w- c:\windows\system32\perfc5932.dat

2009-05-25 19:25 . 2009-05-25 19:25 1 ----a-w- c:\windows\system32\perfc7683.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-24 05:15 . 2009-06-24 05:15 433 ----a-w- WrgNameDLL

2009-06-24 05:15 . 2009-06-24 05:15 156 ----a-w- BHO.dat

2009-06-24 05:12 . 2009-06-24 05:12 43 ----a-w- OsVer

2009-06-24 05:06 . 2009-04-16 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-06-24 04:03 . 2009-06-24 05:13 121 ----a-w- drev_.dat

2009-06-24 03:56 . 2009-06-24 05:13 196 ----a-w- SvcTarget.dat

2009-06-23 18:32 . 2009-06-24 05:12 1771 ----a-w- FD-SV.cmd

2009-06-23 02:44 . 2007-12-31 20:24 90112 ----a-w- c:\windows\DUMP5832.tmp

2009-06-23 02:33 . 2009-06-24 05:13 472 ----a-w- cache.folder.dat

2009-06-23 02:33 . 2009-06-24 05:13 424 ----a-w- localappdata.folder.dat

2009-06-23 02:33 . 2009-06-24 05:13 395 ----a-w- startup.folder.dat

2009-06-23 02:33 . 2009-06-24 05:13 390 ----a-w- appdata.folder.dat

2009-06-23 02:33 . 2009-06-24 05:13 381 ----a-w- localsettings.folder.dat

2009-06-23 02:33 . 2009-06-24 05:13 376 ----a-w- mypictures.folder.dat

2009-06-23 02:33 . 2009-06-24 05:13 235 ----a-w- templates.folder.dat

2009-06-23 02:33 . 2009-06-24 05:13 372 ----a-w- Profiles.Folder.dat

2009-06-21 04:34 . 2007-07-21 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-06-20 05:43 . 2007-12-31 22:27 -------- d-----w- c:\program files\Java

2009-06-20 05:40 . 2007-07-21 02:36 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-20 05:40 . 2007-07-21 02:38 -------- d-----w- c:\program files\eSobi

2009-06-20 05:14 . 2007-12-31 22:47 -------- d-----w- c:\program files\commercial

2009-06-20 04:43 . 2007-04-16 15:52 0 ----a-w- c:\windows\system32\perfz9368.dat

2009-06-18 02:59 . 2007-07-21 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\eSobi

2009-06-18 02:19 . 2007-04-16 15:52 607780 ----a-w- c:\windows\system32\pst.dat

2009-06-17 18:27 . 2009-05-08 21:30 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-17 18:27 . 2009-05-08 21:30 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-17 06:54 . 2007-12-31 16:01 -------- d-----w- c:\documents and settings\Russell\Application Data\LimeWire

2009-06-14 10:22 . 2009-06-24 05:12 1412 ----a-w- DelClsid.bat

2009-06-14 09:08 . 2009-06-24 05:12 1896 ----a-w- Boot-Rk.cmd

2009-06-10 18:38 . 2009-06-24 05:12 30 ----a-w- Rust.str

2009-06-10 09:25 . 2009-06-24 05:12 1464 ----a-w- safeboot.def.dat

2009-06-08 15:10 . 2009-06-24 05:12 155136 ----a-r- pev.cfexe

2009-06-08 15:10 . 2009-06-24 05:12 155136 ----a-w- pev.exe

2009-06-06 15:51 . 2009-06-24 05:12 732 ----a-w- Catch-sub.cmd

2009-06-05 14:20 . 2009-06-24 05:12 603 ----a-w- Fin.dat

2009-05-26 00:51 . 2009-05-26 00:51 80403 ----a-w- c:\windows\system32\wlkdfp.tmp

2009-05-26 00:51 . 2009-05-26 00:51 77798 ----a-w- c:\windows\system32\jhssrj.tmp

2009-05-25 20:39 . 2009-05-25 20:39 1882 ----a-w- c:\windows\system32\6ehuk5.tmp

2009-05-25 20:39 . 2009-05-25 20:39 1651 ----a-w- c:\windows\system32\5m86ko.tmp

2009-05-25 20:39 . 2009-05-25 20:39 1007 ----a-w- c:\windows\system32\z2xsc0.tmp

2009-05-25 20:39 . 2009-05-25 20:39 176 ----a-w- c:\windows\system32\hvw37e.tmp

2009-05-25 20:39 . 2009-05-25 20:39 1037 ----a-w- c:\windows\system32\76jlm2.tmp

2009-05-25 19:39 . 2009-05-25 19:39 2104 ----a-w- c:\windows\system32\uyrr85.tmp

2009-05-25 19:39 . 2009-05-25 19:39 2104 ----a-w- c:\windows\system32\0y44bp.tmp

2009-05-25 19:39 . 2009-05-25 19:39 1292 ----a-w- c:\windows\system32\ifyh5e.tmp

2009-05-25 17:13 . 2009-06-24 05:12 1792 ----a-w- RestoreO4.bat

2009-05-25 17:08 . 2009-06-24 05:12 1688 ----a-w- CSet.cmd

2009-05-25 17:05 . 2009-06-24 05:12 1095 ----a-w- FKMGen.cmd

2009-05-23 09:29 . 2009-06-24 05:12 1149 ----a-w- region.dat

2009-05-21 11:20 . 2009-06-24 05:12 675 ----a-w- av.cmd

2009-05-18 12:30 . 2009-06-24 05:12 30178 ----a-r- setpath.cfexe

2009-05-14 08:08 . 2009-06-24 05:12 592 ----a-w- Wmi_rem.vbs

2009-05-14 01:09 . 2009-06-24 05:12 1464 ----a-w- av.vbs

2009-05-08 23:22 . 2007-07-21 06:23 -------- d-----w- c:\program files\Microsoft SQL Server

2009-05-08 23:00 . 2009-04-11 20:58 -------- d-----w- c:\program files\Angle Interactive

2009-05-08 21:31 . 2009-05-08 21:31 -------- d-----w- c:\documents and settings\Mum\Application Data\Malwarebytes

2009-05-08 21:30 . 2009-05-08 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-05-08 20:33 . 2009-05-08 20:33 -------- d-----w- c:\program files\Sophos

2009-05-07 15:32 . 2004-08-04 05:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-05-03 18:40 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3a1b.tmp

2009-05-03 05:37 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3b36.tmp

2009-05-03 05:35 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3c22.tmp

2009-05-03 05:34 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3c8d.tmp

2009-05-03 05:33 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3d2b.tmp

2009-05-03 05:32 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3d47.tmp

2009-05-03 05:31 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3e24.tmp

2009-05-03 05:29 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3b93.tmp

2009-05-03 05:28 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3d0b.tmp

2009-05-03 05:27 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3c21.tmp

2009-05-03 05:26 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3c20.tmp

2009-05-03 05:25 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3c8c.tmp

2009-05-03 05:23 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3b92.tmp

2009-05-03 05:22 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3aa7.tmp

2009-05-03 05:21 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3cdc.tmp

2009-05-03 05:20 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3ede.tmp

2009-05-03 05:19 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3d38.tmp

2009-05-03 05:17 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3cac.tmp

2009-05-03 05:16 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3ac6.tmp

2009-05-03 05:15 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3da6.tmp

2009-05-03 05:14 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3d2a.tmp

2009-05-03 05:13 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3e70.tmp

2009-05-03 05:11 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3edd.tmp

2009-05-03 05:10 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3c9c.tmp

2009-05-03 05:09 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3d37.tmp

2009-05-03 05:08 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3cf9.tmp

2009-05-03 05:07 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3c3f.tmp

2009-05-03 05:05 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3d67.tmp

2009-05-03 05:04 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3df4.tmp

2009-05-03 05:03 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3d0a.tmp

2009-05-03 05:02 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3b16.tmp

2009-05-03 05:01 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP4101.tmp

2009-05-03 04:59 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3c9b.tmp

2009-05-03 04:58 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3be1.tmp

2009-05-03 04:57 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3d09.tmp

2009-05-03 04:56 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3bf0.tmp

2009-05-03 04:54 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3a78.tmp

2009-05-03 04:53 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP4100.tmp

2009-05-03 04:52 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3cdb.tmp

2009-05-03 04:51 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP4074.tmp

2009-05-03 04:50 . 2007-12-31 20:24 94208 ----a-w- c:\windows\DUMP3b15.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2008-08-06 22:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-07 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2008-08-22 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-19 49152]

"eLockMonitor"="c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe" [2006-03-31 16384]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-05-28 342528]

"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-09 68640]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]

"EPSON Stylus C48 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE" [2005-05-16 99840]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-9-12 45056]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]

Corel MEDIA FOLDERS INDEXER 8.LNK - c:\corel\Graphics8\Programs\MFIndexer.exe [2008-1-23 83456]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\BitLord\\BitLord.exe"=

"d:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9999:UDP"= 9999:UDP:LANScope UDP Port

"2804:TCP"= 2804:TCP:LANScope TCP Port

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [04/10/2004 05:47 98304]

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 18:50 30312]

R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [08/06/2006 17:54 17664]

R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [06/06/2006 18:36 90112]

R2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe -p --> c:\acer\Empowering Technology\eLock\LockServ.exe -p [?]

R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [03/10/2006 11:03 18072]

R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [30/05/2007 15:30 14616]

R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [04/10/2004 04:40 118784]

S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [15/02/2005 09:02 81920]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]

S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [14/04/2006 10:07 28933976]

S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [31/12/2007 13:25 31872]

.

- - - - ORPHANS REMOVED - - - -

BHO-{8EB46525-FA49-4F21-98C4-9A2FB88ACD9B} - c:\windows\system32\avtap.dll

HKLM-Run-installnet.exe - c:\acer\LANScope Agent\Installnet.exe

Notify-5c772cc8573 - c:\windows\System32\dpnlobby32.dll

Notify-avgrsstarter - avgrsstx.dll

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {95DF1652-220A-466C-9DCD-FE9DC16DB541} = 192.168.1.1

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-23 22:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\1.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3612)

c:\windows\system32\MSNCHATHOOK.DLL

c:\windows\system32\sysenv.dll

c:\windows\system32\CryptoAPI.dll

c:\windows\system32\ShowErrMsg.dll

c:\windows\system32\MFC71U.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-06-24 22:17

ComboFix-quarantined-files.txt 2009-06-24 05:17

Pre-Run: 51,915,575,296 bytes free

Post-Run: 51,899,047,936 bytes free

256 --- E O F --- 2009-06-24 05:11


  • Staff

Hi,

This looks OK again.

Not sure how or where all these files from Combofix got dropped (as I see in your log, because all these "random" looking files appear to be a part of Combofix), but as I said, could be because of AVG interference before.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Reboot afterwards.

Then,

Navigate to and delete the following files if still present:

c:\windows\system32\wlkdfp.tmp

c:\windows\system32\jhssrj.tmp

c:\windows\system32\6ehuk5.tmp

c:\windows\system32\5m86ko.tmp

c:\windows\system32\z2xsc0.tmp

c:\windows\system32\hvw37e.tmp

c:\windows\system32\76jlm2.tmp

c:\windows\system32\uyrr85.tmp

c:\windows\system32\0y44bp.tmp

c:\windows\system32\ifyh5e.tmp

c:\windows\system32\mmd109en.dat

c:\windows\system32\cok458en.dat

You may also delete these files as they are the dumpreports of the crashes you had previously:

c:\windows\DUMP3a1b.tmp

c:\windows\DUMP3b36.tmp

c:\windows\DUMP3c22.tmp

c:\windows\DUMP3c8d.tmp

c:\windows\DUMP3d2b.tmp

c:\windows\DUMP3d47.tmp

c:\windows\DUMP3e24.tmp

c:\windows\DUMP3b93.tmp

c:\windows\DUMP3d0b.tmp

c:\windows\DUMP3c21.tmp

c:\windows\DUMP3c20.tmp

c:\windows\DUMP3c8c.tmp

c:\windows\DUMP3b92.tmp

c:\windows\DUMP3aa7.tmp

c:\windows\DUMP3cdc.tmp

c:\windows\DUMP3ede.tmp

c:\windows\DUMP3d38.tmp

c:\windows\DUMP3cac.tmp

c:\windows\DUMP3ac6.tmp

c:\windows\DUMP3da6.tmp

c:\windows\DUMP3d2a.tmp

c:\windows\DUMP3e70.tmp

c:\windows\DUMP3edd.tmp

c:\windows\DUMP3c9c.tmp

c:\windows\DUMP3d37.tmp

c:\windows\DUMP3cf9.tmp

c:\windows\DUMP3c3f.tmp

c:\windows\DUMP3d67.tmp

c:\windows\DUMP3df4.tmp

c:\windows\DUMP3d0a.tmp

c:\windows\DUMP3b16.tmp

c:\windows\DUMP4101.tmp

c:\windows\DUMP3c9b.tmp

c:\windows\DUMP3be1.tmp

c:\windows\DUMP3d09.tmp

c:\windows\DUMP3bf0.tmp

c:\windows\DUMP3a78.tmp

c:\windows\DUMP4100.tmp

c:\windows\DUMP3cdb.tmp

c:\windows\DUMP4074.tmp

c:\windows\DUMP3b15.tmp

Then uninstall the Ask Toolbar via software > add&remove programs since this one is not recommended.

Then, * Please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.

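One way to carry out the "delete the following files if still present" step from the reply above, as an added PowerShell example that is not the staff member's code or part of the original thread: it records size, last write time and SHA1 of each leftover and moves it into a quarantine folder rather than deleting it, so the evidence survives the cleanup. The folder and log names are assumptions, and the DUMP*.tmp wildcard generalises the individual dump files the reply lists.

```powershell
# Added example; not code from the thread. Inventories each leftover file named in the
# reply (size, last write time, SHA1) and moves it to a quarantine folder instead of
# deleting it. Assumptions: $Quarantine and $LogFile are names chosen here; the
# DUMP*.tmp wildcard generalises the dump files the reply lists one by one.
$Quarantine = 'C:\Quarantine_Leftovers'            # hypothetical folder name
$LogFile    = Join-Path $Quarantine 'inventory.csv'

# ComboFix leftovers named in the reply (random-looking .tmp/.dat names in system32).
$Leftovers = @(
    'c:\windows\system32\wlkdfp.tmp',   'c:\windows\system32\jhssrj.tmp',
    'c:\windows\system32\6ehuk5.tmp',   'c:\windows\system32\5m86ko.tmp',
    'c:\windows\system32\z2xsc0.tmp',   'c:\windows\system32\hvw37e.tmp',
    'c:\windows\system32\76jlm2.tmp',   'c:\windows\system32\uyrr85.tmp',
    'c:\windows\system32\0y44bp.tmp',   'c:\windows\system32\ifyh5e.tmp',
    'c:\windows\system32\mmd109en.dat', 'c:\windows\system32\cok458en.dat'
)
# The crash dump reports: every DUMP*.tmp directly under c:\windows.
$Dumps = Get-ChildItem -Path 'c:\windows' -Filter 'DUMP*.tmp' -ErrorAction SilentlyContinue |
         Select-Object -ExpandProperty FullName

function Get-Sha1Hex([string]$Path) {
    # Uses .NET directly: Get-FileHash needs PowerShell 4+, which Windows XP never had.
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha1.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

if (-not (Test-Path -LiteralPath $Quarantine)) {
    New-Item -ItemType Directory -Path $Quarantine | Out-Null
}

$records = foreach ($path in @($Leftovers) + @($Dumps)) {
    # Skip empty entries and files that are already gone ("if still present").
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path
    $sha1 = Get-Sha1Hex $item.FullName
    # Keep the original name; a hash prefix stops two same-named files from colliding.
    $dest = Join-Path $Quarantine ($item.Name + '.' + $sha1.Substring(0, 8) + '.quar')
    Move-Item -LiteralPath $item.FullName -Destination $dest -Force
    New-Object PSObject -Property @{
        Path = $item.FullName; Bytes = $item.Length
        Modified = $item.LastWriteTime; Sha1 = $sha1; QuarantinedAs = $dest
    }
}

if ($records) {
    $records | Export-Csv -Path $LogFile -NoTypeInformation
    $records | Format-Table Path, Bytes, Modified, Sha1 -AutoSize
} else {
    Write-Host 'None of the listed files are still present; nothing to quarantine.'
}
```

Run it from an administrator account, since the files live under c:\windows; the CSV gives you a record of what was moved if anything needs to be checked later.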

Thanks Mieke,

Your instructions were spot on and the scan report is as follows:-

Avira AntiVir Personal

Report file date: 24 June 2009 23:11

Scanning for 1439934 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : ACER-AD993BA82B

Version information:

BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00

AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 17:14:47

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 04:33:26

ANTIVIR2.VDF : 7.1.4.0 2336768 Bytes 5/20/2009 20:16:38

ANTIVIR3.VDF : 7.1.4.37 382976 Bytes 5/29/2009 20:25:16

Engineversion : 8.2.0.180

AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 19:52:04

AESCRIPT.DLL : 8.1.2.0 389497 Bytes 5/28/2009 00:07:20

AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 19:02:01

AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 02:24:41

AEPACK.DLL : 8.1.3.18 401783 Bytes 5/28/2009 00:07:20

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 04:01:56

AEHEUR.DLL : 8.1.0.129 1761655 Bytes 5/14/2009 19:02:01

AEHELP.DLL : 8.1.2.2 119158 Bytes 5/29/2009 21:51:15

AEGEN.DLL : 8.1.1.44 348532 Bytes 5/14/2009 19:02:01

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 22:32:40

AECORE.DLL : 8.1.6.12 180599 Bytes 5/28/2009 00:07:20

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 18:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: 24 June 2009 23:11

Starting search for hidden objects.

'53672' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'wscntfy.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sqlwriter.exe' - '1' Module(s) have been scanned

Scan process 'RichVideo.exe' - '1' Module(s) have been scanned

Scan process 'PhotoshopElementsDeviceConnect.exe' - '1' Module(s) have been scanned

Scan process 'lockkm.exe' - '1' Module(s) have been scanned

Scan process 'LockServ.exe' - '1' Module(s) have been scanned

Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'BcmSqlStartupSvc.exe' - '1' Module(s) have been scanned

Scan process 'awServ.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'PhotoshopElementsFileAgent.exe' - '1' Module(s) have been scanned

Scan process 'MemCheck.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'MFIndexer.exe' - '1' Module(s) have been scanned

Scan process 'Acer.Empowering.Framework.Launcher.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned

Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'E_S4I091.EXE' - '1' Module(s) have been scanned

Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned

Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned

Scan process 'LockMon.exe' - '1' Module(s) have been scanned

Scan process 'eRAgent.exe' - '1' Module(s) have been scanned

Scan process 'awtray.exe' - '1' Module(s) have been scanned

Scan process 'eDSloader.exe' - '1' Module(s) have been scanned

Scan process 'SysMonitor.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

52 processes with 52 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Master boot sector HD2

[INFO] No virus was found!

Master boot sector HD3

[INFO] No virus was found!

Master boot sector HD4

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '73' files ).

Starting the file scan:

Begin scan in 'C:\' <ACER>

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Program Files\Trend Micro\HijackThis\backups\backup-20090620-175329-495.dll

[DETECTION] Is the TR/Trash.Gen Trojan

Begin scan in 'D:\' <ACERDATA>

Beginning disinfection:

C:\Program Files\Trend Micro\HijackThis\backups\backup-20090620-175329-495.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4aa624c6.qua'!

End of the scan: 25 June 2009 00:16

Used time: 34:29 Minute(s)

The scan has been done completely.

9107 Scanned directories

370079 Files were scanned

1 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

1 Files were moved to quarantine

0 Files were renamed

2 Files cannot be scanned

370076 Files not concerned

9187 Archives were scanned

2 Warnings

3 Notes

53672 Objects were scanned with rootkit scan

0 Hidden objects were found

Once again thanks

Merv


Hi Mieke

I ran a full avira scan again - all clean. I ran a full scan with Malwarebytes - all clean. I ran registry cleaner for a final tidy up and installed zonealarm firewall in the hope to keep trouble out.

Everything appears back to normal and working a lot faster!!

Thank you so so much for your help, it's really appreciated.

Thanks

Merv


  • Staff

Hi,

A question - why are you using a Registry Cleaner? Instead of cleaning, it may actually break things. You may also want to read here why I don't recommend Registry cleaners: http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html

Good to hear the rest is OK. Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :P
