
need help!! system security virus gone wrong



Hey guys, I'm after some help.....

My computer got infected with the System Security virus 2 days ago. It started out with me not being able to do anything (taskbar is gone, start button gone, can't open any files at all, no system restore, anything). I rebooted the computer and the same thing again. I then used the mrs laptop to do some research on the virus. I have pretty much done everything recommended on the net but still can't get my comp working. The virus seems to be gone and I can run some programs but I still have no start or taskbar, no net connectivity, and still can't run Malwarebytes.

Can someone please help me??? I need my comp asap and don't really want to format my drive. Any help would be greatly appreciated.

Here is a log from HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:33:47 PM, on 7/8/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\Homer\LOCALS~1\Temp\b.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: (no name) - FBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O1 - Hosts: ::1 localhost

O1 - Hosts: 209.44.111.62 antispy.microsoft.com

O1 - Hosts: 209.44.111.62 antiaware-pro.com

O1 - Hosts: 209.44.111.62 www.antiaware-pro.com

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [bootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [14774844] C:\Documents and Settings\All Users\Application Data\14774844\14774844.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MalwareRemovalBot] J:\MalwareRemovalBot\MalwareRemovalBot.exe -boot

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Homer\LOCALS~1\Temp\b.exe

O4 - HKUS\S-1-5-21-448539723-838170752-839522115-1002\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-448539723-838170752-839522115-1002\..\Run: [MalwareRemovalBot] J:\MalwareRemovalBot\MalwareRemovalBot.exe -boot (User '?')

O4 - HKUS\S-1-5-21-448539723-838170752-839522115-1002\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent (User '?')

O4 - HKUS\S-1-5-21-448539723-838170752-839522115-1002\..\Run: [Cognac] C:\DOCUME~1\Homer\LOCALS~1\Temp\b.exe (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)

O20 - AppInit_DLLs: ,C:\DOCUME~1\Homer\LOCALS~1\Temp\2471625755mxx.dll

O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate1c9a1ca569e944e) (gupdate1c9a1ca569e944e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe (file missing)

--

End of file - 8690 bytes
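
A triage pass over a HijackThis log such as the one above, as an added example that is not part of the original thread or of HijackThis itself: it parses the result lines and flags three patterns visible in this log (a Hosts entry pointing a name at a non-loopback address, an autostart entry loading from a Temp directory, and an entry whose target file is missing). The rule names and the choice of heuristics are assumptions of this example; a flag means "review this entry", not "confirmed malicious".

```python
import ipaddress
import re

# Lines excerpted from the HijackThis log above (not a complete log).
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Homer\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent
O20 - AppInit_DLLs: ,C:\DOCUME~1\Homer\LOCALS~1\Temp\2471625755mxx.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe (file missing)
"""

# A result line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
MISSING_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)

# Sections whose entries load code at boot, at logon or into other processes:
# O4 = Run keys / Startup folder, O20 = AppInit_DLLs, O23 = services.
AUTOSTART_CODES = {"O4", "O20", "O23"}


def parse_entries(text):
    """Yield (code, body) for each result line; header and process lines are skipped."""
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            yield match.group("code"), match.group("body")


def hosts_finding(body):
    """Return a reason string for an O1 Hosts entry, or None if it looks benign."""
    match = HOSTS_RE.match(body)
    if not match:
        return None
    try:
        ip = ipaddress.ip_address(match.group("ip"))
    except ValueError:
        return "hosts-unparseable"
    # Loopback and 0.0.0.0 mappings are the usual localhost/blocklist entries.
    if ip.is_loopback or ip.is_unspecified:
        return None
    return "hosts-redirect"


def triage(text):
    """Return a list of (code, [reasons], body) for entries that deserve review."""
    findings = []
    for code, body in parse_entries(text):
        reasons = []
        if code == "O1":
            reason = hosts_finding(body)
            if reason:
                reasons.append(reason)
        if code in AUTOSTART_CODES and TEMP_RE.search(body):
            reasons.append("autostart-from-temp")
        if MISSING_RE.search(body):
            reasons.append("target-missing")
        if reasons:
            findings.append((code, reasons, body))
    return findings


if __name__ == "__main__":
    for code, reasons, body in triage(SAMPLE_LOG):
        print(f"{code:<4} {','.join(reasons):<22} {body}")
```
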


  • Root Admin

STEP 01

With all other applications closed (Taskbar empty), open HijackThis again and run "Do a system scan only" and place a check mark on the following items.

  • R3 - URLSearchHook: (no name) - FBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
  • O1 - Hosts: ::1 localhost
  • O1 - Hosts: 209.44.111.62 antispy.microsoft.com
  • O1 - Hosts: 209.44.111.62 antiaware-pro.com
  • O1 - Hosts: 209.44.111.62 www.antiaware-pro.com
  • O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
  • O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  • O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  • O2 - BHO: Java

Hey mate, thanks for that. I will give it a go today and post back my results.

The only problem is that I don't have a task bar and can't click on start to get the run application up. Is there another way to get to it?

Also I cannot access the internet on the computer so I'm currently using a laptop to read this.

Thanks again for your help.


Ok, I got to the run command by holding the Windows key and pressing R.

Did what you said above but when I restarted the comp I got these messages popping up

userinit.exe - application error The instruction at "0x00fc4a49" referenced memory at "0x80000024". The memory could not "read". Click ok to terminate the program

pctstray: pctsTray.exe - application error The instruction at "0x7c934feb" referenced memory at "0x00200070". The memory could not "read". Click ok to terminate the program

pctstray: pctsTray.exe - application error The instruction at "0x7c934fe9" referenced memory at "0x0000f300". The memory could not "read". Click ok to terminate the program

pctstray: pctsTray.exe - application error The instruction at "0x7c934feb" referenced memory at "0x00000000". The memory could not "read". Click ok to terminate the program

pctsTray.exe - application error The instruction at "0x7c934feb" referenced memory at "0xffffffff". The memory could not "read". Click ok to terminate the program

pctsTray.exe - application error The instruction at "0x771544f1" referenced memory at "0x0129c698". The memory could not "read". Click ok to terminate the program

pctsTray.exe - application error The instruction at "0x771544f1" referenced memory at "0x01294f00". The memory could not "read". Click ok to terminate the program

pctsTray.exe - application error The instruction at "0x771544f1" referenced memory at "0x01286690". The memory could not "read". Click ok to terminate the program

There were about another 4 of these errors with different referenced memory locations.

After those messages I got this

Error - Runtime error 216 at 00FC4A49

I wouldn't have a clue what these are?


Ok, so I tried to re-install Malwarebytes after the process you mentioned above. I ran the setup file off my USB stick and renamed it to winlogon.exe, otherwise it won't run. Once it starts installing it's all good until the end, and it gets stuck on finishing installation. I left it for a while but it still stays frozen.

I got up the task manager and there is a winlogon.tmp process running, which is the setup program. Once I end that process the frozen setup screen goes away.

When I try to run Malwarebytes after that it won't run but comes up in the task manager as mbam.exe

I tried to rename the mbam.exe to winlogon.exe but I get this error.

Run-time error '372': Failed to load control 'vbalGrid' from vbalsgrid6.ocx. Your version of vbalsgrid.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.

Ok, so now I'm stuck. Blood viruses.

Any more help would be great. Thanks mate. Also where are you located? Just want to know the time difference so I know when you would most likely be on here. Thanks again.


  • Root Admin

Copy this over and try to run it. Try rename as well and Safe Mode if needed.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


I can't copy anything to the computer. The only way to get any new programs on is to run the setup file from my USB stick.

I can't copy and paste, or even drag and drop from anywhere on the comp or USB.

I don't know any other way to get ComboFix onto my desktop, plus it has removed all my network connections and they don't show up to even repair them.


Ok, I've got some good news. I put my hard drive in another comp as a slave and ran Malwarebytes on it there. The results came back and it cleaned up some trojans and backdoors. I then put it back in my normal comp and was now able to install and run Malwarebytes without any problems. I also got my taskbar and start button back.

Here are 3 logs from Malwarebytes, and I also ran ComboFix after that as well.

1.)

Malwarebytes' Anti-Malware 1.38

Database version: 2297

Windows 5.1.2600 Service Pack 2

7/3/2009 5:35:48 PM

mbam-log-2009-07-03 (17-35-48).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)

Objects scanned: 165097

Time elapsed: 14 minute(s), 46 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lowriskfiletypes (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\local settings\Temp\install[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\ld12.exe (Backdoor.Bot) -> Delete on reboot.

c:\WINDOWS\strt_1246661561.exe (Worm.KoobFace) -> Quarantined and deleted successfully.

2.)

Malwarebytes' Anti-Malware 1.38

Database version: 2366

Windows 5.1.2600 Service Pack 2

7/3/2009 6:08:19 PM

mbam-log-2009-07-03 (18-08-19).txt

Scan type: Full Scan (C:\|)

Objects scanned: 125020

Time elapsed: 9 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 8

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\program files\drv\drv.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\drv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\drv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\drvdrv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\drvdrv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drvdrv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_DRVDRV (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_DRV (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\drv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Homer\local settings\temporary internet files\Content.IE5\67M5SH61\pdrv[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.

C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\Program Files\drv\drv.dll (Trojan.Agent) -> Delete on reboot.

C:\Program Files\drv\drv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

3.)

Malwarebytes' Anti-Malware 1.38

Database version: 2402

Windows 5.1.2600 Service Pack 2

7/10/2009 11:29:32 PM

mbam-log-2009-07-10 (23-29-32).txt

Scan type: Full Scan (C:\|D:\|G:\|H:\|I:\|)

Objects scanned: 168269

Time elapsed: 13 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 8

Registry Data Items Infected: 0

Folders Infected: 6

Files Infected: 15

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\documents and settings\Administrator\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\application data\malwareremovalbot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\application data\malwareremovalbot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:

c:\documents and settings\administrator\application data\malwareremovalbot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\application data\malwareremovalbot\Log\2009 Jul 07 - 11_55_17 PM_640.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\application data\malwareremovalbot\Log\2009 Jul 07 - 11_57_39 PM_203.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\application data\malwareremovalbot\Log\2009 Jul 08 - 08_29_22 AM_093.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\application data\malwareremovalbot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Log\2009 Jul 07 - 10_05_22 PM_750.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Log\2009 Jul 08 - 11_53_33 AM_531.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Log\2009 Jul 08 - 12_23_46 PM_078.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Log\2009 Jul 08 - 12_46_34 PM_875.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

Then combofix

ComboFix 09-07-09.08 - Homer 07/10/2009 23:51.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2943.2533 [GMT -7:00]

Running from: c:\documents and settings\Homer\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Homer\Application Data\inst.exe

c:\program files\Internet Explorer\ws2help.dll

c:\recycler\S-1-5-21-2000478354-57989841-839522115-1003

c:\windows\Install.txt

c:\windows\kb913800.exe

c:\windows\system32\Install.txt

c:\windows\system32\msconfig.exe

c:\windows\system32\UACbmeuwftoipgekxi.dat

c:\windows\system32\UACfhdspgwcdhmylte.db

c:\windows\system32\uactmp.db

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MSNCACHE

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))

.

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\windows\system32\wbem\snmp

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\windows\srchasst

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\windows\system32\xircom

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\program files\microsoft frontpage

2009-07-10 19:56 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-10 19:56 . 2009-07-11 06:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-10 19:56 . 2009-07-10 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-10 19:56 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-08 21:33 . 2009-07-08 21:33 -------- d-----w- c:\program files\Trend Micro

2009-07-08 06:53 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-07-08 06:52 . 2009-03-06 23:45 130424 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-07-08 06:52 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-07-08 06:52 . 2009-07-08 06:54 -------- d-----w- c:\program files\Common Files\PC Tools

2009-07-08 06:52 . 2008-12-10 19:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-07-08 06:52 . 2009-07-11 05:41 -------- d-----w- c:\program files\Spyware Doctor

2009-07-08 06:52 . 2009-07-08 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-07-08 06:52 . 2009-07-08 06:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2009-07-08 05:53 . 2009-07-08 05:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar

2009-07-08 05:53 . 2009-07-08 05:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-07-08 02:55 . 2009-07-08 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-07-08 01:48 . 2009-07-08 01:48 -------- d-----w- c:\program files\Chec

2009-07-05 19:59 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll

2009-07-04 00:18 . 2009-07-04 00:18 -------- d-----w- c:\documents and settings\Homer\Application Data\Malwarebytes

2009-07-03 22:34 . 2009-07-08 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-06-23 16:22 . 2009-06-23 16:22 152576 ----a-w- c:\documents and settings\Homer\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-16 20:11 . 2009-06-16 20:11 -------- d-----w- c:\program files\iPod

2009-06-16 20:10 . 2009-06-16 20:11 -------- d-----w- c:\program files\QuickTime

2009-06-16 20:05 . 2009-06-16 20:05 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-06-12 15:56 . 2009-05-07 15:44 344064 ------w- c:\windows\system32\dllcache\localspl.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-11 06:44 . 2009-03-10 21:50 -------- d-----w- c:\program files\Google

2009-07-11 05:52 . 2009-03-03 21:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-10 18:41 . 2007-08-11 23:47 -------- d-----w- c:\program files\Steam

2009-07-07 23:22 . 2007-12-24 03:31 -------- d-----w- c:\documents and settings\Homer\Application Data\uTorrent

2009-07-05 20:00 . 2009-07-05 20:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-07-05 20:00 . 2009-07-05 20:00 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-07-05 00:20 . 2007-09-09 05:32 -------- d-----w- c:\documents and settings\Homer\Application Data\CopyToDvd

2009-07-05 00:17 . 2007-09-09 05:32 -------- d-----w- c:\documents and settings\Homer\Application Data\Vso

2009-07-04 00:41 . 2009-03-03 21:51 -------- d-----w- c:\program files\Trojan Remover

2009-07-03 23:00 . 2007-08-25 03:21 -------- d-----w- c:\program files\VSO

2009-06-27 04:14 . 2007-08-11 20:32 25792 ----a-w- c:\documents and settings\Homer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-23 16:23 . 2008-04-03 16:39 -------- d-----w- c:\program files\Java

2009-06-16 20:11 . 2009-04-12 00:45 -------- d-----w- c:\program files\iTunes

2009-06-16 20:11 . 2008-09-23 04:53 -------- d-----w- c:\program files\Common Files\Apple

2009-06-15 06:55 . 2009-02-19 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-28 16:38 . 2009-05-28 16:38 -------- d-----w- c:\program files\MSECache

2009-05-25 21:40 . 2009-05-25 21:40 152576 ----a-w- c:\documents and settings\Homer\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-05-21 18:33 . 2008-11-25 04:36 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-05-12 22:19 . 2009-05-12 22:19 -------- d-----r- c:\documents and settings\Homer\Application Data\Brother

2009-05-09 08:14 . 2009-05-09 08:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll

2009-05-09 08:14 . 2009-05-09 08:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys

2009-05-07 15:44 . 2004-08-03 17:56 344064 ----a-w- c:\windows\system32\localspl.dll

2009-04-17 10:09 . 2007-05-23 15:13 1847936 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 15:26 . 2007-05-23 15:12 583168 ----a-w- c:\windows\system32\rpcrt4.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]

"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-11-14 16270848]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-03 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"HideRunAsVerb"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15703:TCP"= 15703:TCP:NortonAV

"12722:TCP"= 12722:TCP:NortonAV

"12750:TCP"= 12750:TCP:NortonAV

"18713:TCP"= 18713:TCP:NortonAV

"13750:TCP"= 13750:TCP:NortonAV

"17044:TCP"= 17044:TCP:NortonAV

"12781:TCP"= 12781:TCP:NortonAV

"13323:TCP"= 13323:TCP:NortonAV

"18150:TCP"= 18150:TCP:NortonAV

"17396:TCP"= 17396:TCP:NortonAV

"13473:TCP"= 13473:TCP:NortonAV

"16219:TCP"= 16219:TCP:NortonAV

"15190:TCP"= 15190:TCP:NortonAV

"18641:TCP"= 18641:TCP:NortonAV

"17730:TCP"= 17730:TCP:NortonAV

"15712:TCP"= 15712:TCP:NortonAV

"15037:TCP"= 15037:TCP:NortonAV

"13928:TCP"= 13928:TCP:NortonAV

"14461:TCP"= 14461:TCP:NortonAV

"18371:TCP"= 18371:TCP:NortonAV

"16029:TCP"= 16029:TCP:NortonAV

"12416:TCP"= 12416:TCP:NortonAV

"13943:TCP"= 13943:TCP:NortonAV

"16441:TCP"= 16441:TCP:NortonAV

"12697:TCP"= 12697:TCP:NortonAV

"8085:TCP"= 8085:TCP:drv

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/7/2009 11:52 PM 130424]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 1:03 PM 169312]

S2 BootScreen;BootScreen;c:\windows\system32\drivers\vidstub.sys [9/6/2008 12:16 PM 163712]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/7/2009 11:52 PM 348752]

NETSVCS REQUIRES REPAIRS - current entries shown

msncache

6to4

AppMgmt

AudioSrv

Browser

CryptSvc

DMServer

DHCP

EventSystem

FastUserSwitchingCompatibility

HidServ

Ias

Iprip

Irmon

LanmanServer

LanmanWorkstation

Netman

Nla

NWCWorkstation

Nwsapagent

Rasauto

Rasman

Remoteaccess

Schedule

SENS

Sharedaccess

SRService

Tapisrv

Themes

WZCSVC

Wmi

WmdmPmSp

winmgmt

xmlprov

BITS

wuauserv

ShellHWDetection

WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.

Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-07-07 c:\windows\Tasks\OGADaily.job

- c:\windows\system32\OGAVerify.exe [2009-01-01 00:04]

2009-07-11 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAVerify.exe [2009-01-01 00:04]

.

- - - - ORPHANS REMOVED - - - -

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

HKLM-Run-NWEReboot - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

FF - ProfilePath - c:\documents and settings\Homer\Application Data\Mozilla\Firefox\Profiles\gbcuo58b.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/webhp?hl=en

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-10 23:55

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1848)

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-07-11 23:57 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-11 06:57

Pre-Run: 16,689,463,296 bytes free

Post-Run: 16,770,150,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

257 --- E O F --- 2009-07-05 20:00

Now what should I do?

Thanks again for your time.


  • Root Admin

First off I see you have another post open for a laptop. Please wait till we're done with this one. Try not to share the network with this computer and the laptop though for now just in case one of them has something that is reaching out and infecting the other.

STEP 01

Please copy/paste the following entries into a new Notepad document and save it to your Desktop as DefaultServices.REG. When saving, you'll need to select the SAVE AS TYPE and choose ALL FILES to save with the .REG extension. Then double-click on it to run it.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cisvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DcomLaunch]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTPFilter]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtLmSsp]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SamSs]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSrv]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SwPrv]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov]
"Start"=dword:00000003

STEP 02

Then download and run the following and reboot your computer.

Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.

    VArestorepolicies.INF
  • Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
  • Unzip or open the file VArestorepolicies.zip
  • Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install
    FixPolicies.exe
  • Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that will open
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close
  • These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.

STEP 03

Then temporarily disable your Anti-Virus and run this Online AV scanner.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

STEP 04

You're missing this file: c:\windows\system32\proquota.exe so you'll need to get a copy from a clean Windows XP Pro system to copy it over from or you might possibly be able to get it from downloading and installing Service Pack 3 from Microsoft once we're certain the system is clean.

DO NOT install Service Pack 3 or any other software unless asked to while we're fixing the computer.

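A .REG file like the one in STEP 01 can be reviewed before it is merged. The following is an added example, not part of the original post: it checks that the file touches nothing except service "Start" values and lists which start types the merge would change. `audit_reg`, `plan_changes` and the `CURRENT` snapshot are hypothetical names and constructed data; `REG_TEXT` is a four-entry excerpt of the file above.

```python
import re

# Meaning of a service's "Start" DWORD in the Windows registry.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
START_LINE = re.compile(r'"Start"=dword:([0-9a-fA-F]{8})')

# Excerpt (four entries) of the DefaultServices.REG posted in STEP 01.
REG_TEXT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
'''

# Constructed snapshot of the machine's current Start values (assumption,
# not taken from the thread): firewall and Security Center disabled.
CURRENT = {"Alerter": 4, "SharedAccess": 4, "wscsvc": 4, "wuauserv": 2}


def audit_reg(text):
    """Return (starts, unexpected).

    starts     -- {service name: Start value} for every well-formed entry
    unexpected -- [(line number, line)] for anything that is not a
                  Services\\<name> key or a valid "Start" DWORD, e.g. keys
                  elsewhere in the registry, other values, key deletions.
    """
    starts, unexpected, service = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";") or line in HEADERS:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            name = key[len(SERVICES):] if key.lower().startswith(SERVICES) else ""
            if name and "\\" not in name:
                service = name
            else:
                # Outside Services\<name>, a subkey, or a "[-key]" deletion.
                service = None
                unexpected.append((lineno, line))
            continue
        m = START_LINE.fullmatch(line)
        value = int(m.group(1), 16) if m else None
        if service is not None and value in START_TYPES:
            starts[service] = value
        else:
            unexpected.append((lineno, line))
    return starts, unexpected


def plan_changes(starts, current):
    """List (service, old type, new type) for values the merge would change."""
    changes = []
    for service, new in starts.items():
        old = current.get(service)
        if old != new:
            changes.append((service, START_TYPES.get(old, "not present"), START_TYPES[new]))
    return changes


if __name__ == "__main__":
    starts, unexpected = audit_reg(REG_TEXT)
    for lineno, line in unexpected:
        print(f"line {lineno}: outside the expected scope: {line}")
    for service, old, new in plan_changes(starts, CURRENT):
        print(f"{service}: {old} -> {new}")
```

Any line reported as outside the expected scope is a reason to stop and read the file before merging it.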

OK, done the above steps and here's the log from Eset.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=8.00.6001.18241 (longhorn_ie8_beta2(wmbla).080822-0214)

# OnlineScanner.ocx=1.0.0.5886

# api_version=3.0.2

# EOSSerial=bffe672cc7511045afdccf60d47215d4

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-07-11 10:00:38

# local_time=2009-07-11 03:00:38 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# scanned=76445

# found=4

# cleaned=0

# scan_time=1223

C:\Documents and Settings\Homer\Desktop\programs\mp3splitter.exe probably a variant of Win32/TrojanDownloader.Agent trojan 00000000000000000000000000000000 I

D:\MUSIC\Rihanna - Good Girl Gone Bad (Reloaded) (2008)\05 - Shut Up & Drive.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I

D:\New Folder\programs\mp3splitter.exe probably a variant of Win32/TrojanDownloader.Agent trojan 00000000000000000000000000000000 I

G:\music\Nero 7.10.1.0 (stew's)\Nero-7.10.1.0_eng_full.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I


  • Root Admin

STEP 01

Please submit the following files to http://www.virustotal.com and if they come back as infected as well then delete them.

C:\Documents and Settings\Homer\Desktop\programs\mp3splitter.exe

D:\MUSIC\Rihanna - Good Girl Gone Bad (Reloaded) (2008)\05 - Shut Up & Drive.mp3

D:\New Folder\programs\mp3splitter.exe

STEP 02

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH FIREWALL RESET

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH int ip reset c:\resetlog.txt

STEP 03

Please disable your current Anti-Virus and then delete your current copy of Combofix.exe and download a NEW fresh copy and run it again and post back the log.

Additional links to download the tool:

ComboFix.exe

ComboFix.exe

ComboFix.exe


Hey mate, sorry for the late reply, I've been sick with the flu and haven't touched my comp.

I deleted those files, they weren't needed anyway.

Here's the ComboFix log

ComboFix 09-07-14.07 - Homer 07/15/2009 14:25.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2943.2416 [GMT -7:00]

Running from: c:\documents and settings\Homer\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))

.

2009-07-11 21:35 . 2009-07-11 21:35 -------- d-----w- c:\program files\ESET

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\windows\system32\wbem\snmp

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\windows\srchasst

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\windows\system32\xircom

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\program files\microsoft frontpage

2009-07-10 19:56 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-10 19:56 . 2009-07-11 06:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-10 19:56 . 2009-07-10 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-10 19:56 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-08 21:33 . 2009-07-08 21:33 -------- d-----w- c:\program files\Trend Micro

2009-07-08 06:53 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-07-08 06:52 . 2009-03-06 23:45 130424 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-07-08 06:52 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-07-08 06:52 . 2009-07-08 06:54 -------- d-----w- c:\program files\Common Files\PC Tools

2009-07-08 06:52 . 2008-12-10 19:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-07-08 06:52 . 2009-07-11 05:41 -------- d-----w- c:\program files\Spyware Doctor

2009-07-08 06:52 . 2009-07-08 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-07-08 06:52 . 2009-07-08 06:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2009-07-08 05:53 . 2009-07-08 05:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar

2009-07-08 05:53 . 2009-07-08 05:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-07-08 02:55 . 2009-07-08 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-07-08 01:48 . 2009-07-08 01:48 -------- d-----w- c:\program files\Chec

2009-07-05 19:59 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll

2009-07-04 00:18 . 2009-07-04 00:18 -------- d-----w- c:\documents and settings\Homer\Application Data\Malwarebytes

2009-07-03 22:34 . 2009-07-08 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-06-23 16:22 . 2009-06-23 16:22 152576 ----a-w- c:\documents and settings\Homer\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-16 20:11 . 2009-06-16 20:11 -------- d-----w- c:\program files\iPod

2009-06-16 20:10 . 2009-06-16 20:11 -------- d-----w- c:\program files\QuickTime

2009-06-16 20:05 . 2009-06-16 20:05 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-15 21:19 . 2007-12-24 03:31 -------- d-----w- c:\documents and settings\Homer\Application Data\uTorrent

2009-07-15 02:51 . 2007-09-09 05:32 -------- d-----w- c:\documents and settings\Homer\Application Data\CopyToDvd

2009-07-15 02:51 . 2007-09-09 05:32 -------- d-----w- c:\documents and settings\Homer\Application Data\Vso

2009-07-11 06:44 . 2009-03-10 21:50 -------- d-----w- c:\program files\Google

2009-07-11 05:52 . 2009-03-03 21:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-10 18:41 . 2007-08-11 23:47 -------- d-----w- c:\program files\Steam

2009-07-05 20:00 . 2009-07-05 20:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-07-05 20:00 . 2009-07-05 20:00 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-07-04 00:41 . 2009-03-03 21:51 -------- d-----w- c:\program files\Trojan Remover

2009-07-03 23:00 . 2007-08-25 03:21 -------- d-----w- c:\program files\VSO

2009-06-27 04:14 . 2007-08-11 20:32 25792 ----a-w- c:\documents and settings\Homer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-23 16:23 . 2008-04-03 16:39 -------- d-----w- c:\program files\Java

2009-06-16 20:11 . 2009-04-12 00:45 -------- d-----w- c:\program files\iTunes

2009-06-16 20:11 . 2008-09-23 04:53 -------- d-----w- c:\program files\Common Files\Apple

2009-06-15 06:55 . 2009-02-19 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-28 16:38 . 2009-05-28 16:38 -------- d-----w- c:\program files\MSECache

2009-05-25 21:40 . 2009-05-25 21:40 152576 ----a-w- c:\documents and settings\Homer\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-05-21 18:33 . 2008-11-25 04:36 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-05-09 08:14 . 2009-05-09 08:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll

2009-05-09 08:14 . 2009-05-09 08:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys

2009-05-07 15:44 . 2004-08-03 17:56 344064 ----a-w- c:\windows\system32\localspl.dll

2009-04-17 10:09 . 2007-05-23 15:13 1847936 ----a-w- c:\windows\system32\win32k.sys

2009-06-14 00:59 . 2008-08-12 00:51 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-07-11_06.55.42 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]

"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-11-14 16270848]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-03 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"HideRunAsVerb"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/7/2009 11:52 PM 130424]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 1:03 PM 169312]

S2 BootScreen;BootScreen;c:\windows\system32\drivers\vidstub.sys [9/6/2008 12:16 PM 163712]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/7/2009 11:52 PM 348752]

NETSVCS REQUIRES REPAIRS - current entries shown

6to4

AppMgmt

AudioSrv

Browser

CryptSvc

DMServer

DHCP

EventSystem

FastUserSwitchingCompatibility

HidServ

Ias

Iprip

Irmon

LanmanServer

LanmanWorkstation

Netman

Nla

NWCWorkstation

Nwsapagent

Rasauto

Rasman

Remoteaccess

Schedule

SENS

Sharedaccess

SRService

Tapisrv

Themes

WZCSVC

Wmi

WmdmPmSp

winmgmt

xmlprov

BITS

wuauserv

ShellHWDetection

WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.

Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-07-15 c:\windows\Tasks\OGADaily.job

- c:\windows\system32\OGAVerify.exe [2009-01-01 00:04]

2009-07-15 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAVerify.exe [2009-01-01 00:04]

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

FF - ProfilePath - c:\documents and settings\Homer\Application Data\Mozilla\Firefox\Profiles\gbcuo58b.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/webhp?hl=en

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-15 14:27

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2464)

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-07-15 14:28

ComboFix-quarantined-files.txt 2009-07-15 21:27

ComboFix2.txt 2009-07-11 06:57

Pre-Run: 16,556,101,632 bytes free

Post-Run: 16,539,009,024 bytes free

196 --- E O F --- 2009-07-05 20:00

Thanks for your time.

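The two ComboFix logs in this thread list the Windows Firewall policy keys before and after the `NETSH FIREWALL RESET` step. The following is an added example, not part of the original posts: it pulls that section out of each log and reports what the reset changed. The function names are hypothetical, and the two sample strings are short excerpts of the logs above (three of the listed ports plus the surrounding lines).

```python
import re

FW_HEADER = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy"
    r"\\(\w+)(?:\\(\w+)\\List)?\]$", re.I)
VALUE = re.compile(r'^"(?P<name>.*)"=\s*(?P<data>.*)$')

# Excerpt of the first ComboFix log in this thread.
LOG_BEFORE = r'''[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15703:TCP"= 15703:TCP:NortonAV
"12722:TCP"= 12722:TCP:NortonAV
"8085:TCP"= 8085:TCP:drv
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/7/2009 11:52 PM 130424]
'''

# Excerpt of the second ComboFix log (after the firewall reset).
LOG_AFTER = r'''[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/7/2009 11:52 PM 130424]
'''


def firewall_summary(log_text):
    """Extract the firewall policy entries from a ComboFix log.

    enable_firewall is None when the log does not list the value; the log's
    own note says empty and default entries are not shown.
    """
    summary = {"enable_firewall": None, "open_ports": [], "authorized_apps": []}
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = FW_HEADER.match(line)
        if header:
            section = (header.group(2) or "profile").lower()
            continue
        value = VALUE.match(line)
        if section is None or not value:
            section = None  # any other line ends the firewall section
            continue
        name, data = value.group("name"), value.group("data")
        if section == "profile" and name.lower() == "enablefirewall":
            summary["enable_firewall"] = int(data.split()[0])
        elif section == "globallyopenports":
            parts = data.split(":", 2)  # port:protocol:label
            if len(parts) == 3 and parts[0].isdigit():
                summary["open_ports"].append((int(parts[0]), parts[1], parts[2]))
        elif section == "authorizedapplications":
            summary["authorized_apps"].append(name)
    return summary


def ports_by_label(summary):
    """Group the globally open ports by the label stored with each entry."""
    grouped = {}
    for port, _proto, label in summary["open_ports"]:
        grouped.setdefault(label, []).append(port)
    return {label: sorted(ports) for label, ports in grouped.items()}


def reset_effect(before, after):
    """Compare two summaries: which port openings went away, which remain."""
    b = {p[:2] for p in before["open_ports"]}
    a = {p[:2] for p in after["open_ports"]}
    return {
        "closed": sorted(b - a),
        "still_open": sorted(b & a),
        "newly_open": sorted(a - b),
        "firewall_off_before": before["enable_firewall"] == 0,
        "firewall_off_after": after["enable_firewall"] == 0,
    }


if __name__ == "__main__":
    before, after = firewall_summary(LOG_BEFORE), firewall_summary(LOG_AFTER)
    print(ports_by_label(before))
    print(reset_effect(before, after))
```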

  • Root Admin

Hi there,

Well you have something a bit odd there still, so please do the following:

Please download SystemLook and save it to your Desktop.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost /s


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


ok here's the log

SystemLook v1.0 by jpshortstuff (22.05.09)

Log created at 21:18 on 15/07/2009 by Homer (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]

"bthsvcs"="BthServ"

"DcomLaunch"="DcomLaunch TermService"

"HTTPFilter"="HTTPFilter"

"imgsvc"="StiSvc"

"LocalService"="WebClient LmHosts upnphost SSDPSRV"

"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Netman Nla NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule SENS Sharedaccess SRService Tapisrv Themes WZCSVC Wmi WmdmPmSp winmgmt xmlprov BITS wuauserv ShellHWDetection WmdmPmSN"

"NetworkService"="DnsCache"

"rpcss"="RpcSs"

"termsvcs"="TermService"

"WudfServiceGroup"="WUDFSvc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\DComLaunch]

"CoInitializeSecurityParam"= 0x0000000001 (1)

"DefaultRpcStackSize"= 0x0000000008 (8)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\HTTPFilter]

"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalService]

"AuthenticationCapabilities"= 0x0000002000 (8192)

"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]

"AuthenticationCapabilities"= 0x0000003020 (12320)

"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\termsvcs]

"CoInitializeSecurityParam"= 0x0000000001 (1)

"DefaultRpcStackSize"= 0x0000000008 (8)

-=End Of File=-


  • Root Admin

Please download and extract the following file. Then double click on it to merge it into the Registry. XPSP2 netsvcs

Then delete your current copy of Combofix.exe and download a NEW fresh copy and after disabling your Anti-Virus run it again and post back that new log.

Additional links to download the tool:

ComboFix.exe

ComboFix.exe

ComboFix.exe


ok that's done and here's the log

ComboFix 09-07-14.08 - Homer 07/16/2009 13:50.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2943.2522 [GMT -7:00]

Running from: c:\documents and settings\Homer\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))

.

2009-07-15 15:29 . 2009-06-16 14:45 81920 ------w- c:\windows\system32\dllcache\fontsub.dll

2009-07-15 15:29 . 2009-06-16 14:45 119808 ------w- c:\windows\system32\dllcache\t2embed.dll

2009-07-11 21:35 . 2009-07-11 21:35 -------- d-----w- c:\program files\ESET

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\windows\system32\wbem\snmp

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\windows\srchasst

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\windows\system32\xircom

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\program files\microsoft frontpage

2009-07-10 19:56 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-10 19:56 . 2009-07-11 06:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-10 19:56 . 2009-07-10 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-10 19:56 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-08 21:33 . 2009-07-08 21:33 -------- d-----w- c:\program files\Trend Micro

2009-07-08 06:53 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-07-08 06:52 . 2009-03-06 23:45 130424 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-07-08 06:52 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-07-08 06:52 . 2009-07-08 06:54 -------- d-----w- c:\program files\Common Files\PC Tools

2009-07-08 06:52 . 2008-12-10 19:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-07-08 06:52 . 2009-07-11 05:41 -------- d-----w- c:\program files\Spyware Doctor

2009-07-08 06:52 . 2009-07-08 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-07-08 06:52 . 2009-07-08 06:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2009-07-08 05:53 . 2009-07-08 05:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar

2009-07-08 05:53 . 2009-07-08 05:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-07-08 02:55 . 2009-07-08 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-07-08 01:48 . 2009-07-08 01:48 -------- d-----w- c:\program files\Chec

2009-07-05 19:59 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll

2009-07-04 00:18 . 2009-07-04 00:18 -------- d-----w- c:\documents and settings\Homer\Application Data\Malwarebytes

2009-07-03 22:34 . 2009-07-08 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-06-23 16:22 . 2009-06-23 16:22 152576 ----a-w- c:\documents and settings\Homer\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-16 04:58 . 2009-02-19 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-07-15 22:47 . 2007-12-24 03:31 -------- d-----w- c:\documents and settings\Homer\Application Data\uTorrent

2009-07-15 02:51 . 2007-09-09 05:32 -------- d-----w- c:\documents and settings\Homer\Application Data\CopyToDvd

2009-07-15 02:51 . 2007-09-09 05:32 -------- d-----w- c:\documents and settings\Homer\Application Data\Vso

2009-07-11 06:44 . 2009-03-10 21:50 -------- d-----w- c:\program files\Google

2009-07-11 05:52 . 2009-03-03 21:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-10 18:41 . 2007-08-11 23:47 -------- d-----w- c:\program files\Steam

2009-07-05 20:00 . 2009-07-05 20:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-07-05 20:00 . 2009-07-05 20:00 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-07-04 00:41 . 2009-03-03 21:51 -------- d-----w- c:\program files\Trojan Remover

2009-07-03 23:00 . 2007-08-25 03:21 -------- d-----w- c:\program files\VSO

2009-06-27 04:14 . 2007-08-11 20:32 25792 ----a-w- c:\documents and settings\Homer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-23 16:23 . 2008-04-03 16:39 -------- d-----w- c:\program files\Java

2009-06-16 20:11 . 2009-04-12 00:45 -------- d-----w- c:\program files\iTunes

2009-06-16 20:11 . 2009-06-16 20:11 -------- d-----w- c:\program files\iPod

2009-06-16 20:11 . 2008-09-23 04:53 -------- d-----w- c:\program files\Common Files\Apple

2009-06-16 20:11 . 2009-06-16 20:10 -------- d-----w- c:\program files\QuickTime

2009-06-16 20:05 . 2009-06-16 20:05 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-06-16 14:45 . 2007-05-23 15:13 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:45 . 2007-05-23 15:10 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 19:24 . 2007-05-23 15:12 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-28 16:38 . 2009-05-28 16:38 -------- d-----w- c:\program files\MSECache

2009-05-25 21:40 . 2009-05-25 21:40 152576 ----a-w- c:\documents and settings\Homer\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-05-21 18:33 . 2008-11-25 04:36 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-05-09 08:14 . 2009-05-09 08:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll

2009-05-09 08:14 . 2009-05-09 08:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys

2009-05-07 15:44 . 2004-08-03 17:56 344064 ----a-w- c:\windows\system32\localspl.dll

2009-06-14 00:59 . 2008-08-12 00:51 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-07-11_06.55.42 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-02-19 19:36 . 2009-06-15 06:55 35088 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe

+ 2009-02-19 19:36 . 2009-07-16 04:58 35088 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe

+ 2009-02-19 19:36 . 2009-07-16 04:58 18704 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe

- 2009-02-19 19:36 . 2009-06-15 06:55 18704 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe

- 2009-02-19 19:36 . 2009-06-15 06:55 20240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe

+ 2009-02-19 19:36 . 2009-07-16 04:58 20240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe

- 2009-02-19 19:36 . 2009-06-15 06:55 888080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe

+ 2009-02-19 19:36 . 2009-07-16 04:58 888080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe

- 2009-02-19 19:36 . 2009-06-15 06:55 272648 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe

+ 2009-02-19 19:36 . 2009-07-16 04:58 272648 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe

- 2009-02-19 19:36 . 2009-06-15 06:55 922384 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe

+ 2009-02-19 19:36 . 2009-07-16 04:58 922384 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe

- 2009-02-19 19:36 . 2009-06-15 06:55 845584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe

+ 2009-02-19 19:36 . 2009-07-16 04:58 845584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe

+ 2009-02-19 19:36 . 2009-07-16 04:58 217864 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe

- 2009-02-19 19:36 . 2009-06-15 06:55 217864 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe

+ 2009-02-19 19:36 . 2009-07-16 04:58 184080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe

- 2009-02-19 19:36 . 2009-06-15 06:55 184080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe

- 2009-02-19 19:36 . 2009-06-15 06:55 159504 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe

+ 2009-02-19 19:36 . 2009-07-16 04:58 159504 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe

+ 2008-09-08 00:13 . 2009-06-03 19:24 1291264 c:\windows\system32\dllcache\quartz.dll

+ 2009-05-27 01:54 . 2009-05-27 01:54 4192768 c:\windows\Installer\2e7c70d.msp

+ 2009-07-02 23:23 . 2009-07-02 23:23 5027328 c:\windows\Installer\2e7c6f4.msp

- 2009-02-19 19:36 . 2009-06-15 06:55 1172240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe

+ 2009-02-19 19:36 . 2009-07-16 04:58 1172240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe

+ 2009-02-19 19:35 . 2009-07-16 04:58 1165584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe

- 2009-02-19 19:35 . 2009-06-15 06:55 1165584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe

+ 2007-05-23 15:11 . 2009-07-07 15:10 24539592 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]

"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-11-14 16270848]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-03 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"HideRunAsVerb"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\utorrent.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/7/2009 11:52 PM 130424]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 1:03 PM 169312]

S2 BootScreen;BootScreen;c:\windows\system32\drivers\vidstub.sys [9/6/2008 12:16 PM 163712]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/7/2009 11:52 PM 348752]

.

Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-07-15 c:\windows\Tasks\OGADaily.job

- c:\windows\system32\OGAVerify.exe [2009-01-01 00:04]

2009-07-16 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAVerify.exe [2009-01-01 00:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

FF - ProfilePath - c:\documents and settings\Homer\Application Data\Mozilla\Firefox\Profiles\gbcuo58b.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/webhp?hl=en

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-16 13:53

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\Homer\LOCALS~1\Temp\RGI1A.tmp 7075 bytes

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1448)

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-07-16 13:54

ComboFix-quarantined-files.txt 2009-07-16 20:54

ComboFix2.txt 2009-07-15 21:28

ComboFix3.txt 2009-07-11 06:57

Pre-Run: 18,044,891,136 bytes free

Post-Run: 18,023,895,040 bytes free

190 --- E O F --- 2009-07-16 20:42


  • Root Admin

STEP 01

    Please create a BOOTLOG
  • Delete the following file if it exists. C:\Windows\ntbtlog.txt
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally, creates a boot log named ntbtlog.txt and saves it to C:\Windows

ok all the steps are done

bootlog:

Service Pack 2 7 17 2009 10:49:43.375

Loaded driver \WINDOWS\system32\ntkrnlpa.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver pciide.sys

Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Loaded driver fltMgr.sys

Loaded driver sr.sys

Loaded driver PCTCore.sys

Loaded driver PxHelp20.sys

Loaded driver KSecDD.sys

Loaded driver WudfPf.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver Mup.sys

Loaded driver \SystemRoot\system32\DRIVERS\AmdK8.sys

Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys

Loaded driver \SystemRoot\system32\DRIVERS\Rtenicxp.sys

Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys

Loaded driver \SystemRoot\system32\DRIVERS\parport.sys

Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\system32\DRIVERS\psched.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\System32\Drivers\Pcouffin.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\update.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\system32\DRIVERS\AmdLLD.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Loaded driver \SystemRoot\system32\drivers\RtkHDAud.sys

Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Did not load driver \SystemRoot\System32\Drivers\Beep.SYS

Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\system32\DRIVERS\processr.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys

Loaded driver \SystemRoot\system32\DRIVERS\Wdf01000.sys

Loaded driver \SystemRoot\system32\DRIVERS\NuidFltr.sys

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Did not load driver \SystemRoot\System32\drivers\vidstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys

Loaded driver \SystemRoot\system32\DRIVERS\rspndr.sys

Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys

Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS

Did not load driver \SystemRoot\System32\Drivers\Serial.SYS

Loaded driver \SystemRoot\system32\DRIVERS\secdrv.sys

Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys


This topic is now closed to further replies.