Jump to content

Recommended Posts

Hi,

I've got some sort of trojan that can't be removed by mbam (or anything else i've tried). It's been doing some weird things to my computer, like shutting down programs, making it hard to even get mbam to install or run in the first place, as well as taking me to fake sites in firefox and playing some audio out of nowhere a couple of times. Ad-aware was finding a Trojan.TDSS, i don't know if that's what showed up here. Your help would be greatly appreciated, thanks.

Here's the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:01:00 PM, on 7/16/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\StacSV.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\system32\braviax.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.antimalwareguard.com

O15 - Trusted Zone: *.gomyhit.com

O15 - Trusted Zone: *.microsoft.edu

O15 - Trusted Zone: *.villanova.edu

O15 - Trusted Zone: *.antimalwareguard.com (HKLM)

O15 - Trusted Zone: *.gomyhit.com (HKLM)

O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoncmg.com/webwiz/s/stub.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 8089 bytes

And here's the Malwarebytes log

Malwarebytes' Anti-Malware 1.39

Database version: 2428

Windows 5.1.2600 Service Pack 3

7/16/2009 4:13:55 PM

mbam-log-2009-07-16 (16-13-47).txt

Scan type: Full Scan (C:\|E:\|)

Objects scanned: 175675

Time elapsed: 36 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

Link to post
Share on other sites

Hi. :(

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

Note: Do not mouseclick Combofix's window while its running. That may cause it to stall

Link to post
Share on other sites

ok, got it to work. after the combofix scan, i got a message saying "You chose not to restore the original versions of the files. This may affect Windows stability. Are you sure you want to keep these unrecognized file versions?" It is also telling me to insert my windows professional CD-ROM to restore the original versions in a separate window.

Here is the combofix log (i tried disabling most of the features in the McAfee VirusScan Enterprise since there is no "disable all" option or anything, don't know if it worked. that is not my usual antivirus program, it was on the computer by default)

ComboFix 09-07-14.08 - Administrator 07/17/2009 17:01.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1579 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\something.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\beep.sys

c:\windows\system32\drivers\UACgesggwlvfpatvoxcm.sys

c:\windows\system32\UACbdrysbmasmskcntrd.dll

c:\windows\system32\UACfbkceycohpuvgfmrm.dll

c:\windows\system32\UACgntyoyelogegnwbaq.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACmhimsxhsxhgqymviv.db

c:\windows\system32\UACqmnnqrpjnkceebdsu.dll

c:\windows\system32\UACqpeyffdmkmbemwsya.dll

c:\windows\system32\uactmp.db

c:\windows\system32\UACvyunmhvevyuxqiqii.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))

.

2009-07-17 00:00 . 2009-07-17 01:58 238642 ----a-w- c:\windows\system32\wisdstr.exe

2009-07-16 23:56 . 2009-07-16 23:56 -------- d-----w- c:\program files\Trend Micro

2009-07-16 23:44 . 2009-07-16 23:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-07-14 18:25 . 2009-07-14 18:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-07-14 17:26 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-14 17:21 . 2009-07-14 17:21 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes

2009-07-14 17:21 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-14 07:58 . 2009-07-14 17:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-14 06:18 . 2009-07-14 06:18 91 ----a-w- c:\windows\system32\geyekryrbltiqq.dat

2009-07-14 06:07 . 2009-07-14 06:18 1385 ----a-w- c:\windows\system32\geyekrqahopxgf.dat

2009-07-14 06:07 . 2009-07-14 06:07 69632 ----a-w- c:\windows\system32\drivers\geyekroewwkpbp.sys

2009-07-14 06:07 . 2009-07-14 06:07 41984 ----a-w- c:\windows\system32\geyekrjwmaxwbd.dll

2009-07-14 05:56 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-07-14 05:48 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-07-14 05:43 . 2009-07-14 05:43 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}

2009-07-14 05:43 . 2009-07-14 05:43 -------- d-----w- c:\program files\Lavasoft

2009-07-14 05:20 . 2009-07-14 05:20 67072 ----a-w- c:\windows\system32\drivers\geyekrxhnililh.sys

2009-07-14 05:19 . 2009-07-14 05:19 45056 --sha-r- c:\windows\system32\flashd.dll

2009-07-14 05:19 . 2009-07-14 05:19 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-07-14 05:11 . 2009-07-14 05:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-06-19 05:58 . 2009-06-19 05:58 -------- d-----w- c:\program files\Viewpoint

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-17 20:12 . 2008-09-05 19:30 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater

2009-07-17 02:12 . 2008-05-05 14:44 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help

2009-07-14 05:19 . 2008-12-25 08:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-07-10 13:07 . 2008-12-19 07:44 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-07-02 13:30 . 2008-12-19 07:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-07-02 13:30 . 2008-12-19 07:44 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-19 05:59 . 2008-08-19 04:59 -------- d-----w- c:\program files\AIM6

2009-06-19 05:58 . 2008-08-19 05:01 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint

2009-06-19 05:58 . 2008-08-19 05:01 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\acccore

2009-06-17 20:10 . 2009-06-17 20:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AOL Downloads

2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-14 03:59 . 2009-06-14 03:59 78580 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000006.exe

2009-06-14 03:59 . 2008-10-12 22:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks

2009-06-10 18:23 . 2008-05-13 14:18 -------- d-----w- c:\program files\Java

2009-06-10 18:22 . 2009-06-10 18:22 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-10 02:06 . 2009-05-22 19:51 -------- d-----w- c:\program files\AirPort

2009-06-04 08:34 . 2009-06-04 08:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Cycling '74

2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-03 02:24 . 2008-08-18 21:23 -------- d-----w- c:\program files\iTunes

2009-06-03 02:23 . 2009-06-03 02:23 -------- d-----w- c:\program files\iPod

2009-06-03 02:23 . 2008-08-18 21:20 -------- d-----w- c:\program files\Common Files\Apple

2009-06-03 02:21 . 2009-06-03 02:20 -------- d-----w- c:\program files\QuickTime

2009-05-21 15:33 . 2008-09-16 20:03 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-09 00:58 . 2008-05-05 13:31 94935 ----a-w- c:\windows\system32\nvModes.dat

2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-06-12 16:39 . 2008-06-25 20:12 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

------- Sigcheck -------

[-] 2009-07-16 23:57 28672 F320E25E8E51E6B404265C9377EDF327 c:\windows\system32\dllcache\beep.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-10 136512]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-02 1948440]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-13 151552]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2008-02-22 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-07-02 13:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Administrator\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\SoulseekNS\\slsk.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AirPort\\APAgent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:UDP"= 5353:UDP:Bonjour

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/14/2009 1:48 AM 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/19/2008 3:44 AM 335752]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/19/2008 3:43 AM 298776]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/19/2009 1:58 AM 24652]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe

HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: antimalwareguard.com

Trusted Zone: gomyhit.com

Trusted Zone: microsoft.edu

Trusted Zone: villanova.edu

Trusted Zone: antimalwareguard.com

Trusted Zone: gomyhit.com

FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\ccqxcnyz.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ccqxcnyz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Real\RealPlayer Enterprise\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-17 17:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-963894560-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,25,55,f7,ac,fd,36,45,ba,c0,76,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,25,55,f7,ac,fd,36,45,ba,c0,76,\

.

Completion time: 2009-07-17 17:09

ComboFix-quarantined-files.txt 2009-07-17 21:08

Pre-Run: 26,422,534,144 bytes free

Post-Run: 26,651,090,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

204 --- E O F --- 2009-07-17 02:12

and here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:16:35 PM, on 7/17/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\StacSV.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.antimalwareguard.com

O15 - Trusted Zone: *.gomyhit.com

O15 - Trusted Zone: *.microsoft.edu

O15 - Trusted Zone: *.villanova.edu

O15 - Trusted Zone: *.antimalwareguard.com (HKLM)

O15 - Trusted Zone: *.gomyhit.com (HKLM)

O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoncmg.com/webwiz/s/stub.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 7452 bytes

Link to post
Share on other sites

Open open notepad and copy and paste in the following:

MD "%USERPROFILE%"\desktop\malware
xcopy c:\windows\system32\wisdstr.exe "%USERPROFILE%"\desktop\malware /c /q /r /h /yxcopy c:\windows\system32\geyekryrbltiqq.dat "%USERPROFILE%"\desktop\malware /c /q /r /h /yxcopy c:\windows\system32\drivers\geyekroewwkpbp.sys "%USERPROFILE%"\desktop\malware /c /q /r /h /yxcopy c:\windows\system32\geyekrjwmaxwbd.dll "%USERPROFILE%"\desktop\malware /c /q /r /h /yxcopy c:\windows\system32\drivers\geyekrxhnililh.sys "%USERPROFILE%"\desktop\malware /c /q /r /h /y
Attrib -s -r -h "%USERPROFILE%"\desktop\malware\*.*

Save it as getmalware.bat to the desktop and double-click on it to run it. It will create a folder called malware on your desktop. Please zip up this folder and attach it here in a new topic with a link to this thread. I will get back to you once they have been analyzed.

Link to post
Share on other sites

1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\system32\drivers\geyekroewwkpbp.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • Update Malwarebytes, run a quick scan and post the new log.
Link to post
Share on other sites

Combofix log

ComboFix 09-07-14.08 - Administrator 07/18/2009 10:52.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1418 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\something.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Resident AV is active

FILE ::

"c:\windows\system32\drivers\geyekroewwkpbp.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\geyekroewwkpbp.sys

.

((((((((((((((((((((((((( Files Created from 2009-06-18 to 2009-07-18 )))))))))))))))))))))))))))))))

.

2009-07-18 14:49 . 2009-07-18 14:49 -------- d-----w- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP

2009-07-17 00:00 . 2009-07-17 01:58 238642 ----a-w- c:\windows\system32\wisdstr.exe

2009-07-16 23:56 . 2009-07-16 23:56 -------- d-----w- c:\program files\Trend Micro

2009-07-16 23:44 . 2009-07-16 23:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-07-14 18:25 . 2009-07-14 18:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-07-14 17:26 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-14 17:21 . 2009-07-14 17:21 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes

2009-07-14 17:21 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-14 07:58 . 2009-07-14 17:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-14 06:18 . 2009-07-14 06:18 91 ----a-w- c:\windows\system32\geyekryrbltiqq.dat

2009-07-14 06:07 . 2009-07-14 06:18 1385 ----a-w- c:\windows\system32\geyekrqahopxgf.dat

2009-07-14 06:07 . 2009-07-14 06:07 41984 ----a-w- c:\windows\system32\geyekrjwmaxwbd.dll

2009-07-14 05:56 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-07-14 05:48 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-07-14 05:43 . 2009-07-14 05:43 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}

2009-07-14 05:43 . 2009-07-14 05:43 -------- d-----w- c:\program files\Lavasoft

2009-07-14 05:20 . 2009-07-14 05:20 67072 ----a-w- c:\windows\system32\drivers\geyekrxhnililh.sys

2009-07-14 05:19 . 2009-07-14 05:19 45056 --sha-r- c:\windows\system32\flashd.dll

2009-07-14 05:19 . 2009-07-14 05:19 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-07-14 05:11 . 2009-07-14 05:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-06-19 05:58 . 2009-06-19 05:58 -------- d-----w- c:\program files\Viewpoint

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-17 20:12 . 2008-09-05 19:30 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater

2009-07-17 02:12 . 2008-05-05 14:44 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help

2009-07-14 05:19 . 2008-12-25 08:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-07-10 13:07 . 2008-12-19 07:44 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-07-02 13:30 . 2008-12-19 07:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-07-02 13:30 . 2008-12-19 07:44 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-19 05:59 . 2008-08-19 04:59 -------- d-----w- c:\program files\AIM6

2009-06-19 05:58 . 2008-08-19 05:01 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint

2009-06-19 05:58 . 2008-08-19 05:01 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\acccore

2009-06-17 20:10 . 2009-06-17 20:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AOL Downloads

2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-14 03:59 . 2009-06-14 03:59 78580 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000006.exe

2009-06-14 03:59 . 2008-10-12 22:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks

2009-06-10 18:23 . 2008-05-13 14:18 -------- d-----w- c:\program files\Java

2009-06-10 18:22 . 2009-06-10 18:22 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-10 02:06 . 2009-05-22 19:51 -------- d-----w- c:\program files\AirPort

2009-06-04 08:34 . 2009-06-04 08:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Cycling '74

2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-03 02:24 . 2008-08-18 21:23 -------- d-----w- c:\program files\iTunes

2009-06-03 02:23 . 2009-06-03 02:23 -------- d-----w- c:\program files\iPod

2009-06-03 02:23 . 2008-08-18 21:20 -------- d-----w- c:\program files\Common Files\Apple

2009-06-03 02:21 . 2009-06-03 02:20 -------- d-----w- c:\program files\QuickTime

2009-05-21 15:33 . 2008-09-16 20:03 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-09 00:58 . 2008-05-05 13:31 94935 ----a-w- c:\windows\system32\nvModes.dat

2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-06-12 16:39 . 2008-06-25 20:12 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

------- Sigcheck -------

[-] 2009-07-16 23:57 28672 F320E25E8E51E6B404265C9377EDF327 c:\windows\system32\dllcache\beep.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-07-17_21.06.36 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-18 14:49 . 2009-07-18 14:49 61457 c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP\WiseCustomCalla.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-10 136512]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-02 1948440]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-13 151552]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2008-02-22 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-07-02 13:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Administrator\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\SoulseekNS\\slsk.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AirPort\\APAgent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:UDP"= 5353:UDP:Bonjour

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/14/2009 1:48 AM 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/19/2008 3:44 AM 335752]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/19/2008 3:43 AM 298776]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/19/2009 1:58 AM 24652]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: antimalwareguard.com

Trusted Zone: gomyhit.com

Trusted Zone: microsoft.edu

Trusted Zone: villanova.edu

Trusted Zone: antimalwareguard.com

Trusted Zone: gomyhit.com

FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\ccqxcnyz.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ccqxcnyz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Real\RealPlayer Enterprise\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-18 10:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-963894560-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,25,55,f7,ac,fd,36,45,ba,c0,76,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,25,55,f7,ac,fd,36,45,ba,c0,76,\

.

Completion time: 2009-07-18 10:58

ComboFix-quarantined-files.txt 2009-07-18 14:57

ComboFix2.txt 2009-07-17 21:09

Pre-Run: 26,590,093,312 bytes free

Post-Run: 26,543,042,560 bytes free

188 --- E O F --- 2009-07-17 02:12

mbam log

Malwarebytes' Anti-Malware 1.39

Database version: 2459

Windows 5.1.2600 Service Pack 3

7/18/2009 11:02:52 AM

mbam-log-2009-07-18 (11-02-47).txt

Scan type: Quick Scan

Objects scanned: 87479

Time elapsed: 2 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> No action taken.

Link to post
Share on other sites

1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP

c:\windows\system32\wisdstr.exe

c:\windows\system32\geyekryrbltiqq.dat

c:\windows\system32\geyekrqahopxgf.dat

c:\windows\system32\geyekrjwmaxwbd.dll

c:\windows\system32\drivers\geyekrxhnililh.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
Link to post
Share on other sites

Combofix log

ComboFix 09-07-19.01 - Administrator 07/19/2009 13:13.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1472 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\something.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Resident AV is active

FILE ::

"c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP"

"c:\windows\system32\drivers\geyekrxhnililh.sys"

"c:\windows\system32\geyekrjwmaxwbd.dll"

"c:\windows\system32\geyekrqahopxgf.dat"

"c:\windows\system32\geyekryrbltiqq.dat"

"c:\windows\system32\wisdstr.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\geyekrxhnililh.sys

c:\windows\system32\geyekrjwmaxwbd.dll

c:\windows\system32\geyekrqahopxgf.dat

c:\windows\system32\geyekryrbltiqq.dat

c:\windows\system32\wisdstr.exe

.

((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))

.

2009-07-18 22:41 . 2009-07-18 22:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2009-07-18 14:49 . 2009-07-18 14:49 -------- d-----w- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP

2009-07-18 12:25 . 2009-07-02 13:30 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll

2009-07-18 12:25 . 2009-07-02 13:30 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll

2009-07-16 23:56 . 2009-07-16 23:56 -------- d-----w- c:\program files\Trend Micro

2009-07-16 23:44 . 2009-07-16 23:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-07-14 18:25 . 2009-07-14 18:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-07-14 17:26 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-14 17:21 . 2009-07-14 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-14 17:21 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-14 07:58 . 2009-07-14 17:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-14 05:56 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-07-14 05:48 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-07-14 05:43 . 2009-07-14 05:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

2009-07-14 05:43 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe

2009-07-14 05:43 . 2009-07-14 05:43 -------- d-----w- c:\program files\Lavasoft

2009-07-14 05:19 . 2009-07-14 05:19 45056 --sha-r- c:\windows\system32\flashd.dll

2009-07-14 05:19 . 2009-07-14 05:19 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-07-14 05:11 . 2009-07-14 05:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-07-10 13:07 . 2009-07-02 13:30 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys

2009-07-10 13:07 . 2009-07-02 13:30 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll

2009-07-10 13:07 . 2009-07-02 13:30 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll

2009-07-10 13:07 . 2009-07-10 13:07 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe

2009-07-10 13:07 . 2009-07-02 13:30 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll

2009-07-10 13:07 . 2009-07-02 13:30 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe

2009-07-10 13:07 . 2009-07-02 13:30 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll

2009-07-10 13:07 . 2009-07-02 13:30 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll

2009-07-10 13:07 . 2009-07-02 13:29 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe

2009-07-10 13:07 . 2009-07-02 13:29 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-18 21:13 . 2008-09-05 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-07-17 02:12 . 2008-05-05 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-07-14 05:19 . 2008-12-25 08:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-07-10 13:07 . 2008-12-19 07:44 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-07-02 13:30 . 2008-12-19 07:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-07-02 13:30 . 2008-12-19 07:44 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-19 05:59 . 2008-08-19 04:59 -------- d-----w- c:\program files\AIM6

2009-06-19 05:58 . 2009-06-19 05:58 -------- d-----w- c:\program files\Viewpoint

2009-06-19 05:58 . 2008-08-19 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-06-19 05:58 . 2008-08-19 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore

2009-06-17 20:10 . 2009-06-17 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads

2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-14 03:59 . 2009-06-14 03:59 78580 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000006.exe

2009-06-14 03:59 . 2008-10-12 22:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks

2009-06-10 18:23 . 2008-05-13 14:18 -------- d-----w- c:\program files\Java

2009-06-10 18:22 . 2009-06-10 18:22 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-10 02:06 . 2009-05-22 19:51 -------- d-----w- c:\program files\AirPort

2009-06-04 08:34 . 2009-06-04 08:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Cycling '74

2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-03 02:24 . 2008-08-18 21:23 -------- d-----w- c:\program files\iTunes

2009-06-03 02:23 . 2009-06-03 02:23 -------- d-----w- c:\program files\iPod

2009-06-03 02:23 . 2008-08-18 21:20 -------- d-----w- c:\program files\Common Files\Apple

2009-06-03 02:21 . 2009-06-03 02:20 -------- d-----w- c:\program files\QuickTime

2009-06-03 02:16 . 2009-06-03 02:16 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-05-21 15:33 . 2008-09-16 20:03 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-05-19 05:36 . 2009-06-17 20:10 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe

2009-05-19 05:36 . 2009-06-17 20:10 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat

2009-05-19 05:36 . 2009-06-17 20:10 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe

2009-05-19 05:36 . 2009-06-17 20:10 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat

2009-05-19 05:36 . 2009-06-17 20:10 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe

2009-05-19 05:36 . 2009-06-17 20:10 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe

2009-05-19 05:36 . 2009-06-17 20:10 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe

2009-05-19 05:36 . 2009-06-17 20:10 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll

2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-11 23:17 . 2009-05-11 23:17 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstWA\unins000.exe

2009-05-11 23:17 . 2008-08-19 22:10 275 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\uninst2.bat

2009-05-09 00:58 . 2008-05-05 13:31 94935 ----a-w- c:\windows\system32\nvModes.dat

2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-06-12 16:39 . 2008-06-25 20:12 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

------- Sigcheck -------

[-] 2009-07-16 23:57 28672 F320E25E8E51E6B404265C9377EDF327 c:\windows\system32\dllcache\beep.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-07-17_21.06.36 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-18 14:49 . 2009-07-18 14:49 61457 c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP\WiseCustomCalla.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-10 136512]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-02 1948440]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-13 151552]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2008-02-22 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-07-02 13:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Administrator\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\SoulseekNS\\slsk.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AirPort\\APAgent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:UDP"= 5353:UDP:Bonjour

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/14/2009 1:48 AM 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/19/2008 3:44 AM 335752]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/19/2008 3:43 AM 298776]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/19/2009 1:58 AM 24652]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-07-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2009-07-18 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-05 03:40]

2009-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-963894560-725345543-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:55]

2009-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-963894560-725345543-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:55]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: antimalwareguard.com

Trusted Zone: gomyhit.com

Trusted Zone: microsoft.edu

Trusted Zone: villanova.edu

Trusted Zone: antimalwareguard.com

Trusted Zone: gomyhit.com

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ccqxcnyz.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ccqxcnyz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Real\RealPlayer Enterprise\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-19 13:18

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\ADMINI~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-963894560-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,25,55,f7,ac,fd,36,45,ba,c0,76,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,25,55,f7,ac,fd,36,45,ba,c0,76,\

.

Completion time: 2009-07-19 13:20

ComboFix-quarantined-files.txt 2009-07-19 17:19

ComboFix2.txt 2009-07-18 14:58

ComboFix3.txt 2009-07-17 21:09

Pre-Run: 26,366,869,504 bytes free

Post-Run: 26,341,847,040 bytes free

231 --- E O F --- 2009-07-17 02:12

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:21:54 PM, on 7/19/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\StacSV.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Last.fm\LastFM.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.antimalwareguard.com

O15 - Trusted Zone: *.gomyhit.com

O15 - Trusted Zone: *.microsoft.edu

O15 - Trusted Zone: *.villanova.edu

O15 - Trusted Zone: *.antimalwareguard.com (HKLM)

O15 - Trusted Zone: *.gomyhit.com (HKLM)

O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoncmg.com/webwiz/s/stub.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 7518 bytes

Link to post
Share on other sites

ok thanks, here's the new malwarebytes log.

Malwarebytes' Anti-Malware 1.39

Database version: 2464

Windows 5.1.2600 Service Pack 3

7/19/2009 8:24:00 PM

mbam-log-2009-07-19 (20-24-00).txt

Scan type: Quick Scan

Objects scanned: 87654

Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.

Link to post
Share on other sites

There are only "Delete All" and "Restore All" options for me, no Remove All. I should do "Delete All" right?

I don't seem to be having any problems at the moment. But just thinking of something i posted a couple days ago- "after the combofix scan, i got a message saying "You chose not to restore the original versions of the files. This may affect Windows stability. Are you sure you want to keep these unrecognized file versions?" It is also telling me to insert my windows professional CD-ROM to restore the original versions in a separate window." Is this anything to be concerned about or is that normal?

Other than that... Thanks so much for your help! You've really been great, a lifesaver even :). I will recommend this forum to anyone with computer problems in the future.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.