
Won't remove locked files



Hello, and I'd like to thank anyone ahead of time who has input to help. I initially had trouble running Malwarebytes, tried the renaming methods, but ultimately got it to run when I changed the Compatibility mode to win2000. Same issue running HijackThis; some solution worked to get those logs. Upon completion of running Malwarebytes it says some files need to be removed on restart, so I select yes and it reboots the computer, but mbam never runs. So I manually run the scan again and the same undeleted items are there with the same prompt to delete on reboot. I just can't seem to get rid of these items. Below are my log files from both.

-Thanks again!

Malwarebytes' Anti-Malware 1.39

Database version: 2421

Windows 5.1.2600 Service Pack 2

7/23/2009 11:25:54 AM

mbam-log-2009-07-23 (11-25-54).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 170114

Time elapsed: 29 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 11

Registry Values Infected: 5

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\__c008215B.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d97fc677-694d-4a75-ac89-a5b85c2bcfed} (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6226ba26-c017-4007-928c-de9715c6fa67} (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c008215b (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{6226ba26-c017-4007-928c-de9715c6fa67} (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jncuwhprpu (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\ghaf8jkdfd.dll (Trojan.Zlob.H) -> Delete on reboot.

c:\documents and settings\Owner\local settings\Temp\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

c:\program files\mozilla firefox\components\f9f786b7-dc4b-0aa1-d21a-db74428bacdb.dll (Adware.Yoog) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\components\WWShow.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c008215B.dat (Trojan.Vundo) -> Delete on reboot.

-------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:54:04 AM, on 7/23/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\do_not_delete.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\hphmon05.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\do_not_delete.exe

C:\WINDOWS\system32\do_not_delete.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\do_not_delete.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O2 - BHO: (no name) - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [cftmon] C:\WINDOWS\system32\ghmnl.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe

O4 - HKCU\..\Run: [A00F407BD.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F407BD.exe

O4 - HKLM\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe

O4 - HKCU\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe

O4 - HKUS\S-1-5-18\..\Run: [mswindows restore service] C:\WINDOWS\TEMP\lsdw35vzn6.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [pridl] "C:\Documents and Settings\LocalService\Application Data\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [mswindows restore service] C:\WINDOWS\TEMP\lsdw35vzn6.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: C:\WINDOWS\System32\hpgwiamd32.dll

O20 - Winlogon Notify: 4c6f9504648 - C:\WINDOWS\System32\hpgwiamd32.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: __c006298F - C:\WINDOWS\system32\__c006298F.dat

O23 - Service: aawservice - Unknown owner - C:\WINDOWS\TEMP\VRT34.tmp (file missing)

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe

O23 - Service: avg8wd - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: ccEvtMgr - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: ccPwdSvc - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: ccSetMgr - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe

O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing)

O23 - Service: JavaQuickStarterService - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe

O23 - Service: navapsvc - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe

O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe

O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe

O23 - Service: SAVScan - Unknown owner - c:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe

O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe

O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe

O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe

--

End of file - 9679 bytes

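The symptom in the opening post is that items Malwarebytes marks "Delete on reboot" are still reported on the next scan. The script below is an added example (not part of this thread or of Malwarebytes) that parses the 1.x log format shown above and reports which items are still pending after a re-scan, so the two logs can be compared mechanically instead of by eye. The two embedded logs are constructed, trimmed to a few lines in the same format; the `Finding` class and function names are this example's own.

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs and find detections that are
still waiting on a reboot after a re-scan. Added example for this thread; the two
sample logs are constructed, trimmed to a few lines in the format the logs above use."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # e.g. "Files Infected"
    item: str     # file path, registry key or registry value
    threat: str   # detection name, e.g. "Trojan.Vundo"
    action: str   # what MBAM did, e.g. "Delete on reboot"


# A detection section header reads "Files Infected:" with nothing after the colon;
# the summary block at the top uses "Files Infected: 5", which this must not match.
_SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "item (Threat.Name)": the threat is the last parenthesised token before " -> ".
_ITEM = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\)$")


def parse_mbam_log(text: str) -> list[Finding]:
    """Turn one MBAM log into a list of Findings, in log order."""
    findings: list[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _SECTION.match(line)
        if header:
            section = header.group("name")
            continue
        # Skip the log header, the counts and "(No malicious items detected)".
        if section is None or " -> " not in line:
            continue
        # Registry data items carry an extra "Bad: (...) Good: (...) ->" segment,
        # so the action is always the last " -> " part and the item is the first.
        parts = line.split(" -> ")
        m = _ITEM.match(parts[0])
        if not m:
            continue
        findings.append(Finding(section, m.group("item"), m.group("threat"),
                                parts[-1].rstrip(".")))
    return findings


def pending_reboot(findings: list[Finding]) -> set[str]:
    """Items MBAM could only schedule for deletion at next boot."""
    return {f.item for f in findings if f.action == "Delete on reboot"}


def still_pending(first_log: str, rescan_log: str) -> set[str]:
    """Items flagged 'Delete on reboot' in both scans: the boot-time delete did not
    take, which is the symptom the opening post describes."""
    return pending_reboot(parse_mbam_log(first_log)) & pending_reboot(parse_mbam_log(rescan_log))


# Constructed sample logs (a few lines in the format of the logs in this thread).
FIRST_SCAN = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2421

Memory Modules Infected: 1
Registry Data Items Infected: 1
Files Infected: 2

Memory Modules Infected:
C:\WINDOWS\system32\__c008215B.dat (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ghaf8jkdfd.dll (Trojan.Zlob.H) -> Delete on reboot.
c:\documents and settings\Owner\local settings\Temp\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

RESCAN = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2421

Memory Modules Infected:
C:\WINDOWS\system32\__c008215B.dat (Trojan.Vundo) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\ghaf8jkdfd.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\__c008215B.dat (Trojan.Vundo) -> Delete on reboot.
"""


if __name__ == "__main__":
    for item in sorted(still_pending(FIRST_SCAN, RESCAN)):
        print("still pending after reboot:", item)
```

An item that survives the reboot-time delete is usually one that something still running re-creates or holds open, so the useful output here is the list itself: it tells the helper which paths and keys to look at in the other logs rather than re-running the same scan.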

  • Staff

Hi,

I have bad news for you :D

I see you're dealing with Virut on top of the other nasty malware you are dealing with. In that case, it's unfortunately a lost case, a game-over situation, and a format and reinstall is the fastest and especially the safest solution.

You may want to read this to see why:

Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...

This because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html

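The staff reply above names the extensions that must stay out of the backup because a file infector may have touched them. The script below is an added example (not from this thread, Malwarebytes or any named tool) that walks a data folder and splits it into files to copy and files to leave behind using exactly that extension list, catching the two cases a manual pass tends to miss: upper-case extensions and a double extension such as `report.pdf.exe`. The sample folder tree, the `DO_NOT_BACKUP` set and the function names are this example's own constructions.

```python
"""Triage a user's data folder before backing it up from a machine the staff reply
considers lost to a file infector: files whose extensions the reply says not to back
up are listed separately so they are left behind. Added example for this thread; the
extension list is the one in the reply and the sample tree is constructed here."""
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the staff reply says to leave out of the backup (compared case-insensitively).
DO_NOT_BACKUP = frozenset({".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"})


def is_risky(path: Path) -> bool:
    """True if the file's final extension is on the do-not-backup list.
    Path.suffix looks only at the last extension, so 'report.pdf.exe' is caught,
    and lower-casing catches 'Setup.EXE' as well."""
    return path.suffix.lower() in DO_NOT_BACKUP


def plan_backup(root: Path) -> tuple[list[str], list[str]]:
    """Walk root and split regular files into (keep, skip) as sorted relative paths."""
    keep, skip = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        (skip if is_risky(p) else keep).append(rel)
    return sorted(keep), sorted(skip)


def skipped_by_extension(skip: list[str]) -> dict[str, int]:
    """How many files each risky extension removed from the plan, for the report."""
    return dict(Counter(Path(name).suffix.lower() for name in skip))


def build_sample_tree() -> Path:
    """Constructed stand-in for a user profile; file contents are placeholder bytes."""
    root = Path(tempfile.mkdtemp(prefix="backup-triage-"))
    sample = [
        "Documents/invoice.doc",
        "Documents/notes.txt",
        "Documents/report.pdf.exe",   # double extension hiding an executable
        "Documents/site/index.html",
        "Pictures/holiday.jpg",
        "Desktop/Setup.EXE",          # upper-case extension
        "Downloads/archive.zip",
    ]
    for rel in sample:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    keep, skip = plan_backup(build_sample_tree())
    print("back up:", *keep, sep="\n  ")
    print("leave behind:", *skip, sep="\n  ")
    print("skipped by extension:", skipped_by_extension(skip))
```

The split is deliberately by extension only, as the reply advises, rather than by trying to judge whether an individual executable or archive is clean: on a machine with an active file infector the safe assumption is that any of these files may carry it onto the rebuilt system.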

Hello,

Well, I think you're probably right, but I have a couple of days to think about it as I'm about to ditch everything, but I've gotta wait on a client's approval who has files on this particular machine.

Anyways, in the meantime I tried running Combofix and of course it told me it couldn't run because it detected VIRUT. Sooooooo, I downloaded the VIRUT remover from AVG and ran it (3 times before it would actually complete the process), but it finally did. I then proceeded to run Malwarebytes and AVG. Upon restart I said for giggles I'd try and run Combofix, and what do ya know.... it ran. Crazy, but I'm not convinced VIRUT is gone. AVG came back clean and Malwarebytes CLAIMS it fixed all problems.

So I've run a new set of logs that are posted below (Malwarebytes/HijackThis/Combofix). Keep in mind this machine has been disconnected from the internet for about a week and I'm a little scared to plug it back in, so I've been doing everything remotely (updating rules and definitions manually). Any help or bad news would be much appreciated!!

-Thanks

Malwarebytes' Anti-Malware 1.39

Database version: 2489

Windows 5.1.2600 Service Pack 2

7/28/2009 2:03:10 PM

mbam-log-2009-07-28 (14-03-10).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 173828

Time elapsed: 1 hour(s), 4 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Qoobox\quarantine\C\WINDOWS\system32\geyekrntjdxexo.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

c:\system volume information\_restore{d1bd6c0f-8411-4455-8163-cef0f28ec0b2}\RP287\A0018729.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:48:52 PM, on 7/28/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe

O4 - HKLM\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe

O4 - HKCU\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe

O4 - HKUS\S-1-5-18\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: 4c6f9504648 - C:\WINDOWS\System32\hpgwiamd32.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: aawservice - Unknown owner - C:\WINDOWS\TEMP\VRT34.tmp (file missing)

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)

O23 - Service: avg8wd - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: ccEvtMgr - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: ccPwdSvc - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: ccSetMgr - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)

O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: JavaQuickStarterService - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe (file missing)

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe

O23 - Service: navapsvc - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe

O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe (file missing)

O23 - Service: SAVScan - Unknown owner - c:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)

O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)

O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe (file missing)

O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe

O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

--

End of file - 8611 bytes

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

ComboFix 09-07-23.04 - Owner 07/28/2009 12:13.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.242 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\fbk.sts

c:\documents and settings\Owner\Application Data\02000000528f3651648C.manifest

c:\documents and settings\Owner\Application Data\02000000528f3651648O.manifest

c:\documents and settings\Owner\Application Data\02000000528f3651648P.manifest

c:\documents and settings\Owner\Application Data\02000000528f3651648S.manifest

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\bestwiner.stt

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts

c:\program files\IEToolbar

c:\windows\GnuHashes.ini

c:\windows\Installer\13c58.msi

c:\windows\system32\_id.dat

c:\windows\system32\3f070d27-ce92-1afa-4fc3-a502e613f7b5.exe

c:\windows\system32\drivers\geyekrvrocogtf.sys

c:\windows\system32\gadzmibdpgalekk.dll

c:\windows\system32\geyekrcfduyyxc.dat

c:\windows\system32\geyekrntjdxexo.dll

c:\windows\system32\geyekrrsadmlam.dat

c:\windows\system32\geyekrynkdbfdd.dll

c:\windows\system32\GroupPolicy000.dat

c:\windows\system32\jtwivbaouh.exe

c:\windows\system32\L0f1IQ4iNvTsi.vbs

c:\windows\system32\sFUTD.vbs

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_geyekrcfakafyv

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-28 )))))))))))))))))))))))))))))))

.

2009-07-28 15:29 . 2009-07-28 15:29 -------- d--h--w- c:\windows\PIF

2009-07-23 17:52 . 2009-07-23 17:52 -------- d-----w- c:\program files\Trend Micro

2009-07-23 17:42 . 2009-07-23 17:42 68608 ----a-w- c:\windows\system32\do_not_delete.exe

2009-07-23 15:45 . 2009-07-23 15:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-07-23 14:28 . 2009-07-23 14:28 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore

2009-07-22 21:06 . 2009-07-22 21:06 -------- d-----w- C:\lj523

2009-07-22 21:02 . 2009-07-22 21:02 -------- d-----w- C:\lj5000

2009-07-22 20:44 . 2009-07-13 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-22 20:44 . 2009-07-23 17:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-22 20:44 . 2009-07-22 20:44 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes

2009-07-22 20:44 . 2009-07-13 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-22 16:38 . 2009-07-25 00:25 -------- d--h--w- C:\$AVG8.VAULT$

2009-07-22 16:33 . 2009-07-22 16:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-07-22 16:33 . 2009-07-22 16:33 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-07-22 16:33 . 2009-07-22 16:33 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-07-22 16:33 . 2009-07-22 16:33 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-07-22 16:32 . 2009-07-22 23:55 -------- d-----w- c:\windows\system32\drivers\Avg

2009-07-22 16:32 . 2009-07-22 16:32 -------- d-----w- c:\program files\AVG

2009-07-22 16:32 . 2009-07-22 20:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8

2009-07-22 16:20 . 2009-07-22 16:20 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8

2009-07-22 14:48 . 2009-07-22 14:48 120832 ----a-w- c:\windows\system32\hpgwiamd32.dll

2009-07-22 14:44 . 2009-07-22 14:44 4 ----a-w- c:\documents and settings\Owner\Application Data\NP.sys

2009-07-22 14:43 . 2009-07-22 14:43 432640 ----a-w- c:\windows\wdls81540.exe

2009-07-21 16:12 . 2009-07-21 16:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-07-21 16:11 . 2003-06-25 22:05 266360 ----a-w- c:\windows\system32\TweakUI.exe

2009-07-21 16:08 . 2009-07-21 16:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SiteAdvisor

2009-07-21 16:08 . 2009-07-21 16:08 -------- d-----w- c:\program files\Common Files\McAfee

2009-07-21 16:07 . 2009-07-22 20:32 -------- d-----w- c:\program files\McAfee

2009-07-21 15:36 . 2009-07-21 15:35 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-07-21 14:43 . 2009-07-21 16:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee

2009-07-21 14:42 . 2009-07-21 14:42 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-07-20 08:41 . 2009-07-20 08:41 526848 ----a-w- c:\windows\system32\dsffdkbgaiasm.dll

2009-07-07 16:55 . 2009-07-07 16:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Thunderbird

2009-07-07 16:55 . 2009-07-07 16:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Thunderbird

2009-07-07 16:55 . 2009-07-20 21:26 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-07-02 12:47 . 2009-07-02 12:47 1340416 ----a-w- c:\windows\system32\nsd14C.dll

2009-07-01 15:47 . 2009-07-23 15:13 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-28 15:19 . 2009-07-28 15:19 0 ----a-w- c:\windows\system32\1A.tmp

2009-07-24 23:06 . 2004-01-28 08:26 -------- d-----w- c:\program files\Norton AntiVirus

2009-07-24 18:58 . 2009-07-24 18:58 40 ----a-w- c:\windows\system32\21.tmp

2009-07-24 14:04 . 2009-07-24 14:04 40 ----a-w- c:\windows\system32\15.tmp

2009-07-24 14:03 . 2009-07-23 12:47 359040 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL

2009-07-24 14:03 . 2007-11-28 16:29 359040 ----a-w- c:\windows\system32\drivers\TCPIP.SYS

2009-07-23 16:42 . 2007-12-13 20:24 30040 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-23 13:26 . 2007-11-28 16:29 32768 ----a-w- c:\windows\system32\vssvc.exe

2009-07-23 13:13 . 2004-01-27 13:46 32768 ----a-w- c:\windows\system32\locator.exe

2009-07-23 13:05 . 2007-11-28 17:00 32768 ----a-w- c:\windows\system32\msdtc.exe

2009-07-21 15:35 . 2004-01-27 12:53 -------- d-----w- c:\program files\Java

2009-06-25 18:06 . 2009-06-25 18:06 5058 ----a-w- c:\windows\Help\hhcolreg.dat

2009-06-25 18:02 . 2009-06-25 18:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Microsoft Web Folders

2009-06-25 18:02 . 2004-01-27 11:49 -------- d-----w- c:\program files\microsoft frontpage

2009-06-16 14:55 . 2007-11-28 16:59 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2007-11-28 16:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:27 . 2005-08-30 15:14 1290752 ----a-w- c:\windows\system32\quartz.dll

2009-05-15 18:18 . 2009-05-15 18:18 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-05-07 15:44 . 2007-11-28 17:00 344064 ----a-w- c:\windows\system32\localspl.dll

2009-06-16 14:53 . 2009-05-05 17:10 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2009-07-20 08:41 . 2009-07-20 08:41 411648 ----a-w- c:\program files\mozilla firefox\components\dsffdkbgaiasm.dll

.

------- Sigcheck -------

[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys

[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2006-04-20 11:38 340480 B8158E2A6112C0A5CA67BC158FC70218 c:\windows\$NtServicePackUninstall$\tcpip.sys

[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys

[-] 2003-09-24 05:18 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtUninstallKB917953_0$\tcpip.sys

[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys

[7] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748$\tcpip.sys

[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\ServicePackFiles\i386\tcpip.sys

[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys

[-] 2009-07-24 14:03 359040 6A603809F598332DBEDD535BDBCE313E c:\windows\system32\dllcache\TCPIP.SYS

[-] 2009-07-24 14:03 359040 6A603809F598332DBEDD535BDBCE313E c:\windows\system32\drivers\TCPIP.SYS

[-] 2007-06-13 10:23 1053696 81F0C43FBA9D1FD36B31F941D2B0B9CA c:\windows\explorer.exe

[-] 2007-06-13 11:26 1053696 FF263E24925AB07730B3F2B9A852ADE1 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

[-] 2003-09-23 20:32 1024512 7C609B3BD2F46D5CBE006C90669DFF61 c:\windows\$NtServicePackUninstall$\explorer.exe

[-] 2004-08-04 07:56 1052672 629B8445371C3B12741E7E5AE917B43E c:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2004-08-04 07:56 1052672 E03ECE695A2488E634AD2F2C10AEA491 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2008-04-14 00:12 1054208 7BA38B45AF5C0C92FDE620171BCA2BAF c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe

[-] 2007-06-13 10:23 1053696 B22BEAC485BA08DB974C63E6A84F3357 c:\windows\system32\dllcache\explorer.exe

[-] 2003-09-23 20:54 33792 5817A10CE1C37E9D0413414C2F000D44 c:\windows\$NtServicePackUninstall$\ctfmon.exe

[-] 2004-08-04 07:56 35840 9018BA69DFFF775448F6072D6FA10A56 c:\windows\ServicePackFiles\i386\ctfmon.exe

[-] 2008-04-14 00:12 35840 7BEC0C5CF6290E745BFC10B0A01F7945 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe

[-] 2004-08-04 07:56 35840 B9559DE8C9B867D3E7A73CFB1119A901 c:\windows\system32\ctfmon.exe

[-] 2005-06-10 23:53 78336 64ABCC98C78471E23345164F0718A296 c:\windows\$hf_mig$\KB896423\SP2GDR\spoolsv.exe

[-] 2005-06-11 00:17 78336 265A25B5BD696C30D27FC7ECBC6E41E6 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

[-] 2005-06-10 23:55 73728 7D8D1D155CD7A9D82CCEBDA0404C7DA5 c:\windows\$NtServicePackUninstall$\spoolsv.exe

[-] 2004-08-04 07:56 78336 EAAC34805CEF604B3A422C4147B8F158 c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2003-09-24 12:19 71680 54952B59BAF7EFBD60D8AF5E3EBA89C7 c:\windows\$NtUninstallKB896423_0$\spoolsv.exe

[-] 2004-08-04 07:56 78336 DC8C5D1921DF7C9478E2F97DB17A52E0 c:\windows\ServicePackFiles\i386\spoolsv.exe

[-] 2008-04-14 00:12 78336 6AA8662428F714E41393D337DDFA7D41 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe

[-] 2003-09-24 04:45 42496 90499E7EC768D695EB603E93DCFA89F6 c:\windows\$NtServicePackUninstall$\userinit.exe

[-] 2004-08-04 07:56 45056 C78040F503F7150F39D6EE5011D8AB97 c:\windows\ServicePackFiles\i386\userinit.exe

[-] 2008-04-14 00:12 46592 003116B9DFE24698655E4F77F3986B3F c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe

[-] 2004-08-04 07:56 45056 C3C145E2C2D169383C46ED6BE741DA90 c:\windows\system32\userinit.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1714688]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-01 133104]

"do_not_delete"="c:\windows\system32\do_not_delete.exe" [2009-07-23 68608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-21 148888]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 73216]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 139264]

"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 69632]

"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 503808]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 81920]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 131072]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-01-27 172077]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-04 241664]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-08-15 70816]

"NAV CfgWiz"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-16 124096]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-22 1948440]

"do_not_delete"="c:\windows\system32\do_not_delete.exe" [2009-07-23 68608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"do_not_delete"="c:\windows\system32\do_not_delete.exe" [2009-07-23 68608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"do_not_delete"="c:\windows\system32\do_not_delete.exe" [2009-07-23 68608]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]

"do_not_delete"="c:\windows\system32\do_not_delete.exe" [2009-07-23 68608]

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]

"do_not_delete"="c:\windows\system32\do_not_delete.exe" [2009-07-23 68608]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 86068]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\4c6f9504648]

2009-07-22 14:48 120832 ----a-w- c:\windows\system32\hpgwiamd32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-07-22 16:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk

backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Organize.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Organize.lnk

backup=c:\windows\pss\Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk

backup=c:\windows\pss\spamsubtract.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/22/2009 10:33 AM 335752]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/22/2009 10:33 AM 108552]

R2 avg8wd;avg8wd;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/22/2009 10:32 AM 298776]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/21/2009 10:08 AM 210216]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/4/2007 11:21 AM 45132]

S2 mrtRate;mrtRate; [x]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

HKLM-Run-VTTimer - VTTimer.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/

mStart Page = hxxp://qus10.hpwis.com/

mSearch Bar = hxxp://srch-qus10.hpwis.com/

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

LSP: SpSubLSP.dll

FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\g8100dzo.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=

FF - prefs.js: browser.search.selectedEngine - AIM Search

FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g8100dzo.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - component: c:\program files\Mozilla Firefox\components\dsffdkbgaiasm.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: google.toolbar.linkdoctor.enabled - false

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-28 12:21

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aawservice]

"ImagePath"="c:\windows\TEMP\VRT34.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)

c:\windows\System32\hpgwiamd32.dll

c:\windows\system32\SpSubLSP.dll

- - - - - - - > 'lsass.exe'(568)

c:\windows\system32\SpSubLSP.dll

.

Completion time: 2009-07-28 12:25

ComboFix-quarantined-files.txt 2009-07-28 18:25

Pre-Run: 24,134,766,592 bytes free

Post-Run: 24,328,372,224 bytes free

267 --- E O F --- 2009-07-16 09:05


  • Staff

Hi,

As I already explained, Virut is a lost case, so please back up important data and format and reinstall. There's not much we can do here anymore even though everything appears to be fine now. Legitimate exe files are infected and need to be disinfected. Scanners can't deal with it, because of this buggy virus.


  • 2 weeks later...
  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
