
Please Help!

My PC is riddled with skynet infections. When I go online my network adaptor flashes like it's downloading at an enormous rate. I'm posting this on another PC so any help would be appreciated but may take some time as I'll have to save any logs etc. to a flash disc to post here.

Really would be grateful for any help.


Really desperate here!

Thanks


Here are the logs from HijackThis and MBAM

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:24:19, on 24/07/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\AutoSizer\AutoSizer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.ask.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {161C7C9D-4CE4-4CE8-BC53-BC38DA207CC9} - (no file)

O2 - BHO: (no name) - {1C8626ED-7943-44D6-BA21-49FBFAB6D319} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {806173A1-A1B9-4A6A-93A9-22240664A605} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {C24BE2F3-8DD8-4BBF-B3A5-F25491FCB619} - (no file)

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled

O4 - Global Startup: STK014 PNP Monitor.lnk.disabled

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{667922C8-47F0-4692-AF98-B9FF009C3138}: NameServer = 208.67.222.222,208.67.220.220

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: WIKI.DLL,wljwtf.dll,ypheor.dll,yixouc.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: IPv6 Helper Service 6to46to4aawservice (6to46to4aawservice) - Unknown owner - C:\WINDOWS\TEMP\hvkrquhecb.exe (file missing)

O23 - Service: IPv6 Helper Service 6to4aawservice (6to4aawservice) - Unknown owner - (no file)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe

O23 - Service: Intel

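The entries in the HijackThis log above that actually matter for triage are a small set: the O20 AppInit_DLLs line (every DLL listed there is loaded into every process that loads user32.dll, and legitimate software almost never uses it), the O23 services whose binary sits under C:\WINDOWS\TEMP or is reported missing, the orphaned O2 BHO CLSIDs with "(no file)", and the O17 DNS resolver setting. The following script is an added example by the editor, not part of the original thread and not a HijackThis feature: it parses HijackThis-style lines and scores them with those rules. The sample lines are copied from the posted log; the known-resolver set, the suspicious-path list and the severity levels are the editor's assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted above (a constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {161C7C9D-4CE4-4CE8-BC53-BC38DA207CC9} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{667922C8-47F0-4692-AF98-B9FF009C3138}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: WIKI.DLL,wljwtf.dll,ypheor.dll,yixouc.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: IPv6 Helper Service 6to46to4aawservice (6to46to4aawservice) - Unknown owner - C:\WINDOWS\TEMP\hvkrquhecb.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

# Assumption: the publicly documented OpenDNS resolvers; anything else in an O17 entry is reviewed.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Assumption: directories from which a service or run-key binary almost never legitimately executes.
SUSPICIOUS_PATH = re.compile(r"\\(temp|recycler|application data|local settings)\\", re.I)

SEVERITY_ORDER = ["high", "review", "info"]


@dataclass
class Finding:
    section: str
    severity: str  # "high", "review" or "info"
    detail: str
    line: str


def triage_line(line: str) -> Finding | None:
    """Score one HijackThis entry; returns None for lines that are not HJT entries."""
    m = re.match(r"^(O\d+|R\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)

    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
        if dlls:
            return Finding(section, "high",
                           f"AppInit_DLLs injects {len(dlls)} DLL(s) into every user32 process: {', '.join(dlls)}", line)
        return Finding(section, "info", "AppInit_DLLs is empty", line)

    if section == "O20" and body.startswith("Winlogon Notify:"):
        return Finding(section, "review", "DLL loaded by winlogon.exe at logon; verify its publisher", line)

    if section == "O23":
        if SUSPICIOUS_PATH.search(body) or "(file missing)" in body:
            return Finding(section, "high", "service binary in a temp/profile directory or missing on disk", line)
        if "Unknown owner" in body:
            return Finding(section, "review", "service binary carries no publisher string", line)
        return Finding(section, "info", "service with a publisher string", line)

    if section == "O2" and body.endswith("(no file)"):
        return Finding(section, "info", "orphaned BHO CLSID with no DLL on disk; safe to remove", line)

    if section == "O17":
        servers = re.search(r"NameServer\s*=\s*([\d.,]+)", body)
        if servers:
            unknown = [s for s in servers.group(1).split(",") if s not in KNOWN_RESOLVERS]
            if unknown:
                return Finding(section, "review", f"unrecognised DNS resolver(s): {', '.join(unknown)}", line)
            return Finding(section, "info", "DNS resolvers are known public resolvers", line)

    if section == "O4":
        if SUSPICIOUS_PATH.search(body):
            return Finding(section, "review", "autorun entry executes from a user-writable directory", line)
        return Finding(section, "info", "autorun entry executes from a program directory", line)

    return Finding(section, "info", "entry type not scored", line)


def triage(log: str) -> list[Finding]:
    """Score every entry in a log, worst first."""
    found = [f for f in (triage_line(l) for l in log.splitlines()) if f is not None]
    return sorted(found, key=lambda f: SEVERITY_ORDER.index(f.severity))


def summary(log: str) -> dict[str, int]:
    """Count findings per severity, e.g. {"high": 2, "review": 1, "info": 5} for SAMPLE_LOG."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in triage(log):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
    print(summary(SAMPLE_LOG))
```

Run against the sample, the two "high" findings are exactly the AppInit_DLLs entry and the 6to46to4aawservice service pointing into C:\WINDOWS\TEMP, which is the same pair a helper would pick out of the log by eye; the resolver and Winlogon Notify checks only ask for a second look, because both are routinely legitimate.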

  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


ComboFix log

ComboFix 09-07-23.02 - HP_Administrator 24/07/2009 10:13.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.531 [GMT 1:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\HP_Administrator\Application Data\inst.exe

c:\documents and settings\HP_Administrator\My Documents\notepad.exe

c:\recycler\S-1-5-21-609962132-7976554-2305607308-1007

c:\recycler\S-1-5-21-725345543-1644491937-839522115-500

c:\windows\Installer\127f97c.msi

c:\windows\Installer\1345ee7.msp

c:\windows\Installer\1345ef0.msi

c:\windows\Installer\146d7d3.msi

c:\windows\Installer\1d99fb.msi

c:\windows\Installer\1d9df3.msi

c:\windows\Installer\1d9e48.msi

c:\windows\Installer\291686.msp

c:\windows\Installer\2b5df26.msi

c:\windows\Installer\2b5df27.msp

c:\windows\Installer\2b5df28.msp

c:\windows\Installer\2b5df29.msp

c:\windows\Installer\2b5df2a.msp

c:\windows\Installer\2b5df2b.msp

c:\windows\Installer\2b5df2c.msp

c:\windows\Installer\2b5df2d.msp

c:\windows\Installer\2b5df2e.msp

c:\windows\Installer\2b5df2f.msp

c:\windows\Installer\2dc90.msi

c:\windows\Installer\2dca2.msi

c:\windows\Installer\393931.msi

c:\windows\Installer\3e7360.msi

c:\windows\Installer\458f5.msi

c:\windows\Installer\4714d2e.msi

c:\windows\Installer\4d54e95.msi

c:\windows\Installer\4d54e9f.msi

c:\windows\Installer\4ff4753.msi

c:\windows\Installer\4ff4772.msi

c:\windows\Installer\4ff4777.msi

c:\windows\Installer\5c18d44.msi

c:\windows\Installer\5c18d76.msi

c:\windows\Installer\6079a4b.msi

c:\windows\Installer\6079a67.msi

c:\windows\Installer\735b36.msi

c:\windows\Installer\735b3d.msi

c:\windows\Installer\735b43.msi

c:\windows\Installer\9d5e05.msi

c:\windows\Installer\bffe2bd.msi

c:\windows\Installer\c8b86.msi

c:\windows\Installer\c8b8b.msi

c:\windows\Installer\d1a625.msi

c:\windows\Installer\WMEncoder.msi

c:\windows\kb913800.exe

c:\windows\system32\ac3aoutz.exe

c:\windows\system32\drivers\SKYNETowylvmpj.sys

c:\windows\system32\drivers\ss.sys

c:\windows\system32\SKYNETckbenhdt.dll

c:\windows\system32\SKYNETcvoysfyy.dll

c:\windows\system32\SKYNETdyiyubyx.dat

c:\windows\system32\SKYNETyebjvudf.dat

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_SKYNETxjkdtqpu

-------\Legacy_RASMAN6TO4AAWSERVICE

-------\Service_RasMan6to4aawservice

-------\Service_StreamSurge

((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))

.

2009-07-24 08:23 . 2009-07-24 08:23 -------- d-----w- c:\program files\Trend Micro

2009-07-23 18:07 . 2009-07-23 18:07 23040 --sha-w- c:\windows\system32\adsldph.dll

2009-07-23 17:45 . 2009-07-23 17:45 409684 ---ha-w- c:\windows\system32\mlfcache.dat

2009-07-22 11:24 . 2009-07-23 18:07 4909 --s-a-w- c:\windows\system32\221605600.dat

2009-07-21 12:49 . 2009-07-21 12:50 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Winamp

2009-07-21 10:33 . 2009-07-21 10:33 3584 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe

2009-07-21 10:33 . 2009-07-21 10:33 -------- d-----w- c:\program files\Windows Installer Clean Up

2009-07-20 20:05 . 2009-07-20 20:05 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Ahead

2009-07-20 20:03 . 2009-07-21 09:44 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Ahead

2009-07-20 20:02 . 2009-07-20 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead

2009-07-20 20:00 . 2009-07-20 20:01 -------- d-----w- c:\program files\Common Files\Ahead

2009-07-20 20:00 . 2009-07-20 20:00 -------- d-----w- c:\program files\Nero

2009-07-20 15:11 . 2009-07-20 15:51 -------- d-----w- c:\program files\RegCure

2009-07-20 15:11 . 2009-07-20 15:11 -------- d-----w- c:\windows\RegCure

2009-07-18 16:44 . 2009-07-18 16:44 -------- d-----w- C:\adaptec

2009-07-11 21:23 . 2009-07-11 21:26 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\InfraRecorder

2009-07-04 11:20 . 2009-07-04 11:20 -------- d-----w- c:\documents and settings\Jens

2009-07-04 07:43 . 2009-07-04 07:43 -------- d-----w- c:\windows\STPV temp

2009-07-03 07:41 . 2009-07-03 07:41 737280 ----a-w- c:\windows\iun6002.exe

2009-07-03 07:41 . 2009-07-03 07:41 -------- d-----w- c:\program files\AndreaMosaic

2009-07-01 17:22 . 2009-07-01 17:25 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Spotify

2009-07-01 17:22 . 2009-07-01 17:22 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Spotify

2009-07-01 17:22 . 2009-07-01 17:22 -------- d-----w- c:\program files\Spotify

2009-06-30 18:20 . 2009-06-30 18:20 34304 ----a-w- c:\documents and settings\All Users\Application Data\Screentime\BBC Globe\saver1.dll

2009-06-30 18:20 . 2009-06-30 18:20 218112 ----a-w- c:\windows\system32\BBC Globe.scr

2009-06-30 18:20 . 2009-06-30 18:20 18192 ----a-w- c:\documents and settings\All Users\Application Data\Screentime\BBC Globe\saver2.dll

2009-06-30 18:19 . 2009-06-30 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Screentime

2009-06-30 18:19 . 2009-06-30 18:19 34304 ----a-w- c:\documents and settings\All Users\Application Data\Screentime\BBC Clock\saver1.dll

2009-06-30 18:19 . 2009-06-30 18:19 218112 ----a-w- c:\windows\system32\BBC Clock.scr

2009-06-30 18:19 . 2009-06-30 18:19 18192 ----a-w- c:\documents and settings\All Users\Application Data\Screentime\BBC Clock\saver2.dll

2009-06-30 18:19 . 2009-06-30 18:20 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Screentime

2009-06-30 18:13 . 2009-06-30 18:13 65536 ----a-w- c:\windows\qt3wrap.dll

2009-06-30 18:13 . 2009-06-30 18:13 471552 ----a-w- c:\windows\testcards.scr

2009-06-30 18:13 . 2009-06-30 18:13 335360 ----a-w- c:\windows\Imw32d30.dll

2009-06-28 17:08 . 2009-06-28 17:08 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe

2009-06-28 17:08 . 2009-06-28 17:08 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys

2009-06-28 17:08 . 2009-06-28 17:08 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys

2009-06-28 17:08 . 2009-07-22 22:56 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Spyware Terminator

2009-06-28 17:08 . 2009-07-23 06:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator

2009-06-28 17:08 . 2009-07-23 06:28 -------- d-----w- c:\program files\Spyware Terminator

2009-06-28 13:06 . 2009-06-28 13:07 -------- d-----w- c:\program files\SpyZooka

2009-06-28 13:05 . 2009-06-28 13:05 -------- d-----w- c:\program files\Alwil Software

2009-06-28 11:05 . 2009-06-28 11:05 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-06-28 11:04 . 2009-06-28 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-06-28 11:04 . 2009-06-28 11:04 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-06-28 11:04 . 2009-06-28 11:04 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com

2009-06-28 10:49 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-06-28 10:49 . 2009-03-06 15:45 130424 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-06-28 10:49 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-06-28 10:48 . 2009-06-28 10:49 -------- d-----w- c:\program files\Common Files\PC Tools

2009-06-28 10:48 . 2008-12-10 11:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-06-28 10:48 . 2009-06-28 10:48 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-06-27 00:13 . 2009-07-21 10:17 -------- d-----w- c:\program files\DVDFab 6

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-23 16:36 . 2009-01-23 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8

2009-07-22 22:43 . 2007-06-18 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-07-22 07:17 . 2009-07-22 07:19 2928640 ----a-w- c:\windows\Internet Logs\xDB14.tmp

2009-07-22 07:17 . 2009-07-22 07:19 989184 ----a-w- c:\windows\Internet Logs\xDB13.tmp

2009-07-21 12:50 . 2007-06-18 21:14 -------- d-----w- c:\program files\Winamp

2009-07-21 10:32 . 2008-07-18 18:28 -------- d-----w- c:\program files\MSECACHE

2009-07-20 20:00 . 2008-01-04 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero

2009-07-20 17:23 . 2008-01-10 08:11 -------- d-----w- c:\program files\Magic Video Converter

2009-07-19 14:48 . 2007-10-10 15:51 7919337 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2009-07-19 14:46 . 2009-07-19 14:48 2918912 ----a-w- c:\windows\Internet Logs\xDB12.tmp

2009-07-11 21:23 . 2008-11-20 12:34 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AutoSizer

2009-07-09 09:26 . 2008-01-01 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki

2009-07-07 12:16 . 2009-07-07 12:18 2634240 ----a-w- c:\windows\Internet Logs\xDB11.tmp

2009-06-30 18:13 . 2008-08-06 12:34 12288 ----a-w- c:\windows\impborl.dll

2009-06-30 07:51 . 2009-01-23 21:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-30 07:51 . 2009-01-23 21:02 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-30 07:51 . 2009-01-23 21:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-28 11:04 . 2008-06-13 20:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-06-28 11:01 . 2008-10-08 12:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-06-28 10:50 . 2008-10-08 12:02 -------- d-----w- c:\program files\Spyware Doctor

2009-06-27 18:34 . 2007-06-18 20:37 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-06-27 00:02 . 2007-12-28 10:32 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Vso

2009-06-26 21:47 . 2009-02-10 11:27 -------- d-----w- c:\program files\DVDFab 5

2009-06-24 17:45 . 2008-04-18 13:31 -------- d-----w- c:\program files\ffdshow

2009-06-24 07:14 . 2007-06-15 13:48 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-23 18:15 . 2008-10-08 17:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-23 18:15 . 2008-10-20 21:12 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-06-22 17:16 . 2009-06-22 13:41 -------- d-----w- c:\program files\Cloudbrain

2009-06-19 20:18 . 2009-06-19 20:18 -------- d-----w- c:\program files\MP3ext

2009-06-19 08:31 . 2007-06-15 14:12 -------- d-----w- c:\program files\Common Files\Adobe

2009-06-19 07:44 . 2008-10-13 09:11 -------- d-----w- c:\program files\Safarp

2009-06-17 10:27 . 2008-10-08 17:43 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-17 10:27 . 2008-10-08 17:43 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-16 14:36 . 2007-06-15 19:30 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2007-06-15 19:27 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-15 17:03 . 2009-06-15 17:11 2793472 ----a-w- c:\windows\Internet Logs\xDB10.tmp

2009-06-05 15:41 . 2007-06-19 12:47 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent

2009-06-03 19:09 . 2007-06-15 19:29 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-27 21:34 . 2009-05-28 05:25 104960 ----a-w- c:\windows\Internet Logs\xDBF.tmp

2009-05-26 21:06 . 2007-06-19 16:56 738904 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-26 14:52 . 2009-05-26 14:56 1125888 ----a-w- c:\windows\Internet Logs\xDBD.tmp

2009-05-26 14:52 . 2009-05-26 14:56 2771456 ----a-w- c:\windows\Internet Logs\xDBE.tmp

2009-05-26 12:49 . 2009-05-26 12:50 2772480 ----a-w- c:\windows\Internet Logs\xDBC.tmp

2009-05-20 21:25 . 2009-05-21 06:06 2732032 ----a-w- c:\windows\Internet Logs\xDBB.tmp

2009-05-08 08:00 . 2009-05-08 08:03 1373184 ----a-w- c:\windows\Internet Logs\xDB9.tmp

2009-05-08 08:00 . 2009-05-08 08:04 2712064 ----a-w- c:\windows\Internet Logs\xDBA.tmp

2009-05-07 15:32 . 2007-06-15 12:28 345600 ----a-w- c:\windows\system32\localspl.dll

2009-04-29 04:56 . 2007-06-15 19:30 827392 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:55 . 2007-06-15 12:28 78336 ----a-w- c:\windows\system32\ieencode.dll

2007-12-14 19:49 . 2007-11-26 10:03 7168 --sha-w- c:\program files\Thumbs.db

2009-06-03 04:24 . 2009-07-09 08:09 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"AutoSizer"="c:\program files\AutoSizer\AutoSizer.exe" [2009-04-17 131072]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-30 1948440]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-15 7323648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk.disabled [2008-2-26 1768]

STK014 PNP Monitor.lnk.disabled [2007-10-25 1359]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-30 07:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

"<NO NAME>"=c:\program files\AutoSizer\AutoSizer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"

"DMAScheduler"=c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

"ehTray"=c:\windows\ehome\ehtray.exe

"ftutil2"=rundll32.exe ftutil2.dll,SetWriteCacheMode

"HP Software Update"=c:\program files\HP\HP Software Update\HPwuSchd2.exe

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

"IAAnotif"=c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect

"PCDrProfiler"="c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe" -r

"Recguard"=c:\windows\SMINST\RECGUARD.EXE

"RTHDCPL"=RTHDCPL.EXE

"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

"ScanSoft OmniPage SE 4.0-reminder"="c:\program files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"

"Belkin"=c:\program files\Belkin\F5D9050\Belkinwcui.exe

"F5D9050"=c:\program files\Belkin\F5D9050\Belkinwcui.exe

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\BitLord\\BitLord.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\HP_Administrator\\My Documents\\My Downloads\\utorrent.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [28/06/2009 11:49 130424]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/01/2009 22:02 327688]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [28/06/2009 18:08 142592]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [23/01/2009 22:01 298776]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [15/06/2007 14:48 2815744]

S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\CyberLink\PowerDVD8\000.fcl --> c:\program files\CyberLink\PowerDVD8\000.fcl [?]

S2 6to46to4aawservice;IPv6 Helper Service 6to46to4aawservice;c:\windows\TEMP\hvkrquhecb.exe service --> c:\windows\TEMP\hvkrquhecb.exe service [?]

S2 6to4aawservice;IPv6 Helper Service 6to4aawservice; [x]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [21/10/2008 14:46 17792]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [21/10/2008 14:46 7680]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [08/10/2008 13:02 348752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

2007-07-23 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job

- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-07 13:26]

2009-07-24 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]

2009-07-23 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]

2008-12-13 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-06-15 20:21]

2009-07-23 c:\windows\Tasks\User_Feed_Synchronization-{F9773F81-20EF-47EA-B55D-46E90523CE4B}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]

.

- - - - ORPHANS REMOVED - - - -

BHO-{161C7C9D-4CE4-4CE8-BC53-BC38DA207CC9} - (no file)

BHO-{1C8626ED-7943-44D6-BA21-49FBFAB6D319} - (no file)

BHO-{806173A1-A1B9-4A6A-93A9-22240664A605} - (no file)

BHO-{C24BE2F3-8DD8-4BBF-B3A5-F25491FCB619} - (no file)

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://uk.ask.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm

TCP: {667922C8-47F0-4692-AF98-B9FF009C3138} = 208.67.222.222,208.67.220.220

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0nwwuhna.default\

FF - prefs.js: browser.search.selectedEngine - Ask.com

FF - prefs.js: browser.startup.homepage - hxxp://uk.ask.com/?o=312&l=dir

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-24 10:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202815605-2651469824-4130500244-1007\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1240)

c:\program files\AutoSizer\AutoSizer.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ZoneLabs\vsmon.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccProxy.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\ehome\ehrecvr.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\windows\ehome\ehSched.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\program files\Spyware Terminator\sp_rsser.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

.

**************************************************************************

.

Completion time: 2009-07-24 10:40 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-24 09:40

Pre-Run: 152,902,832,128 bytes free

Post-Run: 152,641,040,384 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=,1,2,3,4

377 --- E O F --- 2009-07-15 08:12

New Hijack This log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:54:16, on 24/07/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\AutoSizer\AutoSizer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.ask.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled

O4 - Global Startup: STK014 PNP Monitor.lnk.disabled

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{667922C8-47F0-4692-AF98-B9FF009C3138}: NameServer = 208.67.222.222,208.67.220.220

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: IPv6 Helper Service 6to46to4aawservice (6to46to4aawservice) - Unknown owner - C:\WINDOWS\TEMP\hvkrquhecb.exe (file missing)

O23 - Service: IPv6 Helper Service 6to4aawservice (6to4aawservice) - Unknown owner - (no file)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe

O23 - Service: Intel


  • Root Admin

STEP 00

Disable the Spybot Tea Timer - DO NOT continue until you've disabled the Tea Timer

Disable Teatimer

First step:

  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

STEP 00a

Did you set these Name Servers on your own? NameServer = 208.67.222.222,208.67.220.220

If not then we need to remove them.

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
Driver::
6to46to4aawservice
6to4aawservice
File::
c:\windows\TEMP\hvkrquhecb.exe
c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
c:\windows\Tasks\RegCure Program Check.job
c:\windows\Tasks\RegCure.job
c:\windows\Tasks\Symantec NetDetect.job
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
DDS::
FF - prefs.js: browser.startup.homepage - hxxp://uk.ask.com/?o=312&l=dir
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

You have 2 Anti-Virus programs installed and running. You can only have 1 installed at any one time as they conflict with each other.

Please choose 1 and FULLY remove the other one. AVG or Symantec AV

STEP 03

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA as they are compromised

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

STEP 03

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

STEP 03a

Download and install CCleaner

  • CCleaner
  • Double-click on the downloaded file "ccsetup220_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 04

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 14.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 14 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u14-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

STEP 05

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log

STEP 06

Please temporarily disable your Anti-Virus and run this Online AV Scanner

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
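The O23 service entries and the O17 NameServer line in the HijackThis log above are exactly what STEP 00a and the ComboFix script in STEP 01 act on. As an added example, not code from this thread, from HijackThis or from any of the tools named here, the following Python triage helper parses those two line types and flags the patterns a helper reviews first: a service with no recorded vendor, a service binary registered under a TEMP directory, and a registered binary that is missing, plus any NameServer override for the user to confirm. The sample lines are copied from the log posted above; the function names and the flag rules are this example's own.

```python
"""Triage helper for HijackThis O17/O23 lines (added example, not part of
the original thread or of HijackThis). Function names and flag rules are
this example's own; the sample lines are copied from the log posted above."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{667922C8-47F0-4692-AF98-B9FF009C3138}: NameServer = 208.67.222.222,208.67.220.220",
    r"O23 - Service: IPv6 Helper Service 6to46to4aawservice (6to46to4aawservice) - Unknown owner - C:\WINDOWS\TEMP\hvkrquhecb.exe (file missing)",
    r"O23 - Service: IPv6 Helper Service 6to4aawservice (6to4aawservice) - Unknown owner - (no file)",
    r"O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe",
    r"O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
]

# O23 lines read: "O23 - Service: <display> (<short>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) \((?P<short>[^()]+)\) - (?P<owner>.*?) - (?P<path>.*)$"
)
# O17 lines read: "O17 - <registry key>: NameServer = <ip>[,<ip>...]"
O17_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    display: str
    short_name: str
    owner: str
    path: Optional[str]
    file_missing: bool
    reasons: List[str] = field(default_factory=list)  # why it was flagged


def parse_service(line: str) -> Optional[ServiceEntry]:
    """Parse one O23 line and attach review reasons; None if not an O23 line."""
    m = O23_RE.match(line.strip())
    if m is None:
        return None
    raw_path = m.group("path").strip()
    path: Optional[str] = raw_path
    file_missing = False
    if raw_path == "(no file)":
        path, file_missing = None, True
    elif raw_path.endswith("(file missing)"):
        path = raw_path[: -len("(file missing)")].strip()
        file_missing = True
    entry = ServiceEntry(m.group("display"), m.group("short"), m.group("owner"), path, file_missing)
    if entry.owner == "Unknown owner":
        entry.reasons.append("no vendor recorded for the service binary")
    if path is not None and TEMP_DIR_RE.search(path):
        entry.reasons.append("service binary registered under a TEMP directory")
    if file_missing:
        entry.reasons.append("registered binary is missing (orphaned or already removed)")
    return entry


def parse_nameservers(line: str) -> Optional[List[str]]:
    """Return the DNS servers from an O17 NameServer line; None if not one."""
    m = O17_RE.match(line.strip())
    if m is None:
        return None
    return [s.strip() for s in m.group("servers").split(",") if s.strip()]


def triage(lines: Iterable[str]) -> Dict[str, list]:
    """Collect flagged O23 services and every O17 NameServer override."""
    flagged: List[ServiceEntry] = []
    nameservers: List[str] = []
    for line in lines:
        svc = parse_service(line)
        if svc is not None:
            if svc.reasons:
                flagged.append(svc)
            continue
        ns = parse_nameservers(line)
        if ns:
            nameservers.extend(ns)
    return {"flagged_services": flagged, "nameservers": nameservers}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG_LINES)
    for svc in report["flagged_services"]:
        print(f"[REVIEW] {svc.short_name}: {svc.path or '(no file)'}")
        for why in svc.reasons:
            print(f"         - {why}")
    if report["nameservers"]:
        print("Confirm these DNS servers were set on purpose:", ", ".join(report["nameservers"]))
```

Run against the sample lines, the two "IPv6 Helper Service" entries are flagged (unknown vendor, TEMP path, missing file) while the Lavasoft and AVG services pass, and the OpenDNS-looking NameServer pair is listed for the user to confirm, which mirrors the question asked in STEP 00a. A missing file alone is only a review reason, not a verdict: orphaned service keys are also left behind by incomplete uninstalls.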

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
