takethembowling Posted July 27, 2009 ID:103171 Share Posted July 27, 2009 I see its very busy here. If anyone has time to help me out I would greatly appreciate it.Symptoms: Browser Redirection, System Freezes or Crashes oftenHere are my logs----------------------------------------Malwarebytes' Anti-Malware 1.39Database version: 2512Windows 5.1.2600 Service Pack 37/27/2009 12:02:34 PMmbam-log-2009-07-27 (12-02-34).txtScan type: Quick ScanObjects scanned: 112337Time elapsed: 6 minute(s), 17 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:D:\autorun.inf (Worm.Agent.H) -> Quarantined and deleted successfully.C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.------------------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 12:09:03 PM, on 7/27/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Softex\OmniPass\Omniserv.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\TUProgSt.exeC:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\AVG8\avgnsx.exeC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\Program Files\Softex\OmniPass\OPXPApp.exeC:\WINDOWS\Explorer.EXEC:\HP\KBD\KBD.EXEC:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exeC:\Program Files\Pure Networks\Network Magic\nmapp.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca9.hpwis.com/R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-ca9.hpwis.com/R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=60327R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-ca9.hpwis.com/R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca9.hpwis.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-ca9.hpwis.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-ca9.hpwis.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-ca9.hpwis.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca9.hpwis.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.localR3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO1 - Hosts: 1.1.1.1 ewido.netO1 - Hosts: 1.1.1.1 www.ewido.netO1 - Hosts: 1.1.1.1 sysinternals.comO1 - Hosts: 1.1.1.1 www.sysinternals.comO1 - Hosts: 1.1.1.1 onguardonline.govO1 - Hosts: 1.1.1.1 www.onguardonline.govO1 - Hosts: 1.1.1.1 avast.comO1 - Hosts: 1.1.1.1 www.avast.comO1 - Hosts: 1.1.1.1 safety.live.comO1 - Hosts: 1.1.1.1 www.paretologic.comO1 - Hosts: 1.1.1.1 paretologic.comO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dllO2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO3 - Toolbar: Ask && Record Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dllO4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXEO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplashO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [bHR] C:\Program Files\Browser Hijack Retaliator 4.5\BHR.exeO4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')O4 - Startup: services.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions presentO6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132870533937O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cabO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dllO23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exeO23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exeO23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe--End of file - 9501 bytes Link to post Share on other sites More sharing options...
Kenny94 Posted July 28, 2009 ID:103367 Share Posted July 28, 2009 Hi takethembowling and Welcome to Malwarebytes!O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel presentDid you or your network Admin..put these restrictions in place?Download the HostsXpert 4.2 - Hosts File Manager.Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File ManagerRun HostsXpert 4.2 - Hosts File Manager from its new homeClick on "File Handling".Click on "Restore MS Hosts File".Click OK on the Confirmation box.Click on "Make Read Only?"Click the X to exit the program.Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.NextPlease download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button.Click Exit on the Main menu to close the program. Also, I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:To get an Uninstall List from HijackThis:Open HijackThis, click Config, click Misc ToolsClick "Open Uninstall Manager"Click "Save List" (generates uninstall_list.txt)Click Save, copy and paste the results in your next post. Link to post Share on other sites More sharing options...
takethembowling Posted July 28, 2009 Author ID:103546 Share Posted July 28, 2009 Hi, thanks for the reply. I completed both steps in your post but I'm not sure about the IE restrictions. I should say that IE is part of the problem though. I currently use firefox, but recently I have seen iexplorer running in task manager even though its not on the task bar. Sometimes I will hear clicking sounds or even music playing Sorry for not putting that in my original post.Here is my add/remove program list from Hijack this.7-Zip 4.57AC3Filter (remove only)ACDSee for PENTAX 3.0Acoustica BeatcraftAcoustica Effects PackAcoustica MixcraftAcrobat.comAcrobat.comAdobe AIRAdobe AIRAdobe Flash Player 10 PluginAdobe Flash Player ActiveXAdobe Reader 7.0.9Adobe Shockwave PlayerAnvil StudioAnvil StudioApple Mobile Device SupportApple Software UpdateArcSoft ShowBiz 2Ares 2.0.3Ask & Record Toolbar 4.01 Ask ToolbarAudibleManagerAudioConverter Studio 5.9AVG Free 8.5AVI to MPEG ConverterBonjourCCleaner (remove only)Choice GuardCreative System InformationCreative ZENDH Driver Cleaner Professional EditionDigital Media Converter 2.74DivX CodecDivX ConverterDivX PlayerDivX Plus DirectShow FiltersDivX Web PlayerDreamStation DXi2EA Network Play SystemEnhanced Multimedia Keyboard SolutionEusing Free Registry CleanerEZ Vinyl Converter 2.0.0 by MixMeisterFixTunes (remove only)FrapsFree iPod Video Converter 1.26Free YouTube to Mp3 Converter version 3.1FreeRIP v2.945Google Toolbar for FirefoxGoogle Video PlayerHijackThis 2.0.2Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)HP Customer Participation Program 7.0HP Deskjet Preloaded Printer DriversHP Imaging Device Functions 7.0HP Instant SupportHP OrganizeHP Photo and Imaging 2.0 - Photosmart CamerasHP Photosmart and Deskjet 7.0 SoftwareHP Photosmart Premier Software 6.5HP Solution Center 7.0HP UpdateImage Resizer Powertoy for Windows XPInFlac 1.1.1Intel® Extreme Graphics DriverIntelliMover Data Transfer DemoInterVideo WinDVD Playeririver Music ManageriRiver UpdateriTunesJ2SE Runtime Environment 5.0 Update 10J2SE Runtime Environment 5.0 Update 8Java 2 Runtime Environment, SE v1.4.1_02Java Web StartJava 6 Update 11LiveReg (Symantec Corporation)LiveUpdate 1.80 (Symantec Corporation)Malwarebytes' Anti-MalwareMediaMonkey 3.1Memories Disc Creator 2.0MicroAdobe Free ASF Player (Free)Microsoft .NET Framework 1.1Microsoft .NET Framework 1.1Microsoft .NET Framework 1.1 Hotfix (KB928366)Microsoft .NET Framework 2.0 Service Pack 2Microsoft .NET Framework 3.0 Service Pack 2Microsoft .NET Framework 3.5 SP1Microsoft .NET Framework 3.5 SP1Microsoft Compression Client Pack 1.0 for Windows XPMicrosoft Money 2003Microsoft Money 2003 System PackMicrosoft Office Excel Viewer 2003Microsoft Office PowerPoint Viewer 2003Microsoft Plus! Digital Media EditionMicrosoft SilverlightMicrosoft User-Mode Driver Framework Feature Pack 1.0Microsoft Visual C++ 2005 RedistributableMicrosoft Visual J# .NET Redistributable Package 1.1Microsoft Works 7.0Mozilla Firefox (3.0.12)MSVCRTMSXML 4.0 SP2 (KB925672)MSXML 4.0 SP2 (KB927978)MSXML 4.0 SP2 (KB936181)MSXML 4.0 SP2 (KB954430)MSXML 4.0 SP2 Parser and SDKMSXML4 ParserMultimedia Card ReaderneroxmlNetwork MagicNorton AntiVirus 2003NVIDIA DriversOmniPassPhotosmart 140,240,7200,7600,7700,7900 SeriesProject64 1.6Python 2.2 combined Win32 extensionsPython 2.2.1QMusic 2.5Quicken 2003 New User EditionQuickTimeRealtek AC'97 AudioRecordNow!Replay Media Catcher 3.02S3DisplayS3Gamma2S3Info2S3OverlaySafariSegoe UIShotstoneSkype Link to post Share on other sites More sharing options...
Kenny94 Posted July 28, 2009 ID:103579 Share Posted July 28, 2009 First of all, you should not have more than one anti-virus program installed as they will conflict and cause problems. You have two so you need to uninstall one of them. Of the two, I would recommend keeping AVG Free 8.5 and remove Norton AntiVirus Toolbar. Unless you just purchase it? The uninstall list contains no Security Updates for Windows XP? Before we move on, run MGA Diagnostic Tool... Lets do the following for now.Please remove these entries from Add/Remove Programs in the Control PanelAsk ToolbarJ2SE Runtime Environment 5.0 Update 10J2SE Runtime Environment 5.0 Update 8Java 2 Runtime Environment, SE v1.4.1_02Java Link to post Share on other sites More sharing options...
takethembowling Posted July 28, 2009 Author ID:103616 Share Posted July 28, 2009 Thanks again for the help. I uninstalled Norton Anti-virus. It came with my PC years ago (2003) and I never use it so forgot all about it.Diagnostic Report (1.9.0011.0):-----------------------------------------WGA Data-->Validation Status: GenuineValidation Code: 0Cached Validation Code: N/AWindows Product Key: *****-*****-BRVBB-38MQ9-3PMFTWindows Product Key Hash: 2V2VyxlfhiaCt/JkDzYQfiNOHMA=Windows Product ID: 55277-OEM-2111907-00106Windows Product ID Type: 2Windows License Type: OEM SLPWindows OS version: 5.1.2600.2.00010300.3.0.homID: {615F4AD0-86B0-4DC5-97FF-5F9748DF7AE8}(3)Is Admin: YesTestCab: 0x0WGA Version: Registered, 1.7.69.2Signed By: MicrosoftProduct Name: N/AArchitecture: N/ABuild lab: N/ATTS Error: N/AValidation Diagnostic: 025D1FF3-230-1Resolution Status: N/AWgaER Data-->ThreatID(s): N/AVersion: N/AWGA Notifications Data-->Cached Result: 0File Exists: YesVersion: 1.7.18.5WgaTray.exe Signed By: MicrosoftWgaLogon.dll Signed By: MicrosoftOGA Notifications Data-->Cached Result: N/A, hr = 0x80070002Version: N/A, hr = 0x80070002OGAExec.exe Signed By: N/A, hr = 0x80070002OGAAddin.dll Signed By: N/A, hr = 0x80070002OGA Data-->Office Status: 109 N/AOGA Version: N/A, 0x80070002Signed By: N/A, hr = 0x80070002Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-230-1Browser Data-->Proxy settings: N/AUser Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)Default Browser: C:\Program Files\Mozilla Firefox\firefox.exeDownload signed ActiveX controls: PromptDownload unsigned ActiveX controls: DisabledRun ActiveX controls and plug-ins: AllowedInitialize and script ActiveX controls not marked as safe: DisabledAllow scripting of Internet Explorer Webbrowser control: DisabledActive scripting: AllowedScript ActiveX controls marked as safe for scripting: AllowedFile Scan Data-->Other data-->Office Details: <GenuineResults><MachineData><UGUID>{615F4AD0-86B0-4DC5-97FF-5F9748DF7AE8}</UGUID><Version>1.9.0011.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3PMFT</PKey><PID>55277-OEM-2111907-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-1598320945-1261319154-3162106693</SID><SYSTEM><Manufacturer>HP Pavilion 061</Manufacturer><Model>DM168A-ABA A320N</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>3.14 </Version><SMBIOSVersion major="2" minor="3"/><Date>20030917000000.000000+000</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>A03435870184AE5F</HWID><UserLCID>1009</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard</name><model>Pavilion</model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.7.18.5"/><File Name="WgaLogon.dll" Version="1.7.18.5"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> Licensing Data-->N/AHWID Data-->N/AOEM Activation 1.0 Data-->BIOS string matches: yesMarker string from BIOS: 104EA:Hewlett-Packard CompanyMarker string from OEMBIOS.DAT: HP PAVILIONOEM Activation 2.0 Data-->N/A--------------------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:12:12 PM, on 7/28/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Softex\OmniPass\Omniserv.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\TUProgSt.exeC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\AVG8\avgnsx.exeC:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exeC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\Program Files\Softex\OmniPass\OPXPApp.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Internet Explorer\Iexplore.exeC:\HP\KBD\KBD.EXEC:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exeC:\Program Files\Pure Networks\Network Magic\nmapp.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca9.hpwis.com/R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-ca9.hpwis.com/R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=60327R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-ca9.hpwis.com/R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca9.hpwis.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-ca9.hpwis.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-ca9.hpwis.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-ca9.hpwis.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca9.hpwis.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.localR3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXEO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplashO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [bHR] C:\Program Files\Browser Hijack Retaliator 4.5\BHR.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')O4 - Startup: services.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions presentO9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132870533937O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) - O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cabO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dllO23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exeO23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exeO23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe--End of file - 8613 bytes Link to post Share on other sites More sharing options...
Kenny94 Posted July 28, 2009 ID:103640 Share Posted July 28, 2009 I don't want to use ComboFix or any tools unless we need to. But MBAM pick up a "Rootkit.Trace" and Redirection items and it was removed by Malwarebytes.... Lets do this:Download RootRepeal:http://rootrepeal.googlepages.com/RootRepeal.zipExtract the archive to a folder you create such as C:\RootRepealDouble-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator).Click the "File" tab (located at the bottom of the RootRepeal screen)Click the "Scan" buttonIn the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:Click OK and the file scan will beginWhen the scan is done, there will be files listed, but most if not all of them will be legitimateClick the "Save Report" ButtonSave the log file to your Documents folderPost the content of the RootRepeal file scan log in your next reply.NextLaunch Malwarebytes' Anti-MalwareIf an update is found, it will download and install the latest version.Once the program has loaded, select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted. Link to post Share on other sites More sharing options...
takethembowling Posted July 29, 2009 Author ID:103718 Share Posted July 29, 2009 Hmmmm... it seems there are recurring problems in the malware scan. I assumed that it had fixed that and maybe the problem was something it didn't detect. I ran a scan and found 2 problems (there was no D:\autorun.inf Worm.Agent.H) . I tried using malwarebytes in safe mode and got the same result. When I scanned again on reboot. (the most current log, that I posted here) there were 3 again (D:\autorun.inf Worm.Agent.H had returned).If it helps, the other two infections - HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) and C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) were found when mbam performed the "extra and heuristics scan" at the end of the quick scan.ROOTREPEAL © AD, 2007-2009==================================================Scan Start Time: 2009/07/28 16:13Program Version: Version 1.3.3.0Windows Version: Windows XP SP3==================================================Drivers-------------------Name: 00000047Image Path: \Driver\00000047Address: 0x00000000 Size: 0 File Visible: No Signed: -Status: -Name: 1394BUS.SYSImage Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYSAddress: 0xF851F000 Size: 57344 File Visible: - Signed: -Status: -Name: ACPI.sysImage Path: ACPI.sysAddress: 0xF8361000 Size: 187776 File Visible: - Signed: -Status: -Name: ACPI_HALImage Path: \Driver\ACPI_HALAddress: 0x804D7000 Size: 2189056 File Visible: - Signed: -Status: -Name: aec.sysImage Path: C:\WINDOWS\system32\drivers\aec.sysAddress: 0xB99F0000 Size: 142592 File Visible: - Signed: -Status: -Name: afd.sysImage Path: C:\WINDOWS\System32\drivers\afd.sysAddress: 0xF4FC0000 Size: 138496 File Visible: - Signed: -Status: -Name: AFS2K.SYSImage Path: C:\WINDOWS\System32\Drivers\AFS2K.SYSAddress: 0xF861F000 Size: 35840 File Visible: - Signed: -Status: -Name: agp440.sysImage Path: agp440.sysAddress: 0xF852F000 Size: 42368 File Visible: - Signed: -Status: -Name: ALCXWDM.SYSImage Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYSAddress: 0xF7994000 Size: 2279424 File Visible: - Signed: -Status: -Name: amdk7.sysImage Path: C:\WINDOWS\System32\DRIVERS\amdk7.sysAddress: 0xF85CF000 Size: 37760 File Visible: - Signed: -Status: -Name: arp1394.sysImage Path: C:\WINDOWS\System32\DRIVERS\arp1394.sysAddress: 0xF7C79000 Size: 60800 File Visible: - Signed: -Status: -Name: atapi.sysImage Path: atapi.sysAddress: 0xF8319000 Size: 98304 File Visible: - Signed: -Status: -Name: atapi.sysImage Path: atapi.sysAddress: 0x00000000 Size: 0 File Visible: - Signed: -Status: -Name: ATMFD.DLLImage Path: C:\WINDOWS\System32\ATMFD.DLLAddress: 0xBFFA0000 Size: 286720 File Visible: - Signed: -Status: -Name: audstub.sysImage Path: C:\WINDOWS\System32\DRIVERS\audstub.sysAddress: 0xF8B88000 Size: 3072 File Visible: - Signed: -Status: -Name: avgldx86.sysImage Path: C:\WINDOWS\System32\Drivers\avgldx86.sysAddress: 0xF4EAC000 Size: 329088 File Visible: - Signed: -Status: -Name: avgmfx86.sysImage Path: C:\WINDOWS\System32\Drivers\avgmfx86.sysAddress: 0xF87BF000 Size: 21120 File Visible: - Signed: -Status: -Name: avgtdix.sysImage Path: C:\WINDOWS\System32\Drivers\avgtdix.sysAddress: 0xF5067000 Size: 101888 File Visible: - Signed: -Status: -Name: Beep.SYSImage Path: C:\WINDOWS\System32\Drivers\Beep.SYSAddress: 0xF89DB000 Size: 4224 File Visible: - Signed: -Status: -Name: BOOTVID.dllImage Path: C:\WINDOWS\system32\BOOTVID.dllAddress: 0xF88AF000 Size: 12288 File Visible: - Signed: -Status: -Name: Cdfs.SYSImage Path: C:\WINDOWS\System32\Drivers\Cdfs.SYSAddress: 0xB9833000 Size: 63744 File Visible: - Signed: -Status: -Name: cdrom.sysImage Path: C:\WINDOWS\System32\DRIVERS\cdrom.sysAddress: 0xF862F000 Size: 62976 File Visible: - Signed: -Status: -Name: cinemsup.sysImage Path: C:\WINDOWS\system32\drivers\cinemsup.sysAddress: 0xF87B7000 Size: 24576 File Visible: - Signed: -Status: -Name: CLASSPNP.SYSImage Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYSAddress: 0xF84DF000 Size: 53248 File Visible: - Signed: -Status: -Name: disk.sysImage Path: disk.sysAddress: 0xF84CF000 Size: 36352 File Visible: - Signed: -Status: -Name: DMusic.sysImage Path: C:\WINDOWS\system32\drivers\DMusic.sysAddress: 0xB9D09000 Size: 52864 File Visible: - Signed: -Status: -Name: drmk.sysImage Path: C:\WINDOWS\system32\drivers\drmk.sysAddress: 0xF860F000 Size: 61440 File Visible: - Signed: -Status: -Name: drmkaud.sysImage Path: C:\WINDOWS\system32\drivers\drmkaud.sysAddress: 0xF8BA0000 Size: 2944 File Visible: - Signed: -Status: -Name: dtscsi.sysImage Path: C:\WINDOWS\System32\Drivers\dtscsi.sysAddress: 0xF748D000 Size: 303104 File Visible: - Signed: -Status: -Name: dump_atapi.sysImage Path: C:\WINDOWS\System32\Drivers\dump_atapi.sysAddress: 0xF4E94000 Size: 98304 File Visible: No Signed: -Status: -Name: dump_WMILIB.SYSImage Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYSAddress: 0xF89FB000 Size: 8192 File Visible: No Signed: -Status: -Name: Dxapi.sysImage Path: C:\WINDOWS\System32\drivers\Dxapi.sysAddress: 0xF5149000 Size: 12288 File Visible: - Signed: -Status: -Name: dxg.sysImage Path: C:\WINDOWS\System32\drivers\dxg.sysAddress: 0xBF9C3000 Size: 73728 File Visible: - Signed: -Status: -Name: dxgthk.sysImage Path: C:\WINDOWS\System32\drivers\dxgthk.sysAddress: 0xF8AF6000 Size: 4096 File Visible: - Signed: -Status: -Name: Fastfat.SYSImage Path: C:\WINDOWS\System32\Drivers\Fastfat.SYSAddress: 0xF50EC000 Size: 143744 File Visible: - Signed: -Status: -Name: fdc.sysImage Path: C:\WINDOWS\System32\DRIVERS\fdc.sysAddress: 0xF8857000 Size: 27392 File Visible: - Signed: -Status: -Name: Fips.SYSImage Path: C:\WINDOWS\System32\Drivers\Fips.SYSAddress: 0xF870F000 Size: 44544 File Visible: - Signed: -Status: -Name: flpydisk.sysImage Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sysAddress: 0xF8767000 Size: 20480 File Visible: - Signed: -Status: -Name: fltmgr.sysImage Path: fltmgr.sysAddress: 0xF82F9000 Size: 129792 File Visible: - Signed: -Status: -Name: Fs_Rec.SYSImage Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYSAddress: 0xF89D9000 Size: 7936 File Visible: - Signed: -Status: -Name: ftdisk.sysImage Path: ftdisk.sysAddress: 0xF8331000 Size: 125056 File Visible: - Signed: -Status: -Name: GEARAspiWDM.sysImage Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sysAddress: 0xF864F000 Size: 40960 File Visible: - Signed: -Status: -Name: hal.dllImage Path: C:\WINDOWS\system32\hal.dllAddress: 0x806EE000 Size: 131840 File Visible: - Signed: -Status: -Name: HTTP.sysImage Path: C:\WINDOWS\System32\Drivers\HTTP.sysAddress: 0xB9C30000 Size: 264832 File Visible: - Signed: -Status: -Name: i8042prt.sysImage Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sysAddress: 0xF85DF000 Size: 52480 File Visible: - Signed: -Status: -Name: ifp700.sysImage Path: ifp700.sysAddress: 0xF88B3000 Size: 13088 File Visible: - Signed: -Status: -Name: imapi.sysImage Path: C:\WINDOWS\System32\DRIVERS\imapi.sysAddress: 0xF865F000 Size: 42112 File Visible: - Signed: -Status: -Name: ipsec.sysImage Path: C:\WINDOWS\System32\DRIVERS\ipsec.sysAddress: 0xF50D9000 Size: 75264 File Visible: - Signed: -Status: -Name: isapnp.sysImage Path: isapnp.sysAddress: 0xF849F000 Size: 37248 File Visible: - Signed: -Status: -Name: kbdclass.sysImage Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sysAddress: 0xF8867000 Size: 24576 File Visible: - Signed: -Status: -Name: KDCOM.DLLImage Path: C:\WINDOWS\system32\KDCOM.DLLAddress: 0xF899F000 Size: 8192 File Visible: - Signed: -Status: -Name: kmixer.sysImage Path: C:\WINDOWS\system32\drivers\kmixer.sysAddress: 0xB999D000 Size: 172416 File Visible: - Signed: -Status: -Name: ks.sysImage Path: C:\WINDOWS\system32\drivers\ks.sysAddress: 0xF794D000 Size: 143360 File Visible: - Signed: -Status: -Name: KSecDD.sysImage Path: KSecDD.sysAddress: 0xF82D0000 Size: 92288 File Visible: - Signed: -Status: -Name: ltmdmnt.sysImage Path: C:\WINDOWS\System32\DRIVERS\ltmdmnt.sysAddress: 0xF78B8000 Size: 606656 File Visible: - Signed: -Status: -Name: mnmdd.SYSImage Path: C:\WINDOWS\System32\Drivers\mnmdd.SYSAddress: 0xF89DD000 Size: 4224 File Visible: - Signed: -Status: -Name: Modem.SYSImage Path: C:\WINDOWS\System32\Drivers\Modem.SYSAddress: 0xF8887000 Size: 30080 File Visible: - Signed: -Status: -Name: mouclass.sysImage Path: C:\WINDOWS\System32\DRIVERS\mouclass.sysAddress: 0xF886F000 Size: 23040 File Visible: - Signed: -Status: -Name: MountMgr.sysImage Path: MountMgr.sysAddress: 0xF84AF000 Size: 42368 File Visible: - Signed: -Status: -Name: mrxdav.sysImage Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sysAddress: 0xBA1EB000 Size: 180608 File Visible: - Signed: -Status: -Name: mrxsmb.sysImage Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sysAddress: 0xF4EFD000 Size: 455296 File Visible: - Signed: -Status: -Name: Msfs.SYSImage Path: C:\WINDOWS\System32\Drivers\Msfs.SYSAddress: 0xF877F000 Size: 19072 File Visible: - Signed: -Status: -Name: msgpc.sysImage Path: C:\WINDOWS\System32\DRIVERS\msgpc.sysAddress: 0xF869F000 Size: 35072 File Visible: - Signed: -Status: -Name: mssmbios.sysImage Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sysAddress: 0xF815C000 Size: 15488 File Visible: - Signed: -Status: -Name: Mup.sysImage Path: Mup.sysAddress: 0xF81C4000 Size: 105344 File Visible: - Signed: -Status: -Name: NDIS.sysImage Path: NDIS.sysAddress: 0xF8203000 Size: 182656 File Visible: - Signed: -Status: -Name: ndistapi.sysImage Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sysAddress: 0xF816C000 Size: 10112 File Visible: - Signed: -Status: -Name: ndisuio.sysImage Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sysAddress: 0xBAD14000 Size: 14592 File Visible: - Signed: -Status: -Name: ndiswan.sysImage Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sysAddress: 0xF7439000 Size: 91520 File Visible: - Signed: -Status: -Name: NDProxy.SYSImage Path: C:\WINDOWS\System32\Drivers\NDProxy.SYSAddress: 0xF86BF000 Size: 40576 File Visible: - Signed: -Status: -Name: netbios.sysImage Path: C:\WINDOWS\System32\DRIVERS\netbios.sysAddress: 0xF86DF000 Size: 34688 File Visible: - Signed: -Status: -Name: netbt.sysImage Path: C:\WINDOWS\System32\DRIVERS\netbt.sysAddress: 0xF503F000 Size: 162816 File Visible: - Signed: -Status: -Name: nic1394.sysImage Path: C:\WINDOWS\System32\DRIVERS\nic1394.sysAddress: 0xF856F000 Size: 61824 File Visible: - Signed: -Status: -Name: Npfs.SYSImage Path: C:\WINDOWS\System32\Drivers\Npfs.SYSAddress: 0xF8787000 Size: 30848 File Visible: - Signed: -Status: -Name: Ntfs.sysImage Path: Ntfs.sysAddress: 0xF8230000 Size: 574976 File Visible: - Signed: -Status: -Name: ntoskrnl.exeImage Path: C:\WINDOWS\system32\ntoskrnl.exeAddress: 0x804D7000 Size: 2189056 File Visible: - Signed: -Status: -Name: Null.SYSImage Path: C:\WINDOWS\System32\Drivers\Null.SYSAddress: 0xF8A92000 Size: 2944 File Visible: - Signed: -Status: -Name: nv4_disp.dllImage Path: C:\WINDOWS\System32\nv4_disp.dllAddress: 0xBF9D5000 Size: 4530176 File Visible: - Signed: -Status: -Name: nv4_mini.sysImage Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sysAddress: 0xF74EB000 Size: 3983680 File Visible: - Signed: -Status: -Name: nv_agp.sysImage Path: nv_agp.sysAddress: 0xF873F000 Size: 18688 File Visible: - Signed: -Status: -Name: NVENET.sysImage Path: C:\WINDOWS\System32\DRIVERS\NVENET.sysAddress: 0xF85FF000 Size: 54784 File Visible: - Signed: -Status: -Name: ohci1394.sysImage Path: ohci1394.sysAddress: 0xF850F000 Size: 61696 File Visible: - Signed: -Status: -Name: parport.sysImage Path: C:\WINDOWS\System32\DRIVERS\parport.sysAddress: 0xF7BE5000 Size: 80128 File Visible: - Signed: -Status: -Name: PartMgr.sysImage Path: PartMgr.sysAddress: 0xF8727000 Size: 19712 File Visible: - Signed: -Status: -Name: ParVdm.SYSImage Path: C:\WINDOWS\System32\Drivers\ParVdm.SYSAddress: 0xF8A1B000 Size: 6784 File Visible: - Signed: -Status: -Name: pci.sysImage Path: pci.sysAddress: 0xF8350000 Size: 68224 File Visible: - Signed: -Status: -Name: pciide.sysImage Path: pciide.sysAddress: 0xF8A67000 Size: 3328 File Visible: - Signed: -Status: -Name: PCIIDEX.SYSImage Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYSAddress: 0xF871F000 Size: 28672 File Visible: - Signed: -Status: -Name: pfc.sysImage Path: C:\WINDOWS\system32\drivers\pfc.sysAddress: 0xF8178000 Size: 9856 File Visible: - Signed: -Status: -Name: pnarp.sysImage Path: C:\WINDOWS\system32\DRIVERS\pnarp.sysAddress: 0xF8817000 Size: 18560 File Visible: - Signed: -Status: -Name: PnpManagerImage Path: \Driver\PnpManagerAddress: 0x804D7000 Size: 2189056 File Visible: - Signed: -Status: -Name: portcls.sysImage Path: C:\WINDOWS\system32\drivers\portcls.sysAddress: 0xF7970000 Size: 147456 File Visible: - Signed: -Status: -Name: PS2.sysImage Path: C:\WINDOWS\System32\DRIVERS\PS2.sysAddress: 0xF885F000 Size: 19072 File Visible: - Signed: -Status: -Name: psched.sysImage Path: C:\WINDOWS\System32\DRIVERS\psched.sysAddress: 0xF7428000 Size: 69120 File Visible: - Signed: -Status: -Name: ptilink.sysImage Path: C:\WINDOWS\System32\DRIVERS\ptilink.sysAddress: 0xF8897000 Size: 17792 File Visible: - Signed: -Status: -Name: purendis.sysImage Path: C:\WINDOWS\system32\DRIVERS\purendis.sysAddress: 0xF8827000 Size: 19840 File Visible: - Signed: -Status: -Name: PxHelp20.sysImage Path: PxHelp20.sysAddress: 0xF84EF000 Size: 35712 File Visible: - Signed: -Status: -Name: rasacd.sysImage Path: C:\WINDOWS\System32\DRIVERS\rasacd.sysAddress: 0xF8144000 Size: 8832 File Visible: - Signed: -Status: -Name: rasl2tp.sysImage Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sysAddress: 0xF866F000 Size: 51328 File Visible: - Signed: -Status: -Name: raspppoe.sysImage Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sysAddress: 0xF867F000 Size: 41472 File Visible: - Signed: -Status: -Name: raspptp.sysImage Path: C:\WINDOWS\System32\DRIVERS\raspptp.sysAddress: 0xF868F000 Size: 48384 File Visible: - Signed: -Status: -Name: raspti.sysImage Path: C:\WINDOWS\System32\DRIVERS\raspti.sysAddress: 0xF889F000 Size: 16512 File Visible: - Signed: -Status: -Name: RAWImage Path: \FileSystem\RAWAddress: 0x804D7000 Size: 2189056 File Visible: - Signed: -Status: -Name: rdbss.sysImage Path: C:\WINDOWS\System32\DRIVERS\rdbss.sysAddress: 0xF4F95000 Size: 175744 File Visible: - Signed: -Status: -Name: RDPCDD.sysImage Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sysAddress: 0xF89DF000 Size: 4224 File Visible: - Signed: -Status: -Name: redbook.sysImage Path: C:\WINDOWS\System32\DRIVERS\redbook.sysAddress: 0xF863F000 Size: 57600 File Visible: - Signed: -Status: -Name: rootrepeal.sysImage Path: C:\WINDOWS\system32\drivers\rootrepeal.sysAddress: 0xB93C3000 Size: 49152 File Visible: No Signed: -Status: -Name: SCSIPORT.SYSImage Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYSAddress: 0xF838F000 Size: 98304 File Visible: - Signed: -Status: -Name: secdrv.sysImage Path: C:\WINDOWS\System32\DRIVERS\secdrv.sysAddress: 0xF730A000 Size: 40960 File Visible: - Signed: -Status: -Name: serenum.sysImage Path: C:\WINDOWS\System32\DRIVERS\serenum.sysAddress: 0xF817C000 Size: 15744 File Visible: - Signed: -Status: -Name: serial.sysImage Path: C:\WINDOWS\System32\DRIVERS\serial.sysAddress: 0xF85EF000 Size: 64512 File Visible: - Signed: -Status: -Name: sfdrv01.sysImage Path: sfdrv01.sysAddress: 0xF81DE000 Size: 73728 File Visible: - Signed: -Status: -Name: sfhlp02.sysImage Path: sfhlp02.sysAddress: 0xF8737000 Size: 32768 File Visible: - Signed: -Status: -Name: sfvfs02.sysImage Path: sfvfs02.sysAddress: 0xF81F0000 Size: 77824 File Visible: - Signed: -Status: -Name: SISAGPX.sysImage Path: SISAGPX.sysAddress: 0xF84FF000 Size: 36608 File Visible: - Signed: -Status: -Name: splitter.sysImage Path: C:\WINDOWS\system32\drivers\splitter.sysAddress: 0xF8A1D000 Size: 6272 File Visible: - Signed: -Status: -Name: sptd.sysImage Path: sptd.sysAddress: 0xF83A7000 Size: 880640 File Visible: - Signed: -Status: -Name: sr.sysImage Path: sr.sysAddress: 0xF82E7000 Size: 73472 File Visible: - Signed: -Status: -Name: srv.sysImage Path: C:\WINDOWS\System32\DRIVERS\srv.sysAddress: 0xBA0A9000 Size: 333952 File Visible: - Signed: -Status: -Name: srvkp.sysImage Path: C:\WINDOWS\System32\DRIVERS\srvkp.sysAddress: 0xF518D000 Size: 10624 File Visible: - Signed: -Status: -Name: sunkfilt.sysImage Path: C:\WINDOWS\System32\Drivers\sunkfilt.sysAddress: 0xF878F000 Size: 27488 File Visible: - Signed: -Status: -Name: swenum.sysImage Path: C:\WINDOWS\System32\DRIVERS\swenum.sysAddress: 0xF89D5000 Size: 4352 File Visible: - Signed: -Status: -Name: swmidi.sysImage Path: C:\WINDOWS\system32\drivers\swmidi.sysAddress: 0xF7C69000 Size: 56576 File Visible: - Signed: -Status: -Name: SYMEVENT.SYSImage Path: C:\Program Files\Symantec\SYMEVENT.SYSAddress: 0xF4FE2000 Size: 117952 File Visible: - Signed: -Status: -Name: SYMTDI.SYSImage Path: C:\WINDOWS\System32\Drivers\SYMTDI.SYSAddress: 0xF4FFF000 Size: 261536 File Visible: - Signed: -Status: -Name: sysaudio.sysImage Path: C:\WINDOWS\system32\drivers\sysaudio.sysAddress: 0xBA019000 Size: 60800 File Visible: - Signed: -Status: -Name: tcpip.sysImage Path: C:\WINDOWS\System32\DRIVERS\tcpip.sysAddress: 0xF5080000 Size: 361600 File Visible: - Signed: -Status: -Name: TDI.SYSImage Path: C:\WINDOWS\System32\DRIVERS\TDI.SYSAddress: 0xF888F000 Size: 20480 File Visible: - Signed: -Status: -Name: termdd.sysImage Path: C:\WINDOWS\System32\DRIVERS\termdd.sysAddress: 0xF86AF000 Size: 40704 File Visible: - Signed: -Status: -Name: update.sysImage Path: C:\WINDOWS\System32\DRIVERS\update.sysAddress: 0xF73A2000 Size: 384768 File Visible: - Signed: -Status: -Name: USBD.SYSImage Path: C:\WINDOWS\system32\drivers\USBD.SYSAddress: 0xF89A3000 Size: 8192 File Visible: - Signed: -Status: -Name: usbehci.sysImage Path: C:\WINDOWS\System32\DRIVERS\usbehci.sysAddress: 0xF887F000 Size: 30208 File Visible: - Signed: -Status: -Name: usbhub.sysImage Path: C:\WINDOWS\System32\DRIVERS\usbhub.sysAddress: 0xF86CF000 Size: 59520 File Visible: - Signed: -Status: -Name: usbohci.sysImage Path: C:\WINDOWS\System32\DRIVERS\usbohci.sysAddress: 0xF8877000 Size: 17152 File Visible: - Signed: -Status: -Name: USBPORT.SYSImage Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYSAddress: 0xF7BC1000 Size: 147456 File Visible: - Signed: -Status: -Name: USBSTOR.SYSImage Path: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYSAddress: 0xF8797000 Size: 26368 File Visible: - Signed: -Status: -Name: vga.sysImage Path: C:\WINDOWS\System32\drivers\vga.sysAddress: 0xF8777000 Size: 20992 File Visible: - Signed: -Status: -Name: viaagp1.sysImage Path: viaagp1.sysAddress: 0xF872F000 Size: 26880 File Visible: - Signed: -Status: -Name: VIDEOPRT.SYSImage Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYSAddress: 0xF74D7000 Size: 81920 File Visible: - Signed: -Status: -Name: VolSnap.sysImage Path: VolSnap.sysAddress: 0xF84BF000 Size: 52352 File Visible: - Signed: -Status: -Name: wanarp.sysImage Path: C:\WINDOWS\System32\DRIVERS\wanarp.sysAddress: 0xF7C89000 Size: 34560 File Visible: - Signed: -Status: -Name: watchdog.sysImage Path: C:\WINDOWS\System32\watchdog.sysAddress: 0xF87C7000 Size: 20480 File Visible: - Signed: -Status: -Name: wdmaud.sysImage Path: C:\WINDOWS\system32\drivers\wdmaud.sysAddress: 0xB9AB3000 Size: 83072 File Visible: - Signed: -Status: -Name: Win32kImage Path: \Driver\Win32kAddress: 0xBF800000 Size: 1847296 File Visible: - Signed: -Status: -Name: win32k.sysImage Path: C:\WINDOWS\System32\win32k.sysAddress: 0xBF800000 Size: 1847296 File Visible: - Signed: -Status: -Name: WMILIB.SYSImage Path: C:\WINDOWS\System32\Drivers\WMILIB.SYSAddress: 0xF89A1000 Size: 8192 File Visible: - Signed: -Status: -Name: WMIxWDMImage Path: \Driver\WMIxWDMAddress: 0x804D7000 Size: 2189056 File Visible: - Signed: -Status: -Name: ws2ifsl.sysImage Path: C:\WINDOWS\System32\drivers\ws2ifsl.sysAddress: 0xF5191000 Size: 12032 File Visible: - Signed: -Status: -Name: WudfPf.sysImage Path: WudfPf.sysAddress: 0xF82BD000 Size: 77568 File Visible: - Signed: -Status: -----------------------------------------------------Malwarebytes' Anti-Malware 1.39Database version: 2524Windows 5.1.2600 Service Pack 37/28/2009 5:32:57 PMmbam-log-2009-07-28 (17-32-57).txtScan type: Quick ScanObjects scanned: 108686Time elapsed: 8 minute(s), 40 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:D:\autorun.inf (Worm.Agent.H) -> Quarantined and deleted successfully.C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot. Link to post Share on other sites More sharing options...
Kenny94 Posted July 29, 2009 ID:103767 Share Posted July 29, 2009 I assumed that it had fixed that and maybe the problem was something it didn't detect. I ran a scan and found 2 problems (there was no D:\autorun.inf Worm.Agent.H) . I tried using malwarebytes in safe mode and got the same result. When I scanned again on reboot. (the most current log, that I posted here) there were 3 again (D:\autorun.inf Worm.Agent.H had returned).Yeah, I was afraid of this takethembowling. That is why I wanted you to run Malwarebytes again. Well, lets see what ComboFix shows us...Download ComboFix from one of these locations:Link 1Link 2Link 3**Note: It is important that it is saved directly to your desktop** -------------------------------------------------------------------- With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Go to Microsoft's website => http://support.microsoft.com/kb/310994Select the download that's appropriate for your Operating SystemDownload the file & save it as it's originally named. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.Please note once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. Drag the setup package onto ComboFix.exe and drop it.Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.At the next prompt, click 'Yes' to run the full ComboFix scan.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt in your next reply.Note:If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode." Link to post Share on other sites More sharing options...
takethembowling Posted July 29, 2009 Author ID:104077 Share Posted July 29, 2009 I'm having trouble getting combofix to run. When I drag and drop the windows recovery setup onto the combofix icon a window appears saying "Open File - Security Warning, The publisher could not be verified are you sure you want to run this software? |Run| or |Cancel|" That is nothing unusual, it displays a similar warning when I run/install other programs. So I click run but then nothing happens. I tried in safe mode and the same thing. I turned off AVG and windows firewall. Did I miss something? Also when I booted in safe mode I noticed iexplorer was running in taskmanager but I turned it off before trying combofix. Link to post Share on other sites More sharing options...
Kenny94 Posted July 29, 2009 ID:104080 Share Posted July 29, 2009 Lets rename ComboFix and skip the "install the Microsoft Windows Recovery Console" if you have done so already....Delete the copy of ComboFix you have & download it again from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):Link 1Link 2**IMPORTANT !!! RENAME ComboFix.exe to Commy.exe BEFORE you save it to your Desktop**Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsA guide to do this can be found hereDouble click on ComboFix.exe & follow the promptsAs part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malwareFollow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply Link to post Share on other sites More sharing options...
takethembowling Posted July 29, 2009 Author ID:104126 Share Posted July 29, 2009 Here is the combofix log. It also asked me to write down several file names during the initial scan that had to do with rootkit activity so I have those if you need them.ComboFix 09-07-29.03 - Owner 07/29/2009 16:18.1.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.193 [GMT -7:00]Running from: c:\documents and settings\Owner\Desktop\Commy.exeCommand switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exeAV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.datc:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.datc:\progra~1\COMMON~1\{3C44B~1c:\progra~1\COMMON~1\{6C44B~1c:\program files\Common Files\SLMSSc:\recycler\S-1-5-21-1915603095-2777713432-2000865000-1003c:\recycler\S-1-5-21-2795692431-2410440851-3507117092-1003c:\windows\cdmxtrasc:\windows\Fonts\acrsec.fonc:\windows\Install.txtc:\windows\Installer\1018a3.msic:\windows\Installer\1018aa.msic:\windows\Installer\11691f.msic:\windows\Installer\128cb.msic:\windows\Installer\12b892.msic:\windows\Installer\14d23b.msic:\windows\Installer\14d243.msic:\windows\Installer\1fb14.mspc:\windows\Installer\1fb52.mspc:\windows\Installer\1fb8a.msic:\windows\Installer\233b13.msic:\windows\Installer\24eba88.msic:\windows\Installer\25c226.msic:\windows\Installer\2609df.msic:\windows\Installer\27d3a6.msic:\windows\Installer\2921ff.msic:\windows\Installer\39468e.msic:\windows\Installer\3b7567.msic:\windows\Installer\3dae14.msic:\windows\Installer\400615.msic:\windows\Installer\45a5ca.msic:\windows\Installer\47abcc.msic:\windows\Installer\47abd2.msic:\windows\Installer\486e09.msic:\windows\Installer\5efa5.msic:\windows\Installer\704aae.msic:\windows\Installer\704ab9.msic:\windows\Installer\786cc.msic:\windows\Installer\8333aa.msic:\windows\Installer\a28c8.msic:\windows\Installer\aaf779.msic:\windows\Installer\aaf77c.msic:\windows\Installer\b08855.msic:\windows\Installer\b4cf46.msic:\windows\Installer\b73b7b.msic:\windows\Installer\b73b81.msic:\windows\Installer\b73b87.msic:\windows\Installer\b73b8d.msic:\windows\Installer\b73b93.msic:\windows\Installer\b7e4a.msic:\windows\Installer\bb6df.msic:\windows\Installer\c1117c.msic:\windows\patch.exec:\windows\Readme.txtc:\windows\smbols~1c:\windows\system32\drivers\TDSSserv.sysc:\windows\system32\drivers\UACqyisdhpbcbkssqcfr.sysc:\windows\system32\iAlmcoin.dllc:\windows\system32\Install.txtc:\windows\system32\skinboxer43.dllc:\windows\system32\sklh.datc:\windows\system32\uacinit.dllc:\windows\system32\UACjmjpjmpqdgwcndmgj.dllc:\windows\system32\UACkjlwkktcvonyrudvq.dllc:\windows\system32\UAClxbfpxvgbvfuvtmvr.datc:\windows\system32\UACmstsfvmydbawqibip.dbc:\windows\system32\UACpqjpibeexevnftiob.dllc:\windows\system32\UACqiuoeuidrtkjtutub.dllc:\windows\system32\UACvwauwbparrpiewmoe.dllc:\windows\system32\vimc.exeD:\Autorun.inf----- BITS: Possible infected sites -----hxxp://download.linksys.com.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Service_TDSSSERV-------\Service_UACd.sys-------\Legacy_RPCTFTPD((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 ))))))))))))))))))))))))))))))).2009-07-28 23:04 . 2009-07-28 23:11 15 ----a-w- C:\settings.dat2009-07-28 23:03 . 2009-07-28 16:14 471040 ----a-w- C:\RootRepeal.exe2009-07-28 23:02 . 2009-07-28 23:02 463738 ----a-w- C:\RootRepeal.zip2009-07-28 21:08 . 2009-07-28 21:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage2009-07-28 18:00 . 2009-07-28 18:04 -------- d-----w- C:\HostsXpert2009-07-28 17:59 . 2009-07-28 17:59 353485 ----a-w- C:\HostsXpert.zip2009-07-27 19:08 . 2009-07-27 19:08 -------- d-----w- c:\program files\Trend Micro2009-07-23 08:15 . 2009-07-23 08:15 -------- d-----w- c:\program files\Eusing Free Registry Cleaner2009-07-23 07:46 . 2009-07-24 18:16 -------- d-----w- c:\program files\SpybotX - Search&Destroy2009-07-22 20:55 . 2009-07-22 20:55 -------- d-----w- c:\documents and settings\Administrator.FAMILY-COMPUTER\Application Data\Malwarebytes2009-07-22 06:09 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-07-22 06:09 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys2009-07-22 06:09 . 2009-07-22 06:10 -------- d-----w- c:\program files\Kyle's Anti-Malware2009-07-21 23:24 . 2009-07-21 23:24 -------- d-----w- c:\program files\CCleaner2009-07-21 21:23 . 2009-07-21 21:23 604416 ----a-w- c:\windows\system32\TUProgSt.exe2009-07-21 21:23 . 2009-04-27 21:21 28928 ----a-w- c:\windows\system32\uxtuneup.dll2009-07-21 21:23 . 2009-07-21 21:23 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe2009-07-21 21:22 . 2009-07-21 21:24 -------- d-----w- c:\program files\TuneUp Utilities 20092009-07-21 21:22 . 2009-07-21 21:22 -------- d-sh--w- c:\docume~1\ALLUSE~1\APPLIC~1\{55A29068-F2CE-456C-9148-C869879E2357}2009-07-10 05:20 . 2009-07-18 00:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FLVService2009-07-10 05:20 . 2009-07-10 05:20 -------- d-----w- c:\windows\Ask & Record Toolbar.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-07-29 22:49 . 2009-05-14 04:12 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg82009-07-28 20:59 . 2009-01-15 01:00 410984 ----a-w- c:\windows\system32\deploytk.dll2009-07-28 20:46 . 2003-08-29 03:15 -------- d-----w- c:\program files\Common Files\Symantec Shared2009-07-28 20:29 . 2003-08-29 03:16 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec2009-07-28 20:26 . 2004-07-23 08:17 -------- d-----w- c:\program files\Common Files\Java2009-07-28 20:26 . 2003-11-03 03:19 -------- d-----w- c:\program files\Java2009-07-28 20:04 . 2008-04-17 02:44 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent2009-07-28 18:36 . 2006-12-27 22:06 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP2009-07-28 18:11 . 2007-01-28 05:53 -------- d-----w- c:\program files\eMulePlus2009-07-24 18:16 . 2003-12-20 22:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy2009-07-23 17:36 . 2003-12-20 22:42 -------- d-----w- c:\program files\Spybot - Search & Destroy2009-07-21 22:15 . 2008-11-11 04:12 -------- d-----w- c:\program files\Microsoft Silverlight2009-07-17 18:44 . 2009-05-14 04:12 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys2009-07-10 06:27 . 2009-04-20 07:29 -------- d-----w- c:\program files\Media Catcher2009-07-10 06:24 . 2009-04-20 07:30 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL2009-06-28 22:38 . 2009-06-28 15:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar2009-06-28 15:42 . 2009-06-28 15:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR2009-06-28 15:42 . 2009-05-14 04:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll2009-06-28 15:42 . 2009-05-14 04:12 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys2009-06-26 16:50 . 2005-06-18 07:49 666624 ----a-w- c:\windows\system32\wininet.dll2009-06-26 16:50 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll2009-06-25 21:02 . 2008-08-24 05:01 -------- d-----w- c:\program files\MediaMonkey2009-06-16 14:36 . 2003-08-08 16:18 81920 ----a-w- c:\windows\system32\fontsub.dll2009-06-16 14:36 . 2003-08-08 15:35 119808 ----a-w- c:\windows\system32\t2embed.dll2009-06-06 19:39 . 2009-04-18 00:23 -------- d-----w- c:\program files\Common Files\DivX Shared2009-06-06 19:11 . 2006-07-23 17:57 -------- d-----w- c:\program files\DivX2009-06-06 04:54 . 2003-12-06 04:44 -------- d-----w- c:\program files\Roms2009-06-03 19:09 . 2005-08-30 17:14 1291264 ----a-w- c:\windows\system32\quartz.dll2009-05-21 22:25 . 2009-04-20 07:31 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe2009-05-21 22:25 . 2009-04-20 07:31 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll2009-05-14 04:12 . 2009-05-14 04:12 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys2009-05-07 15:32 . 2003-08-08 16:23 345600 ----a-w- c:\windows\system32\localspl.dll2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll2004-10-20 03:30 . 2004-10-20 03:23 8603976 ----a-w- c:\program files\gcsp20.exe2004-08-20 02:56 . 2004-08-20 05:20 4918 ----a-w- c:\program files\DoomConfig.cfg2002-03-23 01:50 . 2004-11-17 05:36 2061 -c--a-w- c:\program files\readme.txt1997-04-09 00:41 . 2004-09-11 20:28 3934 -c--a-w- c:\program files\LICINFO.TXT2009-07-22 03:04 . 2008-08-27 19:16 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896][HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}][HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]2009-06-26 17:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896][HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}][HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896][HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-24 7696384]"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-22 451896]"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-24 86016]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-28 148888]c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\AutoTBar.exe [2003-6-18 53248]mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]c:\documents and settings\Administrator\Start Menu\Programs\Startup\mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]c:\documents and settings\Administrator.FAMILY-COMPUTER\Start Menu\Programs\Startup\AutoTBar.exe [2003-6-18 53248]mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]c:\documents and settings\Default User\Start Menu\Programs\Startup\AutoTBar.exe [2003-6-18 53248]mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]HP Photosmart Premier Fast Start.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"HideShutdownScripts"= 0 (0x0)[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]"NoVisualStyleChoice"= 0 (0x0)"NoColorChoice"= 0 (0x0)"NoSizeChoice"= 0 (0x0)"HideLogonScripts"= 0 (0x0)[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]"NoWelcomeScreen"= 0 (0x0)"NoHelp"= 0 (0x0)"NoViewOnDrive"= 0 (0x0)[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoChangeAnimation"= 0 (0x0)"RestrictCpl"= 0 (0x0)"DisallowCpl"= 0 (0x0)"NoViewOnDrive"= 0 (0x0)"RestrictRun"= 0 (0x0)"NoRecycleFiles"= 0 (0x0)"ForceRecycleBinSize"= 0 (0x0)"NoCustomizeWebView"= 0 (0x0)"NoFileAssociate"= 0 (0x0)"NoDFSTab"= 0 (0x0)"NoCustomizeThisFolder"= 0 (0x0)"NoWebView"= 0 (0x0)"DontShowSuperHidden"= 0 (0x0)"NoOnlinePrintsWizard"= 0 (0x0)"NoPublishingWizard"= 0 (0x0)"NoSMConfigurePrograms"= 0 (0x0)"NoSMMyPictures"= 0 (0x0)"NoStartMenuMyMusic"= 0 (0x0)"NoHelp"= 0 (0x0)"NoCommonGroups"= 0 (0x0)"NoStartMenuEjectPC"= 0 (0x0)"NoSimpleStartMenu"= 0 (0x0)"NoStartMenuSubFolders"= 0 (0x0)"NoDisconnect"= 0 (0x0)"NoNtSecurity"= 0 (0x0)"GreyMSIAds"= 0 (0x0)"ForceMaxRecentDocs"= 0 (0x0)"NoSMBalloonTip"= 0 (0x0)"NoSMBalloonTips"= 0 (0x0)"NoTaskGrouping"= 0 (0x0)"NoWebServices"= 0 (0x0)"NoFileUrl"= 0 (0x0)"NoExpandedNewMenu"= 0 (0x0)"SpecifyDefaultButtons"= 0 (0x0)"NoRecentDocsNetHood"= 0 (0x0)"PromptRunasInstallNetPath"= 1 (0x1)"NoResolveTrack"= 0 (0x0)"NoDevMgrUpdate"= 0 (0x0)"NoThumbnailCache"= 0 (0x0)"ForceCopyAclwithFile"= 0 (0x0)"StartRunNoHOMEPATH"= 0 (0x0)[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoThemesTab"= 0 (0x0)"NoChangeAnimation"= 0 (0x0)"RestrictCpl"= 0 (0x0)"DisallowCpl"= 0 (0x0)"NoViewOnDrive"= 0 (0x0)"RestrictRun"= 0 (0x0)"DisallowRun"= 0 (0x0)"NoRecycleFiles"= 0 (0x0)"ForceRecycleBinSize"= 0 (0x0)"NoCustomizeWebView"= 0 (0x0)"NoFileAssociate"= 0 (0x0)"NoDFSTab"= 0 (0x0)"NoCustomizeThisFolder"= 0 (0x0)"NoWebView"= 0 (0x0)"DontShowSuperHidden"= 0 (0x0)"NoOnlinePrintsWizard"= 0 (0x0)"NoPublishingWizard"= 0 (0x0)"NoSMConfigurePrograms"= 0 (0x0)"NoSMMyPictures"= 0 (0x0)"NoStartMenuMyMusic"= 0 (0x0)"NoHelp"= 0 (0x0)"NoCommonGroups"= 0 (0x0)"NoStartMenuEjectPC"= 0 (0x0)"NoSimpleStartMenu"= 0 (0x0)"NoStartMenuSubFolders"= 0 (0x0)"NoDisconnect"= 0 (0x0)"NoNtSecurity"= 0 (0x0)"GreyMSIAds"= 0 (0x0)"ForceMaxRecentDocs"= 0 (0x0)"NoSMBalloonTip"= 0 (0x0)"NoSMBalloonTips"= 0 (0x0)"HideClock"= 0 (0x0)"NoTaskGrouping"= 0 (0x0)"NoWebServices"= 0 (0x0)"NoFileUrl"= 0 (0x0)"NoExpandedNewMenu"= 0 (0x0)"SpecifyDefaultButtons"= 0 (0x0)"NoRecentDocsNetHood"= 0 (0x0)"PromptRunasInstallNetPath"= 1 (0x1)"NoResolveTrack"= 0 (0x0)"NoDevMgrUpdate"= 0 (0x0)"NoThumbnailCache"= 0 (0x0)"ForceCopyAclwithFile"= 0 (0x0)"StartRunNoHOMEPATH"= 0 (0x0)[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]2009-06-28 15:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]@=""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]@=""[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnkbackup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msmsgs.exe][HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]backup=c:\windows\pss\Updates from HP.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]backup=c:\windows\pss\Adobe Gamma.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]backup=c:\windows\pss\spamsubtract.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"Messenger"=3 (0x3)"BITS"=2 (0x2)"Fax"=3 (0x3)"SNDSrvc"=3 (0x3)"ccPwdSvc"=3 (0x3)"ccEvtMgr"=3 (0x3)"Adobe LM Service"=3 (0x3)"iPodService"=3 (0x3)"avast! Web Scanner"=3 (0x3)"avast! Mail Scanner"=3 (0x3)"avast! Antivirus"=2 (0x2)"aswUpdSv"=2 (0x2)"AVGEMS"=2 (0x2)"Avg7UpdSvc"=2 (0x2)"Avg7Alrt"=2 (0x2)"VSS"=3 (0x3)"Schedule"=2 (0x2)"IDriverT"=3 (0x3)"WMPNetworkSvc"=3 (0x3)"TUWinStylerThemeSvc"=3 (0x3)"CachemanXPService"=3 (0x3)"iPod Service"=3 (0x3)"AresChatServer"=3 (0x3)"usnjsvc"=3 (0x3)"Client IP-IPX"=2 (0x2)"Apple Mobile Device"=2 (0x2)"Bonjour Service"=2 (0x2)"PnkBstrA"=2 (0x2)"Creative Service for CDROM Access"=2 (0x2)"JavaQuickStarterService"=2 (0x2)"navapsvc"=2 (0x2)[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"nwiz"=nwiz.exe /install[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Google\\Google Video Player\\GoogleVideoPlayer.exe"="c:\\WINDOWS\\system32\\ftp.exe"="c:\\Program Files\\Ares\\Ares.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\TrackMania Sunrise\\TmSunrise.exe"="c:\\Documents and Settings\\Owner\\My Documents\\LimeWire\\LimeWire.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Mozilla Firefox\\firefox.exe"="c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"="c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"="c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="c:\\Program Files\\AVG\\AVG8\\avgui.exe"="c:\\Program Files\\AVG\\AVG8\\avgtray.exe"="c:\\Program Files\\AVG\\AVG8\\avgupd.exe"="c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="c:\\Program Files\\AVG\\AVG8\\avgemc.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\Media Catcher\\MediaCatcher.exe"="c:\\WINDOWS\\system32\\javaw.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"4662:TCP"= 4662:TCP:eMule"4672:UDP"= 4672:UDP:eMule"4663:TCP"= 4663:TCP:eMule2"4673:UDP"= 4673:UDP:eMule22"67:UDP"= 67:UDP:DHCP Discovery Service[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]"AllowInboundEchoRequest"= 1 (0x1)R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/13/2009 9:12 PM 335752]R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/13/2009 9:12 PM 108552]R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/13/2009 9:12 PM 907032]R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/13/2009 9:12 PM 298776]S2 mrtRate;mrtRate; [x]S3 pohci13F;pohci13F;\??\c:\docume~1\Owner\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\Owner\LOCALS~1\Temp\pohci13F.sys [?]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcsUxTuneUp.- - - - ORPHANS REMOVED - - - -HKLM-Run-BHR - c:\program files\Browser Hijack Retaliator 4.5\BHR.exe.------- Supplementary Scan -------.uStart Page = hxxp://www.netscape.com/uDefault_Search_URL = hxxp://srch-ca9.hpwis.com/mStart Page = hxxp://ca9.hpwis.com/mSearch Bar = hxxp://srch-ca9.hpwis.com/uInternet Connection Wizard,ShellNext = iexploreuInternet Settings,ProxyOverride = localhost;*.localLSP: SpSubLSP.dllDPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cabDPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cabFF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\oxkf16ee.default\FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=FF - prefs.js: browser.search.selectedEngine - Yahoo! SearchFF - prefs.js: browser.startup.homepage - www.netscape.comFF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dllFF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dllFF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dllFF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dllFF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll---- FIREFOX POLICIES ----FF - user.js: general.useragent.extra.zencast - .**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-07-29 16:33Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d, bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(784)c:\program files\Softex\OmniPass\opxpgina.dll- - - - - - - > 'lsass.exe'(844)c:\windows\system32\SpSubLSP.dll- - - - - - - > 'explorer.exe'(2200)c:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\program files\Java\jre6\bin\jqs.exec:\windows\system32\nvsvc32.exec:\program files\Softex\OmniPass\omniServ.exec:\windows\system32\TUProgSt.exec:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exec:\program files\AVG\AVG8\avgrsx.exec:\progra~1\AVG\AVG8\avgnsx.exec:\program files\AVG\AVG8\avgcsrvx.exec:\program files\Softex\OmniPass\OPXPApp.exec:\windows\system32\wscntfy.exec:\program files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exec:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe.**************************************************************************.Completion time: 2009-07-29 16:43 - machine was rebootedComboFix-quarantined-files.txt 2009-07-29 23:43Pre-Run: 3,607,453,696 bytes freePost-Run: 3,441,811,456 bytes free468 --- E O F --- 2009-07-28 20:41 Link to post Share on other sites More sharing options...
Kenny94 Posted July 30, 2009 ID:104191 Share Posted July 30, 2009 Here is the combofix log. It also asked me to write down several file names during the initial scan that had to do with rootkit activity so I have those if you need them.WOW! I wish all users would take there time and write down stuff.... I see them thanks!Launch Malwarebytes' Anti-MalwareIf an update is found, it will download and install the latest version.Once the program has loaded, select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.Also, please let me know how things are running now? Link to post Share on other sites More sharing options...
takethembowling Posted July 30, 2009 Author ID:104214 Share Posted July 30, 2009 I ran malwarebytes quick scan and nothing was found. I don't seen iexplorer running in the background anymore, my computer hasn't frozen or crashed since using combofix (i would know by now, it was like every 10min) and everything seems to be running smoothly. Thanks for all the help and guiding me through this process.Malwarebytes' Anti-Malware 1.39Database version: 2524Windows 5.1.2600 Service Pack 37/29/2009 6:51:41 PMmbam-log-2009-07-29 (18-51-41).txtScan type: Quick ScanObjects scanned: 108164Time elapsed: 9 minute(s), 29 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Kenny94 Posted July 30, 2009 ID:104236 Share Posted July 30, 2009 Some final items:Follow these steps to uninstall Combofix and all of its files and components. Click START then RUN Now type ComboFix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.To SET A NEW RESTORE POINT:1. Go to Start > Programs > Accessories > System Tools and click "System Restore".2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.3. Then go to Start > Run and type: Cleanmgr4. Click "OK".5. Click the "More Options" Tab.6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.Graphics for doing this are in the following links if you need them.How to Create a Restore Point.How to use Cleanmgr.Here is some useful information on keeping your computer clean:Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.Here are two great Preventive programs:SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.Surf Safe with McAfee's SiteAdisor. SiteAdisor will work with Internet Explorer and Mozilla Firefox. SiteAdisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.Red for WarningYellow for Use CautionGreen for SafeGrey for UnknownHere are the link to install SiteAdisor in Internet Explorer and FirefoxNow you should Clean up your PCHere are some additional links for you to check out to help you with your computer security. How did I get infected in the first place.Secunia software inspector & update checker It was nice working with you takethembowling.... Kenny Link to post Share on other sites More sharing options...
Recommended Posts