Syndrome Posted August 8, 2009 (ID:107446)

I used the program and there were 11 infections, but it only seems to have properly removed 9. This is my original log file from after the first scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2577
Windows 5.1.2600 Service Pack 2

8/8/2009 2:18:34 AM
mbam-log-2009-08-08 (02-18-34).txt

Scan type: Full Scan (C:\|D:\|H:\|)
Objects scanned: 218363
Time elapsed: 45 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruieekjljyq.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{1f5e0ea2-abea-44c3-95ec-2d1e721fe95e} (Adware.AdSponsor) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\hjgruieekjljyq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.

-----

And this is my log file after I, being suspicious because I still couldn't start Disk Defragmenter, scanned again:

Malwarebytes' Anti-Malware 1.40
Database version: 2577
Windows 5.1.2600 Service Pack 2

8/8/2009 3:08:30 AM
mbam-log-2009-08-08 (03-08-30).txt

Scan type: Full Scan (C:\|D:\|H:\|)
Objects scanned: 4218
Time elapsed: 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruieekjljyq.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruieekjljyq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

Despite what it says about being successfully removed, the 2 files in the second scan are still appearing, even though they're quarantined (supposedly).

Help would be very much appreciated.
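Added example (not part of the thread, and not Malwarebytes' own code): a small parser for MBAM log entries of the shape shown above, run over abbreviated excerpts of the two logs in this post. It reports items that recur between the two scans (the removal did not stick), modules MBAM could only name through the NT object-namespace path \\?\globalroot\... (seen via the kernel rather than a drive letter, which is how a rootkit-loaded driver usually surfaces), and Security Center *DisableNotify values flipped to 1 (the "no antivirus / no firewall" balloon warnings were silenced). The section names and line format are taken from the logs; the function names and the triage heuristics are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Abbreviated excerpts of the two MBAM logs posted above (sample input
# constructed for this example; the full logs list more registry keys).
FIRST_SCAN = r"""
Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruieekjljyq.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{1f5e0ea2-abea-44c3-95ec-2d1e721fe95e} (Adware.AdSponsor) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\hjgruieekjljyq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
"""

SECOND_SCAN = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruieekjljyq.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruieekjljyq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class Finding:
    section: str  # e.g. "Memory Modules Infected"
    item: str     # path or registry key exactly as MBAM printed it
    family: str   # detection name, e.g. "Trojan.TDSS"
    action: str   # what MBAM says it did (trailing period stripped)


# "Memory Modules Infected:" with nothing after the colon opens a section;
# the summary lines ("... Infected: 1") do not match because of the count.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+Infected):$")
# "<item> (<Family.Name>) -> <action>."  The family must be letters/dots, so
# the "(1)" in "Bad: (1) Good: (0)" cannot be mistaken for it.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z.]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> list[Finding]:
    findings: list[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            findings.append(Finding(section, m["item"], m["family"], m["action"]))
    return findings


def recurring(first: list[Finding], second: list[Finding]) -> list[Finding]:
    """Items reported as handled in the first scan that are back in the second:
    the removal did not stick (here a TDSS module re-arms before the
    'Delete on reboot' can happen)."""
    seen = {(f.section, f.item) for f in first}
    return [f for f in second if (f.section, f.item) in seen]


def device_namespace_paths(findings: list[Finding]) -> list[Finding]:
    r"""Items named through \\?\globalroot\... rather than a drive letter:
    MBAM reached the module via the object namespace, not the file system."""
    return [f for f in findings if f.item.lower().startswith(r"\\?\globalroot")]


def security_center_tampering(findings: list[Finding]) -> list[Finding]:
    """Security Center *DisableNotify data items that MBAM found set to 1."""
    return [f for f in findings
            if "security center" in f.item.lower() and "Bad: (1)" in f.action]


def triage(first_log: str, second_log: str) -> dict:
    first, second = parse_mbam_log(first_log), parse_mbam_log(second_log)
    return {
        "first_scan_items": len(first),
        "second_scan_items": len(second),
        "recurring": sorted({f.item for f in recurring(first, second)}),
        "globalroot": sorted({f.item for f in device_namespace_paths(first + second)}),
        "security_center": sorted(f.item.rsplit("\\", 1)[-1]
                                  for f in security_center_tampering(first)),
    }


if __name__ == "__main__":
    for key, value in triage(FIRST_SCAN, SECOND_SCAN).items():
        print(f"{key}: {value}")
```

Run as-is, the one recurring item is the hjgruieekjljyq.dll module, which is exactly the symptom the post describes: "Quarantined and deleted successfully" in the log is the scanner's view of its own action, not proof that a driver living below the file system is gone, so a second scan straight after the reboot is the check worth making.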
miekiemoes (Staff) Posted August 10, 2009 (ID:108331)

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Syndrome (Author) Posted August 10, 2009 (ID:108451)

Alright, thanks, here's the log:

ComboFix 09-08-10.01 - Owner 08/10/2009 17:16.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.469 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-3286318163-864645977-3896978577-500
c:\windows\system32\Cache
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_hjgruioijirkcx
-------\Legacy_hjgruioijirkcx
.
((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.
2009-08-09 07:28 . 2009-08-09 07:28 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-09 06:28 . 2009-08-09 06:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-09 03:47 . 2009-08-09 03:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\Malwarebytes
2009-08-08 05:29 . 2009-08-08 05:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-08 05:29 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 05:29 . 2009-08-08 06:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 05:29 . 2009-08-08 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-08 05:29 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 03:33 . 2009-08-08 03:38 -------- d-----w- c:\documents and settings\Owner\.jnlp-applet
2009-08-05 21:09 . 2009-08-05 21:09 -------- d-----w- c:\program files\MSSOAP
2009-08-05 21:09 . 2009-08-05 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-08-05 21:09 . 2009-08-05 21:09 -------- d-----w- c:\program files\Webroot
2009-08-05 21:09 . 2009-08-05 21:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Webroot
2009-08-05 21:09 . 2009-05-13 19:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-08-05 21:07 . 2009-08-05 21:07 164 ----a-w- c:\windows\install.dat
2009-08-05 20:44 . 2009-04-28 01:20 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-08-05 20:36 . 2009-08-05 20:36 -------- d-----w- C:\cabs
2009-08-05 20:28 . 2009-08-05 20:28 -------- d-----w- C:\NVIDIA
2009-08-05 20:05 . 2009-08-05 20:05 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PC_Drivers_Headquarters
2009-08-05 20:04 . 2009-08-05 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-08-05 20:04 . 2009-08-05 20:04 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-08-05 04:19 . 2009-08-05 04:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Nero
2009-08-05 04:17 . 2009-08-05 04:18 -------- d-----w- c:\program files\Nero
2009-08-05 04:17 . 2009-08-05 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-05 04:16 . 2009-08-05 04:18 -------- d-----w- c:\program files\Common Files\Nero
2009-08-04 03:17 . 2009-08-04 03:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Participatory Culture Foundation
2009-07-23 02:37 . 2009-07-23 02:37 8854 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2009-07-23 02:37 . 2009-07-23 02:37 40960 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2009-07-23 02:37 . 2009-07-23 02:37 40960 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-07-23 02:37 . 2009-07-25 07:37 -------- d-----w- c:\program files\Project64 1.6
2009-07-21 05:23 . 2009-07-21 05:23 -------- d-----w- c:\program files\mlt
2009-07-21 05:23 . 2009-07-21 05:23 -------- d-----w- c:\program files\gtk2
2009-07-21 05:22 . 2009-07-21 05:22 86016 ----a-w- c:\windows\system32\OpenAL32.dll
2009-07-21 05:22 . 2009-07-21 05:22 262144 ----a-w- c:\windows\system32\wrap_oal.dll
2009-07-21 05:22 . 2009-07-21 05:22 -------- d-----w- c:\program files\OpenLibraries
2009-07-19 05:16 . 2009-07-19 05:16 -------- d-----w- c:\documents and settings\Owner\Application Data\Sibelius Software
2009-07-19 05:14 . 2009-07-19 05:14 -------- d-----w- c:\program files\Sibelius Software
2009-07-19 00:43 . 2009-07-19 00:43 -------- d-----w- c:\program files\Family Games
2009-07-17 13:28 . 2009-07-13 23:42 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-17 13:28 . 2009-07-13 23:41 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-17 13:28 . 2009-07-13 23:41 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-17 13:28 . 2009-07-13 23:41 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-17 13:28 . 2009-07-13 23:42 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-13 23:42 . 2009-07-13 23:42 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-13 23:42 . 2009-07-13 23:42 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-13 23:42 . 2009-08-10 12:41 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-13 23:41 . 2009-07-13 23:41 -------- d-----w- c:\program files\AVG
2009-07-13 23:41 . 2009-07-13 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-13 21:22 . 2009-07-13 21:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-07-12 05:20 . 2009-07-12 05:22 -------- d-----w- c:\program files\Musical Instrument Simulator_Mapper
2009-07-12 05:19 . 2009-07-12 05:19 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-12 05:19 . 2009-07-12 05:19 249856 ------w- c:\windows\Setup1.exe
2009-07-12 04:07 . 2009-07-12 04:07 -------- d-----w- c:\program files\NoteAttack
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 20:46 . 2008-09-12 03:43 -------- d-----w- c:\program files\ATI Technologies
2009-08-05 05:55 . 2006-12-09 04:50 -------- d-----w- c:\program files\LucasArts
2009-07-21 05:24 . 2006-08-19 07:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-19 05:16 . 2006-06-19 04:25 59704 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 13:28 . 2009-07-13 23:42 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-14 12:31 . 2009-07-14 12:31 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-13 23:42 . 2009-07-13 23:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-13 23:42 . 2009-07-17 13:28 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-13 23:42 . 2009-07-17 13:28 1107224 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgssie.dll
2009-07-13 23:41 . 2009-07-17 13:28 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-13 23:41 . 2009-07-17 13:28 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-13 23:41 . 2009-07-17 13:28 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-07-13 23:41 . 2009-07-17 13:27 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-13 23:41 . 2009-07-17 13:27 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-06 14:50 . 2006-12-12 13:53 1 ----a-w- c:\windows\system32\ai2drv.dat
2009-07-06 03:34 . 2009-07-06 03:04 -------- d-----w- c:\program files\Audacity
2009-07-05 22:49 . 2006-08-19 07:50 -------- d-----w- c:\program files\Google
2009-07-05 22:44 . 2009-07-05 21:19 -------- d-----w- c:\program files\a-squared Free
2009-07-05 20:11 . 2008-12-25 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-05 19:41 . 2006-08-19 08:04 -------- d-----w- c:\program files\BigFix
2009-07-05 19:04 . 2007-04-03 20:08 -------- d-----w- c:\program files\wings3d_0.98.36
2009-07-01 04:21 . 2009-07-01 04:21 -------- d-----w- c:\documents and settings\Owner\Application Data\NCH Software
2009-07-01 04:21 . 2009-07-01 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-07-01 04:21 . 2008-11-27 15:54 -------- d-----w- c:\program files\NCH Software
2009-06-27 22:34 . 2008-06-13 19:27 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
2009-06-19 21:57 . 2008-12-21 08:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-19 21:52 . 2008-12-25 19:09 -------- d-----w- c:\program files\iTunes
2009-06-13 05:16 . 2008-07-04 05:25 6426 -c--a-w- c:\program files\config.xml
2009-06-13 05:16 . 2008-07-04 05:48 1387 -c--a-w- c:\program files\session.xml
2009-06-13 05:16 . 2008-06-14 20:21 1854 -c--a-w- c:\program files\shortcuts.xml
2009-06-13 00:39 . 2008-07-04 04:10 -------- d-----w- c:\program files\Python
2009-06-13 13:29 . 2009-06-13 13:29 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-06-13 13:29 . 2009-06-13 13:29 184208 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-06-13 13:29 . 2009-06-13 13:29 99216 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-06-18 17:16 . 2009-06-18 17:16 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-06-18 17:36 . 2009-06-18 17:36 108272 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-05-13 19:34 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 169984]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-08-19 26112]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-13 1948440]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
OZ_ZQ-590A Synchronization Software.lnk - c:\program files\SHARP\OZ_ZQ-590A\sync.exe [2008-5-26 655360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-13 23:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [12/12/2006 9:53 AM 7296]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/13/2009 7:42 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/13/2009 7:42 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/13/2009 7:41 PM 298776]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [8/5/2009 5:10 PM 1205760]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\Owner\LOCALS~1\Temp\{1735AD57-FD6E-4EB5-A276-56C2574D6412}\atiicdxx.sys --> c:\docume~1\Owner\LOCALS~1\Temp\{1735AD57-FD6E-4EB5-A276-56C2574D6412}\atiicdxx.sys [?]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\Owner\LOCALS~1\Temp\gUSBSTOi.sys --> c:\docume~1\Owner\LOCALS~1\Temp\gUSBSTOi.sys [?]
S3 SPCP825K;Sunplus Serial port driver;c:\windows\system32\drivers\SPCP825K.sys [5/26/2008 12:10 PM 26624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-05 c:\windows\Tasks\wrSpySweeper_L7FFC7E3E51B3445AB8684918603AF41C.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-08-05 19:40]

2009-08-05 c:\windows\Tasks\wrSpySweeper_L7FFC7E3E51B3445AB8684918603AF41C.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-08-05 19:40]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Rosary Reminder - c:\program files\Virtual Rosary\reminder.exe
HKLM-Run-13274214 - c:\documents and settings\All Users\Application Data\13274214\13274214.exe
Notify-urqNGxVo - urqNGxVo.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\etw0f58j.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\etw0f58j.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nptgeqplugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 17:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-10 17:23
ComboFix-quarantined-files.txt 2009-08-10 21:23

Pre-Run: 169,494,208,512 bytes free
Post-Run: 169,958,285,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

238 --- E O F --- 2009-06-11 07:11
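Added example, not part of the thread and not ComboFix's own code: a triage pass over the kinds of lines ComboFix printed above, run on a constructed excerpt of that log. It pulls out drivers/services whose image lives under a Temp directory, services whose image ComboFix could not find on disk, Winlogon Notify packages given as a bare DLL name, Run entries pointing into Application Data, the firewall policy being off, and Security Center monitoring overrides. Assumptions: the line formats are copied from the log above; `[?]` in place of a date and size is read here as "file not found"; the heuristics and function names are this example's own, and an entry they flag is a review item, not a verdict (the TDSS service ComboFix removed, hjgruioijirkcx, was already gone from the Drivers/Services listing, and the two Temp drivers here are the sort of installer leftover that has to be checked by hand).

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Excerpt of the ComboFix log posted above (sample input constructed for this
# example; only the line kinds the triage looks at are included).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/13/2009 7:42 PM 335752]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\Owner\LOCALS~1\Temp\{1735AD57-FD6E-4EB5-A276-56C2574D6412}\atiicdxx.sys --> c:\docume~1\Owner\LOCALS~1\Temp\{1735AD57-FD6E-4EB5-A276-56C2574D6412}\atiicdxx.sys [?]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\Owner\LOCALS~1\Temp\gUSBSTOi.sys --> c:\docume~1\Owner\LOCALS~1\Temp\gUSBSTOi.sys [?]
S3 SPCP825K;Sunplus Serial port driver;c:\windows\system32\drivers\SPCP825K.sys [5/26/2008 12:10 PM 26624]

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Rosary Reminder - c:\program files\Virtual Rosary\reminder.exe
HKLM-Run-13274214 - c:\documents and settings\All Users\Application Data\13274214\13274214.exe
Notify-urqNGxVo - urqNGxVo.dll
"""

# "R0 name;display;image [date size]"  or  "S3 name;display;\??\image --> image [?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?: --> (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$")
# ComboFix's orphan lines: "HKLM-Run-<name> - <target>", "Notify-<name> - <dll>"
ORPHAN_RE = re.compile(r"^(?P<kind>HKLM-Run|HKCU-Run|Notify)-(?P<name>.+?) - (?P<target>.+)$")


@dataclass
class Triage:
    temp_drivers: list[str] = field(default_factory=list)      # image under a Temp dir
    missing_images: list[str] = field(default_factory=list)    # "[?]": nothing on disk
    firewall_off: bool = False                                 # EnableFirewall = 0
    monitoring_disabled: list[str] = field(default_factory=list)
    notify_dlls: list[str] = field(default_factory=list)       # bare Winlogon notify DLLs
    appdata_run: list[str] = field(default_factory=list)       # Run targets in Application Data


def triage_combofix(text: str) -> Triage:
    t = Triage()
    current_key = ""  # most recent "[...]" registry key header
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = (m["resolved"] or m["image"]).lower()
            if "\\temp\\" in image:
                t.temp_drivers.append(m["name"])
            if m["meta"] == "?":
                t.missing_images.append(m["name"])
            continue
        m = ORPHAN_RE.match(line)
        if m:
            if m["kind"] == "Notify" and "\\" not in m["target"]:
                t.notify_dlls.append(m["target"])
            elif m["kind"].endswith("Run") and "application data" in m["target"].lower():
                t.appdata_run.append(m["target"])
            continue
        key = current_key.lower()
        if key.endswith("firewallpolicy\\standardprofile") and line.startswith('"EnableFirewall"'):
            t.firewall_off = line.split("=", 1)[1].strip().startswith("0")
        elif "security center\\monitoring" in key and line.startswith('"DisableMonitoring"=dword:00000001'):
            t.monitoring_disabled.append(current_key.rsplit("\\", 1)[-1])
    return t


if __name__ == "__main__":
    print(triage_combofix(SAMPLE))
```

The Temp-path and missing-image checks are the ones that matter most for a rootkit case: a boot-start (R0/R1) service whose image cannot be found is exactly what a TDSS-style driver looks like once it hides its file, so anything that lands in both lists and is not an S3 leftover deserves a look before the machine is declared clean.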
miekiemoes (Staff) Posted August 11, 2009 (ID:108655)

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /u. Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
Syndrome (Author) Posted August 11, 2009 (ID:108660)

I uninstalled it as you instructed. I also rebooted and checked a couple of things; Disk Defragmenter is now actually starting, and running a scan with MBAM (aborting it after the period where it usually picked up the problems) revealed nothing.

Everything seems to be in order now (to my knowledge, at any rate), thanks very much for the help.
miekiemoes (Staff) Posted August 11, 2009 (ID:108665)

Glad I could help. Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
Syndrome (Author) Posted August 11, 2009 (ID:108666)

Thanks again and thanks also for the tips, I'll keep them in mind.
miekiemoes (Staff) Posted August 11, 2009 (ID:108667)

You're most welcome.
miekiemoes (Staff) Posted August 13, 2009 (ID:109521)

Since this issue appears resolved, this topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.