
Infected w/ Windows Antivirus Pro



Even a pro can be really, really stupid sometimes. I was lazy and didn't check before downloading Windows Antivirus Pro. I already have your anti-malware file on my computer but can't get it to run, even after renaming. I get runtime errors '0' and '440'. Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:51:45 AM, on 8/19/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dialupforfree.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.dialupforfree.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dialupforfree.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dialupforfree.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.dialupforfree.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dialupforfree.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dialupforfree.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avg.com/ww.download-app

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: ICQSys (IE PlugIn) - {76DC0B63-1533-4ba9-8BE8-D59EB676FA02} - C:\WINDOWS\system32\dddesot.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O16 - DPF: {642BF859-5616-4839-B474-658072B3FFC2} (Scanner Control) - http://www.smartpctools.com/free_registry_.../RegScanner.ocx

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: SureThing Labelflash service - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--

End of file - 8290 bytes


Well, that seems to have done it. I have no idea why it ran this time. Can it possibly have made a difference that I ran the setup and the .exe from the desktop this time?

I just updated my AVG anti-virus and am doing a full scan. (It wouldn't run at all before.) I'll let you know if anything still seems out of whack.

Thanks again.

rpochoda


Just downloaded a new version and renamed the setup file before running, and then renamed the .exe. It seems to be running. I'll let you know what it comes up with when finished.

rpochoda

Hello, while waiting on a response from the forum guys, I read your post and we have similar problems. How did you rename the .exe? I can't seem to figure that out. Thanks - Greg


miekiemoes,

My computer shut down in the middle of the AVG scan. I thought that perhaps AVG had been corrupted by the Antivirus Pro, so I uninstalled AVG and downloaded a new version. But before running a new scan, I thought I'd run Anti-Malware again. It found 2 registry keys infected and one file. I removed all, rebooted and ran another Quick Scan. The registry problems are gone, but the file is still infected:

Files Infected:

C:\WINDOWS\system32\kbiwkmkqwukira.dll (Rootkit.TDSS) -> Delete on reboot.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:42:46 PM, on 8/22/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\BitTorrent\bittorrent.exe

C:\Program Files\NetZero\exec.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\NetZero\exec.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\Program Files\Malwarebytes' Anti-Malware\090822cln.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dialupforfree.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.dialupforfree.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dialupforfree.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dialupforfree.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.dialupforfree.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dialupforfree.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dialupforfree.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avg.com/ww.download-app

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S

O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O16 - DPF: {642BF859-5616-4839-B474-658072B3FFC2} (Scanner Control) - http://www.smartpctools.com/free_registry_.../RegScanner.ocx

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: SureThing Labelflash service - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--

End of file - 9598 bytes

Thanks for your help,

rpochoda


Greg,

Right click on Start, choose Explore, go to the Program Files folder, go to the Malwarebytes folder, then in the right-hand window right click on the file name and choose rename. (If you don't see right and left side windows when you go to Explore, click on the Folders button at the top of the screen.)

rpochoda


Greg,

Right click on Start, choose Explore, go to the Program Files folder, go to the Malwarebytes folder, then in the right-hand window right click on the file name and choose rename. (If you don't see right and left side windows when you go to Explore, click on the Folders button at the top of the screen.)

rpochoda

Thanks for the response. I tried your method of renaming, and also tried to rename during the install. No matter what I try I am unable to launch the malware program. It seems to be quite a nasty version of the same thing everyone here seems to be battling. I have also tried a couple of the other programs suggested with the same result. Thanks again for your help. I hope your trouble is going better. Blessings,

Greg


  • Staff

sixstring, please start your own thread, as this is extremely confusing when you post in someone else's thread.

As I said previously, it has to be renamed as a Windows file, such as explorer.exe or winlogon.exe.

Anyway, for the original TS here (rpochoda), please do the following..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dialupforfree.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.dialupforfree.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dialupforfree.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dialupforfree.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.dialupforfree.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dialupforfree.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dialupforfree.com

O16 - DPF: {642BF859-5616-4839-B474-658072B3FFC2} (Scanner Control) - http://www.smartpctools.com/free_registry_.../RegScanner.ocx

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Then:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

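The helper's fix list above singles out three kinds of HijackThis entries: R0/R1 browser settings pointing at a hijacked start/search host, the O16 DPF (an ActiveX control IE fetched from a URL), and, in the first log, an O23 service with "Unknown owner" whose binary sits directly in C:\WINDOWS. The script below is an added example, not part of this thread or of HijackThis itself: it parses the `Rn - ...` / `On - ...` line format and applies those three checks as defender-side triage heuristics. The sample log is a constructed subset of the lines posted above, and `SUSPECT_HOSTS` is an assumed list built from the entries the helper asked to be fixed.

```python
"""Triage HijackThis v2 log lines with the heuristics discussed in this thread.
Added example; not code from the thread, HijackThis, or Malwarebytes."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dialupforfree.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dialupforfree.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {642BF859-5616-4839-B474-658072B3FFC2} (Scanner Control) - http://www.smartpctools.com/free_registry_.../RegScanner.ocx
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O16, O23, ...) and " - ".
HJT_ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")

# Assumed deny list: the hosts the helper in this thread asked to be fixed.
SUSPECT_HOSTS = {"www.dialupforfree.com", "dialupforfree.com"}

# An .exe directly under the Windows folder (not in system32) is unusual for a service binary.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def parse_hjt(text):
    """Return (code, body) pairs for every R*/O* entry; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def parse_service(body):
    """Split 'Service: Name (short) - Owner - Path' into (name, owner, path).
    rsplit from the right so a ' - ' inside the display name cannot shift the fields."""
    name, owner, path = body.rsplit(" - ", 2)
    prefix = "Service: "
    if name.startswith(prefix):
        name = name[len(prefix):]
    return name, owner, path


def triage(entries):
    """Apply the heuristics; returns a list of (code, reason, detail) findings in log order."""
    findings = []
    for code, body in entries:
        if code in ("R0", "R1"):
            # Body is 'HKxx\...\Main,Setting = URL'; compare only the URL's host.
            key, sep, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname if sep else None
            if host in SUSPECT_HOSTS:
                findings.append((code, "browser start/search setting points at a suspect host", key))
        elif code == "O16":
            # DPF entries are ActiveX controls Internet Explorer downloaded from a URL.
            findings.append((code, "ActiveX control downloaded from the web; verify the publisher", body))
        elif code == "O23":
            name, owner, path = parse_service(body)
            reasons = []
            if owner.lower() == "unknown owner":
                reasons.append("no identified publisher")
            if WINDOWS_ROOT_EXE.match(path):
                reasons.append("binary sits directly in the Windows folder rather than system32")
            if reasons:
                findings.append((code, "; ".join(reasons), f"{name} -> {path}"))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{code}] {reason}: {detail}")
```

Run against the constructed sample it reports the two dialupforfree.com settings, the RegScanner.ocx download and the AntipyProex service, and stays silent on the NetZero search bar, the Java BHO and the ATI service. The heuristics are deliberately narrow; they reproduce the helper's reasoning for this thread rather than replace a full log review.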

Ran HJT and removed the 7 entries as directed, then downloaded and ran ComboFix. Here's the log:

ComboFix 09-08-22.06 - REP 08/22/2009 23:01.1.1 - NTFSx86

Running from: c:\documents and settings\REP.RP.000\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-3864686508-3413253365-1712271882-1005

c:\windows\Installer\10c729e.msi

c:\windows\Installer\12ac6fe3.msi

c:\windows\Installer\14dd2bec.msi

c:\windows\Installer\178e89.msi

c:\windows\Installer\178e8f.msi

c:\windows\Installer\178e95.msi

c:\windows\Installer\178e9b.msi

c:\windows\Installer\178ea1.msi

c:\windows\Installer\178ea7.msi

c:\windows\Installer\178ead.msi

c:\windows\Installer\178eb3.msi

c:\windows\Installer\178ec0.msi

c:\windows\Installer\178ec7.msi

c:\windows\Installer\178ece.msi

c:\windows\Installer\178ed5.msi

c:\windows\Installer\178edb.msi

c:\windows\Installer\178ee8.msi

c:\windows\Installer\178eee.msi

c:\windows\Installer\178ef4.msi

c:\windows\Installer\178efa.msi

c:\windows\Installer\178f00.msi

c:\windows\Installer\178f06.msi

c:\windows\Installer\178f0c.msi

c:\windows\Installer\178f12.msi

c:\windows\Installer\178f18.msi

c:\windows\Installer\178f1e.msi

c:\windows\Installer\178f24.msi

c:\windows\Installer\178f2b.msi

c:\windows\Installer\180c4e3f.msi

c:\windows\Installer\1a24e3a.msi

c:\windows\Installer\1ab406da.msi

c:\windows\Installer\1ae0c0d0.msi

c:\windows\Installer\1ae0c0d6.msi

c:\windows\Installer\1ae0c0dc.msi

c:\windows\Installer\1ae0c108.msi

c:\windows\Installer\1ae0c113.msi

c:\windows\Installer\1ae0c119.msi

c:\windows\Installer\1ae0c11f.msi

c:\windows\Installer\1ae0c125.msi

c:\windows\Installer\1ae0c12b.msi

c:\windows\Installer\1ae0c131.msi

c:\windows\Installer\1ae0c13c.msi

c:\windows\Installer\1ae0c14b.msi

c:\windows\Installer\1ae0c151.msi

c:\windows\Installer\1ae0c15d.msi

c:\windows\Installer\1ae0c164.msi

c:\windows\Installer\1ae0c16c.msi

c:\windows\Installer\1ae0c172.msi

c:\windows\Installer\1ae0c17c.msi

c:\windows\Installer\1ae0c182.msi

c:\windows\Installer\1ae0c189.msi

c:\windows\Installer\1b5ff2.msi

c:\windows\Installer\1e2e6.msi

c:\windows\Installer\1e2f2.msi

c:\windows\Installer\21091c39.msi

c:\windows\Installer\2331a.msi

c:\windows\Installer\23c73c40.msi

c:\windows\Installer\2953212f.msi

c:\windows\Installer\29532135.msi

c:\windows\Installer\2953213b.msi

c:\windows\Installer\29532141.msi

c:\windows\Installer\2953214d.msi

c:\windows\Installer\2953215e.msi

c:\windows\Installer\29532166.msi

c:\windows\Installer\2953216c.msi

c:\windows\Installer\29532176.msi

c:\windows\Installer\2953219f.msi

c:\windows\Installer\29623329.msi

c:\windows\Installer\29623348.msi

c:\windows\Installer\2ca9e.msi

c:\windows\Installer\2cb59.msi

c:\windows\Installer\309056.msi

c:\windows\Installer\31d2dce4.msi

c:\windows\Installer\31d2dcfc.msi

c:\windows\Installer\38586913.msi

c:\windows\Installer\3858691a.msi

c:\windows\Installer\391d03ef.msi

c:\windows\Installer\42c3f2.msp

c:\windows\Installer\4689ddc.msi

c:\windows\Installer\4689de2.msi

c:\windows\Installer\4b5427.msi

c:\windows\Installer\4b54e1e.msi

c:\windows\Installer\5567ff9.msi

c:\windows\Installer\5567fff.msi

c:\windows\Installer\5568005.msi

c:\windows\Installer\55b52.msi

c:\windows\Installer\55bdc.msi

c:\windows\Installer\55c67.msi

c:\windows\Installer\55c6f.msi

c:\windows\Installer\55cff.msi

c:\windows\Installer\55d07.msi

c:\windows\Installer\6dffc7c.msi

c:\windows\Installer\7283c.msi

c:\windows\Installer\8807630f.msi

c:\windows\Installer\9a13f.msi

c:\windows\Installer\9a156.msi

c:\windows\Installer\9a157.msp

c:\windows\Installer\9a158.msp

c:\windows\Installer\9a159.msp

c:\windows\Installer\9a15a.msp

c:\windows\Installer\9a15b.msp

c:\windows\Installer\9a15c.msp

c:\windows\Installer\9a15d.msp

c:\windows\Installer\9a15e.msp

c:\windows\Installer\9a15f.msp

c:\windows\Installer\9a170.msi

c:\windows\Installer\9a171.msp

c:\windows\Installer\9a172.msp

c:\windows\Installer\9a173.msp

c:\windows\Installer\9a174.msp

c:\windows\Installer\9a175.msp

c:\windows\Installer\9a176.msp

c:\windows\Installer\9a177.msp

c:\windows\Installer\9a178.msp

c:\windows\Installer\9a179.msp

c:\windows\Installer\9a17a.msp

c:\windows\Installer\9a181.msi

c:\windows\Installer\9f56ab.msi

c:\windows\Installer\9f56b1.msi

c:\windows\Installer\9f56b8.msi

c:\windows\Installer\b159cd9.msi

c:\windows\Installer\c030ad.msi

c:\windows\Installer\dd3db9.msi

c:\windows\Installer\f659f1.msi

c:\windows\Installer\f7b2a04.msi

c:\windows\Installer\f7b2a0a.msi

c:\windows\kb913800.exe

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk

c:\windows\system32\drivers\kbiwkmtlaknawb.sys

c:\windows\system32\images

c:\windows\system32\images\i1.gif

c:\windows\system32\images\i2.gif

c:\windows\system32\images\i3.gif

c:\windows\system32\images\j1.gif

c:\windows\system32\images\j2.gif

c:\windows\system32\images\j3.gif

c:\windows\system32\images\jj1.gif

c:\windows\system32\images\jj2.gif

c:\windows\system32\images\jj3.gif

c:\windows\system32\images\l1.gif

c:\windows\system32\images\l2.gif

c:\windows\system32\images\l3.gif

c:\windows\system32\images\pix.gif

c:\windows\system32\images\t1.gif

c:\windows\system32\images\t2.gif

c:\windows\system32\images\up1.gif

c:\windows\system32\images\up2.gif

c:\windows\system32\images\w1.gif

c:\windows\system32\images\w11.gif

c:\windows\system32\images\w2.gif

c:\windows\system32\images\w3.gif

c:\windows\system32\images\w3.jpg

c:\windows\system32\images\wt1.gif

c:\windows\system32\images\wt2.gif

c:\windows\system32\images\wt3.gif

c:\windows\system32\kbiwkmkqwukira.dll

c:\windows\system32\kbiwkmmhrfubhj.dll

c:\windows\system32\kbiwkmnhlilmkx.dat

c:\windows\system32\kbiwkmrkddpumc.dat

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_kbiwkmhsdwjoke

-------\Legacy_kbiwkmhsdwjoke

((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))

.

2009-08-22 18:35 . 2009-08-22 18:35 11952 -c--a-w- c:\windows\system32\avgrsstx.dll

2009-08-22 18:35 . 2009-08-22 18:35 108552 -c--a-w- c:\windows\system32\drivers\avgtdix.sys

2009-08-22 18:35 . 2009-08-22 18:35 335240 -c--a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-22 18:35 . 2009-08-22 18:35 27784 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-22 18:35 . 2009-08-22 18:35 -------- dc----w- c:\windows\system32\drivers\Avg

2009-08-22 18:10 . 2009-08-22 18:10 -------- dc----w- c:\documents and settings\REP.RP.000\Application Data\AVG8

2009-08-22 16:49 . 2009-08-22 20:32 664 -c--a-w- c:\windows\system32\d3d9caps.dat

2009-08-22 16:36 . 2009-08-23 01:54 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-19 15:00 . 2009-08-19 15:00 -------- dc----w- c:\documents and settings\REP.RP.000\Application Data\Malwarebytes

2009-08-19 15:00 . 2009-08-03 17:36 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-19 15:00 . 2009-08-03 17:36 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys

2009-08-19 00:47 . 2009-08-19 00:47 -------- dc----w- c:\program files\Common Files\Macrovision Shared

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-22 19:45 . 2009-04-04 20:54 -------- dc----w- c:\program files\Spybot - Search & Destroy

2009-08-22 19:43 . 2006-08-16 16:59 -------- dc----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2009-08-22 18:34 . 2008-05-31 17:11 -------- dc----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8

2009-08-19 15:40 . 2009-01-10 16:13 -------- dc----w- c:\program files\XMalwarebytes' Anti-Malware

2009-08-19 01:00 . 2007-11-03 04:36 -------- dc----w- c:\program files\Bonjour

2009-08-19 00:59 . 2006-07-12 03:49 -------- dc----w- c:\program files\Common Files\Adobe

2009-08-13 03:55 . 2009-04-11 19:31 -------- dc----w- c:\documents and settings\REP.RP.000\Application Data\AdobeUM

2009-08-09 16:34 . 2009-04-04 05:25 -------- dc----w- c:\documents and settings\REP.RP.000\Application Data\HPAppData

2009-07-09 15:07 . 2009-07-09 15:07 -------- dc----w- c:\documents and settings\REP.RP.000\Application Data\Thunderbird

2009-07-09 15:07 . 2009-07-09 15:07 335 -c--a-w- c:\windows\mozregistry.dat

2009-07-09 15:07 . 2006-07-12 00:48 611 -c--a-w- c:\windows\nsreg.dat

2009-07-09 15:07 . 2006-04-13 13:42 -------- dc----w- c:\program files\Netscape

2009-07-09 15:07 . 2009-07-09 15:07 9728 -c--a-w- c:\windows\system32\rnaph.dll

2009-07-09 15:00 . 2007-02-26 18:44 -------- dc----w- c:\program files\NetZero

2009-07-09 14:59 . 2009-07-09 14:59 -------- dc----w- c:\docume~1\ALLUSE~1\APPLIC~1\NetZero

2009-06-15 18:35 . 2006-04-13 13:56 130776 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2008-01-25 18:49 . 2008-01-25 18:49 1803972 -c--a-w- c:\program files\bg.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2006-09-30 43520]

"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2009-03-19 1720832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-22 2007832]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-10-10 69632]

c:\documents and settings\REP.RP.000\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-5 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-11-07 20:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-22 18:35 11952 -c--a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/22/2009 2:35 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/22/2009 2:35 PM 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/22/2009 2:34 PM 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/22/2009 2:34 PM 297752]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [4/8/2009 3:21 PM 10384]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]

S3 SureThing Labelflash service;SureThing Labelflash service;c:\program files\Common Files\SureThing Shared\stllssvr.exe [10/11/2008 6:10 PM 74392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://www.avg.com/ww.download-app

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-22 23:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????0???0?5?8?9??`???? ???B?????????????hLC? ???0??

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

.

Completion time: 2009-08-23 23:11

ComboFix-quarantined-files.txt 2009-08-23 03:11

Pre-Run: 3,554,967,552 bytes free

Post-Run: 5,295,865,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

317 --- E O F --- 2009-07-28 20:08

rpochoda


  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


  • Staff

> First, should I add an Anti-Malware scan to my regular antivirus scans?

That anti-malware scan can be Malwarebytes :D

> Second, when I ran ComboFix, it freed up almost 2 gigs of disk space. What could have been taking up so much room? Is there any way to tell if this is just from this last malware problem, or has it been accumulating over time? If the latter, what can I do to prevent such a buildup?

ComboFix does much the same as cleanmgr does (in this case, mainly cleaning temp folders): http://support.microsoft.com/kb/315246

Plus, it deleted the older, infected System Restore points (which may take a lot of space as well) and created a new, clean one.

I'll give some tips afterwards on how to clean them once in a while (to improve system speed).

> Last, will the /u switch work with any program or any that has an uninstall routine built in, or just those specifically programmed to run from a command line?

As a matter of fact, you can uninstall every program via the command line, because it's that command that is executed via Add/Remove Programs. The /u switch is ComboFix's own by design, so every program may have a different uninstall switch/command.

To find out what commands are being used to uninstall certain programs, open HijackThis, click Config, click Misc Tools

Click "Open Uninstall Manager"

This will generate a list of all the programs installed; on the right, if you select a certain program, you'll see which uninstall command it uses if you want to uninstall it. :)

Please don't use HijackThis to uninstall programs. This is only for your interest :)

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: make sure your programs are up to date, because older versions may contain security vulnerabilities. To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!

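As an added example, not part of the original thread or of HijackThis: the uninstall commands that HijackThis' Uninstall Manager and Add/Remove Programs display both come from the per-product keys under Software\Microsoft\Windows\CurrentVersion\Uninstall in HKLM (and HKCU), so the same list can be pulled with PowerShell. The script below lists each product's UninstallString and additionally flags entries whose target executable no longer exists on disk, which is a typical leftover of a program that was deleted rather than uninstalled (ComboFix does a comparable check for Run keys in its "ORPHANS REMOVED" section above; this does it for Add/Remove entries). The function names Get-UninstallTarget and Test-UninstallTarget are my own, and the Wow6432Node path is only relevant on 64-bit Windows; the script is read-only and runs none of the commands it lists.

```powershell
# Added example, not from the original post: list installed programs and the
# exact command Add/Remove Programs (and HijackThis' Uninstall Manager) would
# run for each, read straight from the registry. Read-only: it runs nothing.

function Get-UninstallTarget {
    param([string]$Command)
    # Extract the executable from an UninstallString. Common shapes:
    #   "C:\Program Files\Foo\unins000.exe" /SILENT   -> quoted full path
    #   C:\Program Files\Foo\uninst.exe /S            -> unquoted path with spaces
    #   MsiExec.exe /X{GUID}                          -> bare name, first token
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.(exe|dll|bat|cmd))(\s|$)') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-UninstallTarget {
    param([string]$Exe)
    # Full paths are checked on disk; bare names (MsiExec.exe, RunDll32) are
    # resolved through PATH the same way the shell would resolve them.
    if ($Exe -match '[\\/]') { return (Test-Path -LiteralPath $Exe) }
    return [bool](Get-Command $Exe -ErrorAction SilentlyContinue)
}

# Per-machine, 32-bit-on-64-bit, and per-user install records. Keys that do not
# exist (e.g. no Wow6432Node on 32-bit XP) are skipped silently.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$entries = Get-ChildItem -Path $uninstallKeys -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -and $_.UninstallString } |
    ForEach-Object {
        $exe = Get-UninstallTarget $_.UninstallString
        New-Object PSObject -Property @{
            Name            = $_.DisplayName
            Version         = $_.DisplayVersion
            Publisher       = $_.Publisher
            UninstallString = $_.UninstallString
            TargetExists    = Test-UninstallTarget $exe
            Key             = $_.PSChildName
        }
    } | Sort-Object Name

# Everything Add/Remove Programs knows about, with the command it would run.
$entries | Format-Table Name, Version, Publisher, UninstallString -AutoSize -Wrap

# Orphans: the uninstaller is gone but the Add/Remove entry remains. Review
# these by hand before touching the registry; do not delete blindly.
$entries | Where-Object { -not $_.TargetExists } |
    Format-Table Name, UninstallString, Key -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. As the staff member says above, this is for looking, not for uninstalling: the point is to see which command each product registers, and to spot entries whose target binary has vanished.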

  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

