HELP PLEASE! NOTHING IS WORKING RIGHT!


ph3nom
ComboFix told me to write this down, and we may need it in the future. Here you go.

C:\windows\system32\drivers\UACuwqoowbivf.sys

C:\windows\system32\UACturrtqlten.dll

C:\windows\system32\UACqttlpkmsrs.dll

C:\windows\system32\UACkyibqjifhl.dat

C:\windows\system32\UACdeqrmyvhft.db

C:\windows\system32\UACabtlnskukp.dll

C:\windows\system32\Uacxlwntpogoe.dll

Here's a ComboFix log. I got it to work somehow with a virus scan that cleaned up some stuff, not with AVG but with avast!

ComboFix Beta_09-08-18.01 - anthony 08/23/2009 13:49.5.2 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3327.3040 [GMT -5:00]

Running from: c:\documents and settings\anthony\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1351 [VPS 090823-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\ALLUSE~1\Desktop\avast! Antivirus.lnk

c:\docume~1\anthony\LOCALS~1\Temp\_av_inet.tm~a02804\setupeng.exe

c:\documents and settings\anthony\Local Settings\temp\_av_inet.tm~a02804\setupeng.exe

c:\windows\braviax.exe

c:\windows\run.log

c:\windows\system32\braviax.exe

c:\windows\system32\drivers\UACuwqoowbivf.sys

c:\windows\system32\UACabtlnskukp.dll

c:\windows\system32\UACdeqrmyvhft.db

c:\windows\system32\uacinit.dll

c:\windows\system32\UACkyibqjifhl.dat

c:\windows\system32\UACqttlpkmsrs.dll

c:\windows\system32\UACturrtqlten.dll

c:\windows\system32\UACxlwntpogoe.dll

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))

.

2009-08-23 01:58 . 2009-08-23 01:58 687104 ----a-w- c:\windows\is-BA5Q8.exe

2009-08-23 01:06 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-08-23 01:06 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-08-23 01:06 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-08-23 01:06 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-08-23 01:06 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-08-23 01:06 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-08-23 01:06 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-08-23 01:06 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr

2009-08-23 01:05 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe

2009-08-23 01:05 . 2009-08-23 01:05 -------- d-----w- c:\program files\Alwil Software

2009-08-22 22:34 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-22 22:34 . 2009-08-23 01:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-22 22:34 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-20 15:50 . 2009-08-20 15:50 0 ----a-w- c:\documents and settings\anthony\settings.dat

2009-08-19 20:06 . 2009-08-19 20:06 -------- d-----w- c:\documents and settings\anthony\Local Settings\Application Data\AVG Security Toolbar

2009-08-19 19:58 . 2009-08-22 01:52 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar

2009-08-13 20:12 . 2009-08-13 20:12 -------- d-----w- c:\windows\ServicePackFiles

2009-08-11 07:20 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll

2009-08-11 07:20 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll

2009-08-11 07:20 . 2008-10-10 09:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll

2009-08-11 07:20 . 2009-08-11 07:20 -------- d-----w- c:\windows\Logs

2009-08-03 15:42 . 2009-08-16 01:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-03 15:42 . 2009-08-03 15:42 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-08-03 15:42 . 2009-08-16 01:30 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-03 15:42 . 2009-08-16 01:30 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-03 15:42 . 2009-08-23 18:37 -------- d-----w- c:\windows\system32\drivers\Avg

2009-08-02 19:31 . 2009-08-02 19:31 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-02 19:31 . 2009-08-02 19:31 -------- d-----w- c:\program files\Reference Assemblies

2009-08-02 19:30 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-02 19:30 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-02 19:30 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-02 19:30 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-02 19:30 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-02 19:30 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-02 19:30 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-02 19:28 . 2009-08-02 19:28 -------- d-----w- c:\program files\MSXML 6.0

2009-08-02 19:24 . 2009-08-22 22:20 -------- d-----w- c:\program files\Windows Desktop Search

2009-08-02 19:24 . 2009-08-02 19:24 -------- d-----w- c:\windows\system32\GroupPolicy

2009-08-02 19:23 . 2009-08-02 19:23 -------- d-----w- c:\program files\Windows Media Connect 2

2009-08-02 19:19 . 2009-08-02 19:19 -------- d-----w- c:\windows\system32\URTTEMP

2009-08-02 19:16 . 2006-11-13 06:02 36352 ------w- c:\windows\system32\tsgqec.dll

2009-08-02 19:16 . 2006-11-13 06:02 288768 ------w- c:\windows\system32\rhttpaa.dll

2009-08-02 19:16 . 2006-11-13 06:02 116736 ------w- c:\windows\system32\aaclient.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-22 22:17 . 2009-04-11 10:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8

2009-08-19 20:30 . 2008-09-06 00:48 -------- d-----w- c:\program files\DAP

2009-08-19 20:18 . 2008-09-06 00:48 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SpeedBit

2009-08-19 20:17 . 2008-09-06 00:48 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP

2009-08-19 20:16 . 2008-09-08 04:32 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-19 19:19 . 2008-09-05 19:10 75032 ----a-w- c:\documents and settings\anthony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-19 19:05 . 2008-11-04 02:20 -------- d-----w- c:\documents and settings\anthony\Application Data\uTorrent

2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-02 19:31 . 2009-01-19 23:36 -------- d-----w- c:\program files\MSBuild

2009-08-01 08:14 . 2009-05-19 02:49 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-15 17:40 . 2008-11-30 06:55 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-07-15 17:40 . 2008-11-30 06:09 189480 ----a-w- c:\windows\system32\PnkBstrB.exe

2009-07-15 17:38 . 2009-07-15 17:38 139152 ----a-w- c:\documents and settings\anthony\Application Data\PnkBstrK.sys

2009-07-15 17:38 . 2009-07-15 17:38 139152 ----a-w- c:\documents and settings\anthony\Application Data\PnkBstrK.sys

2009-07-15 17:38 . 2009-07-15 17:14 794408 ----a-w- c:\windows\system32\pbsvc.exe

2009-07-15 17:38 . 2008-11-30 05:42 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 04:34 . 2008-11-27 02:36 -------- d-----w- c:\documents and settings\anthony\Application Data\Skype

2009-07-09 04:32 . 2008-11-27 02:38 -------- d-----w- c:\documents and settings\anthony\Application Data\skypePM

2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2009-06-25 15:37 . 2008-10-27 01:04 -------- d-----w- c:\program files\vghd

2009-06-25 15:36 . 2008-10-27 01:04 5 ----a-w- c:\windows\sbacknt.bin

2009-06-25 08:44 . 2004-08-04 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:44 . 2004-08-04 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:44 . 2004-08-04 12:00 56320 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:44 . 2004-08-04 12:00 298496 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:44 . 2004-08-04 12:00 168448 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:44 . 2004-08-04 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 04:55 . 2008-10-27 01:04 152904 ----a-w- c:\windows\system32\vghd.scr

2009-06-25 04:53 . 2008-10-27 01:25 -------- d--h--w- c:\documents and settings\anthony\Application Data\vghd

2009-06-22 11:34 . 2004-08-04 12:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-21 02:27 . 2009-06-21 02:27 390664 ----a-w- c:\documents and settings\anthony\Application Data\Real\RealPlayer\Update\realplayer11gold.exe

2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-15 02:44 . 2009-06-15 02:44 10134 ----a-r- c:\documents and settings\anthony\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe

2009-06-12 11:50 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:21 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:32 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-09 23:49 . 2009-06-09 23:49 152576 ----a-w- c:\documents and settings\anthony\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-09 15:06 . 2008-09-05 15:34 1871872 ----a-w- c:\windows\system32\mstscax.dll

2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-07-24 14:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-19 198160]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-11-07 17421824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-5 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-16 01:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^anthony^Start Menu^Programs^Startup^DesktopVideoPlayer.LNK]

path=c:\documents and settings\anthony\Start Menu\Programs\Startup\DesktopVideoPlayer.LNK

backup=c:\windows\pss\DesktopVideoPlayer.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ZuneNetworkSvc"=3 (0x3)

"VideoAcceleratorService"=2 (0x2)

"SvcOnlineArmor"=2 (0x2)

"odserv"=3 (0x3)

"OAcat"=2 (0x2)

"Microsoft Office Groove Audit Service"=3 (0x3)

"MDM"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=

"d:\\Program Files\\steamapps\\aznl2iceboi5o4\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"d:\\Program Files\\steamapps\\aznl2iceboi5o4\\zombie panic! source\\hl2.exe"=

"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"d:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"d:\\Program Files\\steamapps\\common\\dawn of war soulstorm demo\\Soulstorm.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"d:\\Program Files\\steamapps\\common\\lumines\\lumines.exe"=

"d:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=

"d:\\Program Files\\steamapps\\aznl2iceboi5o4\\team fortress 2\\hl2.exe"=

"d:\\Program Files\\steamapps\\aznl2iceboi5o4\\counter-strike\\hl.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"d:\\Program Files\\steamapps\\aznl2iceboi5o4\\half-life 2 deathmatch\\hl2.exe"=

"d:\\Program Files\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/22/2009 8:06 PM 114768]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/3/2009 10:42 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/3/2009 10:42 AM 108552]

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [1/18/2009 4:58 AM 13696]

R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\VMLaunch\BuddyVM.sys [1/6/2009 1:25 PM 15488]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/22/2009 8:06 PM 20560]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/3/2009 10:41 AM 297752]

R2 sbbotdi;sbbotdi;c:\progra~1\SPEEDB~1\sbbotdi.sys [9/5/2008 7:51 PM 35584]

S2 ulbaliz;ulbaliz;c:\windows\system32\drivers\tkrrz.sys --> c:\windows\system32\drivers\tkrrz.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/22/2009 5:34 PM 38160]

S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)

Notify-cscdll - (no file)

Notify-LBTWlgn - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

FF - ProfilePath - c:\docume~1\anthony\APPLIC~1\Mozilla\Firefox\Profiles\eo5xqksd.default\

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-23 13:53

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2888)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\GameHook.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\windows\system32\ZuneBusEnum.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

c:\program files\AVG\AVG8\avgui.exe

.

**************************************************************************

.

Completion time: 2009-08-23 13:56 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-23 18:56

ComboFix2.txt 2009-07-09 16:58

Pre-Run: 39,976,849,408 bytes free

Post-Run: 40,159,604,736 bytes free

338 --- E O F --- 2009-08-14 16:44

And here's a HijackThis log. I was able to install it on my second hard drive, D. I was also able to install it on C, but it wouldn't run; it gives the error that the access point is deleted or not found, like I had before.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:05:04 PM, on 8/23/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZuneBusEnum.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Electronic Arts\EADM\Core.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--

End of file - 7515 bytes

Want me to check and fix anything on here?

And here's a quick scan with Malwarebytes (not a full scan; tell me if I need to run one when you read all this).

Malwarebytes' Anti-Malware 1.40

Database version: 2684

Windows 5.1.2600 Service Pack 2

8/23/2009 2:12:07 PM

mbam-log-2009-08-23 (14-12-07).txt

Scan type: Quick Scan

Objects scanned: 99250

Time elapsed: 2 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

And I picked Remove All, and it told me to restart.

Also, AVG Resident Shield is still off even when I tell it to turn on, so AVG is still bugged. Also, in Firefox I still get redirected from my search engine: when I type espn and click the ESPN homepage in the Google search results, it redirects me somewhere way different.

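The two findings worth pulling out of the logs above are the Security Center values Malwarebytes reverted (AntiVirusDisableNotify, FirewallDisableNotify and UpdatesDisableNotify set to 1 keep XP's Security Center from warning that protection is off) and the autorun entries HijackThis lists. As an added example, not code from this thread or from either tool, here is a small Python parser that reads lines in the shape of those logs, reports whether notification suppression was found, and lists the autorun entries the log alone cannot vouch for. The sample lines are constructed from the posted log formats; the Autorun record type and the "bare file name / Unknown owner" review heuristic are my own assumptions, and an "Unknown owner" service (PnkBstrA here is PunkBuster, a game anti-cheat) is a candidate for a hash check or VirusTotal upload, not evidence of malice.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the Malwarebytes and HijackThis
# logs posted in this thread (not the full logs).
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Malwarebytes "Registry Data Items" line for a Security Center *DisableNotify value.
SC_RE = re.compile(
    r"^(HKEY_[A-Z_]+)\\SOFTWARE\\Microsoft\\Security Center\\(\w+DisableNotify)\b.*?Bad: \((\d+)\)"
)
# HijackThis O4 Run/RunOnce entries (HKLM, HKCU, HKUS\<SID>, HKUS\.DEFAULT).
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\(?:S-[\d-]+|\.DEFAULT))?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# HijackThis O23 service entries: "O23 - Service: <name> - <vendor> - <path>".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First executable in a command line, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|scr|com|dll))"?', re.IGNORECASE)


@dataclass
class Autorun:          # assumed record type, not a HijackThis structure
    kind: str           # "O4" (Run key) or "O23" (service)
    location: str       # hive\key for O4, service name for O23
    owner: str          # vendor string for O23, "" for O4
    image: str          # executable as written in the log


def security_center_items(lines):
    """(hive, value name, reported 'Bad' value) for every Security Center *DisableNotify line."""
    items = []
    for line in lines:
        m = SC_RE.match(line.strip())
        if m:
            items.append((m.group(1), m.group(2), int(m.group(3))))
    return items


def notifications_suppressed(lines):
    """True when any *DisableNotify value was 1: Security Center then stays silent about
    antivirus, firewall or Automatic Updates being off."""
    return any(bad == 1 for _, _, bad in security_center_items(lines))


def autoruns(lines):
    """Autorun records from O4 Run-key lines and O23 service lines (other O4 forms are skipped)."""
    found = []
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").split(" (User ")[0]   # drop HijackThis' "(User 'SYSTEM')" suffix
            exe = EXE_RE.match(cmd)
            found.append(Autorun("O4", f"{m.group('hive')}\\{m.group('key')}", "",
                                 exe.group("exe") if exe else cmd))
            continue
        m = O23_RE.match(line)
        if m:
            found.append(Autorun("O23", m.group("name"), m.group("owner"), m.group("path")))
    return found


def review_candidates(lines):
    """Entries the log alone cannot vouch for: services with no vendor string, and Run entries
    naming a bare file with no directory (resolved through the search path at logon)."""
    out = []
    for a in autoruns(lines):
        if a.kind == "O23" and a.owner == "Unknown owner":
            out.append(a)
        elif a.kind == "O4" and "\\" not in a.image:
            out.append(a)
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("Security Center notifications suppressed:", notifications_suppressed(lines))
    for a in review_candidates(lines):
        print("review:", a.kind, a.location, a.image)
```

Run it against a saved HijackThis or Malwarebytes log by reading the file into a list of lines; the Security Center check is the one unambiguous tampering indicator in these logs, while the review list is only a worklist for hashing or upload.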

Here's a GooredFix report.

GooredFix by jpshortstuff (03.07.09)

Log created at 14:15 on 23/08/2009 (anthony)

Firefox version 3.5.2 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [16:00 09/07/2009]

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [04:46 29/09/2008]

{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [00:21 29/11/2008]

{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [08:07 18/03/2009]

{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [09:50 11/04/2009]

{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [23:49 09/06/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [06:45 19/05/2009]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [09:50 11/04/2009]

"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [19:32 02/08/2009]

"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [15:41 03/08/2009]

"avg@igeared"="C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared" [01:47 21/08/2009]

-=E.O.F=-


Last thing: my Spybot Search and Destroy TeaTimer is now always detecting something that keeps trying to change my settings. I always deny it. Here is the info.

Spybot - Search and Destroy has detected an important registry entry that has been changed.

Category: System Startup global entry

Change: Value Deleted

Entry: Alcmtr

Old data: ALCMTR.EXE

And I picked Deny Change, but it pops up from time to time. What do I do next, after all the logs I gave now?


  • Staff

Hi ph3nom,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Don't use any other text editor than Notepad, or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::

ulbaliz

KILLALL::

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

"Spybot - Search and Destroy has detected an important registry entry that has been changed."

That's for your audio driver. Allow it the next time it pops up, but let me know of anything else TeaTimer pops up with.

Please go to VirusTotal, and upload the following files for analysis:

c:\windows\system32\dllcache\printfilterpipelinesvc.exe

c:\windows\system32\tsgqec.dll

c:\windows\system32\rhttpaa.dll

c:\windows\system32\aaclient.dll

Post the results in your reply.

-screen317


Here is my ComboFix log...

ComboFix 09-08-23.01 - anthony 08/24/2009 9:06.6.2 - NTFSx86

Running from: c:\documents and settings\anthony\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\anthony\Desktop\CFScript.txt

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ULBALIZ

-------\Service_ulbaliz

((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))

.

2009-08-23 20:04 . 2009-08-23 19:54 906520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe

2009-08-23 20:04 . 2009-08-23 19:54 53528 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\libsasl.dll

2009-08-23 20:04 . 2009-08-23 19:54 36632 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\sasldigestmd5.dll

2009-08-23 20:04 . 2009-08-23 19:54 18200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\saslcrammd5.dll

2009-08-23 20:04 . 2009-08-23 19:54 16664 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\saslplain.dll

2009-08-23 20:04 . 2009-08-23 19:54 16664 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\sasllogin.dll

2009-08-23 19:43 . 2009-08-23 19:43 -------- d-----w- c:\documents and settings\anthony\Local Settings\Application Data\AVG Security Toolbar

2009-08-23 19:41 . 2009-08-23 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-08-23 19:36 . 2009-08-23 19:38 -------- d-sh--w- c:\windows\Installer

2009-08-23 01:58 . 2009-08-23 01:58 687104 ----a-w- c:\windows\is-BA5Q8.exe

2009-08-23 01:06 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-08-23 01:06 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-08-23 01:06 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-08-23 01:06 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-08-23 01:06 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-08-23 01:06 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-08-23 01:06 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-08-23 01:06 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr

2009-08-23 01:05 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe

2009-08-23 01:05 . 2009-08-23 01:05 -------- d-----w- c:\program files\Alwil Software

2009-08-22 22:34 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-22 22:34 . 2009-08-23 01:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-22 22:34 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-20 15:50 . 2009-08-20 15:50 0 ----a-w- c:\documents and settings\anthony\settings.dat

2009-08-13 20:12 . 2009-08-13 20:12 -------- d-----w- c:\windows\ServicePackFiles

2009-08-11 07:20 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll

2009-08-11 07:20 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll

2009-08-11 07:20 . 2008-10-10 09:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll

2009-08-11 07:20 . 2009-08-11 07:20 -------- d-----w- c:\windows\Logs

2009-08-03 15:45 . 2009-08-23 19:55 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll

2009-08-03 15:45 . 2009-08-23 19:54 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe

2009-08-03 15:42 . 2009-08-23 20:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-03 15:42 . 2009-08-03 15:42 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-08-03 15:42 . 2009-08-23 20:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-03 15:42 . 2009-08-23 20:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-03 15:42 . 2009-08-24 14:01 -------- d-----w- c:\windows\system32\drivers\Avg

2009-08-02 19:31 . 2009-08-02 19:31 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-02 19:31 . 2009-08-02 19:31 -------- d-----w- c:\program files\Reference Assemblies

2009-08-02 19:30 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-02 19:30 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-02 19:30 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-02 19:30 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-02 19:30 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-02 19:30 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-02 19:30 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-02 19:28 . 2009-08-02 19:28 -------- d-----w- c:\program files\MSXML 6.0

2009-08-02 19:24 . 2009-08-22 22:20 -------- d-----w- c:\program files\Windows Desktop Search

2009-08-02 19:24 . 2009-08-02 19:24 -------- d-----w- c:\windows\system32\GroupPolicy

2009-08-02 19:23 . 2009-08-02 19:23 -------- d-----w- c:\program files\Windows Media Connect 2

2009-08-02 19:19 . 2009-08-02 19:19 -------- d-----w- c:\windows\system32\URTTEMP

2009-08-02 19:16 . 2006-11-13 06:02 36352 ------w- c:\windows\system32\tsgqec.dll

2009-08-02 19:16 . 2006-11-13 06:02 288768 ------w- c:\windows\system32\rhttpaa.dll

2009-08-02 19:16 . 2006-11-13 06:02 116736 ------w- c:\windows\system32\aaclient.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-23 20:06 . 2008-11-27 02:36 -------- d-----w- c:\documents and settings\anthony\Application Data\Skype

2009-08-23 19:55 . 2009-04-11 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-23 19:55 . 2009-08-16 01:30 1262368 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll

2009-08-23 19:55 . 2009-08-16 01:30 531736 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsched.dll

2009-08-23 19:55 . 2009-08-16 01:30 512280 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgvvx.dll

2009-08-23 19:55 . 2009-08-16 01:30 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmax.exe

2009-08-23 19:55 . 2009-08-16 01:30 338712 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.dll

2009-08-23 19:55 . 2009-08-16 01:30 310528 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll

2009-08-23 19:55 . 2009-08-03 15:46 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll

2009-08-19 20:30 . 2008-09-06 00:48 -------- d-----w- c:\program files\DAP

2009-08-19 20:18 . 2008-09-06 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit

2009-08-19 20:17 . 2008-09-06 00:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-19 20:16 . 2008-09-08 04:32 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-19 19:19 . 2008-09-05 19:10 75032 ----a-w- c:\documents and settings\anthony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-19 19:05 . 2008-11-04 02:20 -------- d-----w- c:\documents and settings\anthony\Application Data\uTorrent

2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-02 19:31 . 2009-01-19 23:36 -------- d-----w- c:\program files\MSBuild

2009-08-01 08:14 . 2009-05-19 02:49 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-15 17:40 . 2008-11-30 06:55 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-07-15 17:40 . 2008-11-30 06:09 189480 ----a-w- c:\windows\system32\PnkBstrB.exe

2009-07-15 17:38 . 2009-07-15 17:38 139152 ----a-w- c:\documents and settings\anthony\Application Data\PnkBstrK.sys

2009-07-15 17:38 . 2009-07-15 17:38 139152 ----a-w- c:\documents and settings\anthony\Application Data\PnkBstrK.sys

2009-07-15 17:38 . 2009-07-15 17:14 794408 ----a-w- c:\windows\system32\pbsvc.exe

2009-07-15 17:38 . 2008-11-30 05:42 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 04:32 . 2008-11-27 02:38 -------- d-----w- c:\documents and settings\anthony\Application Data\skypePM

2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2009-06-25 15:37 . 2008-10-27 01:04 -------- d-----w- c:\program files\vghd

2009-06-25 15:36 . 2008-10-27 01:04 5 ----a-w- c:\windows\sbacknt.bin

2009-06-25 08:44 . 2004-08-04 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:44 . 2004-08-04 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:44 . 2004-08-04 12:00 56320 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:44 . 2004-08-04 12:00 298496 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:44 . 2004-08-04 12:00 168448 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:44 . 2004-08-04 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 04:55 . 2008-10-27 01:04 152904 ----a-w- c:\windows\system32\vghd.scr

2009-06-22 11:34 . 2004-08-04 12:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-21 02:27 . 2009-06-21 02:27 390664 ----a-w- c:\documents and settings\anthony\Application Data\Real\RealPlayer\Update\realplayer11gold.exe

2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-15 02:44 . 2009-06-15 02:44 10134 ----a-r- c:\documents and settings\anthony\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe

2009-06-12 11:50 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:21 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:32 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-09 23:49 . 2009-06-09 23:49 152576 ----a-w- c:\documents and settings\anthony\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-09 15:06 . 2008-09-05 15:34 1871872 ----a-w- c:\windows\system32\mstscax.dll

2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-06-14 21:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-19 198160]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-11-07 17421824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-23 20:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^anthony^Start Menu^Programs^Startup^DesktopVideoPlayer.LNK]

path=c:\documents and settings\anthony\Start Menu\Programs\Startup\DesktopVideoPlayer.LNK

backup=c:\windows\pss\DesktopVideoPlayer.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ZuneNetworkSvc"=3 (0x3)

"VideoAcceleratorService"=2 (0x2)

"SvcOnlineArmor"=2 (0x2)

"odserv"=3 (0x3)

"OAcat"=2 (0x2)

"Microsoft Office Groove Audit Service"=3 (0x3)

"MDM"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=

"d:\\Program Files\\steamapps\\aznl2iceboi5o4\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"d:\\Program Files\\steamapps\\aznl2iceboi5o4\\zombie panic! source\\hl2.exe"=

"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"d:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"d:\\Program Files\\steamapps\\common\\dawn of war soulstorm demo\\Soulstorm.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"d:\\Program Files\\steamapps\\common\\lumines\\lumines.exe"=

"d:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=

"d:\\Program Files\\steamapps\\aznl2iceboi5o4\\team fortress 2\\hl2.exe"=

"d:\\Program Files\\steamapps\\aznl2iceboi5o4\\counter-strike\\hl.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"d:\\Program Files\\steamapps\\aznl2iceboi5o4\\half-life 2 deathmatch\\hl2.exe"=

"d:\\Program Files\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe [2008-09-06 292472]

S1 aswSP;avast! Self Protection; [x]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]

S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-08-03 108552]

S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-03-16 13696]

S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\VMLaunch\BuddyVM.sys [2005-02-18 15488]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-08-17 20560]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-23 908056]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]

S2 sbbotdi;sbbotdi;c:\progra~1\SPEEDB~1\sbbotdi.sys [2008-09-06 35584]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)

Notify-cscdll - (no file)

Notify-LBTWlgn - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

FF - ProfilePath - c:\documents and settings\anthony\Application Data\Mozilla\Firefox\Profiles\eo5xqksd.default\

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-24 09:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3348)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\GameHook.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\program files\Logitech\iTouch\iTchHk.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\windows\system32\ZuneBusEnum.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\Logitech\SetPoint\SetPoint.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

.

**************************************************************************

.

Completion time: 2009-08-24 9:13 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-24 14:13

ComboFix2.txt 2009-08-23 18:56

Pre-Run: 40,316,989,440 bytes free

Post-Run: 40,260,739,072 bytes free

331 --- E O F --- 2009-08-14 16:44

Here is my HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:15:06 AM, on 8/24/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZuneBusEnum.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Electronic Arts\EADM\Core.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--

End of file - 7461 bytes

Here's the VirusTotal log of the files you told me to upload for analysis...

For c:\windows\system32\dllcache\printfilterpipelinesvc.exe

here is the link... http://www.virustotal.com/analisis/d2a468e...6e8a-1251123555

For c:\windows\system32\tsgqec.dll

here is the link... http://www.virustotal.com/analisis/96a74a9...39b7-1251126169

For c:\windows\system32\rhttpaa.dll

here is the link... http://www.virustotal.com/analisis/4e8f792...eb35-1251126260

For c:\windows\system32\aaclient.dll

here is the link... http://www.virustotal.com/analisis/ffe3c0e...b246-1251126374

Also, last... is avast! anti-virus any good? I have AVG working now and I also have avast! anti-virus installed and working. I was wondering which one I should keep and which is better and which to use, since I know keeping two anti-virus programs working at the same time is not a good idea.


  • Staff

Hi,

Also, last... is avast! anti-virus any good? I have AVG working now and I also have avast! anti-virus installed and working. I was wondering which one I should keep and which is better and which to use, since I know keeping two anti-virus programs working at the same time is not a good idea.
I would take avast! over AVG.

Also, it is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio

Comodo

Outpost

Are you still getting redirected?

Please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\drivers\BIOS.sys

Post the results in your reply.

-screen317


OK, AVG is uninstalled and only avast! remains. But it's on a trial demo license. Where can I find a key for it? And now for your part.

I got Kerio, is that good? And how should I set the settings on it? Please guide me, like what should I allow to run and not to run. Like for games I know and programs I use like Zune and so on. But for others, how do I know it's safe? For example, like that TeaTimer incident that you told me to accept, but I didn't know it was for my audio and I should allow it.

And also I don't believe I'm getting redirected on Google anymore. How will I know I'm clean for sure?

And here's the analysis from VirusTotal for c:\windows\system32\drivers\BIOS.sys...

http://www.virustotal.com/analisis/7110afc...de72-1251181724

And lastly, am I clean yet? How do I know I'm completely clean of all viruses, malware, adware and other harmful infections on my computer and not getting redirected on Google in the future? Do you want me to do a full scan or something?

Also, I still have all the logs and files you told me to get (RootRepeal, upload.bat, fixes.bat, Avenger, Win32kDiag and win32kdiag.txt, filecopy.bat, ComboFix and all the logs from the programs I used, and GooredFix).

PLEASE ASSIST WITH ALL THIS. I suck when it comes to this, so I want to know everything I can and run through everything thoroughly to make sure everything is OK and clean of all infections, and how to use the stuff you told me to get.

Thanks a lot!!! Much!!


  • Staff

ph3nom,

OK, AVG is uninstalled and only avast! remains. But it's on a trial demo license. Where can I find a key for it? And now for your part.
You downloaded the trial of the pro version. You were supposed to download the free version.
I got Kerio, is that good? And how should I set the settings on it? Please guide me, like what should I allow to run and not to run. Like for games I know and programs I use like Zune and so on. But for others, how do I know it's safe? For example, like that TeaTimer incident that you told me to accept, but I didn't know it was for my audio and I should allow it.
Kerio is fine. When in doubt, use common sense. Did you just launch a program that would try to connect to the Internet? Do you recognize the program? If not, look it up here and on Google to confirm its legitimacy.
And also I don't believe I'm getting redirected on Google anymore. How will I know I'm clean for sure?
You can never know for sure, unfortunately, but with the good protection you have in place now, and with my observation, I believe you are pretty clean. :D
And here's the analysis from VirusTotal for c:\windows\system32\drivers\BIOS.sys...

http://www.virustotal.com/analisis/7110afc...de72-1251181724

The link doesn't work. Copy and paste the results directly here, unless it came up 0/41, in which case let me know.
And lastly, am I clean yet? How do I know I'm completely clean of all viruses, malware, adware and other harmful infections on my computer and not getting redirected on Google in the future? Do you want me to do a full scan or something?
Sure, do a full scan to confirm. I believe you are clean now though, pending the results of the file above.
Also, I still have all the logs and files you told me to get (RootRepeal, upload.bat, fixes.bat, Avenger, Win32kDiag and win32kdiag.txt, filecopy.bat, ComboFix and all the logs from the programs I used, and GooredFix).

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.

This uninstalls all of ComboFix's components.

Then run this command:

"%userprofile%\Desktop\GooredFix.exe" /uninstall

Delete these files:

upload.bat

fixes.bat

win32kdiag.txt

win32kdiag.exe

filecopy.bat

Next, please download OTC by OldTimer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button.
  • Select Yes when the Begin cleanup Process? prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes. If it doesn't, delete it by yourself.

Let me know what issues remain.

-screen317


You downloaded the trial of the pro version. You were supposed to download the free version.

I have the home edition, and when I install the file you told me to get, it just says remove or repair. It says time-limited demo license.

The link doesn't work. Copy and paste the results directly here, unless it came up 0/41, in which case let me know.

http://www.virustotal.com/analisis/7110afc...de72-1251250839

That link should work; it works for me. It also says 0/41.

Here is the report in case.

Antivirus Version Last Update Result

a-squared 4.5.0.24 2009.08.26 -

AhnLab-V3 5.0.0.2 2009.08.25 -

AntiVir 7.9.1.3 2009.08.25 -

Antiy-AVL 2.0.3.7 2009.08.24 -

Authentium 5.1.2.4 2009.08.26 -

Avast 4.8.1335.0 2009.08.25 -

AVG 8.5.0.406 2009.08.25 -

BitDefender 7.2 2009.08.26 -

CAT-QuickHeal 10.00 2009.08.25 -

ClamAV 0.94.1 2009.08.25 -

Comodo 2091 2009.08.26 -

DrWeb 5.0.0.12182 2009.08.26 -

eSafe 7.0.17.0 2009.08.25 -

eTrust-Vet 31.6.6700 2009.08.25 -

F-Prot 4.4.4.56 2009.08.25 -

F-Secure 8.0.14470.0 2009.08.26 -

Fortinet 3.120.0.0 2009.08.26 -

GData 19 2009.08.26 -

Ikarus T3.1.1.68.0 2009.08.26 -

Jiangmin 11.0.800 2009.08.25 -

K7AntiVirus 7.10.827 2009.08.25 -

Kaspersky 7.0.0.125 2009.08.26 -

McAfee 5720 2009.08.25 -

McAfee+Artemis 5720 2009.08.25 -

McAfee-GW-Edition 6.8.5 2009.08.26 -

Microsoft 1.4903 2009.08.26 -

NOD32 4367 2009.08.25 -

Norman 2009.08.25 -

nProtect 2009.1.8.0 2009.08.25 -

Panda 10.0.2.2 2009.08.25 -

PCTools 4.4.2.0 2009.08.25 -

Prevx 3.0 2009.08.26 -

Rising 21.44.11.00 2009.08.25 -

Sophos 4.44.0 2009.08.26 -

Sunbelt 3.2.1858.2 2009.08.25 -

Symantec 1.4.4.12 2009.08.26 -

TheHacker 6.3.4.3.388 2009.08.25 -

TrendMicro 8.950.0.1094 2009.08.25 -

VBA32 3.12.10.10 2009.08.25 -

ViRobot 2009.8.25.1901 2009.08.25 -

VirusBuster 4.6.5.0 2009.08.25 -

Additional information

File size: 13696 bytes

MD5...: be5d50529799b9bab6be879ec768b6cf

SHA1..: 8b5350ca00576e60017baf2f27b5bf22ee34efb9

SHA256: 7110afc1e16584c8c194ee0de9d779a159d1ad2553ea650324f16c3da847de72

ssdeep: 192:ZyAcOFMCCMY/fIbBu2bQG08P4YZn6K39B/dbVJTPEZZYwnNmmb5MsHKKi/5nEIGv:ZyjOj1xQyAgSLbKsHKn9E0Qk

PEiD..: -

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Generic Win/DOS Executable (49.9%)

DOS Executable Generic (49.8%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

Sure, do a full scan to confirm. I believe you are clean now though, pending the results of the file above.

Here is the scan for you to double-check.

Malwarebytes

Malwarebytes' Anti-Malware 1.40

Database version: 2697

Windows 5.1.2600 Service Pack 2

8/25/2009 9:50:52 PM

mbam-log-2009-08-25 (21-50-52).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 224702

Time elapsed: 1 hour(s), 2 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:59:02 PM, on 8/25/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZuneBusEnum.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Alwil Software\Avast4\ashSimpl.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\msiexec.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - *{57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--

End of file - 6887 bytes

So am I clean? And what's next? Also, I deleted what you told me to.

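A parser for a VirusTotal report pasted as plain text, the way the BIOS.sys report above was pasted. This is an added example, not VirusTotal code and not part of the thread. It tallies the engine rows, checks that the MD5/SHA1/SHA256 values have the expected lengths, and checks whether a forum-shortened permalink (the "7110afc...de72-1251250839" form above) is consistent with the SHA256 in the report; that the id before the dash in such a permalink is the file's SHA256 is an assumption made for that check. The embedded report is a constructed excerpt of the one posted above, with one constructed detection row added to exercise the counting (the real report showed 0/41).

```python
"""Summarise a VirusTotal report pasted as plain text.

Added example; not VirusTotal code and not from the thread. SAMPLE_REPORT is
a constructed excerpt of the report posted in the thread, with one detection
row added to exercise the counting (the real report showed 0/41).
"""
import re

# One engine row: vendor, optional version, update date, result ('-' = clean).
ROW = re.compile(
    r"^(?P<vendor>\S+)\s+(?:(?P<version>\S+)\s+)?"
    r"(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)
# Hash lines are printed as "MD5...:", "SHA1..:" and "SHA256:" followed by hex.
HASH = re.compile(r"^(?P<alg>MD5|SHA1|SHA256)\.*:\s*(?P<hex>[0-9A-Fa-f]+)\s*$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}

SAMPLE_REPORT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.26 -
AhnLab-V3 5.0.0.2 2009.08.25 -
Avast 4.8.1335.0 2009.08.25 -
ClamAV 0.94.1 2009.08.25 -
Kaspersky 7.0.0.125 2009.08.26 Constructed.Example.Detection
Norman 2009.08.25 -
Sophos 4.44.0 2009.08.26 -
VirusBuster 4.6.5.0 2009.08.25 -
Additional information
File size: 13696 bytes
MD5...: be5d50529799b9bab6be879ec768b6cf
SHA1..: 8b5350ca00576e60017baf2f27b5bf22ee34efb9
SHA256: 7110afc1e16584c8c194ee0de9d779a159d1ad2553ea650324f16c3da847de72
"""
# The Kaspersky row above is constructed; the thread's real report had no detections.


def summarize(report):
    """Count engines and detections, collect hashes, and sanity-check hash lengths."""
    engines = 0
    flagged = []
    hashes = {}
    for line in report.splitlines():
        h = HASH.match(line)
        if h:
            hashes[h["alg"]] = h["hex"].lower()
            continue
        r = ROW.match(line)
        if not r:
            continue  # header, "Additional information", file size, etc.
        engines += 1
        if r["result"] != "-":
            flagged.append((r["vendor"], r["result"]))
    return {
        "engines": engines,
        "detections": len(flagged),
        "ratio": f"{len(flagged)}/{engines}",
        "flagged": flagged,
        "hashes": hashes,
        "hash_lengths_ok": all(len(hashes.get(a, "")) == n for a, n in HEX_LEN.items()),
    }


def permalink_id_matches(link, sha256):
    """Compare the id segment of a VirusTotal permalink with a SHA256.

    Assumption: the id before the trailing '-<timestamp>' is the file's SHA256.
    Forum software often shortens long links to 'prefix...suffix', so in that
    case only the characters that are still visible are compared.
    """
    m = re.search(r"/analisis/([^/\s]+?)-\d+$", link)
    if not m:
        return False
    ident = m.group(1).lower()
    sha256 = sha256.lower()
    if "..." in ident:
        prefix, suffix = ident.split("...", 1)
        return sha256.startswith(prefix) and sha256.endswith(suffix)
    return ident == sha256


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print("detections:", s["ratio"], s["flagged"])
    print("hash lengths ok:", s["hash_lengths_ok"])
    link = "http://www.virustotal.com/analisis/7110afc...de72-1251250839"
    print("permalink consistent with SHA256:", permalink_id_matches(link, s["hashes"]["SHA256"]))
```

The shortened link in the thread fails to open precisely because the forum replaced the middle of the SHA256 with "...", which is why the staff member asked for the report text instead; the prefix/suffix check above lets a reader confirm that the pasted report and the link at least refer to the same file.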

  • Staff

Hi,

We're almost through.

I see you are running Teatimer.

I suggest you disable it, because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup

Then, download ResetTeaTimer.bat.

Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

After all of the fixes are complete it is very important that you enable TeaTimer again.

Next, please open HijackThis, and select Do a system scan only.

Place a checkmark next to the following entries (if present):

R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - *{57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)

O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\

Then, close all other windows, leaving only HijackThis open, and select Fix checked.

Restart the computer twice.

Enable TeaTimer after the second restart.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post both logs.

-screen317

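One way to triage a HijackThis log for the kind of orphaned entries the staff member lists above, as an added example that is not HijackThis code and not part of the thread. It parses the R3/O2/O3 entry format (section, kind, name, CLSID, path) and the O20 Winlogon Notify format, flags registrations whose target is "(no file)" or a bare directory such as "C:\WINDOWS\", and, when given an earlier log, reports what the same registration loaded back then. On this thread's own logs that shows the dangling entries are leftovers of the AVG toolbar, link scanner and avgrsstx.dll after AVG was uninstalled. PREVIOUS_LOG and CURRENT_LOG are constructed excerpts modelled on the two HijackThis logs posted earlier in the thread, not complete logs.

```python
"""Triage a HijackThis log for orphaned browser hooks.

Added example; not HijackThis code and not from the thread. PREVIOUS_LOG and
CURRENT_LOG are constructed excerpts modelled on the two logs posted in the
thread (before and after AVG was uninstalled); they are not complete logs.
"""
import re

# Entries with a CLSID: "<section> - <kind>: <name> - {CLSID} - <path>".
# Some R3 entries print a '*' before the CLSID; it is skipped.
CLSID_ENTRY = re.compile(
    r"^(?P<section>[RO]\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"\*?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# Winlogon Notify entries carry a name but no CLSID.
NOTIFY_ENTRY = re.compile(
    r"^(?P<section>O20) - (?P<kind>Winlogon Notify): (?P<name>\S+) - (?P<path>.*)$"
)

PREVIOUS_LOG = r"""R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

CURRENT_LOG = r"""R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def parse_hjt(text):
    """Return one dict per recognised entry; lines in other formats are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = CLSID_ENTRY.match(line) or NOTIFY_ENTRY.match(line)
        if not m:
            continue
        e = m.groupdict()
        clsid = e.get("clsid")
        e["clsid"] = clsid.upper() if clsid else None
        e["line"] = line
        entries.append(e)
    return entries


def entry_key(e):
    """CLSID when present; otherwise section plus name (Winlogon Notify)."""
    return e["clsid"] or (e["section"], e["name"])


def is_orphan(e):
    """HijackThis prints '(no file)' when the registered target is gone; a
    path ending in a backslash names a directory, which cannot be loaded."""
    path = e["path"].strip()
    return path == "(no file)" or path.endswith("\\")


def triage(current_log, previous_log=""):
    """List orphaned entries in current_log. With a previous log, attach what
    the same registration loaded back then, so the reader can see which
    product left the dangling reference behind."""
    history = {entry_key(e): e for e in parse_hjt(previous_log) if not is_orphan(e)}
    report = []
    for e in parse_hjt(current_log):
        if not is_orphan(e):
            continue
        old = history.get(entry_key(e))
        report.append({
            "section": e["section"],
            "clsid": e["clsid"],
            "line": e["line"],
            "was": f'{old["name"]} - {old["path"]}' if old else None,
        })
    return report


if __name__ == "__main__":
    for item in triage(CURRENT_LOG, PREVIOUS_LOG):
        print(item["line"])
        print("    previously:", item["was"] or "not seen in earlier log")
```

Entries with a live path (RealPlayer, Spybot, the avast! service) are left alone; only registrations that point at nothing are listed, which is the same set the staff member asked to have fixed. The "was" field is what makes the list explainable: a CLSID that loaded IEToolbar.dll in the earlier log and "(no file)" now is an uninstall leftover, not a new infection.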

Here are the DDS logs.

DDS (Ver_09-07-30.01) - NTFSx86

Run by anthony at 11:24:38.76 on Thu 08/27/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

mURLSearchHooks: H - No File

mURLSearchHooks: H - No File

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - No File

uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

dRunOnce: [RunNarrator] Narrator.exe

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anthony\applic~1\mozilla\firefox\profiles\eo5xqksd.default\

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-08-27 11:23 <DIR> --d-h--- c:\windows\PIF

2009-08-25 01:24 <DIR> --d----- c:\program files\Kerio

2009-08-25 01:24 102,912 -------- c:\windows\system32\drivers\FWDRV.SYS

2009-08-23 14:36 <DIR> --dsh--- c:\windows\Installer

2009-08-22 20:58 687,104 a------- c:\windows\is-BA5Q8.exe

2009-08-22 20:58 10,498 a------- c:\windows\is-BA5Q8.msg

2009-08-22 20:58 417 a------- c:\windows\is-BA5Q8.lst

2009-08-22 17:34 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-22 17:34 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-08-22 17:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-08-20 10:50 0 a------- c:\documents and settings\anthony\settings.dat

2009-08-11 02:20 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll

2009-08-11 02:20 452,440 a------- c:\windows\system32\d3dx10_40.dll

2009-08-11 02:20 4,379,984 a------- c:\windows\system32\D3DX9_40.dll

2009-08-11 02:20 <DIR> --d----- c:\windows\Logs

2009-08-02 14:31 <DIR> --d----- c:\windows\system32\XPSViewer

2009-08-02 14:30 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-02 14:30 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-02 14:30 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-02 14:30 575,488 -------- c:\windows\system32\xpsshhdr.dll

2009-08-02 14:30 117,760 -------- c:\windows\system32\prntvpt.dll

2009-08-02 14:30 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll

2009-08-02 14:30 1,676,288 -------- c:\windows\system32\xpssvcs.dll

2009-08-02 14:28 <DIR> --d----- c:\program files\MSXML 6.0

2009-08-02 14:25 201,050 a------- c:\windows\system32\nvapps.nvb

2009-08-02 14:24 <DIR> --d----- c:\windows\system32\GroupPolicy

2009-08-02 14:24 <DIR> --d----- c:\program files\Windows Desktop Search

2009-08-02 14:23 <DIR> --d----- c:\program files\Windows Media Connect 2

2009-08-02 14:19 <DIR> --d----- c:\windows\system32\URTTEMP

2009-08-02 14:16 288,768 -------- c:\windows\system32\rhttpaa.dll

2009-08-02 14:16 116,736 -------- c:\windows\system32\aaclient.dll

2009-08-02 14:16 36,352 -------- c:\windows\system32\tsgqec.dll

==================== Find3M ====================

2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll

2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll

2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll

2009-07-15 12:40 137,544 a------- c:\windows\system32\drivers\PnkBstrK.sys

2009-07-15 12:40 189,480 a------- c:\windows\system32\PnkBstrB.exe

2009-07-15 12:38 139,152 a------- c:\docume~1\anthony\applic~1\PnkBstrK.sys

2009-07-15 12:38 794,408 a------- c:\windows\system32\pbsvc.exe

2009-07-15 12:38 75,064 a------- c:\windows\system32\PnkBstrA.exe

2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll

2009-06-29 11:12 827,392 -------- c:\windows\system32\wininet.dll

2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll

2009-06-29 11:12 17,408 -------- c:\windows\system32\corpol.dll

2009-06-25 03:44 724,480 a------- c:\windows\system32\lsasrv.dll

2009-06-25 03:44 298,496 a------- c:\windows\system32\kerberos.dll

2009-06-25 03:44 168,448 a------- c:\windows\system32\schannel.dll

2009-06-25 03:44 133,632 a------- c:\windows\system32\msv1_0.dll

2009-06-25 03:44 59,392 a------- c:\windows\system32\wdigest.dll

2009-06-25 03:44 56,320 a------- c:\windows\system32\secur32.dll

2009-06-24 23:55 152,904 a------- c:\windows\system32\vghd.scr

2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll

2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll

2009-06-12 06:50 76,288 a------- c:\windows\system32\telnet.exe

2009-06-10 09:21 84,992 a------- c:\windows\system32\avifil32.dll

2009-06-10 01:32 132,096 a------- c:\windows\system32\wkssvc.dll

2009-06-09 10:06 1,871,872 a------- c:\windows\system32\mstscax.dll

2009-06-03 14:27 1,290,752 a------- c:\windows\system32\quartz.dll

2008-10-30 07:59 133 a---h--- c:\docume~1\anthony\applic~1\lakerda1967.sys

============= FINISH: 11:25:02.01 ===============

here is the second one...

==== Installed Programs ======================
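The "Created Last 30" and "Find3M" sections above are the part of a DDS log that forum helpers read by eye: each line is a timestamp, a size (or <DIR>), an eight-character attribute string and a path, and the things that jump out are a hidden 133-byte .sys under Application Data or an executable dropped straight into c:\windows. The following Python is an added example, not code from the original post and not part of DDS or ComboFix: it parses that line shape and runs a few triage rules over it. Assumptions: the attribute-flag positions (a=archive, c=compressed, d=directory, s=system, h=hidden) are inferred from the samples on this page rather than taken from DDS documentation, the sample input is copied from the log above, and every hit is a prompt for review rather than a verdict (a legitimate program can trip these rules; PunkBuster's copy of PnkBstrK.sys under the user profile is the obvious case in this log).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shape of the DDS "Created Last 30" / "Find3M" sections:
#   YYYY-MM-DD HH:MM  <size or <DIR>>  <8-char attribute flags>  <path>
# Flag positions are an assumption inferred from the samples on this page
# (a=archive, c=compressed, d=directory, s=system, h=hidden); the last three
# positions are left undecoded.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<flags>[a-z-]{8})\s+(?P<path>\S.*?)\s*$",
    re.IGNORECASE,
)

# Extensions Windows will load or execute directly.
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl", ".ocx"}

# Sample input: lines copied from the log posted above, so the parser is
# exercised on real line shapes (<DIR>, zero size, 8.3 short-name paths).
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2009-08-27 11:23 <DIR> --d-h--- c:\windows\PIF
2009-08-25 01:24 102,912 -------- c:\windows\system32\drivers\FWDRV.SYS
2009-08-23 14:36 <DIR> --dsh--- c:\windows\Installer
2009-08-22 20:58 687,104 a------- c:\windows\is-BA5Q8.exe
2009-08-22 17:34 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-20 10:50 0 a------- c:\documents and settings\anthony\settings.dat

==================== Find3M ====================

2009-07-15 12:38 139,152 a------- c:\docume~1\anthony\applic~1\PnkBstrK.sys
2009-06-24 23:55 152,904 a------- c:\windows\system32\vghd.scr
2008-10-30 07:59 133 a---h--- c:\docume~1\anthony\applic~1\lakerda1967.sys
"""


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # None for directories
    flags: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None or self.flags[2] == "d"

    @property
    def hidden(self) -> bool:
        return self.flags[4] == "h"

    @property
    def system(self) -> bool:
        return self.flags[3] == "s"


def parse_dds_entries(text: str) -> List[Entry]:
    """Return every file/directory line from the two DDS file-listing sections."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, anything else
        size = None if m["size"].upper() == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["flags"].lower(), m["path"]))
    return entries


def triage(entry: Entry) -> List[str]:
    """Heuristic reasons an entry deserves a closer look; empty list means nothing notable.
    These are review prompts, not malware verdicts."""
    if entry.is_dir:
        return []
    p = entry.path.lower()
    parent, _, name = p.rpartition("\\")
    ext = name[name.rfind("."):] if "." in name else ""
    in_profile = "\\docume~1\\" in p or "\\documents and settings\\" in p
    reasons = []
    if entry.hidden:
        reasons.append("hidden attribute set on a file")
    if ext == ".sys" and not parent.endswith("\\system32\\drivers"):
        reasons.append(".sys outside system32\\drivers")
    if ext in EXEC_EXT and (parent == "c:\\windows" or in_profile):
        reasons.append("executable in the Windows root or a user profile")
    if entry.size is not None and 0 < entry.size < 1024 and ext in EXEC_EXT:
        reasons.append("executable under 1 KiB (implausibly small for a driver or program)")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map path -> reasons for every entry that trips at least one rule."""
    return {e.path: r for e in parse_dds_entries(text) if (r := triage(e))}


if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path + "\n    " + "\n    ".join(reasons))
```

Run against the sample, the three hits are is-BA5Q8.exe (executable in the Windows root), PnkBstrK.sys (driver under a profile, the expected benign hit) and lakerda1967.sys, which trips all four rules; the drivers under system32\drivers, the screensaver in system32 and the two hidden directories produce nothing. The rules are deliberately location-based rather than name-based, since the random-name droppers this kind of log is used to catch change names every build.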


  • Staff

Register your avast! Home Edition here:

http://www.avast.com/eng/home-registration.php

Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 2, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.

Good work. Your log appears to be clean!

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio

Comodo

Outpost

2) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

3) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

6) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

7) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

  • 2 weeks later...
Guest
This topic is now closed to further replies.