
Same problem - ad infinitum



So I'm having the same problem everyone else is having: MBAM and HJT won't run for more than a few seconds before shutting down when scanning. Same setup as well, AVG 8.5 is putting up the false impression that it's working, and Windows Firewall is shut down. No access to many programs/functions as access is denied.

The cause is I accidentally clicked to close a pop-up box saying to DL a false antivirus program, instead of hitting Alt-F4. Right after that, I noticed Windows Firewall was off and when I clicked on Security Center, the desktop went blank. I have managed to restore the desktop by killing explorer.exe using FileASSASSIN in MBAM, but there is the obvious Google redirect. Last thing to note is that RootRepeal hangs the computer when I try to run it. It simply says 'initializing, please wait'. A Vundo trojan has also shown up in scans from an anti-virus program. Help is appreciated. I will wait for further instructions as to the program to DL and log to post.


Welcome to the forum, infectthis

DDS:

Before scanning, ensure all other running programs are closed. Do not use your computer for anything else during the scan.

Also, ensure there aren't any scheduled antivirus scans running while the dds scan is being performed.

*Note - Some antivirus programs falsely detect dds.scr as a threat.


Download DDS and save it to your desktop from here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Post the DDS.txt and attach the other please.


Here is the log file:

Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1ED.tmp\ZAP1ED.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1FC.tmp\ZAP1FC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP85.tmp\ZAP85.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\ZAPD1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\ZAPD2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\setup.pss\setupupd\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{257AF31E-6BFB-408E-B680-AFCBD28E2625}\{257AF31E-6BFB-408E-B680-AFCBD28E2625}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView\SampleView

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-03 23:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-03 23:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 16:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\hkcmd.exe

[1] 2004-08-20 14:51:14 118784 C:\WINDOWS\system32\hkcmd.exe ()

[1] 2004-04-20 16:43:18 118784 C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\hkcmd.exe (Intel Corporation)

Cannot access: C:\WINDOWS\system32\igfxtray.exe

[1] 2004-08-20 14:55:14 155648 C:\WINDOWS\system32\igfxtray.exe ()

[1] 2004-04-20 16:47:22 155648 C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\igfxtray.exe (Intel Corporation)

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\rundll32.exe

[1] 2004-08-03 23:56:55 33280 C:\WINDOWS\$NtServicePackUninstall$\rundll32.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:33 33280 C:\WINDOWS\ServicePackFiles\i386\rundll32.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:33 33280 C:\WINDOWS\system32\rundll32.exe ()

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\ProdID\bases\bases

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

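The Win32kDiag log above shows two things a responder would triage first: directory "mount points" (reparse points) whose destination is not a normal volume or junction target, and protected system files whose live copy cannot be read and whose size or version string disagrees with the backup copies Windows keeps. The following script is an added illustration, not part of the thread and not code from the Win32kDiag author: it parses log lines in the format shown above and reports both symptoms. The sample input is a constructed excerpt copied from the visible log lines, and the rule that legitimate junction and volume mount-point targets live under the `\??\` namespace is an assumption to adjust for your own environment.

```python
"""Triage a Win32kDiag-style log: flag redirected mount points and
inaccessible system files whose live copy disagrees with its backups."""
import ntpath
import re
from dataclasses import dataclass

# Constructed excerpt: a handful of lines copied from the Win32kDiag log
# posted above, so the script runs offline. Point analyze() at a real
# Win32kDiag.txt for actual use.
SAMPLE_LOG = r"""
Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2004-08-03 23:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 16:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-03 23:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 16:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 16:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 16:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] date time size path (vendor)" rows listed under a "Cannot access:" line
COPY_RE = re.compile(r"^\[\d+\] \S+ \S+ (\d+) (.+?) \((.*)\)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "mount-redirect", "size-mismatch" or "version-unreadable"
    path: str
    detail: str


def _suspicious_destination(dest: str) -> bool:
    # Assumption: legitimate junction and volume mount-point targets are
    # written in the \??\ namespace (e.g. \??\C:\... or \??\Volume{...}\).
    return not dest.startswith("\\??\\")


def _self_named(path: str) -> bool:
    # Pattern visible in the log: the mount point is a subdirectory carrying
    # the same name as its parent (C:\WINDOWS\Config\Config).
    parts = [p for p in path.split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def _judge_copies(blocked, copies):
    """Compare the inaccessible file with the other copies Win32kDiag listed."""
    if blocked is None:
        return []
    name = ntpath.basename(blocked).lower()
    live = [c for c in copies if c[1].lower() == blocked.lower()]
    backups = [c for c in copies
               if c[1].lower() != blocked.lower() and ntpath.basename(c[1]).lower() == name]
    if not live:
        return []
    size, _, vendor = live[0]
    backup_sizes = sorted({c[0] for c in backups})
    if backup_sizes and size not in backup_sizes:
        # Strong indicator: the protected copy differs in size from every backup.
        return [Finding("size-mismatch", blocked,
                        f"live copy is {size} bytes, backup copies are {backup_sizes}")]
    if not vendor:
        # Weaker: the version resource could not be read; may only be a permissions problem.
        return [Finding("version-unreadable", blocked,
                        "no vendor string on the live copy; may only be a permissions problem")]
    return []


def analyze(text: str) -> list:
    """Return the list of Findings for one Win32kDiag log."""
    findings = []
    pending_mount = None   # path from the last "Found mount point" line
    blocked = None         # path from the last "Cannot access:" line
    copies = []            # (size, path, vendor) rows listed under it
    for raw in text.splitlines():
        line = raw.strip()
        m = COPY_RE.match(line)
        if m and blocked is not None:
            copies.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        # Any other line closes the current "Cannot access" block.
        findings.extend(_judge_copies(blocked, copies))
        blocked, copies = None, []
        m = MOUNT_RE.match(line)
        if m:
            pending_mount = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m:
            if pending_mount is not None and _suspicious_destination(m.group(1)):
                why = "target is not in the \\??\\ namespace"
                if _self_named(pending_mount):
                    why += "; directory carries its parent's name"
                findings.append(Finding("mount-redirect", pending_mount, f"{m.group(1)}: {why}"))
            pending_mount = None
            continue
        m = CANNOT_RE.match(line)
        if m:
            blocked = m.group(1)
    findings.extend(_judge_copies(blocked, copies))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:18} {f.path}\n{'':18} {f.detail}")
```

On the excerpt this reports both redirected mount points, a size mismatch for eventlog.dll (the live copy is 62464 bytes against 55808 and 56320 byte backups), and only an unreadable version string for dumprep.exe, which the later permission-repair run in this thread shows was a permissions problem rather than a modified file. Treating the size mismatch as the stronger signal is what separates the two cases.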

Go Start > Run, copy then paste in the line below and press Enter

%userprofile%\desktop\Win32kDiag.exe -r -f

Post the log that should automatically open

Combofix

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it.

Please visit HERE if you don't know how. http://www.bleepingcomputer.com/forums/topic114351.html

After posting ComboFix's LOG don't forget to re-enable your Antivirus/Antispyware/Firewall software.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When you download the file rename it slightly, example combo--fix.exe (As you download, not afterwards)

Post the log from ComboFix in your next reply.


The attempt to generate the 1st log had a response that the file was not found.

But here is the ComboFix log:

ComboFix 09-09-06.06 - Owner 07/09/2009 7:38.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.686 [GMT -8:00]

Running from: c:\documents and settings\Owner\Desktop\Combo----Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-1369345178-2992633476-3056374095-1003

c:\recycler\S-1-5-21-2158975906-306199611-3339370157-1003

c:\recycler\S-1-5-21-3718177255-4201361091-3246046916-1003

c:\windows\Installer\88640.msi

c:\windows\run.log

c:\windows\system32\drivers\kbiwkmlrulhhlu.sys

c:\windows\system32\drivers\UACplsowylkgx.sys

c:\windows\system32\kbiwkmfitdxtfu.dll

c:\windows\system32\kbiwkmlvfbvcvn.dll

c:\windows\system32\kbiwkmmujepyap.dat

c:\windows\system32\kbiwkmufrqhesr.dat

c:\windows\system32\net.net

c:\windows\system32\ps2.bat

c:\windows\system32\UACdomxsleymw.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACkdtsemydew.dat

c:\windows\system32\UAClguefvtnsk.dll

c:\windows\system32\UAClygmcimomb.dll

c:\windows\system32\UACpxfkkwuwen.db

c:\windows\system32\UACqxaijntyoo.dll

D:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\logevent.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_kbiwkmvkjbobrq

-------\Legacy_kbiwkmvkjbobrq

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))

.

2009-09-04 05:33 . 2009-09-04 05:33 -------- d-----w- c:\program files\Trend Micro

2009-09-04 04:47 . 2009-09-04 04:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-04 02:32 . 2009-09-04 02:34 -------- d-----w- c:\documents and settings\Owner\.housecall6.6

2009-09-01 05:26 . 2009-09-01 05:25 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-08-31 22:55 . 2009-08-31 22:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-08-31 22:55 . 2009-08-03 21:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-31 22:55 . 2009-09-05 23:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-31 22:55 . 2009-08-31 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-31 22:55 . 2009-08-03 21:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-31 03:17 . 2009-08-31 03:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-30 09:32 . 2009-08-30 09:32 -------- d-----w- C:\VundoFix Backups

2009-08-30 08:37 . 2009-08-30 15:51 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-08-30 08:37 . 2009-08-30 15:51 32 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-08-30 08:31 . 2009-08-31 07:24 -------- d-----w- c:\program files\Common Files\ParetoLogic

2009-08-30 08:31 . 2009-08-31 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2009-08-30 08:28 . 2009-08-30 08:28 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations

2009-08-30 08:19 . 2009-08-30 22:29 -------- d--h--w- c:\windows\PIF

2009-08-30 06:36 . 2008-06-20 01:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys

2009-08-30 06:35 . 2009-08-30 06:35 -------- d-----w- c:\program files\Panda Security

2009-08-30 04:07 . 2009-08-30 04:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-30 04:06 . 2009-08-30 04:06 -------- d-----w- C:\spoolerlogs

2009-08-12 21:48 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-07 15:29 . 2004-06-04 21:13 56320 ----a-w- c:\windows\system32\eventlog.dll

2009-09-06 22:16 . 2008-08-26 19:48 -------- d-----w- c:\program files\Starcraft

2009-09-04 03:26 . 2008-08-26 19:37 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent

2009-09-01 05:25 . 2004-05-13 02:35 -------- d-----w- c:\program files\Java

2009-09-01 01:17 . 2008-12-21 01:29 -------- d-----w- c:\program files\LimeWire

2009-08-31 07:25 . 2008-11-05 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-08-30 15:51 . 2009-08-30 08:37 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2009-08-30 15:51 . 2009-08-30 08:37 32 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-08-30 04:11 . 2005-01-07 17:45 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView

2009-08-30 03:56 . 2009-08-30 03:56 889638 ----a-w- c:\windows\system32\xa.tmp

2009-08-15 22:33 . 2008-06-28 02:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-15 22:33 . 2008-06-28 02:57 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-15 22:33 . 2008-06-28 02:56 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-05 09:01 . 2002-12-12 14:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-28 01:22 . 2009-07-02 08:08 -------- d-----w- c:\program files\InvestRT

2009-07-17 19:01 . 2004-06-04 21:12 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 07:43 . 2004-05-13 02:32 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2006-06-23 18:33 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-16 14:36 . 2004-06-04 21:13 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-06-04 20:56 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 12:31 . 2004-05-13 01:35 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 17:19 . 2004-06-04 21:14 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2004-06-04 21:12 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2004-05-13 01:35 132096 ----a-w- c:\windows\system32\wkssvc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]

"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-15 2007832]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-01 149280]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-30 98304]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-5-12 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-15 22:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

"Viewpoint Manager Service"=2 (0x2)

"ZeppelinService"=2 (0x2)

"idsvc"=3 (0x3)

"WMPNetworkSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Hamachi\\hamachi.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\WINDOWS\\system32\\javaw.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\NinjaTrader 6.5\\bin\\NinjaTrader.exe"=

"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [29/08/2009 10:36 PM 28544]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/06/2008 6:57 PM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/06/2008 6:57 PM 108552]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [03/07/2008 1:10 PM 297752]

S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [03/07/2008 1:10 PM 908056]

S2 mrtRate;mrtRate; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-VTTimer - VTTimer.exe

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-AVG Anti-Spyware Guard

.

------- Supplementary Scan -------

.

uStart Page = hxxp://start.shaw.ca/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q304&bd=presario&pf=desktop

mSearch Bar = hxxp://start.shaw.ca/start/enca/addons/search/

mWindow Title = Internet Explorer Provided by SHAW Internet

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: {{2ef50289-0ea7-482e-a30b-4947a81e44cf} - c:\program files\Trillian\Trillian

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8cbca1an.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - AIM Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-07 07:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2968)

c:\windows\system32\WININET.dll

c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-07 7:54 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-07 15:54

Pre-Run: 21,623,136,256 bytes free

Post-Run: 23,377,940,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

218 --- E O F --- 2009-08-27 21:44


The attempt to generate the 1st log had a response that the file was not found.

Is Win32kDiag still on your desktop ?

Run it again by double clicking, I want to confirm something, post its log.

If you have other possible infected usb sticks/pendrives now is the time to plug them in and run combofix again, if you do so post the resultant log.

How's the PC running?


The Google search redirect is gone, and I am able to launch certain programs (e.g. Control Panel), my desktop doesn't disappear anymore, however I am still unable to access areas in my computer, such as anything in Control Panel, right clicking on My Computer to get to Properties, etc.

Here is the win32kdiag new log:

Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-03 23:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

Cannot access: C:\WINDOWS\system32\hkcmd.exe

[1] 2004-08-20 14:51:14 118784 C:\WINDOWS\system32\hkcmd.exe ()

[1] 2004-04-20 16:43:18 118784 C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\hkcmd.exe (Intel Corporation)

Cannot access: C:\WINDOWS\system32\igfxtray.exe

[1] 2004-08-20 14:55:14 155648 C:\WINDOWS\system32\igfxtray.exe ()

[1] 2004-04-20 16:47:22 155648 C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\igfxtray.exe (Intel Corporation)

Cannot access: C:\WINDOWS\system32\rundll32.exe

[1] 2004-08-03 23:56:55 33280 C:\WINDOWS\$NtServicePackUninstall$\rundll32.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:33 33280 C:\WINDOWS\ServicePackFiles\i386\rundll32.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:33 33280 C:\WINDOWS\system32\rundll32.exe ()

Finished!


Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-03 23:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:18 10752 C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\hkcmd.exe

Attempting to restore permissions of : C:\WINDOWS\system32\hkcmd.exe

[1] 2004-08-20 14:51:14 118784 C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

[1] 2004-04-20 16:43:18 118784 C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\hkcmd.exe (Intel Corporation)

Cannot access: C:\WINDOWS\system32\igfxtray.exe

Attempting to restore permissions of : C:\WINDOWS\system32\igfxtray.exe

[1] 2004-08-20 14:55:14 155648 C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

[1] 2004-04-20 16:47:22 155648 C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\igfxtray.exe (Intel Corporation)

Cannot access: C:\WINDOWS\system32\rundll32.exe

Attempting to restore permissions of : C:\WINDOWS\system32\rundll32.exe

[1] 2004-08-03 23:56:55 33280 C:\WINDOWS\$NtServicePackUninstall$\rundll32.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:33 33280 C:\WINDOWS\ServicePackFiles\i386\rundll32.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:33 33280 C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation)

Finished!


It seems I have full access again, and here are the 2 files as requested. The attach is unzipped; if you want it zipped just let me know.

And 1 possible concern: I ran MBAM last night right after post #9 in the thread, and it detected 2 infections (different viruses); however, I took no action as I didn't want to interfere with the process. After the events in post #11, right before this post, I reran MBAM and it only detected 1 of the 2 viruses, which I then deleted. Cause for worry?

DDS (Ver_09-07-30.01) - NTFSx86

Run by Owner at 0:29:31.31 on 09/09/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.651 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\igfxtray.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\QuickTime\qttask.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://start.shaw.ca/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q304&bd=presario&pf=desktop

mSearch Bar = hxxp://start.shaw.ca/start/enca/addons/search/

mWindow Title = Internet Explorer Provided by SHAW Internet

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\1940576\program\BackWeb-1940576.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {2ef50289-0ea7-482e-a30b-4947a81e44cf} - c:\program files\trillian\Trillian

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8cbca1an.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - AIM Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll

FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll

FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-8-29 28544]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 335240]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-27 27784]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-27 108552]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 297752]

S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 908056]

S2 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2009-09-08 16:55 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

2009-09-07 07:26 <DIR> a-dshr-- C:\cmdcons

2009-09-07 07:24 230,912 a------- c:\windows\PEV.exe

2009-09-07 07:24 161,792 a------- c:\windows\SWREG.exe

2009-09-07 07:24 98,816 a------- c:\windows\sed.exe

2009-09-03 21:33 <DIR> --d----- c:\program files\Trend Micro

2009-09-03 18:32 <DIR> --d----- c:\documents and settings\owner\.housecall6.6

2009-08-31 21:26 411,368 a------- c:\windows\system32\deploytk.dll

2009-08-31 14:55 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes

2009-08-31 14:55 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-31 14:55 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-08-31 14:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-08-31 14:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-08-30 01:32 <DIR> --d----- C:\VundoFix Backups

2009-08-30 00:37 32 a--sh--- c:\windows\system32\drivers\fidbox2.idx

2009-08-30 00:37 32 a--sh--- c:\windows\system32\drivers\fidbox2.dat

2009-08-30 00:37 32 a--sh--- c:\windows\system32\drivers\fidbox.idx

2009-08-30 00:37 32 a--sh--- c:\windows\system32\drivers\fidbox.dat

2009-08-30 00:37 4,106 a------- C:\rollback.ini

2009-08-30 00:31 <DIR> --d----- c:\program files\common files\ParetoLogic

2009-08-30 00:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic

2009-08-30 00:19 <DIR> --d-h--- c:\windows\PIF

2009-08-29 22:36 28,544 a------- c:\windows\system32\drivers\pavboot.sys

2009-08-29 22:35 <DIR> --d----- c:\program files\Panda Security

2009-08-29 20:06 <DIR> --d----- C:\spoolerlogs

2009-08-12 13:48 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx

2009-08-12 13:48 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll

2009-08-10 23:10 54,156 a---h--- c:\windows\QTFont.qfn

2009-08-10 23:10 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-09-07 07:29 56,320 -------- c:\windows\system32\eventlog.dll

2009-08-15 14:33 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-08-15 14:33 335,240 a------- c:\windows\system32\drivers\avgldx86.sys

2009-08-05 01:01 204,800 a------- c:\windows\system32\mswebdvd.dll

2009-07-17 11:01 58,880 a------- c:\windows\system32\atl.dll

2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll

2009-07-03 09:09 915,456 -------- c:\windows\system32\wininet.dll

2009-06-16 06:36 119,808 a------- c:\windows\system32\t2embed.dll

2009-06-16 06:36 81,920 a------- c:\windows\system32\fontsub.dll

2009-06-12 04:31 76,288 a------- c:\windows\system32\telnet.exe

2003-03-28 11:37 38,528 ac---r-- c:\windows\inf\FASTNIC.SYS

2008-10-11 16:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101120081012\index.dat

============= FINISH: 0:30:15.87 ===============

Attach.txt


"Cause for worry?"

If it or anything new crops up, do take action and post an MBAM log.

You can/should delete "C:\VundoFix Backups" and vundofix as it is not needed.

Go to Start > Run and paste in the following command:

"c:\documents and settings\Owner\Desktop\Combo----Fix.exe" /u

Or combofix /u

You should see a success message. Did you?

=======

Think Prevention: Put in place a good hosts file

http://www.mvps.org/winhelp2002/hosts.htm

Repeat that process about once or even twice a month.

To help avoid reinfection see "So how did I get infected in the first place?" http://www.malwarebytes.org/forums/index.p...65&hl=place?

See Recommended Minimal Security Settings: http://www.mvps.org/winhelp2002/unwanted.htm#happen
