Network cable unplugged


eilatan

  • Staff

Well, I'm pretty sure you're dealing with malware here. This is normal when you use cracks and keygens, as shown in your MBAM report.

Anyway, please do the following...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

I am unable to install ComboFix.

Please give more info, because "unable to install" is so general. Can't you download? Can't you install because of an error? Can you install, but it won't run? Can you install but it will only run for a few seconds etc etc...

Thanks.

Sorry, I can download it, but it starts to install and then goes off. I have also tried to rename it.

  • Staff

Ok, please delete the file and try this method:

NOTE - it HAS to be renamed before you actually save it on your desktop.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
    [image: CF_download_FF.gif]
    [image: CF_download_rename.gif]
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because in some cases malware blocks EVERY process except those on its own whitelist, and that whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...

Still won't install.

  • Staff

Still strange that Malwarebytes runs..

Anyway, please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.

I have downloaded it to the desktop. When I run it I get an error message: "Windows cannot find cmd".

  • Staff

Please do me a favor and look if the file C:\Windows\system32\cmd.exe is present.

If so, double-click it and let me know if you get an error then. If you get an error, let me know which one.

This is to figure out what is causing this, because there could be several reasons:

1) cmd.exe indeed missing

2) COMSPEC variable corrupted (although Combofix should fix that either way)

3) Permission issue

CMD.exe is missing

HijackThis report enclosed:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:41, on 05/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\thinkbroadband.com\tbbMeter\tbbmeter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\REALTEK\8192U Wireless LAN Utility\RtWLan.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\isposure\IsposureAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe"
O4 - HKLM\..\Run: [tbbMeter] C:\Program Files\thinkbroadband.com\tbbMeter\tbbmeter.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\DOCUME~1\Owner\LOCALS~1\Temp\E_S14.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://data.i-spelen.nl/games/aliasrunner.dcr"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: REALTEK RTL8192U Wireless LAN Utility.lnk = C:\Program Files\REALTEK\8192U Wireless LAN Utility\RtWLan.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216400664593
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templates/b...lcontrol013.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/b...bcontrol028.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IsposureAgent (isposure_svc) - Epitiro Ltd. - C:\Program Files\isposure\IsposureAgent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 11057 bytes

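Triage of a log like the one above is easier once it is parsed. The Python script below is an added example, not code from this thread or from Trend Micro: it parses the HijackThis layout shown (header lines, the "Running processes" list, and the R/O entries with their CLSIDs and file paths), lists autostart and service targets that are absent from the process list, and, generalising the staff's earlier remark that malware trusts names such as iexplore.exe and winlogon.exe, flags running images that carry such a name outside its standard location. The sample log is a constructed excerpt of the user's posting; EXPECTED_DIRS and the function names are this example's own assumptions.

```python
"""Parse a HijackThis log into records and run two review checks.

Added example, not code from the thread or from Trend Micro. EXPECTED_DIRS is an
assumption about standard Windows XP locations, not something the thread states.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of the log posted in the thread (a few lines only).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:41, on 05/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://bt.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKCU\\..\\Run: [spybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [AVG7_Run] C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\\hp\\bin\\cloaker.exe (User 'Default user')
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\AAWService.exe
--
End of file - 11057 bytes
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# First drive-letter path that ends in an executable/library extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|cpl|ocx|bat)\b',
                     re.IGNORECASE)


@dataclass
class Entry:
    code: str              # e.g. "O4"
    body: str              # everything after "O4 - "
    clsid: Optional[str]   # first {GUID} in the body, if any
    path: Optional[str]    # first file path in the body, if any


@dataclass
class HjtLog:
    header: Dict[str, str] = field(default_factory=dict)
    processes: List[str] = field(default_factory=list)
    entries: List[Entry] = field(default_factory=list)


def parse_hijackthis(text: str) -> HjtLog:
    """Split a log into header fields, running processes and R/O entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # first entry ends the process list
            clsid = CLSID_RE.search(m["body"])
            path = PATH_RE.search(m["body"])
            log.entries.append(Entry(m["code"], m["body"],
                                     clsid.group(0) if clsid else None,
                                     path.group(0) if path else None))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log.processes.append(line)
        else:
            h = HEADER_RE.match(line)
            if h:
                log.header[h["key"]] = h["value"]
    return log


def autostart_targets_not_running(log: HjtLog) -> List[Entry]:
    """Autostart/service entries whose target is not in the process list.

    A review list, not a verdict: RunOnce items and stopped services are
    legitimately absent, and 8.3 names (PROGRA~1) do not match their long form.
    """
    running = {p.lower() for p in log.processes}
    return [e for e in log.entries
            if e.code in {"O4", "O20", "O21", "O23"} and e.path
            and e.path.lower() not in running]


# Assumed standard XP directories for names that malware likes to borrow.
EXPECTED_DIRS = {
    "smss.exe": r"\windows\system32", "csrss.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32", "services.exe": r"\windows\system32",
    "lsass.exe": r"\windows\system32", "svchost.exe": r"\windows\system32",
    "explorer.exe": r"\windows",
    "iexplore.exe": r"\program files\internet explorer",
}


def misplaced_system_names(processes: List[str]) -> List[str]:
    """Running images that carry a trusted system name but live elsewhere."""
    out = []
    for p in processes:
        expected = EXPECTED_DIRS.get(ntpath.basename(p).lower())
        if expected and not ntpath.dirname(p).lower().endswith(expected):
            out.append(p)
    return out


if __name__ == "__main__":
    log = parse_hijackthis(SAMPLE_LOG)
    print(log.header.get("Platform"), len(log.processes), "processes,",
          len(log.entries), "entries")
    for e in autostart_targets_not_running(log):
        print("not running:", e.code, e.path)
    print("misplaced:", misplaced_system_names(log.processes))
```

Feed the full posted log to parse_hijackthis to get the same two lists for the whole thread; the header dictionary keeps Platform, MSIE and Boot mode so a report can state which SP level the entries were collected on.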
  • Staff
CMD.exe is missing
Well, in that case, you need to replace it again.

Let's see if there are any other instances of cmd.exe present that we can use to replace it.

Download FileFind by Atribune.

Unzip it.

* Double click on FileFind.exe to open the program.

* Enter cmd.exe into the File: box.

* Click on the Search button.

* After a while a list of file locations will appear in the List of Files: box.

* Click on the Export button.

C:\WINDOWS\$NtServicePackUninstall$\cmd.exe - 388608 Bytes
C:\WINDOWS\ServicePackFiles\i386\cmd.exe - 389120 Bytes
C:\WINDOWS\system32\dllcache\cmd.exe - 389120 Bytes

Hi,

Navigate to your C:\WINDOWS\system32\dllcache folder and COPY the cmd.exe present there to your C:\Windows\system32 folder

Then run Combofix again.

ComboFix starts to run but says the AVG 7.5 scanner is active. I no longer have AVG on the system, and when I try to install AVG 8.5 it says that 7.5 is installed.

Can I still run ComboFix?

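As an added example (not code from the thread, from FileFind or from ComboFix), here are the two cmd.exe steps of this thread in Python: the three-way diagnosis of "Windows cannot find cmd" from the earlier staff post (file missing, COMSPEC corrupted, permission issue), and the FileFind search from the later one, ranking the exported candidates by the installed service pack's file size and preferring the dllcache copy the staff told the user to take, followed by a hash check to confirm the copy once made. The FileFind export is a constructed copy of what the user posted; the ranking rule and the injectable exists/executable callables are this example's own assumptions.

```python
"""Diagnose a 'Windows cannot find cmd' error and pick a replacement cmd.exe.

Added example, not code from the thread. Assumes the XP layout shown there:
%SystemRoot%\\system32\\cmd.exe with backups under dllcache and
ServicePackFiles\\i386. The ranking rule is an assumption of this example.
"""
import hashlib
import ntpath
import os
import re
from typing import Callable, List, NamedTuple, Optional

SYSTEM32_CMD = r"C:\WINDOWS\system32\cmd.exe"

# Constructed copy of the FileFind export the user posted.
FILEFIND_EXPORT = """\
C:\\WINDOWS\\$NtServicePackUninstall$\\cmd.exe - 388608 Bytes
C:\\WINDOWS\\ServicePackFiles\\i386\\cmd.exe - 389120 Bytes
C:\\WINDOWS\\system32\\dllcache\\cmd.exe - 389120 Bytes
"""
FILEFIND_LINE = re.compile(r"^(?P<path>.+?) - (?P<size>\d+) Bytes$")


class Candidate(NamedTuple):
    path: str
    size: int


def diagnose_cmd(comspec: Optional[str],
                 exists: Callable[[str], bool] = os.path.exists,
                 executable: Callable[[str], bool] = lambda p: os.access(p, os.X_OK),
                 system32_cmd: str = SYSTEM32_CMD) -> List[str]:
    """Return which of the staff's three causes apply (empty list: none found).

    `exists` and `executable` are injectable so the logic can be exercised on a
    machine other than the affected XP box.
    """
    reasons = []
    if not exists(system32_cmd):
        reasons.append("cmd.exe missing")
    elif not executable(system32_cmd):
        reasons.append("permission issue")
    if not comspec:
        reasons.append("COMSPEC unset")
    elif ntpath.basename(comspec).lower() != "cmd.exe":
        reasons.append("COMSPEC corrupted")           # points at something else
    elif comspec.lower() != system32_cmd.lower() and not exists(comspec):
        reasons.append("COMSPEC points to a missing file")
    return reasons


def parse_filefind(text: str) -> List[Candidate]:
    """Parse FileFind's 'path - N Bytes' export lines."""
    out = []
    for line in text.splitlines():
        m = FILEFIND_LINE.match(line.strip())
        if m:
            out.append(Candidate(m["path"], int(m["size"])))
    return out


def rank_replacements(candidates: List[Candidate]) -> List[str]:
    """Order candidate copies, best first.

    ServicePackFiles\\i386 holds the installed service pack's own files, so its
    size is the reference; $NtServicePackUninstall$ holds the pre-SP version and
    usually differs. A matching dllcache copy (the File Protection cache) is
    preferred, which is the copy the staff told the user to take.
    """
    ref = [c for c in candidates if "\\servicepackfiles\\" in c.path.lower()]
    ref_size = ref[0].size if ref else None

    def key(c: Candidate):
        p = c.path.lower()
        return (c.size != ref_size, "\\dllcache\\" not in p,
                "\\servicepackfiles\\" not in p, p)

    return [c.path for c in sorted(candidates, key=key)]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def copies_match(src: str, dst: str) -> bool:
    """After copying dllcache\\cmd.exe into system32, confirm the bytes are
    identical; size alone (all FileFind reports) cannot tell a patched file apart."""
    return sha256_file(src) == sha256_file(dst)


if __name__ == "__main__":
    print("diagnosis:", diagnose_cmd(os.environ.get("COMSPEC")))
    print("replacement order:", rank_replacements(parse_filefind(FILEFIND_EXPORT)))
```

Run on the affected machine, diagnose_cmd(os.environ.get("COMSPEC")) reads the real file system; the callables exist so the decision logic can be checked elsewhere first, and copies_match is the step to run after the copy the staff describes.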
Log file enclosed:

ComboFix 09-09-05.02 - Owner 06/09/2009 9:44.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.193 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG 7.5.557 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc107.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc126.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc127.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc12F.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc13E.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc15F.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc180.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc19E.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc1C5.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc1DA.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc1F7.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc25.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc255.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc2C8.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc324.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc32B.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc3BC.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc3ED.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc57A.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc5F0.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc6A0.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc81.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc8246.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc82B5.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc8C.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mccB.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mccB4.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mccBD.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mccC.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mccC2.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mccC9.tmp
c:\documents and settings\Owner\Owner.exe
c:\windows\Installer\13176.msi
c:\windows\Installer\18a171b.msp
c:\windows\Installer\18a1734.msp
c:\windows\Installer\18a174b.msp
c:\windows\Installer\18a1762.msp
c:\windows\Installer\d573e44.msp
c:\windows\Installer\d573e45.msp
c:\windows\Installer\d573e46.msp
c:\windows\Installer\d573e47.msp
c:\windows\Installer\d573e48.msp
c:\windows\Installer\d573e49.msp
c:\windows\Installer\d573e4a.msp
c:\windows\Installer\d573e4b.msp
c:\windows\Installer\d573e4c.msp
c:\windows\Installer\d573e4d.msp
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\ps2.bat
c:\windows\system32\UACgxkwklbunvdkmqihy.db
c:\windows\system32\uactmp.db
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_UACd.sys
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.
2009-09-06 08:05 . 2008-04-14 00:12 389120 -c--a-w- c:\windows\system32\dllcache\cmd.exe
2009-09-06 08:05 . 2008-04-14 00:12 389120 ----a-w- c:\windows\system32\cmd.exe
2009-08-29 07:36 . 2009-08-29 07:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-29 07:36 . 2009-08-29 07:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 07:04 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 07:04 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 21:06 . 2009-08-28 21:06 -------- d-----w- c:\windows\system32\LogFiles
2009-08-28 20:59 . 2009-08-28 20:59 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-08-28 20:59 . 2009-08-28 20:59 -------- d-----w- c:\windows\OPTIONS
2009-08-28 20:59 . 2008-05-20 12:58 414464 ----a-r- c:\windows\system32\drivers\RTL8192u.sys
2009-08-28 20:58 . 2009-08-28 20:58 -------- d-----w- c:\windows\system32\REALTEK RTL8192U Wireless LAN Driver and Utility
2009-08-28 20:58 . 2009-08-28 20:58 -------- d-----w- c:\program files\REALTEK
2009-08-28 20:46 . 2009-08-28 20:46 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-13 04:49 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 14:02 . 2009-09-06 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Epitiro
2009-08-12 14:02 . 2009-09-06 08:58 -------- d-----w- c:\program files\isposure
2009-08-12 14:01 . 2009-08-12 14:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-12 14:01 . 2009-08-12 14:01 -------- d-----w- c:\program files\thinkbroadband.com
2009-08-11 12:37 . 2009-08-11 12:37 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-08-08 19:19 . 2009-08-08 19:20 -------- d-----w- C:\9c4111a773c9db393968dc4691
2009-08-08 19:18 . 2009-08-09 02:06 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-07 19:55 . 2009-08-07 19:55 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Motive
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 09:00 . 2008-07-20 20:46 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-09-03 07:56 . 2008-07-18 12:22 -------- d-----w- c:\program files\EPSON Print CD
2009-09-01 20:49 . 2008-07-21 11:12 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-08-29 07:04 . 2009-04-29 07:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-28 20:58 . 2003-01-01 18:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-26 12:18 . 2008-08-17 14:04 -------- d-----w- c:\documents and settings\Owner\Application Data\ImgBurn
2009-08-26 11:38 . 2008-07-20 17:32 -------- d-----w- c:\program files\Google
2009-08-26 11:37 . 2009-07-26 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-26 07:48 . 2009-03-18 07:41 -------- d-----w- c:\documents and settings\Owner\Application Data\DVD Flick
2009-08-16 12:14 . 2008-07-18 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-12 14:02 . 2008-07-18 13:19 97184 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2002-12-12 14:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 06:47 . 2008-09-06 15:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-04 20:59 . 2009-08-04 20:59 -------- d-----w- c:\program files\TomTom International B.V
2009-08-04 20:58 . 2008-11-03 07:59 -------- d-----w- c:\program files\TomTom HOME 2
2009-08-04 05:41 . 2008-09-16 21:04 -------- d-----w- c:\program files\Virtual Earth 3D
2009-08-03 15:46 . 2009-08-03 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-08-03 15:41 . 2008-12-22 16:19 -------- d-----w- c:\program files\Yahoo!
2009-08-03 15:41 . 2009-08-03 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-08-03 15:40 . 2009-08-03 15:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Motive
2009-08-03 15:40 . 2009-08-03 15:39 -------- d-----w- c:\program files\BT Broadband Desktop Help
2009-08-03 15:39 . 2009-08-03 15:39 -------- d-----w- c:\program files\Common Files\Motive
2009-08-03 15:39 . 2009-08-03 15:39 -------- d-----w- c:\program files\Citrix
2009-08-03 15:37 . 2009-08-03 15:37 -------- d-----w- c:\program files\BTHomeHub
2009-07-19 15:34 . 2009-07-18 21:00 -------- d-----w- c:\program files\Codec Pack - All In 1
2009-07-19 15:34 . 2009-07-19 15:34 -------- d-----w- c:\program files\ffdshow
2009-07-17 21:24 . 2009-01-04 13:44 -------- d-----w- c:\documents and settings\Owner\Application Data\TeamViewer
2009-07-17 19:01 . 2003-01-01 08:32 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 12:35 . 2009-07-12 12:35 -------- d-----w- c:\program files\Trend Micro
2009-07-12 11:21 . 2003-01-01 18:01 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 09:40 . 2009-07-12 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-12 09:39 . 2009-07-12 09:38 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-12 09:38 . 2009-07-12 09:38 -------- d-----w- c:\program files\Lavasoft
2009-07-12 09:19 . 2009-07-12 09:19 -------- d-----w- c:\documents and settings\Administrator.YOUR-V7OY5L24PG.000\Application Data\Malwarebytes
2009-07-12 08:42 . 2009-05-17 18:21 -------- d-----w- c:\program files\Hazard Perception 2003
2009-07-12 08:35 . 2008-08-01 13:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-12 07:39 . 2009-07-12 07:39 344 ----a-w- c:\documents and settings\Owner\QTFJMC.bat
2009-07-12 07:39 . 2009-07-12 07:39 85 ----a-w- C:\159.bat
2009-07-03 20:01 . 2009-07-03 20:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-03 17:09 . 2006-06-23 10:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 14:49 . 2009-07-12 09:40 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-03 14:49 . 2009-07-12 10:18 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2003-01-01 08:36 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2003-01-01 08:34 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-01-01 08:34 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2003-01-01 08:34 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2003-01-01 08:34 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-24 11:18 . 2003-01-02 00:20 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2003-01-01 08:35 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-01-01 08:33 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2003-01-02 00:20 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2003-01-01 08:32 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2003-01-01 08:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2003-01-01 08:36 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-07-18 12:05 . 2008-07-18 12:05 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
2004-01-02 05:34 . 2008-07-18 19:52 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-25 39408]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-03-25 1548288]

"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2009-03-25 1516032]

"tbbMeter"="c:\program files\thinkbroadband.com\tbbMeter\tbbmeter.exe" [2009-08-26 521736]

c:\documents and settings\Administrator.YOUR-V7OY5L24PG\Start Menu\Programs\Startup\

mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

c:\documents and settings\Administrator.YOUR-V7OY5L24PG.000\Start Menu\Programs\Startup\

mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

REALTEK RTL8192U Wireless LAN Utility.lnk - c:\program files\REALTEK\8192U Wireless LAN Utility\RtWLan.exe [2009-8-28 868352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-08-03 15:39 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]

backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IM-me.lnk]

backup=c:\windows\pss\IM-me.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Stupid Data Dart Wave

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Warn Jugs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=2 (0x2)

"gupdate1c9f4e4c6d8156"=2 (0x2)

"AVGEMS"=2 (0x2)

"Avg7UpdSvc"=2 (0x2)

"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=

"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=

"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=

"c:\\Program Files\\REALTEK\\8192U Wireless LAN Utility\\RtWLan.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot

"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/07/2009 10:40 64160]

R2 isposure_svc;IsposureAgent;c:\program files\isposure\IsposureAgent.exe [23/10/2008 08:43 761856]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]

R3 S3U10Scanner;600 CU Still Image Device Service;c:\windows\system32\drivers\UsbScan.sys [18/07/2008 20:53 15104]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [01/08/2008 14:29 16512]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [11/01/2009 18:12 10976]

S3 RTL8192u;Realtek RTL8192U Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192u.sys [28/08/2009 21:59 414464]

S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [25/12/2008 11:44 81832]

S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [25/12/2008 11:44 13864]

S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [25/12/2008 11:44 107304]

S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [25/12/2008 11:44 99112]

S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [25/12/2008 11:44 21928]

S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [25/12/2008 11:44 97320]

S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [25/12/2008 11:44 97704]

S4 gupdate1c9f4e4c6d8156;Google Update Service (gupdate1c9f4e4c6d8156);c:\program files\Google\Update\GoogleUpdate.exe [24/06/2009 16:54 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-09-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

2009-09-06 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-20 15:48]

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-24 15:54]

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-24 15:54]

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-AVG7_Run - c:\progra~1\Grisoft\AVG7\avgw.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://bt.yahoo.com

uDefault_Search_URL = hxxp://srch-qgb9.hpwis.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} - hxxps://register.btinternet.com/templates/btmailcontrol013.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-06 09:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3868)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\nvsvc32.exe

c:\program files\TomTom HOME 2\TomTomHOMEService.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Completion time: 2009-09-06 10:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-06 09:06

Pre-Run: 21,065,994,240 bytes free

Post-Run: 21,046,419,456 bytes free

289 --- E O F --- 2009-09-01 20:52


  • Staff

Hi,

* Go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then,

* Please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it finds.

Then reboot.

After reboot, open your Avira and select "reports".

There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.


Avira AntiVir Personal

Report file date: 06 September 2009 15:21

Scanning for 1684804 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : YOUR-V7OY5L24PG

Version information:

BUILD.DAT : 9.0.0.407 17961 Bytes 29/07/2009 10:34:00

AVSCAN.EXE : 9.0.3.7 466689 Bytes 21/07/2009 13:36:14

AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 10:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 11:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 10:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 12:30:36

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 09:21:42

ANTIVIR2.VDF : 7.1.5.201 3414528 Bytes 03/09/2009 14:20:02

ANTIVIR3.VDF : 7.1.5.210 53760 Bytes 06/09/2009 14:20:02

Engineversion : 8.2.1.8

AEVDF.DLL : 8.1.1.1 106868 Bytes 28/07/2009 13:31:50

AESCRIPT.DLL : 8.1.2.27 467321 Bytes 06/09/2009 14:20:16

AESCN.DLL : 8.1.2.5 127346 Bytes 06/09/2009 14:20:14

AERDL.DLL : 8.1.2.4 430452 Bytes 23/07/2009 09:59:39

AEPACK.DLL : 8.1.3.18 401783 Bytes 28/07/2009 13:31:50

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 23/07/2009 09:59:39

AEHEUR.DLL : 8.1.0.155 1921400 Bytes 06/09/2009 14:20:14

AEHELP.DLL : 8.1.7.0 237940 Bytes 06/09/2009 14:20:07

AEGEN.DLL : 8.1.1.60 364915 Bytes 06/09/2009 14:20:05

AEEMU.DLL : 8.1.0.9 393588 Bytes 09/10/2008 14:32:40

AECORE.DLL : 8.1.7.8 184692 Bytes 06/09/2009 14:20:03

AEBB.DLL : 8.1.0.3 53618 Bytes 09/10/2008 14:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 05/12/2008 10:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 14:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 10:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 24/03/2009 15:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 10:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 15:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 08:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 10:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/05/2009 15:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/04/2009 10:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 06 September 2009 15:21

Starting search for hidden objects.

'67241' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'msiexec.exe' - '1' Module(s) have been scanned

Scan process 'tbbMeter.exe' - '1' Module(s) have been scanned

Scan process 'AAWTray.exe' - '1' Module(s) have been scanned

Scan process 'unsecapp.exe' - '1' Module(s) have been scanned

Scan process 'AAWService.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'notepad.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'TomTomHOMEService.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

Scan process 'RtWLan.exe' - '1' Module(s) have been scanned

Scan process 'McciCMService.exe' - '1' Module(s) have been scanned

Scan process 'TomTomHOMERunner.exe' - '1' Module(s) have been scanned

Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned

Scan process 'tbbMeter.exe' - '1' Module(s) have been scanned

Scan process 'McciTrayApp.exe' - '1' Module(s) have been scanned

Scan process 'BTHelpNotifier.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'IsposureAgent.exe' - '1' Module(s) have been scanned

Scan process 'E_S30RP1.EXE' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

44 processes with 44 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '58' files ).

Starting the file scan:

Begin scan in 'C:\' <PRESARIO>

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\Owner\My Documents\programmes\ophcrack-win32-installer-3.0.1.exe

[0] Archive type: NSIS

--> ProgramFilesDir/pwdump6_setup.exe

[DETECTION] Contains recognition pattern of the SPR/Tool.JK program

--> ProgramFilesDir/imokav.exe

[DETECTION] Contains recognition pattern of the SPR/PSW.PWDump.F program

--> ProgramFilesDir/lstarget.dll

[DETECTION] Contains recognition pattern of the SPR/PSW.PWDump.F.1 program

C:\hp\bin\KillIt.exe

[DETECTION] Contains recognition pattern of the APPL/KillApp.A application

C:\hp\bin\KillWind.exe

[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application

C:\Program Files\Online Services\BTESAT\1890hp.exe

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Hupigon.huap back-door program

C:\WINDOWS\Downloaded Program Files\btmailcontrol.dll

[DETECTION] Contains recognition pattern of the DIAL/94208.A.13 dialer

Begin scan in 'D:\' <PRESARIO_RP>

Beginning disinfection:

C:\Documents and Settings\Owner\My Documents\programmes\ophcrack-win32-installer-3.0.1.exe

[NOTE] The file was moved to '4b0bdc56.qua'!

C:\hp\bin\KillIt.exe

[DETECTION] Contains recognition pattern of the APPL/KillApp.A application

[NOTE] The file was moved to '4b0fdc4f.qua'!

C:\hp\bin\KillWind.exe

[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application

[NOTE] The file was moved to '4a6b1c68.qua'!

C:\Program Files\Online Services\BTESAT\1890hp.exe

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Hupigon.huap back-door program

[NOTE] The file was moved to '4adcdc1e.qua'!

C:\WINDOWS\Downloaded Program Files\btmailcontrol.dll

[DETECTION] Contains recognition pattern of the DIAL/94208.A.13 dialer

[NOTE] The file was moved to '4b10dc5a.qua'!

End of the scan: 06 September 2009 16:57

Used time: 1:09:37 Hour(s)

The scan has been done completely.

7985 Scanned directories

403166 Files were scanned

7 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

5 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

403158 Files not concerned

18724 Archives were scanned

1 Warnings

6 Notes

67241 Objects were scanned with rootkit scan

0 Hidden objects were found


  • Staff

Hi,

Please stop using cracks etc, because that's how you got infected.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


What is meant by cracks?
