Please Help me...

MissMikel
Ok, I am kinda dumb when it comes to computers, so I need help... I awoke this morning to a serious virus. It took me all day to get my Malwarebytes to run, and when it did it seemed to fix the problems. However, when I tried to open mbam after the reboot it was a no go. It kept saying that Malwarebytes has encountered a problem and needs to close. So I uninstalled and tried to reinstall, but that will not work. I also tried to install HijackThis, but that won't work either. Here is the log of the scan:

Malwarebytes' Anti-Malware 1.40

Database version: 2759

Windows 5.1.2600 Service Pack 2

9/8/2009 4:13:28 PM

mbam-log-2009-09-08 (16-13-28).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 316684

Time elapsed: 1 hour(s), 16 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 9

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 5

Files Infected: 53

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\UACrkreyubnij.dll (Trojan.Agent) -> Delete on reboot.

C:\Program Files\Protection System\coreext.dll (Rogue.ProtectionSystem) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntipPro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Delete on reboot.

C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:

\\?\globalroot\systemroot\system32\UACrkreyubnij.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\windows Police Pro.exe (Antivirus2009) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\dbsinit.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Program Files\Protection System\blacklist.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Program Files\Protection System\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Program Files\Protection System\coreext.dll (Rogue.ProtectionSystem) -> Delete on reboot.

C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\Program Files\Protection System\firewall.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Program Files\Protection System\help.ico (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\msvcm80.dll (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\msvcp80.dll (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\msvcr80.dll (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\wispex.html (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\i1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\i2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\i3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\j1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\j2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\j3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\jj1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\jj2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\jj3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\l1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\l2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\l3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\pix.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\t1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\t2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\up1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\up2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\w1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\w11.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\w2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\w3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\w3.jpg (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\wt1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\wt2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Program Files\Windows Police Pro\tmp\images\wt3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\Protection System Support.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\onhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.

I would really appreciate any help that you can give me... again, it seems as if the virus is gone, there are no more pop-ups, the internet works properly and AVG will run, but not Malwarebytes, which usually catches anything AVG doesn't. I should also maybe add that I already had to do a system restore from safe mode about six months ago (with help), and this thing has been a little wonky ever since... Perhaps it's time for an upgrade?? :P

Thanks in advance for any advice you could give...

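The most instructive entries in the log above are the two "Registry Data Items Infected" lines: the ImagePath of the BITS and wuauserv services was changed from %SystemRoot% to %fystemRoot%. An environment variable that does not exist is left unexpanded when the path is resolved, so the service cannot find svchost.exe and fails to start, which silently disables Windows Update and the Background Intelligent Transfer Service. The other notable entry is a DLL reported under \\?\globalroot\, a device path rather than a drive letter, which is how a rootkit-hidden module shows up when it is found in memory but not on the normal file system. The following Python helper is an added example, not code from the original post or from Malwarebytes; it parses log lines in this exact format (the SAMPLE_LOG lines are copied from the post) and flags both patterns. The regular expressions and function names are this example's own and are not an official log schema.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) log lines.

Added example, not part of the original forum post or of Malwarebytes.
It parses 'Registry Data Items Infected' entries of the form

    <key>\<value> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>

and module/file entries of the form

    <path> (<detection>) -> <action>

and flags two things the log in the post shows:
  * an ImagePath whose only difference from the known-good value is a
    mangled environment-variable name (%fystemRoot% vs %SystemRoot%);
  * modules reported under a \\?\globalroot\ device path.
"""
import re

# Constructed sample: four lines copied verbatim from the MBAM log in the post.
SAMPLE_LOG = r"""
\\?\globalroot\systemroot\system32\UACrkreyubnij.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Protection System\coreext.dll (Rogue.ProtectionSystem) -> Delete on reboot.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
"""

# Assumed line layout (derived from the log above, not an official schema).
DATA_ITEM_RE = re.compile(
    r"^(?P<key>HKEY_.+?)\\(?P<value>[^\\ ]+) \((?P<name>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.*)$"
)
ENV_VAR_RE = re.compile(r"%([^%]+)%")
GLOBALROOT_RE = re.compile(r"^\\\\\?\\globalroot\\", re.IGNORECASE)


def parse_data_items(log_text):
    """Return one dict per 'Registry Data Items Infected' line."""
    items = []
    for line in log_text.splitlines():
        m = DATA_ITEM_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def env_var_tamper(bad, good):
    """Return (bad_var, good_var) if the two paths differ only in the name of
    their single environment variable (everything else compared case-insensitively),
    otherwise None."""
    bad_vars = ENV_VAR_RE.findall(bad)
    good_vars = ENV_VAR_RE.findall(good)
    if len(bad_vars) != 1 or len(good_vars) != 1:
        return None
    if ENV_VAR_RE.sub("%X%", bad).lower() != ENV_VAR_RE.sub("%X%", good).lower():
        return None
    if bad_vars[0].lower() == good_vars[0].lower():
        return None
    return bad_vars[0], good_vars[0]


def hijacked_services(log_text):
    """Map service name -> (bogus var, expected var) for ImagePath entries whose
    environment variable was mangled so the service can no longer start."""
    found = {}
    for item in parse_data_items(log_text):
        if item["value"].lower() != "imagepath":
            continue
        tamper = env_var_tamper(item["bad"], item["good"])
        if tamper:
            service = item["key"].rsplit("\\", 1)[-1]
            found[service] = tamper
    return found


def globalroot_modules(log_text):
    """Paths reported under \\?\globalroot\, i.e. modules seen in memory but
    not at a normal drive-letter path."""
    return [line.strip().split(" (")[0]
            for line in log_text.splitlines()
            if GLOBALROOT_RE.match(line.strip())]


if __name__ == "__main__":
    for svc, (bad, good) in hijacked_services(SAMPLE_LOG).items():
        print(f"{svc}: ImagePath uses %{bad}% instead of %{good}% -> service cannot start")
    for path in globalroot_modules(SAMPLE_LOG):
        print(f"device-path module (likely hidden by a rootkit): {path}")
```

The comparison deliberately normalises case before deciding that only the variable name differs, because the log itself shows the legitimate value written as System32 and the bad one as system32; a plain string compare would report a difference that is not the attack.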

Welcome to Malwarebytes!!! :huh:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1

Link 2

Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.


I am trying to run Combofix but it says I should disable AVG first...How do I do that??

Disregard that...I figured it out... Here is the Combo Fix Log:

ComboFix 09-09-09.09 - Michael 09/10/2009 9:18.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.619 [GMT -7:00]

Running from: c:\documents and settings\Michael\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Michael\LOCALS~1\Temp\tmp1.tmp

c:\docume~1\Michael\LOCALS~1\Temp\tmp2.tmp

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\KC.FREDDIE\Temporary Internet Files\fbk.sts

c:\windows\Installer\117de90.msi

c:\windows\Installer\11f251.msi

c:\windows\Installer\1339a6.msi

c:\windows\Installer\1502177.msi

c:\windows\Installer\1bc4ac0b.msi

c:\windows\Installer\1dd69ea.msi

c:\windows\Installer\1dd69f0.msi

c:\windows\Installer\1dd69f6.msi

c:\windows\Installer\1dd69fc.msi

c:\windows\Installer\1dd6a02.msi

c:\windows\Installer\1dd6a08.msi

c:\windows\Installer\1dd6a0e.msi

c:\windows\Installer\2207b51b.msi

c:\windows\Installer\25026dd.msi

c:\windows\Installer\25026e4.msi

c:\windows\Installer\25026ef.msi

c:\windows\Installer\2502719.msi

c:\windows\Installer\250271f.msi

c:\windows\Installer\2502731.msi

c:\windows\Installer\2502752.msi

c:\windows\Installer\2502893.msi

c:\windows\Installer\25028a1.msi

c:\windows\Installer\25028bf.msi

c:\windows\Installer\25028cc.msi

c:\windows\Installer\25028f5.msi

c:\windows\Installer\2502916.msi

c:\windows\Installer\250291c.msi

c:\windows\Installer\2502947.msi

c:\windows\Installer\250295a.msi

c:\windows\Installer\2502965.msi

c:\windows\Installer\2502988.msi

c:\windows\Installer\250298e.msi

c:\windows\Installer\25029ac.msi

c:\windows\Installer\25029b8.msi

c:\windows\Installer\25029c5.msi

c:\windows\Installer\352fbf2.msi

c:\windows\Installer\40b5de8.msi

c:\windows\Installer\4180fe.msi

c:\windows\Installer\41fbf.msi

c:\windows\Installer\421936d2.msi

c:\windows\Installer\4791b600.msp

c:\windows\Installer\4c699ee5.msi

c:\windows\Installer\4d7ed952.msi

c:\windows\Installer\519de8fa.msi

c:\windows\Installer\53d2bdd.msi

c:\windows\Installer\653fa6.msi

c:\windows\Installer\6a9b5.msi

c:\windows\Installer\6de1e7.msi

c:\windows\Installer\8b0ef.msi

c:\windows\Installer\8b11b.msi

c:\windows\Installer\8b167.msi

c:\windows\Installer\8b191.msi

c:\windows\Installer\8b199.msi

c:\windows\Installer\8b1a0.msi

c:\windows\Installer\8b1a6.msi

c:\windows\Installer\8b1ac.msi

c:\windows\Installer\a3b6c37.msi

c:\windows\Installer\aff55f6.msi

c:\windows\Installer\b1ecec0.msi

c:\windows\Installer\e9a8.msi

c:\windows\Installer\f1db05d.msi

c:\windows\kb913800.exe

c:\windows\ORUN32.EXE

c:\windows\run.log

c:\windows\system32\ahawewat.ini

c:\windows\system32\ahukefej.ini

c:\windows\system32\ajugujiz.ini

c:\windows\system32\anayagot.ini

c:\windows\system32\arfjwjpk.ini

c:\windows\system32\atomisap.ini

c:\windows\system32\avuyumud.ini

c:\windows\system32\bdfeefhk.ini

c:\windows\system32\bdfeefhk.ini2

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk

c:\windows\system32\drivers\SKYNETqkytjilx.sys

c:\windows\system32\drivers\UACypaicogvml.sys

c:\windows\system32\egfuhina.ini

c:\windows\system32\ehikamot.ini

c:\windows\system32\eiukjgrv.ini

c:\windows\system32\gjjTstwa.ini

c:\windows\system32\gjjTstwa.ini2

c:\windows\system32\hbxssuax.ini

c:\windows\system32\hlgshegl.ini

c:\windows\system32\ibohevuj.ini

c:\windows\system32\ijadanuv.ini

c:\windows\system32\images

c:\windows\system32\images\i1.gif

c:\windows\system32\images\i2.gif

c:\windows\system32\images\i3.gif

c:\windows\system32\images\j1.gif

c:\windows\system32\images\j2.gif

c:\windows\system32\images\j3.gif

c:\windows\system32\images\jj1.gif

c:\windows\system32\images\jj2.gif

c:\windows\system32\images\jj3.gif

c:\windows\system32\images\l1.gif

c:\windows\system32\images\l2.gif

c:\windows\system32\images\l3.gif

c:\windows\system32\images\pix.gif

c:\windows\system32\images\t1.gif

c:\windows\system32\images\t2.gif

c:\windows\system32\images\up1.gif

c:\windows\system32\images\up2.gif

c:\windows\system32\images\w1.gif

c:\windows\system32\images\w11.gif

c:\windows\system32\images\w2.gif

c:\windows\system32\images\w3.gif

c:\windows\system32\images\w3.jpg

c:\windows\system32\images\wt1.gif

c:\windows\system32\images\wt2.gif

c:\windows\system32\images\wt3.gif

c:\windows\system32\inafagus.ini

c:\windows\system32\itosehet.ini

c:\windows\system32\ivutepun.ini

c:\windows\system32\jmgejjvw.ini

c:\windows\system32\nfr.assembly

c:\windows\system32\ogagiyiy.ini

c:\windows\system32\olajowih.ini

c:\windows\system32\onenijus.ini

c:\windows\system32\ovumejew.ini

c:\windows\system32\owmstplb.ini

c:\windows\system32\rcipjqwc.ini

c:\windows\system32\rhqxfprq.ini

c:\windows\system32\ryoerqdt.ini

c:\windows\system32\SKYNETlqohsavu.dll

c:\windows\system32\SKYNETmupejnpp.dat

c:\windows\system32\SKYNETnjeooxrs.dat

c:\windows\system32\SKYNETpwurpqol.dll

c:\windows\system32\SKYNETyubqaite.dll

c:\windows\system32\sllubkch.ini

c:\windows\system32\sppugbpi.ini

c:\windows\system32\SuxFffii.ini

c:\windows\system32\SuxFffii.ini2

c:\windows\system32\tCcKRBeg.ini

c:\windows\system32\tCcKRBeg.ini2

c:\windows\system32\typgemnh.ini

c:\windows\system32\UACeylmdxunmt.dat

c:\windows\system32\uacinit.dll

c:\windows\system32\UACkqrjbocnaf.dll

c:\windows\system32\UACqoydqmtahh.dll

c:\windows\system32\UACrkreyubnij.dll

c:\windows\system32\UACtuefyxjhct.dll

c:\windows\system32\udccokha.ini

c:\windows\system32\ugdjsdgo.ini

c:\windows\system32\ujererob.ini

c:\windows\system32\ujlhqjbi.ini

c:\windows\system32\uyujepoz.ini

c:\windows\system32\wlnoqibs.ini

c:\windows\system32\yiespmjf.ini

c:\windows\Tasks\cvwiqojx.job

c:\windows\wiaserviv.log

c:\windows\YOURAPP.EXE

D:\Autorun.inf

c:\recycler\S-1-5-21-2343318182-1239994931-4019461660-1005 . . . . failed to delete

c:\recycler\S-1-5-21-2343318182-1239994931-4019461660-1006 . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://82.98.235.205

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\$NtServicePackUninstall$\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_SKYNETddlopyqg

-------\Legacy_SKYNETddlopyqg

-------\Service_UACd.sys

-------\Legacy_UACd.sys

-------\Legacy_BROWSERCTL

-------\Legacy_BROWSERCTLDRV

-------\Service_SfX

((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))

.

2009-09-10 16:27 . 2006-03-16 04:00 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-10 16:27 . 2006-03-16 04:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2009-09-10 00:02 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 00:02 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-09 02:19 . 2009-09-09 02:19 -------- d-----w- c:\documents and settings\Michael\Local Settings\Application Data\Identities

2009-09-02 14:32 . 2009-09-02 14:32 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2009-09-02 14:31 . 2009-09-02 14:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2009-09-02 12:58 . 2009-09-02 12:58 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe

2009-08-23 04:29 . 2009-08-23 04:29 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-15 17:29 . 2009-08-15 17:29 -------- d-----w- c:\documents and settings\Michael\Application Data\AVG8

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-10 01:25 . 2009-06-08 21:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-08 21:45 . 2006-09-19 22:48 -------- d-----w- c:\program files\music_now

2009-09-08 21:45 . 2006-09-19 22:31 -------- d-----w- c:\program files\Microsoft Works

2009-09-08 21:45 . 2008-12-30 02:21 -------- d-----w- c:\program files\Lexmark 3600-4600 Series

2009-09-08 21:45 . 2007-03-11 17:08 -------- d-----w- c:\program files\BFG

2009-09-08 18:36 . 2008-06-12 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-31 19:18 . 2009-03-04 21:30 1990 ----a-w- c:\documents and settings\Michael\Application Data\wklnhst.dat

2009-08-30 00:17 . 2006-12-30 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent

2009-08-26 22:24 . 2006-12-30 00:48 -------- d-----w- c:\program files\HP Games

2009-08-15 17:51 . 2009-01-20 19:58 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-15 17:51 . 2009-01-20 19:58 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-15 17:51 . 2009-01-20 19:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-05 22:09 . 2009-08-05 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom

2009-08-03 19:17 . 2009-08-03 19:17 552 ----a-w- c:\windows\system32\d3d8caps.dat

2009-07-31 19:20 . 2009-07-31 19:20 -------- d-----w- c:\documents and settings\Michael\Application Data\Meridian93

2009-07-29 15:11 . 2009-07-19 00:30 -------- d-----w- c:\documents and settings\Michael\Application Data\YoudaGames

2009-07-25 00:36 . 2009-07-25 00:34 -------- d-----w- c:\documents and settings\Michael\Application Data\Wildgames JanesZOO

2009-07-24 17:53 . 2006-03-16 04:00 144096 ----a-w- c:\windows\system32\ist.dat

2009-07-24 17:53 . 2006-03-16 04:00 1202788 ----a-w- c:\windows\system32\pst.dat

2009-07-24 16:37 . 2009-07-24 16:37 -------- d-----w- c:\documents and settings\Michael\Application Data\HP

2009-07-14 15:09 . 2009-07-11 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-14 15:09 . 2009-07-11 15:53 -------- d-----w- c:\program files\NOS

2009-06-30 11:56 . 2009-06-30 11:56 0 ----a-w- c:\windows\system32\cok458en.dat

2009-06-30 11:56 . 2009-06-30 11:56 0 ----a-w- c:\windows\system32\mmd109en.dat

2009-06-30 11:56 . 2009-06-30 11:56 1 ----a-w- c:\windows\system32\perfc7683.dat

2009-06-26 12:47 . 2009-06-07 21:36 0 ----a-w- c:\windows\system32\drivers\d7098eef.sys

2008-03-12 02:49 . 2008-03-12 02:49 0 ----a-w- c:\program files\temp01

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 68856]

"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2007-05-07 87592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 36975]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-12 102400]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-20 77824]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-15 2007832]

"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]

"lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-06-13 16040]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-06-13 320168]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-18 1617920]

"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2006-03-16 177152]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\KC.FREDDIE\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-15 17:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=

"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxamon.exe"=

"c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=

"c:\\WINDOWS\\system32\\lxdxcfg.exe"=

"c:\\WINDOWS\\system32\\lxdxcoms.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/20/2009 12:58 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/20/2009 12:58 PM 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/25/2009 7:01 PM 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/25/2009 7:01 PM 297752]

R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]

S1 61512975;61512975;c:\windows\system32\drivers\61512975.sys [1/25/2009 4:05 PM 0]

S1 d7098eef;d7098eef;c:\windows\system32\drivers\d7098eef.sys [6/7/2009 2:36 PM 0]

S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [12/29/2008 7:31 PM 98984]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 1:39 PM 61952]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://h30155.www3.hp.com/helpandsupport/npc/npcRedirectorPage.asp?context=doc100001&locale=0409

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\iows3l1s.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

.

- - - - ORPHANS REMOVED - - - -

Notify-rqRIaApo - rqRIaApo.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-10 09:31

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????\??????Y?@?????<?@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msdtc.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\windows\system32\lxdxcoms.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\rundll32.exe

c:\program files\AVG\AVG8\avgtray.exe

c:\program files\Lexmark 3600-4600 Series\lxdxmsdmon.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\mqsvc.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\mqtgsvc.exe

c:\windows\system32\wscntfy.exe

c:\windows\ehome\ehmsas.exe

c:\windows\system32\dllhost.exe

c:\windows\SoftwareDistribution\Download\8699e9d05b7d22d80989fbf809ac59a5\update\update.exe

.

**************************************************************************

.

Completion time: 2009-09-10 9:37 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-10 16:37

Pre-Run: 18,883,645,440 bytes free

Post-Run: 20,228,661,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

383 --- E O F --- 2009-01-20 20:07

And A new MBAM Log:

Malwarebytes' Anti-Malware 1.40

Database version: 2773

Windows 5.1.2600 Service Pack 2

9/10/2009 10:17:41 AM

mbam-log-2009-09-10 (10-17-41).txt

Scan type: Quick Scan

Objects scanned: 116406

Time elapsed: 8 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\KC.FREDDIE\Local Settings\Temp\uacaf87.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\KC.FREDDIE\Local Settings\Temp\uacc2c1.tmp (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

It seems to be working fine now... I had a whopping 52 Windows updates after the ComboFix reboot!! Is there anything else??

Thanx

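Two things in the ComboFix log above are worth checking by hand rather than scrolling past. In the Drivers/Services section, the lines starting with R or S list each service as state and start type, then name, display name, image path and a bracketed date, time and file size; the entries 61512975 and d7098eef are system-start (1) drivers with eight-hex-digit names and zero-byte image files, exactly the kind of leftover a removed rootkit driver leaves behind. In the Reg Loading Points section, "EnableFirewall"= 0 shows the Windows Firewall standard profile had been switched off. The Python helper below is an added example, not ComboFix code and not from the original post; it parses lines in the format shown in the log (the SAMPLE_LOG lines are copied from the post) and reports both findings. The interpretation of R/S as running/stopped and the digit as the service start type, and the "eight hex digits" name heuristic, are this example's assumptions; a zero-byte driver is a triage lead, not a verdict.

```python
"""Triage helper for the Drivers/Services and firewall lines of a ComboFix log.

Added example, not ComboFix's own code and not part of the original post.
Assumed line layout (from the log in the post):

    <R|S><start> <name>;<display name>;<image path> [<date> <time> <size>]

R/S is taken to mean running/stopped and <start> the service start type
(0 boot, 1 system, 2 auto, 3 demand, 4 disabled).  A '[?]' suffix means
ComboFix could not stat the file.
"""
import re

# Constructed sample: lines copied verbatim from the ComboFix log in the post.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/20/2009 12:58 PM 335240]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
S1 61512975;61512975;c:\windows\system32\drivers\61512975.sys [1/25/2009 4:05 PM 0]
S1 d7098eef;d7098eef;c:\windows\system32\drivers\d7098eef.sys [6/7/2009 2:36 PM 0]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 1:39 PM 61952]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?) \[(?P<meta>[^\]]*)\]$"
)
# Heuristic (assumption): eight hex digits with no other characters, as the
# two suspicious drivers in the log are named.
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
FIREWALL_RE = re.compile(r'"EnableFirewall"=\s*(\d+)')


def parse_services(text):
    """Return one dict per service line; 'size' is an int or None for '[?]'."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        meta = row.pop("meta").split()
        row["size"] = int(meta[-1]) if meta and meta[-1].isdigit() else None
        rows.append(row)
    return rows


def suspicious_services(text):
    """Map service name -> list of reasons for entries that look like rootkit
    leftovers: random hex names that match their own file name, and/or
    zero-byte image files.  Boot/system start is noted only when another
    reason already fired, so legitimate R1 filter drivers are not flagged."""
    findings = {}
    for s in parse_services(text):
        reasons = []
        if RANDOM_NAME_RE.match(s["name"]) and s["name"].lower() in s["path"].lower():
            reasons.append("random hex service name")
        if s["size"] == 0:
            reasons.append("zero-byte image file")
        if reasons and s["start"] in ("0", "1"):
            reasons.append("boot/system start (loads before user-mode AV)")
        if reasons:
            findings[s["name"]] = reasons
    return findings


def firewall_disabled(text):
    """True when the log records EnableFirewall = 0 for the standard profile."""
    m = FIREWALL_RE.search(text)
    return m is not None and m.group(1) == "0"


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
    if firewall_disabled(SAMPLE_LOG):
        print("Windows Firewall standard profile is disabled; re-enable after cleanup")
```

Nothing here replaces the follow-up a helper would ask for; it only turns a thousand-line log into the two or three lines that need a decision, which is the point of reading such logs at all.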

5 weeks later...

Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
