
Total Security, Soft Safeness, and AntiVirus Pro 2010 Oh My!



I appear to be infected with all the above (Total Security, Soft Safeness, and AntiVirus Pro 2010).

I have tried the following:

o Scan with AVG - Did not run

o Scan with Lavasoft Ad-Aware - Scan started, then the PC shut down out of nowhere

o In order to do the following (and to access any web page) I had to install Process Explorer from Sysinternals to kill the process that was hijacking my browser. (I normally use Firefox; I am currently using Chrome as it does not seem to be affected by any of these.)

o Download and install Malwarebytes - Installed fine and started a scan, then the program shut down

o Download and install HijackThis - Installed fine but will not open

I have been reading through these forums and the amount of help that is given here is awe-inspiring! Please help me out of this mess (my fiancée's wedding planning got me into it).

Colin


Hello JSntgRvr,

Thanks in advance for your help! This is what was in the log:

Running from: C:\Documents and Settings\Colin\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Colin\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\callcont.dll

[1] 2004-03-29 21:48:36 364544 C:\WINDOWS\$NtServicePackUninstall$\callcont.dll (Microsoft Corporation)


Hi, Colin Klayer :P

Please follow these steps:

Step 1

Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. Allow enough time for this application to finish. When it's finished, there will be a log called Win32kDiag.txt on your desktop. It should contain the word finished at the end of the report. Please open it with notepad and post the contents here in your next reply.

"C:\Documents and Settings\Colin\Desktop\Win32kDiag.exe" -f -r

Step 2

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  2. During the download, rename Combofix to Combo-Fix as follows:

     [screenshots omitted: CF_download_FF.gif, CF_download_rename.gif]

  3. It is important you rename Combofix during the download, but not after.

  4. Please do not rename Combofix to other names, but only to the one indicated.

  5. Close any open browsers.

  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.

  8. When finished, it will produce a report for you.

  9. Please post the "C:\Combo-Fix.txt".

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


Win32kdiag log:

Running from: C:\Documents and Settings\Colin\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Colin\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\callcont.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\callcont.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\h323.tsp

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\h323.tsp

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\msgina.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\msgina.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\mst120.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\mst120.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll

Cannot access: C:\WINDOWS\$NtUninstallKB835732$\schannel.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB835732$\schannel.dll

Finished!

Combofix log:

ComboFix 09-09-16.05 - Colin 09/17/2009 17:26.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1347 [GMT -4:00]

Running from: c:\documents and settings\Colin\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\13165254

c:\documents and settings\All Users\Application Data\13165254\13165254

c:\documents and settings\All Users\Application Data\13165254\13165254.exe

c:\documents and settings\All Users\Application Data\13165254\pc13165254ins

c:\documents and settings\Colin\Application Data\Microsoft\Installer\{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}\NewShortcut3_2E7595EC4FB14E2993D49083C8A9B107.exe

c:\documents and settings\Colin\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk

c:\documents and settings\Colin\Desktop\Advanced Virus Remover.lnk

c:\documents and settings\Colin\Start Menu\Advanced Virus Remover.lnk

c:\documents and settings\Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk

c:\documents and settings\Sarah\Desktop\Advanced Virus Remover.lnk

c:\documents and settings\Sarah\Start Menu\Advanced Virus Remover.lnk

C:\kqbvc.exe

C:\p2hhr.bat

c:\program files\AdvancedVirusRemover

c:\program files\AdvancedVirusRemover\PAVRM.exe

c:\program files\AntivirusPro_2010

c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe

c:\program files\AntivirusPro_2010\AVEngn.dll

c:\program files\AntivirusPro_2010\data\daily.cvd

c:\program files\AntivirusPro_2010\htmlayout.dll

c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest

c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll

c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll

c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll

c:\program files\AntivirusPro_2010\pthreadVC2.dll

c:\program files\AntivirusPro_2010\wscui.cpl

c:\program files\Windows Police Pro

c:\program files\Windows Police Pro\msvcm80.dll

c:\program files\Windows Police Pro\msvcp80.dll

c:\program files\Windows Police Pro\msvcr80.dll

c:\program files\Windows Police Pro\tmp\dbsinit.exe

c:\program files\Windows Police Pro\windows Police Pro.exe

C:\smp.bat

c:\windows\BM53d85d83.txt

c:\windows\BM53d85d83.xml

c:\windows\braviax.exe

c:\windows\COUPON~1.OCX

c:\windows\CouponPrinter.ocx

c:\windows\cru629.dat

c:\windows\Installer\3d28e.msi

c:\windows\Installer\3d28f.msp

c:\windows\Installer\3d290.msp

c:\windows\Installer\3d291.msp

c:\windows\Installer\3d292.msp

c:\windows\Installer\3d293.msp

c:\windows\Installer\3d294.msp

c:\windows\Installer\3d295.msp

c:\windows\Installer\3d296.msp

c:\windows\Installer\3d297.msp

c:\windows\Installer\cc6a3.msi

c:\windows\msa.exe

c:\windows\msb.exe

c:\windows\msc.exe

c:\windows\ppp3.dat

c:\windows\ppp4.dat

c:\windows\pskt.ini

c:\windows\svchast.exe

c:\windows\system32\~.exe

c:\windows\system32\AVR09.exe

c:\windows\system32\bennuar.old

c:\windows\system32\bincd32.dat

c:\windows\system32\braviax.exe

c:\windows\system32\cru629.dat

c:\windows\system32\ddDEsot.dll

c:\windows\system32\depopuho.exe

c:\windows\system32\desot.exe

c:\windows\system32\ganotida.dll

c:\windows\system32\getovojo.dll

c:\windows\system32\horefupa.dll

c:\windows\system32\images

c:\windows\system32\images\i1.gif

c:\windows\system32\images\i2.gif

c:\windows\system32\images\i3.gif

c:\windows\system32\images\j1.gif

c:\windows\system32\images\j2.gif

c:\windows\system32\images\j3.gif

c:\windows\system32\images\jj1.gif

c:\windows\system32\images\jj2.gif

c:\windows\system32\images\jj3.gif

c:\windows\system32\images\l1.gif

c:\windows\system32\images\l2.gif

c:\windows\system32\images\l3.gif

c:\windows\system32\images\pix.gif

c:\windows\system32\images\t1.gif

c:\windows\system32\images\t2.gif

c:\windows\system32\images\up1.gif

c:\windows\system32\images\up2.gif

c:\windows\system32\images\w1.gif

c:\windows\system32\images\w11.gif

c:\windows\system32\images\w2.gif

c:\windows\system32\images\w3.gif

c:\windows\system32\images\w3.jpg

c:\windows\system32\images\wt1.gif

c:\windows\system32\images\wt2.gif

c:\windows\system32\images\wt3.gif

c:\windows\system32\jonotama.dll

c:\windows\system32\msxml71.dll

c:\windows\system32\nlyrcxud.ini

c:\windows\system32\pimenuda.dll

c:\windows\system32\sonhelp.htm

c:\windows\system32\sysnet.dat

c:\windows\system32\wbem\proquota.exe

c:\windows\system32\wenijalu.exe

c:\windows\system32\winhelper.dll

c:\windows\system32\winupdate.exe

c:\windows\system32\wisdstr.exe

c:\windows\system32\wispex.html

c:\windows\system32\xIOqWvut.ini

c:\windows\system32\xIOqWvut.ini2

c:\windows\system32\ygsuhdf83id.dll

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://193.33.61.160

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

--------

c:\windows\system32\drivers\beep.sys . . . is infected!!

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_AntipPolice_

-------\Service_AntipPolice_

((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))

.

2009-09-17 21:46 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-16 20:20 . 2009-09-16 20:20 101376 ----a-w- c:\windows\system32\TJ8nVHyA8U.dll

2009-09-16 19:51 . 2009-09-16 19:51 -------- d-----w- c:\program files\Trend Micro

2009-09-16 19:06 . 2009-09-16 19:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-16 19:02 . 2009-09-17 21:25 0 ----a-w- c:\windows\win32k.sys

2009-09-16 16:57 . 2009-09-16 16:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-16 16:56 . 2009-09-16 16:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-09-16 05:50 . 2009-09-16 05:50 -------- d-----w- c:\documents and settings\Colin\Application Data\Malwarebytes

2009-09-16 05:50 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-16 05:50 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-16 05:50 . 2009-09-16 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-16 05:50 . 2009-09-17 17:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-16 04:45 . 2009-09-16 04:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-09-16 04:37 . 2009-09-16 04:37 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-16 04:26 . 2009-09-16 04:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-09-16 04:23 . 2009-09-16 04:23 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-09-16 01:14 . 2009-09-16 01:14 73728 ----a-w- C:\xjehx.exe

2009-09-16 01:14 . 2009-09-16 01:14 49152 ----a-w- C:\scmhux.exe

2009-09-16 01:14 . 2009-09-16 01:14 17920 ----a-w- C:\fjmpqp.exe

2009-09-16 01:14 . 2009-09-16 01:14 79360 ----a-w- C:\wpfpqa.exe

2009-09-16 01:14 . 2009-09-16 01:14 19968 ----a-w- C:\udtcnn.exe

2009-09-16 01:14 . 2009-09-16 01:14 155136 ----a-w- C:\pfhoc.exe

2009-09-16 01:14 . 2009-09-16 01:14 49066 ----a-w- C:\psiefutv.exe

2009-09-09 14:32 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-05 14:34 . 2009-09-05 14:34 -------- d-----w- c:\program files\Provericon Software Development

2009-09-03 21:38 . 2009-09-03 21:38 -------- d-sh--w- c:\documents and settings\Sarah\IETldCache

2009-08-21 20:53 . 2009-08-21 20:53 -------- d-----w- c:\program files\iPod

2009-08-21 20:53 . 2009-08-21 20:55 -------- d-----w- c:\program files\iTunes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-17 22:23 . 2008-01-18 00:33 156869 ----a-w- c:\windows\system32\nvModes.dat

2009-09-17 17:41 . 2008-06-09 16:16 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-09-16 17:54 . 2009-06-16 17:53 49664 --sha-w- c:\windows\system32\yadihoni.dll

2009-09-16 01:10 . 2008-01-18 14:48 80200 ----a-w- c:\documents and settings\Colin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-16 01:08 . 2009-01-29 17:43 -------- d-----w- c:\documents and settings\Colin\Application Data\Skype

2009-09-15 14:39 . 2009-05-14 21:32 -------- d-----w- c:\documents and settings\Colin\Application Data\Launchy

2009-09-15 14:39 . 2009-01-29 17:45 -------- d-----w- c:\documents and settings\Colin\Application Data\skypePM

2009-09-10 15:58 . 2008-06-25 04:01 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-10 03:21 . 2008-05-20 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-21 20:53 . 2007-11-15 20:30 -------- d-----w- c:\program files\Common Files\Apple

2009-08-14 16:08 . 2008-06-02 22:33 -------- d-----w- c:\program files\Paint.NET

2009-08-12 04:21 . 2009-08-12 04:21 -------- d-----w- c:\documents and settings\Colin\Application Data\acccore

2009-08-06 18:38 . 2007-09-27 15:15 -------- d-----w- c:\program files\Apoint

2009-08-05 09:11 . 2002-09-03 19:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-24 17:02 . 2008-01-20 17:24 -------- d-----w- c:\documents and settings\Colin\Application Data\Azureus

2009-07-24 02:05 . 2008-01-20 16:29 -------- d-----w- c:\program files\LimeWire

2009-07-17 18:55 . 2002-09-03 19:33 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll

2009-07-03 18:03 . 2009-03-07 12:24 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-07-03 17:09 . 2006-06-23 15:33 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-25 18:36 . 2002-09-03 19:45 471552 ----a-w- c:\windows\system32\mqutil.dll

2009-06-25 18:36 . 2002-09-03 19:45 48640 ----a-w- c:\windows\system32\mqupgrd.dll

2009-06-25 18:36 . 2002-09-03 19:45 186880 ----a-w- c:\windows\system32\mqtrig.dll

2009-06-25 18:36 . 2002-09-03 19:45 95744 ----a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2002-09-03 19:45 517120 ----a-w- c:\windows\system32\mqsnap.dll

2009-06-25 18:36 . 2002-09-03 19:45 661504 ----a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2002-09-03 19:45 177152 ----a-w- c:\windows\system32\mqrt.dll

2009-06-25 18:36 . 2002-09-03 19:45 123392 ----a-w- c:\windows\system32\mqrtdep.dll

2009-06-25 18:36 . 2002-09-03 19:45 225280 ----a-w- c:\windows\system32\mqoa.dll

2009-06-25 18:36 . 2002-09-03 19:45 16896 ----a-w- c:\windows\system32\mqise.dll

2009-06-25 18:36 . 2002-09-03 19:45 47104 ----a-w- c:\windows\system32\mqdscli.dll

2009-06-25 18:36 . 2002-09-03 19:45 138240 ----a-w- c:\windows\system32\mqad.dll

2009-06-25 08:44 . 2005-06-15 17:50 298496 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:44 . 2002-09-03 20:02 59392 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:44 . 2002-09-03 19:54 56320 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:44 . 2002-09-03 19:54 168448 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:44 . 2002-09-03 19:48 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:44 . 2002-09-03 19:42 724480 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-22 11:49 . 2002-09-03 19:45 117248 ----a-w- c:\windows\system32\mqtgsvc.exe

2009-06-22 11:49 . 2002-09-03 19:45 19968 ----a-w- c:\windows\system32\mqbkup.exe

2009-06-22 11:49 . 2002-09-03 19:45 4608 ----a-w- c:\windows\system32\mqsvc.exe

2009-06-22 11:48 . 2002-09-03 19:45 91776 ----a-w- c:\windows\system32\drivers\mqac.sys

2009-06-22 11:34 . 2002-09-03 19:41 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2009-06-16 17:54 . 2009-06-16 17:54 49664 --sha-w- c:\windows\system32\saperiho.dll

.

------- Sigcheck -------

[-] 2009-09-16 04:46 . 471098B6001A434561CC4CE1F068907C . 28672 . . [------] . . c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{de35813e-785b-4407-a481-0cbbaeca992f}]

2009-06-16 17:54 49664 --sha-w- c:\windows\system32\saperiho.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GoToMeeting"="c:\program files\Citrix\GoToMeeting\320\g2mstart.exe" [2008-10-17 31552]

"Google Update"="c:\documents and settings\Colin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]

"DLPSP"="c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2005-01-13 126976]

"DivX Free Codec"="c:\program files\DivX Free Codec\Divx Free Update.exe" [2007-03-30 274432]

"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2002-07-18 163840]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-10-26 921600]

c:\documents and settings\Colin\Start Menu\Programs\Startup\

allSnap.lnk - c:\program files\allSnap\allSnap.exe [2009-5-1 90112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Launchy.lnk - c:\program files\Launchy\Launchy.exe [2009-5-14 286720]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Colin^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Colin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Colin\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\MicroStar\\WLANUtility\\APUtility.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\explorer.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/16/2008 5:11 PM 96520]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/16/2008 5:10 PM 902424]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/16/2008 5:10 PM 282904]

R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/16/2008 5:11 PM 75272]

R2 DisplayLinkService;DisplayLink Service;c:\program files\DisplayLink Core Software\DisplayLinkService.exe [4/16/2009 8:27 AM 447848]

R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [5/13/2008 3:01 PM 135168]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]

R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 9:22 PM 11776]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/27/2008 1:44 PM 24652]

R3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\drivers\DisplayLinkGAport.sys [4/16/2009 8:27 AM 20736]

R3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [4/16/2009 8:27 AM 18944]

R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 9:23 PM 3584]

S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort.sys [5/27/2009 11:15 PM 20992]

S3 IPN2220;Wireless-G Notebook Adapter ver.4.0 Driver;c:\windows\system32\drivers\i2220ntx.sys [8/27/2007 11:40 PM 117248]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [6/17/2009 12:30 PM 17408]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [11/24/2008 1:30 PM 264576]

S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 10:57 AM 13532]

S3 Vgomnse;Vgomnse; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-789336058-839522115-1004Core.job

- c:\documents and settings\Colin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 05:29]

2009-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-789336058-839522115-1004UA.job

- c:\documents and settings\Colin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 05:29]

2009-09-16 c:\windows\Tasks\SyncBack Zipscene.job

- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-03-04 17:00]

2009-09-17 c:\windows\Tasks\User_Feed_Synchronization-{DD492AFF-3B5D-4B43-BE97-8058FF6A319B}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2009-09-17 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: turbotax.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java

FF - ProfilePath - c:\documents and settings\Colin\Application Data\Mozilla\Firefox\Profiles\vivakpoz.default\

FF - prefs.js: browser.startup.homepage - hxxps://zipscene.basecamphq.com/login

FF - component: c:\documents and settings\Colin\Application Data\Mozilla\Firefox\Profiles\vivakpoz.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll

FF - plugin: c:\documents and settings\Colin\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npsharedview.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

HKLM-Run-13165254 - c:\documents and settings\All Users\Application Data\13165254\13165254.exe

HKLM-Run-pdfSaver3 - (no file)

HKLM-Run-lugosusibi - ganotida.dll

HKU-Default-Run-Advanced Virus Remover - c:\program files\AdvancedVirusRemover\PAVRM.exe

Notify-ljJDUono - ljJDUono.dll

AddRemove-CANONBJ_Deinstall_CNMCP49.DLL - c:\windows\system32\CNMCP49.exe -PRINTERNAMECanon i550 -HELPERDLLc:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon i550 Installer\Inst2\cnmis.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-17 18:25

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\Colin\LOCALS~1\Temp\etilqs_YcSZ6qjK97EbCUjNCwEH 479232 bytes

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,7c,dc,99,d7,28,e7,4e,9e,48,90,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,7c,dc,99,d7,28,e7,4e,9e,48,90,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)

c:\windows\system32\Ati2evxx.dll

c:\program files\Funk Software\Odyssey Client\odLogin.dll

- - - - - - - > 'explorer.exe'(3756)

c:\windows\system32\WININET.dll

c:\program files\UltraMon\RTSUltraMonHook.dll

c:\windows\system32\saperiho.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\BCMWLTRY.EXE

c:\windows\system32\searchindexer.exe

c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\program files\DisplayLink Core Software\DisplayLinkManager.exe

c:\program files\DisplayLink Core Software\DisplayLinkUI.exe

c:\program files\Apoint\ApntEx.exe

c:\program files\Apoint\hidfind.exe

c:\windows\system32\rundll32.exe

c:\program files\Mozilla Thunderbird\thunderbird.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

c:\program files\UltraMon\UltraMonTaskbar.exe

.

**************************************************************************

.

Completion time: 2009-09-17 18:48 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-17 22:46

Pre-Run: 473,489,408 bytes free

Post-Run: 6,681,198,592 bytes free

437 --- E O F --- 2009-09-10 03:29

I will note that the machine seems to be loading without interruption from scareware.


Hi, Colin Klayer :P

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

http://www.malwarebytes.org/forums/index.p...mp;#entry128683

Collect::[4]

c:\windows\system32\TJ8nVHyA8U.dll

C:\xjehx.exe

C:\scmhux.exe

C:\fjmpqp.exe

C:\wpfpqa.exe

C:\udtcnn.exe

C:\pfhoc.exe

C:\psiefutv.exe

c:\windows\system32\yadihoni.dll

c:\windows\system32\saperiho.dll

c:\docume~1\Colin\LOCALS~1\Temp\etilqs_YcSZ6qjK97EbCUjNCwEH

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{de35813e-785b-4407-a481-0cbbaeca992f}]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"=-

"NoActiveDesktopChanges"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=-

"AntiVirusOverride"=-

Driver::

Vgomnse

Reglock::

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

[Image: CFScriptB-4.gif]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Additionally, when CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Please run the F-Secure Online Scanner

Note: You must use Internet Explorer for this scan!

  • Accept the License Agreement.
  • Once the ActiveX installs click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.
