MBAM, HJT, ASWR and now AVG won't scan

Hi,

I've got a Windows XP SP3 PC (fully updated) which has something on it that sounds like what a lot of people in here are encountering too. Here's what I have:

Looks like an exe was downloaded and run, AVG caught some viruses and quarantined them and all was thought fine. Later it was noticed that google search was redirecting to all sorts of web sites.

I was called and found something called b.exe running in the task manager and killed it and removed it from the msconfig startup.

I changed the Google toolbar search thing to another search bar and that seemed to work.

I tried to run Malwarebytes, but that started to scan and then stopped. Further tries tell me I don't have admin permissions to run it, and at boot up it gives an error message 707(2,0).

AVG scanning was working and found nothing but a few tracking cookies.

SUPERAntiSpyware was working and a scan found nothing (I'd recently done an MBAM and SASW scan).

HJT starts and gets a few seconds into the scan and quits.

I've been watching the threads here evolve, but after an update to AVG, that won't scan now, and SASW won't scan either. I've got more worried.

So, nothing will scan, I can't find the pesky thing, and I know it's still there, although it's not doing much other than redirecting web stuff that I can see.

I am in your hands gurus, and I'll wait my turn for some help.


Hi Bobble54321 and Welcome to MalwareBytes!

------------------

Step 1:

------------------

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

------------------

Step 2:

------------------

Download RootRepeal from one of the following locations:

Unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running.

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post

------------------

Step 3:

------------------

  • Download OTL by OldTimer to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


OK, I went on to step 2 but got a blue screen crash; might have been my fault though, as I was trying to turn some programs off.

I tried step 3, OTL, after reboot; that scanned but didn't open any notepads and quit. It won't let me run it again: clicking the icon and nothing happens.

I'm trying step 2 again, RootRepeal; it's telling me it is initialising and the hard disk is accessing but nothing is updating. I shall leave it running for a while unless you instruct otherwise.


Let's try this:

Download Combofix from any of the links below and save it to your desktop. You must rename it to sVchost.exe before saving it.

Link 1

Link 2

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using FireFox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to Always ask me where to Save the files
  • During the download, rename it to sVchost.
  • It is important to rename it during the download and not after.
  • Please do not rename it to something other than what was indicated.
  • Make sure to do the following:
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • Warning: ComboFix will disconnect your machine from the internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on sVchost & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt log so we can continue cleaning the system.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


That seemed to be a step forward I hope :) ComboFix log follows:

ComboFix 09-09-20.01 - Dent 21/09/2009 15:08.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1583 [GMT 1:00]

Running from: c:\documents and settings\Dent\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\setup.exe

C:\test.txt

c:\windows\Fonts\arial_b.ttf

c:\windows\Fonts\arial_i.ttf

c:\windows\Fonts\arial_r.ttf

c:\windows\Fonts\arial_z.ttf

c:\windows\Fonts\arialn_r.ttf

c:\windows\Fonts\arialn_z.ttf

c:\windows\Fonts\cgor45w.ttf

c:\windows\Fonts\cgor46w.ttf

c:\windows\Fonts\cgor65w.ttf

c:\windows\Fonts\cgor66w.ttf

c:\windows\Fonts\cgtr45w.ttf

c:\windows\Fonts\cgtr46w.ttf

c:\windows\Fonts\cgtr65w.ttf

c:\windows\Fonts\cgtr66w.ttf

c:\windows\Fonts\olvr55w.ttf

c:\windows\Fonts\olvr56w.ttf

c:\windows\Fonts\olvr75w.ttf

c:\windows\Fonts\univcd.ttf

c:\windows\Fonts\univcdb.ttf

c:\windows\Fonts\univcdbi.ttf

c:\windows\Fonts\univcdi.ttf

c:\windows\Fonts\univlcd.ttf

c:\windows\Fonts\univlcdi.ttf

c:\windows\Fonts\unvr55w.ttf

c:\windows\Fonts\unvr56w.ttf

c:\windows\Fonts\unvr65w.ttf

c:\windows\Fonts\UNVR66W.TTF

c:\windows\Installer\24bd1b0.msi

c:\windows\Installer\24bd1b1.msp

c:\windows\Installer\24bd1b2.msp

c:\windows\Installer\24bd1b3.msp

c:\windows\Installer\24bd1b4.msp

c:\windows\Installer\24bd1b5.msp

c:\windows\Installer\24bd1b6.msp

c:\windows\Installer\24bd1b7.msp

c:\windows\Installer\24bd1b8.msp

c:\windows\Installer\24bd1b9.msp

c:\windows\Installer\36f53e7.msi

c:\windows\Installer\3a2b64.msi

c:\windows\Installer\4b1949e.msp

c:\windows\Installer\4b1949f.msp

c:\windows\Installer\4b194a0.msp

c:\windows\Installer\4b194a1.msp

c:\windows\Installer\4b194a2.msp

c:\windows\Installer\4b194a3.msp

c:\windows\Installer\4b194a4.msp

c:\windows\Installer\4b194a5.msp

c:\windows\Installer\4b194a6.msp

c:\windows\Installer\90da4.msi

c:\windows\Installer\WinRMSrv.msi

c:\windows\system32\209508482.dat

c:\windows\system32\6d629117.dll

c:\windows\system32\setup.ini

c:\windows\system32\wl.exe

c:\windows\system32\eventlog.dll . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))

.

2009-09-20 15:45 . 2009-09-20 15:45 -------- d-----w- c:\program files\Microsoft

2009-09-20 14:33 . 2009-09-20 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2009-09-20 13:59 . 2009-09-21 13:44 0 ----a-r- c:\windows\win32k.sys

2009-09-20 13:58 . 2009-09-20 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-20 13:46 . 2009-09-20 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)

2009-09-20 12:14 . 2009-09-20 12:50 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2009-09-20 12:14 . 2009-09-20 12:50 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2009-09-20 12:14 . 2009-09-20 12:57 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL

2009-09-20 12:13 . 2009-09-20 12:53 -------- d-----w- c:\windows\Replay Media Catcher

2009-09-20 12:13 . 2009-09-20 13:58 -------- d-----w- c:\program files\Replay Media Catcher

2009-09-19 10:13 . 2009-09-19 10:13 -------- d-----w- c:\documents and settings\Dent\Application Data\Malwarebytes

2009-09-19 10:13 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-19 10:13 . 2009-09-19 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-19 10:13 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-18 23:51 . 2009-09-18 23:51 -------- d-----w- c:\documents and settings\Dent\Local Settings\Application Data\AVG Security Toolbar

2009-09-18 22:17 . 2009-09-20 15:01 -------- d-----w- c:\program files\Trend Micro

2009-09-18 20:48 . 2009-09-18 20:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-09-18 17:44 . 2009-09-18 17:44 -------- d-sh--w- c:\documents and settings\Dent\IECompatCache

2009-09-10 16:42 . 2009-09-10 16:42 -------- d-----w- c:\program files\AGEIA Technologies

2009-09-10 16:42 . 2009-09-10 16:42 -------- d-----w- c:\windows\system32\AGEIA

2009-09-10 16:42 . 2009-09-10 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2009-09-10 15:01 . 2009-09-10 15:01 -------- d-----w- c:\documents and settings\Dent\Local Settings\Application Data\Rockstar Games

2009-09-10 14:47 . 2009-09-10 14:47 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE

2009-09-10 14:34 . 2009-09-10 14:57 -------- d-----w- c:\program files\Rockstar Games

2009-09-09 21:24 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-09 20:03 . 2009-09-09 20:03 -------- d-----w- c:\program files\PowerISO

2009-09-08 17:55 . 2009-09-08 17:55 -------- d-----w- c:\documents and settings\Dent\Application Data\DeLorme

2009-09-08 17:55 . 2009-09-08 17:55 -------- d-----w- c:\documents and settings\Dent\Local Settings\Application Data\DeLorme

2009-09-08 17:51 . 2009-09-08 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\DeLorme

2009-09-06 08:34 . 2004-05-12 07:49 1089536 ------w- c:\windows\system32\ROBOEX32.DLL

2009-09-04 22:16 . 2009-09-04 22:16 -------- d-----w- c:\documents and settings\Dent\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1

2009-09-04 22:16 . 2009-09-04 22:16 -------- d-----w- c:\program files\BBC iPlayer Desktop

2009-09-04 22:16 . 2009-09-04 22:16 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-08-25 21:26 . 2009-08-26 21:51 303536 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-20 13:32 . 2009-09-20 13:32 0 ----a-w- c:\documents and settings\Dent\ntuser.tmp

2009-09-20 12:56 . 2006-03-29 08:56 -------- d-----w- c:\documents and settings\Dent\Application Data\uTorrent

2009-09-18 21:18 . 2008-05-22 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki

2009-09-18 20:49 . 2009-01-03 11:58 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-16 20:14 . 2005-06-16 19:55 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-16 13:19 . 2009-08-15 07:48 -------- d-----w- c:\program files\Entropia Universe

2009-09-10 16:42 . 2005-06-18 15:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-10 16:24 . 2008-07-19 09:57 -------- d-----w- c:\program files\SystemRequirementsLab

2009-09-10 02:33 . 2008-09-22 11:41 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-10 02:05 . 2007-11-10 10:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-06 17:28 . 2005-06-16 23:19 -------- d-----w- c:\program files\Google

2009-09-04 23:00 . 2009-06-13 13:31 -------- d-----w- c:\program files\SpeedFan

2009-08-23 08:09 . 2005-06-16 20:00 98336 ----a-w- c:\documents and settings\Dent\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-19 14:43 . 2005-06-17 14:13 -------- d-----w- c:\documents and settings\Dent\Application Data\AdobeUM

2009-08-19 08:35 . 2009-01-31 13:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-19 08:35 . 2008-06-20 08:51 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-19 08:35 . 2007-01-03 17:55 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-17 02:04 . 2009-08-17 02:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe

2009-08-17 02:04 . 2009-08-17 02:04 81920 ----a-w- c:\windows\system32\nvwddi.dll

2009-08-17 02:03 . 2009-08-17 02:03 3170304 ----a-w- c:\windows\system32\nvwss.dll

2009-08-17 02:03 . 2009-08-17 02:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll

2009-08-17 02:03 . 2009-08-17 02:03 188416 ----a-w- c:\windows\system32\nvmccss.dll

2009-08-17 02:03 . 2009-08-17 02:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll

2009-08-17 02:03 . 2009-08-17 02:03 3547136 ----a-w- c:\windows\system32\nvgames.dll

2009-08-17 02:03 . 2009-08-17 02:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll

2009-08-17 02:03 . 2009-08-17 02:03 86016 ----a-w- c:\windows\system32\nvmctray.dll

2009-08-17 02:03 . 2009-08-17 02:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe

2009-08-17 02:03 . 2009-08-17 02:03 143360 ----a-w- c:\windows\system32\nvcolor.exe

2009-08-17 02:03 . 2009-08-17 02:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll

2009-08-17 02:02 . 2009-08-17 02:02 229376 ----a-w- c:\windows\system32\nvmccs.dll

2009-08-16 23:57 . 2009-08-16 23:57 2189856 ----a-w- c:\windows\system32\nvcuvid.dll

2009-08-16 23:57 . 2009-08-16 23:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll

2009-08-16 23:57 . 2009-08-16 23:57 1597690 ----a-w- c:\windows\system32\nvdata.bin

2009-08-16 23:57 . 2008-02-02 15:31 485920 ----a-w- c:\windows\system32\nvudisp.exe

2009-08-16 23:57 . 2007-12-05 01:41 2002944 ----a-w- c:\windows\system32\nvcuda.dll

2009-08-16 23:57 . 2007-10-25 09:17 868352 ----a-w- c:\windows\system32\nvapi.dll

2009-08-16 23:57 . 2007-10-25 09:17 155648 ----a-w- c:\windows\system32\nvcodins.dll

2009-08-16 23:57 . 2007-10-25 09:17 155648 ----a-w- c:\windows\system32\nvcod.dll

2009-08-16 23:57 . 2007-10-25 09:17 10457088 ----a-w- c:\windows\system32\nvoglnt.dll

2009-08-16 23:57 . 2005-06-16 16:50 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2009-08-16 23:57 . 2005-06-16 16:50 5845760 ----a-w- c:\windows\system32\nv4_disp.dll

2009-08-15 06:44 . 2009-08-15 06:44 -------- d-----w- c:\program files\GPLGS

2009-08-15 06:43 . 2009-08-15 06:43 -------- d-----w- c:\program files\Acro Software

2009-08-15 06:35 . 2009-08-15 06:35 -------- d-----w- c:\program files\Universal Document Converter

2009-08-15 06:02 . 2005-07-14 20:59 -------- d-----w- c:\program files\DivX

2009-08-15 06:01 . 2009-08-15 06:01 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-08-14 12:36 . 2009-08-14 12:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll

2009-08-13 22:15 . 2009-02-12 18:39 -------- d-----w- c:\documents and settings\Dent\Application Data\calibre

2009-08-13 08:29 . 2009-02-12 18:39 -------- d-----w- c:\program files\calibre

2009-08-11 11:35 . 2005-06-16 22:24 485920 ----a-w- c:\windows\system32\NVUNINST.EXE

2009-08-09 19:04 . 2007-11-10 10:48 -------- d-----w- c:\program files\Microsoft.NET

2009-08-05 09:01 . 2005-06-16 19:53 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-27 02:43 . 2009-07-27 02:43 58908 ----a-w- c:\windows\system32\drivers\scdemu.sys

2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll

2009-07-17 19:01 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 22:43 . 2005-06-16 16:50 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2001-08-23 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-25 08:25 . 2001-08-23 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2001-08-23 12:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2001-08-23 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2001-08-23 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2001-08-23 12:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-24 11:18 . 2001-08-23 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-09-18 23:50 . 2007-05-10 20:26 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-09-18 23:50 . 2007-05-10 20:26 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-09-18 23:50 . 2007-05-10 20:26 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-09-18 23:50 . 2007-05-10 20:26 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-09-18 23:50 . 2007-05-10 20:26 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2007-11-15 18:02 . 2007-11-15 18:02 0 -csha-w- c:\windows\S868D8344.tmp

2007-11-10 22:47 . 2007-11-03 15:25 88 --sh--r- c:\windows\system32\9A4435F11A.sys

2006-07-23 17:16 . 2006-07-23 17:16 8 --sh--r- c:\windows\system32\CCC82F31CA.dll

2007-11-17 21:01 . 2007-11-17 21:01 88 --sh--r- c:\windows\system32\DCB9C06D24.sys

2007-11-17 21:01 . 2007-11-03 15:25 4182 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys

[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys

[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys

[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys

[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys

[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys

[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll

[-] 2008-04-14 00:11 . 028C3E9C06BBEE764908254C0A9270D8 . 61952 . . [------] . . c:\windows\system32\eventlog.dll

[7] 2004-08-03 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-06-14 15:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-19 2007832]

"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]

"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-10-07 23552]

"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-08-07 16384]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-11-11 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-04 171448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-19 08:35 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CoreCenter.lnk]

backup=c:\windows\pss\CoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DigiCell.lnk]

backup=c:\windows\pss\DigiCell.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVB-Data Control.lnk]

backup=c:\windows\pss\DVB-Data Control.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]

backup=c:\windows\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]

backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]

backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dent^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Dent\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dent^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]

path=c:\documents and settings\Dent\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk

backup=c:\windows\pss\BBC iPlayer Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dent^Start Menu^Programs^Startup^WinMySQLadmin.lnk]

backup=c:\windows\pss\WinMySQLadmin.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BBStart

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\odb

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateWin

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ATI Smart"=2 (0x2)

"StarWindService"=2 (0x2)

"PnkBstrB"=2 (0x2)

"PnkBstrA"=2 (0x2)

"KService"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"FLEXnet Licensing Service"=3 (0x3)

"FLEXlm Service 1"=3 (0x3)

"WMPNetworkSvc"=3 (0x3)

"Sony SCSI Helper Service"=3 (0x3)

"ImapiService"=3 (0x3)

"CryptSvc"=3 (0x3)

"CCALib8"=2 (0x2)

"Bonjour Service"=2 (0x2)

"BITS"=3 (0x3)

"Adobe LM Service"=3 (0x3)

"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Hauppauge\\WinTV NOVA\\DVBData.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=

"c:\\Program Files\\utorrent\\utorrent.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Hauppauge\\WinTV NOVA\\DVB-TV.exe"=

"c:\\Program Files\\MSI\\i-Speeder\\i-Speeder.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Kontiki\\KHost.exe"=

"c:\\Program Files\\Autodesk\\Maya 8.5 Personal Learning Edition\\bin\\maya.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=

"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=

"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\SecondLife\\SecondLife.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\SecondLife\\SLVoice.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7426:TCP"= 7426:TCP:*:Disabled:messenger

"3617:TCP"= 3617:TCP:*:Disabled:messenger

"8445:TCP"= 8445:TCP:messenger

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/06/2008 09:51 335240]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/12/2008 12:06 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [22/12/2008 12:05 55024]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [31/01/2009 14:58 297752]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [09/05/2008 15:15 171032]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [09/05/2008 15:14 1324056]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [09/05/2008 15:15 72728]

R3 TTDVBLCD;TechnoTrend DVB PCI budget Driver;c:\windows\system32\drivers\ttdvblcd.sys [08/11/2004 18:39 65952]

S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [07/11/2007 19:05 22272]

S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/07/2009 20:05 133104]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [30/05/2009 19:14 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [09/05/2008 15:15 171032]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [09/05/2008 15:14 1324056]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [09/05/2008 15:15 72728]

S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Dent\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Dent\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [22/12/2008 12:06 7408]

S4 FLEXlm Service 1;FLEXlm Service 1; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]

c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-01 19:05]

2009-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-01 19:05]

2009-09-21 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2007-03-09 20:15]

2009-09-17 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2007-03-09 20:15]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: com.tw\www.msi

Trusted Zone: localhost

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\www.update

Trusted Zone: windowsupdate.com\download

TCP: {BDE83FC4-63DB-41FA-AE1B-AAEC1DE18AF1} = 212.104.130.65,212.104.130.9

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab

FF - ProfilePath - c:\documents and settings\Dent\Application Data\Mozilla\Firefox\Profiles\1gic4cko.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{59FD2F2B-D5A0-4DF0-A38D-E5DE55B97021} - (no file)

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)

Notify-AtiExtEvent - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-21 15:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3756)

c:\windows\system32\WININET.dll

c:\windows\system32\ctagent.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Creative\Shared Files\CTAudSvc.exe

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\NVIDIA Corporation\nTune\nTuneService.exe

c:\windows\system32\PSIService.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\windows\system32\tcpsvcs.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\CTxfispi.exe

.

**************************************************************************

.

Completion time: 2009-09-21 15:32 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-21 14:32

Pre-Run: 22,176,202,752 bytes free

Post-Run: 29,685,026,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer

479 --- E O F --- 2009-09-19 08:21

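An added example, not part of this thread and not ComboFix's own code: a small Python triage pass over the R/S service lines of a ComboFix log such as the one above. It assumes the ComboFix convention that the letter is the service state (R running, S stopped) and the digit is the registry Start value (0 boot, 1 system, 2 auto, 3 demand, 4 disabled). It flags only what those lines themselves show: entries whose file ComboFix could not locate or size (printed as [?] or [x]), drivers whose path sits under a Temp directory, and services named by a bare GUID. The sample lines are copied from the log above; the flags are prompts for a second look, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the R/S service lines from the ComboFix log above.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/06/2008 09:51 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [31/01/2009 14:58 297752]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Dent\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Dent\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S4 FLEXlm Service 1;FLEXlm Service 1; [x]
"""


@dataclass
class ServiceEntry:
    state: str            # 'R' running, 'S' stopped
    start: int            # registry Start value: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    path: str             # resolved image path ('' when ComboFix printed none)
    size: Optional[int]   # None when ComboFix printed [?] or [x] instead of date/size
    flags: List[str] = field(default_factory=list)


# "<R|S><digit> <name>;<display>;<path and file info>"
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
# Trailing "[dd/mm/yyyy hh:mm size]" that ComboFix appends when it found the file.
INFO_RE = re.compile(r"\[(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) (?P<size>\d+)\]$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)


def _split_rest(rest: str):
    """Separate the image path from the trailing file info; return (path, size or None)."""
    rest = rest.strip()
    if rest.endswith("[?]") or rest.endswith("[x]"):
        path, size = rest[:-3].strip(), None
    else:
        m = INFO_RE.search(rest)
        if not m:
            return rest, None
        path, size = rest[:m.start()].strip(), int(m.group("size"))
    # ComboFix prints "\??\raw --> resolved" for NT-style ImagePaths; keep the resolved form.
    if " --> " in path:
        path = path.split(" --> ")[-1].strip()
    return path, size


def triage_flags(entry: ServiceEntry) -> List[str]:
    """Heuristic hints only: each one is a reason to look closer, not proof of anything."""
    flags = []
    if entry.size is None:
        flags.append("file-not-found")          # ComboFix could not find or size the file
    if "\\temp\\" in entry.path.lower():
        flags.append("temp-dir")                # a service/driver loading from a Temp folder
    if GUID_RE.match(entry.name):
        flags.append("guid-name")               # service registered under a bare GUID
    return flags


def parse_services(log_text: str) -> List[ServiceEntry]:
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, size = _split_rest(m.group("rest"))
        entry = ServiceEntry(m.group("state"), int(m.group("start")),
                             m.group("name"), m.group("display"), path, size)
        entry.flags = triage_flags(entry)
        entries.append(entry)
    return entries


def flagged(log_text: str) -> List[ServiceEntry]:
    return [e for e in parse_services(log_text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.state}{e.start} {e.name!r}: {e.path or '<no path>'} -> {', '.join(e.flags)}")
```

Feed it the whole ComboFix.txt instead of SAMPLE_LOG to triage a real log; lines that are not R/S service entries are skipped.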

We should be on the downhill side now :)

------------------

Step 1:

------------------

P2P

I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Click > Start > Control Panel > Add or Remove Programs and uninstall the following programs (if they exist):

  • eMule
  • uTorrent

------------------

Step 2:

------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\windows\win32k.sys

FCopy::
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\dllcache\tcpip.sys
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\system32\eventlog.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\eMule\\emule.exe"=-
"c:\\Program Files\\utorrent\\utorrent.exe"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

------------------

Step 3:

------------------

Please save this file to your desktop.

Click on Start->Run, and copy-paste the following command into the "Open:" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

------------------

Step 4:

------------------

Please post back with the following:

  • How your machine is running
  • ComboFix.txt
  • Win32kDiag.txt

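After Step 2 runs, ComboFix.txt lists the FCopy lines, but it does not show whether the live files now match the known-good copies. An added example, not from the helper's post and not a ComboFix feature: a Python check that hashes each source/target pair from the FCopy:: block above, reports any mismatch or missing file, and confirms that c:\windows\win32k.sys (the file the File:: block deletes; the legitimate win32k.sys lives under system32, so a copy in the Windows root is out of place) is gone. It takes the Windows directory as a parameter and splits the relative paths on backslashes so it also runs against a tree copied off the machine. build_demo_tree() writes a constructed sample tree for testing; it is not real system data.

```python
import hashlib
import os
import tempfile

# Source/target pairs from the CFScript's FCopy:: block, relative to the Windows directory.
# Left: the known-good copy; right: the live file it was copied over.
RESTORE_PAIRS = [
    (r"$hf_mig$\KB951748\SP3QFE\tcpip.sys", r"system32\dllcache\tcpip.sys"),
    (r"$hf_mig$\KB951748\SP3QFE\tcpip.sys", r"system32\drivers\tcpip.sys"),
    (r"ServicePackFiles\i386\eventlog.dll", r"system32\eventlog.dll"),
]
# Deleted by the File:: block; a win32k.sys directly under the Windows directory is out of place.
STRAY_FILE = "win32k.sys"


def _join(root, rel):
    # Split on backslashes so the same relative paths work on a tree copied to another OS.
    return os.path.join(root, *rel.split("\\"))


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restore(windows_dir):
    """Return {target: 'ok'|'mismatch'|'missing-source'|'missing-target'} for each FCopy pair,
    plus 'stray-win32k': True if the deleted file is still (or again) present."""
    report = {}
    for src_rel, dst_rel in RESTORE_PAIRS:
        src, dst = _join(windows_dir, src_rel), _join(windows_dir, dst_rel)
        if not os.path.isfile(src):
            report[dst_rel] = "missing-source"
        elif not os.path.isfile(dst):
            report[dst_rel] = "missing-target"
        elif sha256_of(src) == sha256_of(dst):
            report[dst_rel] = "ok"
        else:
            report[dst_rel] = "mismatch"
    report["stray-win32k"] = os.path.isfile(_join(windows_dir, STRAY_FILE))
    return report


def build_demo_tree():
    """Constructed sample tree (not real system files): one pair restored correctly,
    one target still differing from its source, one target absent, and a stray win32k.sys."""
    root = tempfile.mkdtemp(prefix="fcopy-check-")
    files = {
        r"$hf_mig$\KB951748\SP3QFE\tcpip.sys": b"known-good tcpip",
        r"system32\dllcache\tcpip.sys": b"known-good tcpip",
        r"system32\drivers\tcpip.sys": b"something else",
        r"ServicePackFiles\i386\eventlog.dll": b"known-good eventlog",
        r"win32k.sys": b"stray",
    }
    for rel, data in files.items():
        path = _join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    # Real use on the affected machine: verify_restore(r"C:\WINDOWS"); the demo tree stands in here.
    for key, value in verify_restore(build_demo_tree()).items():
        print(f"{key}: {value}")
```

Every pair should report ok and stray-win32k should be False once the script has done its work; anything else is worth raising in the next reply alongside ComboFix.txt.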

OK, that seemed to go OK. I did a bit of Googling and no redirects either.

AVG still won't scan though; I've not tried any of the others yet.

ComboFix log below; I'll do the Win32kDiag in another post:

ComboFix 09-09-20.01 - Dent 21/09/2009 16:16.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1476 [GMT 1:00]

Running from: c:\documents and settings\Dent\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Dent\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\windows\win32k.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\win32k.sys

.

--------------- FCopy ---------------

c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys --> c:\windows\system32\dllcache\tcpip.sys

c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll

.

((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))

.

2009-09-20 15:45 . 2009-09-20 15:45 -------- d-----w- c:\program files\Microsoft

2009-09-20 14:33 . 2009-09-20 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2009-09-20 13:58 . 2009-09-20 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-20 13:46 . 2009-09-20 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)

2009-09-20 12:14 . 2009-09-20 12:50 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2009-09-20 12:14 . 2009-09-20 12:50 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2009-09-20 12:14 . 2009-09-20 12:57 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL

2009-09-20 12:13 . 2009-09-20 12:53 -------- d-----w- c:\windows\Replay Media Catcher

2009-09-20 12:13 . 2009-09-20 13:58 -------- d-----w- c:\program files\Replay Media Catcher

2009-09-19 10:13 . 2009-09-19 10:13 -------- d-----w- c:\documents and settings\Dent\Application Data\Malwarebytes

2009-09-19 10:13 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-19 10:13 . 2009-09-19 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-19 10:13 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-18 23:51 . 2009-09-18 23:51 -------- d-----w- c:\documents and settings\Dent\Local Settings\Application Data\AVG Security Toolbar

2009-09-18 22:17 . 2009-09-20 15:01 -------- d-----w- c:\program files\Trend Micro

2009-09-18 20:48 . 2009-09-18 20:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-09-18 17:44 . 2009-09-18 17:44 -------- d-sh--w- c:\documents and settings\Dent\IECompatCache

2009-09-10 16:42 . 2009-09-10 16:42 -------- d-----w- c:\program files\AGEIA Technologies

2009-09-10 16:42 . 2009-09-10 16:42 -------- d-----w- c:\windows\system32\AGEIA

2009-09-10 16:42 . 2009-09-10 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2009-09-10 15:01 . 2009-09-10 15:01 -------- d-----w- c:\documents and settings\Dent\Local Settings\Application Data\Rockstar Games

2009-09-10 14:47 . 2009-09-10 14:47 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE

2009-09-10 14:34 . 2009-09-10 14:57 -------- d-----w- c:\program files\Rockstar Games

2009-09-09 21:24 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-09 20:03 . 2009-09-09 20:03 -------- d-----w- c:\program files\PowerISO

2009-09-08 17:55 . 2009-09-08 17:55 -------- d-----w- c:\documents and settings\Dent\Application Data\DeLorme

2009-09-08 17:55 . 2009-09-08 17:55 -------- d-----w- c:\documents and settings\Dent\Local Settings\Application Data\DeLorme

2009-09-08 17:51 . 2009-09-08 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\DeLorme

2009-09-06 08:34 . 2004-05-12 07:49 1089536 ------w- c:\windows\system32\ROBOEX32.DLL

2009-09-04 22:16 . 2009-09-04 22:16 -------- d-----w- c:\documents and settings\Dent\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1

2009-09-04 22:16 . 2009-09-04 22:16 -------- d-----w- c:\program files\BBC iPlayer Desktop

2009-09-04 22:16 . 2009-09-04 22:16 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-08-25 21:26 . 2009-08-26 21:51 303536 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-20 12:56 . 2006-03-29 08:56 -------- d-----w- c:\documents and settings\Dent\Application Data\uTorrent

2009-09-18 21:18 . 2008-05-22 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki

2009-09-18 20:49 . 2009-01-03 11:58 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-16 20:14 . 2005-06-16 19:55 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-16 13:19 . 2009-08-15 07:48 -------- d-----w- c:\program files\Entropia Universe

2009-09-10 16:42 . 2005-06-18 15:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-10 16:24 . 2008-07-19 09:57 -------- d-----w- c:\program files\SystemRequirementsLab

2009-09-10 02:33 . 2008-09-22 11:41 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-10 02:05 . 2007-11-10 10:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-06 17:28 . 2005-06-16 23:19 -------- d-----w- c:\program files\Google

2009-09-04 23:00 . 2009-06-13 13:31 -------- d-----w- c:\program files\SpeedFan

2009-08-23 08:09 . 2005-06-16 20:00 98336 ----a-w- c:\documents and settings\Dent\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-19 14:43 . 2005-06-17 14:13 -------- d-----w- c:\documents and settings\Dent\Application Data\AdobeUM

2009-08-19 08:35 . 2009-01-31 13:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-19 08:35 . 2008-06-20 08:51 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-19 08:35 . 2007-01-03 17:55 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-17 02:04 . 2009-08-17 02:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe

2009-08-17 02:04 . 2009-08-17 02:04 81920 ----a-w- c:\windows\system32\nvwddi.dll

2009-08-17 02:03 . 2009-08-17 02:03 3170304 ----a-w- c:\windows\system32\nvwss.dll

2009-08-17 02:03 . 2009-08-17 02:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll

2009-08-17 02:03 . 2009-08-17 02:03 188416 ----a-w- c:\windows\system32\nvmccss.dll

2009-08-17 02:03 . 2009-08-17 02:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll

2009-08-17 02:03 . 2009-08-17 02:03 3547136 ----a-w- c:\windows\system32\nvgames.dll

2009-08-17 02:03 . 2009-08-17 02:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll

2009-08-17 02:03 . 2009-08-17 02:03 86016 ----a-w- c:\windows\system32\nvmctray.dll

2009-08-17 02:03 . 2009-08-17 02:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe

2009-08-17 02:03 . 2009-08-17 02:03 143360 ----a-w- c:\windows\system32\nvcolor.exe

2009-08-17 02:03 . 2009-08-17 02:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll

2009-08-17 02:02 . 2009-08-17 02:02 229376 ----a-w- c:\windows\system32\nvmccs.dll

2009-08-16 23:57 . 2009-08-16 23:57 2189856 ----a-w- c:\windows\system32\nvcuvid.dll

2009-08-16 23:57 . 2009-08-16 23:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll

2009-08-16 23:57 . 2009-08-16 23:57 1597690 ----a-w- c:\windows\system32\nvdata.bin

2009-08-16 23:57 . 2008-02-02 15:31 485920 ----a-w- c:\windows\system32\nvudisp.exe

2009-08-16 23:57 . 2007-12-05 01:41 2002944 ----a-w- c:\windows\system32\nvcuda.dll

2009-08-16 23:57 . 2007-10-25 09:17 868352 ----a-w- c:\windows\system32\nvapi.dll

2009-08-16 23:57 . 2007-10-25 09:17 155648 ----a-w- c:\windows\system32\nvcodins.dll

2009-08-16 23:57 . 2007-10-25 09:17 155648 ----a-w- c:\windows\system32\nvcod.dll

2009-08-16 23:57 . 2007-10-25 09:17 10457088 ----a-w- c:\windows\system32\nvoglnt.dll

2009-08-16 23:57 . 2005-06-16 16:50 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2009-08-16 23:57 . 2005-06-16 16:50 5845760 ----a-w- c:\windows\system32\nv4_disp.dll

2009-08-15 06:44 . 2009-08-15 06:44 -------- d-----w- c:\program files\GPLGS

2009-08-15 06:43 . 2009-08-15 06:43 -------- d-----w- c:\program files\Acro Software

2009-08-15 06:35 . 2009-08-15 06:35 -------- d-----w- c:\program files\Universal Document Converter

2009-08-15 06:02 . 2005-07-14 20:59 -------- d-----w- c:\program files\DivX

2009-08-15 06:01 . 2009-08-15 06:01 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-08-14 12:36 . 2009-08-14 12:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll

2009-08-13 22:15 . 2009-02-12 18:39 -------- d-----w- c:\documents and settings\Dent\Application Data\calibre

2009-08-13 08:29 . 2009-02-12 18:39 -------- d-----w- c:\program files\calibre

2009-08-11 11:35 . 2005-06-16 22:24 485920 ----a-w- c:\windows\system32\NVUNINST.EXE

2009-08-09 19:04 . 2007-11-10 10:48 -------- d-----w- c:\program files\Microsoft.NET

2009-08-05 09:01 . 2005-06-16 19:53 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-27 02:43 . 2009-07-27 02:43 58908 ----a-w- c:\windows\system32\drivers\scdemu.sys

2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll

2009-07-17 19:01 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 22:43 . 2005-06-16 16:50 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2001-08-23 12:00 915456 ------w- c:\windows\system32\wininet.dll

2009-06-25 08:25 . 2001-08-23 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2001-08-23 12:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2001-08-23 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2001-08-23 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2001-08-23 12:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-24 11:18 . 2001-08-23 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-09-18 23:50 . 2007-05-10 20:26 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-09-18 23:50 . 2007-05-10 20:26 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-09-18 23:50 . 2007-05-10 20:26 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-09-18 23:50 . 2007-05-10 20:26 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-09-18 23:50 . 2007-05-10 20:26 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2007-11-15 18:02 . 2007-11-15 18:02 0 -csha-w- c:\windows\S868D8344.tmp

2007-11-10 22:47 . 2007-11-03 15:25 88 --sh--r- c:\windows\system32\9A4435F11A.sys

2006-07-23 17:16 . 2006-07-23 17:16 8 --sh--r- c:\windows\system32\CCC82F31CA.dll

2007-11-17 21:01 . 2007-11-17 21:01 88 --sh--r- c:\windows\system32\DCB9C06D24.sys

2007-11-17 21:01 . 2007-11-03 15:25 4182 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-09-21_14.17.23 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-21 15:27 . 2009-09-21 15:27 16384 c:\windows\Temp\Perflib_Perfdata_768.dat

+ 2001-08-23 12:00 . 2008-04-14 00:11 56320 c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-06-14 15:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-19 2007832]

"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]

"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-10-07 23552]

"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-08-07 16384]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-11-11 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-04 171448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-19 08:35 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CoreCenter.lnk]

backup=c:\windows\pss\CoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DigiCell.lnk]

backup=c:\windows\pss\DigiCell.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVB-Data Control.lnk]

backup=c:\windows\pss\DVB-Data Control.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]

backup=c:\windows\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]

backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]

backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dent^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Dent\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dent^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]

path=c:\documents and settings\Dent\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk

backup=c:\windows\pss\BBC iPlayer Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dent^Start Menu^Programs^Startup^WinMySQLadmin.lnk]

backup=c:\windows\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ATI Smart"=2 (0x2)

"StarWindService"=2 (0x2)

"PnkBstrB"=2 (0x2)

"PnkBstrA"=2 (0x2)

"KService"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"Sony SCSI Helper Service"=3 (0x3)

"ImapiService"=3 (0x3)

"CryptSvc"=3 (0x3)

"CCALib8"=2 (0x2)

"Bonjour Service"=2 (0x2)

"BITS"=3 (0x3)

"Adobe LM Service"=3 (0x3)

"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Hauppauge\\WinTV NOVA\\DVBData.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Hauppauge\\WinTV NOVA\\DVB-TV.exe"=

"c:\\Program Files\\MSI\\i-Speeder\\i-Speeder.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Kontiki\\KHost.exe"=

"c:\\Program Files\\Autodesk\\Maya 8.5 Personal Learning Edition\\bin\\maya.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=

"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=

"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\SecondLife\\SecondLife.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\SecondLife\\SLVoice.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7426:TCP"= 7426:TCP:*:Disabled:messenger

"3617:TCP"= 3617:TCP:*:Disabled:messenger

"8445:TCP"= 8445:TCP:messenger

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/06/2008 09:51 335240]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/12/2008 12:06 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [22/12/2008 12:05 55024]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [31/01/2009 14:58 297752]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [09/05/2008 15:15 171032]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [09/05/2008 15:14 1324056]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [09/05/2008 15:15 72728]

R3 TTDVBLCD;TechnoTrend DVB PCI budget Driver;c:\windows\system32\drivers\ttdvblcd.sys [08/11/2004 18:39 65952]

S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [07/11/2007 19:05 22272]

S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/07/2009 20:05 133104]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [30/05/2009 19:14 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [09/05/2008 15:15 171032]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [09/05/2008 15:14 1324056]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [09/05/2008 15:15 72728]

S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Dent\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Dent\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [22/12/2008 12:06 7408]

S4 FLEXlm Service 1;FLEXlm Service 1; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]

c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-01 19:05]

2009-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-01 19:05]

2009-09-21 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2007-03-09 20:15]

2009-09-17 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2007-03-09 20:15]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: com.tw\www.msi

Trusted Zone: localhost

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\www.update

Trusted Zone: windowsupdate.com\download

TCP: {BDE83FC4-63DB-41FA-AE1B-AAEC1DE18AF1} = 212.104.130.65,212.104.130.9

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab

FF - ProfilePath - c:\documents and settings\Dent\Application Data\Mozilla\Firefox\Profiles\1gic4cko.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-21 16:26

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1180)

c:\windows\system32\WININET.dll

c:\windows\system32\ctagent.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Creative\Shared Files\CTAudSvc.exe

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\NVIDIA Corporation\nTune\nTuneService.exe

c:\windows\system32\PSIService.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\windows\system32\tcpsvcs.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\CTxfispi.exe

.

**************************************************************************

.

Completion time: 2009-09-21 16:42 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-21 15:42

ComboFix2.txt 2009-09-21 14:32

Pre-Run: 29,710,856,192 bytes free

Post-Run: 29,662,650,368 bytes free

363 --- E O F --- 2009-09-19 08:21


Nice :) Let's do a couple more scans. You might have to uninstall and re-install AVG in the end but let's see what happens first.

Things are looking much better! Let's get a couple more scans to check for orphans :)

------------------

Step 1:

------------------

Run Malwarebytes' Anti-Malware

  • Select the Update tab and then click Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select the Scanner tab and "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

------------------

Step 2:

------------------

Please download JavaRa to your desktop and unzip it to its own folder

  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

------------------

Step 3:

------------------

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

------------------

Step 4:

------------------

Please post back with the following:

  • How your machine is running
  • MBAM log
  • KasReport.txt


step 1 went well (had to reinstall mbam, and will do the same for avg later).

no malware found! :)

log below. I shall continue with the rest of the instructions;

Malwarebytes' Anti-Malware 1.41

Database version: 2837

Windows 5.1.2600 Service Pack 3

21/09/2009 17:15:07

mbam-log-2009-09-21 (17-15-07).txt

Scan type: Quick Scan

Objects scanned: 112173

Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


It's going to take quite a while to run Kaspersky (been going an hour and a half and it says only 7% complete...)

I'll start it going overnight and report back tomorrow as I need to go too. It found a few things so far however, report below, but I'll post a new full report tomorrow. I am tempted to delete all the files it mentions...

thanks again for your help today, there is no way I'd have got out of this with just googling around!

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, September 21, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, September 21, 2009 18:36:25

Records in database: 2866538

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

J:\

X:\

Z:\

Scan statistics:

Objects scanned: 146770

Threats found: 8

Infected objects found: 9

Suspicious objects found: 0

Scan duration: 01:35:16

File name / Threat / Threats count

C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-35f26240 Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\6.0\48\6b488e30-6435cdb4 Infected: Trojan-Downloader.Java.OpenConnection.ar 1

C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-5983f703-129bace8.class Infected: Trojan.Java.ClassLoader.Dummy.d 1

C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fe02a8e-35efe06d.class Infected: Trojan-Downloader.JS.Iframe.bqj 1

C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-470afa3e.zip Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Dent\Desktop\apps\click this to regain regedit.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1

C:\Documents and Settings\Dent\Desktop\stuff\apache\jscripts.cab Infected: not-a-virus:AdWare.Win32.Mostofate.ao 1

C:\Documents and Settings\Dent\Desktop\stuff\pranks\avoid.exe Infected: Hoax.Win32.BadJoke.Delf.af 1

C:\Documents and Settings\Dent\Desktop\stuff\pranks\ClickStart v1.00.exe Infected: Hoax.Win32.BadJoke.RJL.b 1

Scanning stopped by the user.


Mornin'

Kaspersky finished, 6 hours :). Found a few things, log below.

I reinstalled AVG (had to uninstall as you said, repair install didn't work).

I did another mbam check and nothing detected.

Should I go ahead and delete all these files?

cheers

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Tuesday, September 22, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, September 22, 2009 00:08:46

Records in database: 2867351

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

J:\

X:\

Z:\

Scan statistics:

Objects scanned: 431234

Threats found: 8

Infected objects found: 13

Suspicious objects found: 0

Scan duration: 06:03:06

File name / Threat / Threats count

C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-5983f703-129bace8.class Infected: Trojan.Java.ClassLoader.Dummy.d 1

C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fe02a8e-35efe06d.class Infected: Trojan-Downloader.JS.Iframe.bqj 1

C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-470afa3e.zip Infected: Exploit.Java.Gimsh.b 1

C:\Program Files\Softomate\ToolbarStudio\installed\{59FD2F2B-D5A0-4DF0-A38D-E5DE55B97021}\0\jscripts.dll Infected: not-a-virus:AdWare.Win32.Mostofate.ao 1

C:\Program Files\Softomate\ToolbarStudio\installed\{59FD2F2B-D5A0-4DF0-A38D-E5DE55B97021}\1\jscripts.dll Infected: not-a-virus:AdWare.Win32.Mostofate.ao 1

C:\Program Files\Softomate\ToolbarStudio\projects\test.cab Infected: not-a-virus:AdWare.Win32.Mostofate.ao 1

C:\Program Files\Softomate\ToolbarStudio\projects\toolbar.cab Infected: not-a-virus:AdWare.Win32.Mostofate.ao 1

C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc10.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1

C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc11.cab Infected: not-a-virus:AdWare.Win32.Mostofate.ao 1

C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc12 Infected: Exploit.Java.Gimsh.b 1

C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc14 Infected: Trojan-Downloader.Java.OpenConnection.ar 1

C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc9\avoid.exe Infected: Hoax.Win32.BadJoke.Delf.af 1

C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc9\ClickStart v1.00.exe Infected: Hoax.Win32.BadJoke.RJL.b 1

Selected area has been scanned.


Good Morning :)

Let's finish killing these files and then see what we can do about AVG.

------------------

Step 1:

------------------

Please download OTM by OldTimer

  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Processes
    explorer.exe

    :Services

    :Reg

    :Files
    C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-5983f703-129bace8.class
    C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fe02a8e-35efe06d.class
    C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-470afa3e.zip
    C:\Program Files\Softomate
    C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc10.vbs
    C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc11.cab
    C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc12
    C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc14
    C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc9\avoid.exe
    C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc9\ClickStart v1.00.exe

    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

------------------

Step 2:

------------------

For the AVG problem, before we go any further. Please uninstall using this tool:

Download and run the AVG removal tool from HERE. This should get rid of AVG.

Reboot, then reinstall again. Let me know how it goes.


Hi,

OTM did its stuff and rebooted. I've pasted the log file below. AVG is running fine now thanks.

hows it looking?

All processes killed

========== PROCESSES ==========

No active process named explorer.exe was found!

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-5983f703-129bace8.class moved successfully.

C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fe02a8e-35efe06d.class moved successfully.

C:\Documents and Settings\Dent\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-470afa3e.zip moved successfully.

C:\Program Files\Softomate\WebUpdater moved successfully.

C:\Program Files\Softomate\ToolbarStudio\projects moved successfully.

C:\Program Files\Softomate\ToolbarStudio\nothing\cache moved successfully.

C:\Program Files\Softomate\ToolbarStudio\nothing moved successfully.

C:\Program Files\Softomate\ToolbarStudio\license moved successfully.

C:\Program Files\Softomate\ToolbarStudio\installed\{59FD2F2B-D5A0-4DF0-A38D-E5DE55B97021}\1 moved successfully.

C:\Program Files\Softomate\ToolbarStudio\installed\{59FD2F2B-D5A0-4DF0-A38D-E5DE55B97021}\0 moved successfully.

C:\Program Files\Softomate\ToolbarStudio\installed\{59FD2F2B-D5A0-4DF0-A38D-E5DE55B97021} moved successfully.

C:\Program Files\Softomate\ToolbarStudio\installed moved successfully.

C:\Program Files\Softomate\ToolbarStudio\bin moved successfully.

C:\Program Files\Softomate\ToolbarStudio moved successfully.

C:\Program Files\Softomate moved successfully.

File/Folder C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc10.vbs not found.

File/Folder C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc11.cab not found.

File/Folder C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc12 not found.

File/Folder C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc14 not found.

File/Folder C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc9\avoid.exe not found.

File/Folder C:\RECYCLER\S-1-5-21-73586283-1547161642-725345543-1003\Dc9\ClickStart v1.00.exe not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 78991 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Dent

->Temp folder emptied: 269882103 bytes

->Temporary Internet Files folder emptied: 845535957 bytes

->Java cache emptied: 91924161 bytes

->FireFox cache emptied: 8130277 bytes

User: LocalService

->Temp folder emptied: 0 bytes

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 144594 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes

C:\WINDOWS\msdownld.tmp folder deleted successfully.

C:\WINDOWS\NV26483208.TMP folder deleted successfully.

C:\WINDOWS\NV4562992.TMP folder deleted successfully.

%systemroot% .tmp files removed: 2190299 bytes

%systemroot%\System32 .tmp files removed: 9761319 bytes

File delete failed. C:\WINDOWS\temp\hlktmp scheduled to be deleted on reboot.

Windows Temp folder emptied: 8405600 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 1178.82 mb

OTM by OldTimer - Version 3.0.0.6 log created on 09222009_132723

Files moved on Reboot...

File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...

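The OTM script in the helper's post above was assembled by hand from the Kaspersky report, and the OTM results log then had to be read back to see which entries were moved and which were already gone. As an added example that is not part of the original thread, and not code from Malwarebytes, Kaspersky or OldTimer, the Python below does both steps: it parses Kaspersky 7.0 report lines of the form "<path> Infected: <threat> <count>", collapses several hits under one folder into that folder (as was done for Softomate), emits the OTM :Processes/:Files/:Commands script, and reconciles the OTM log against what was requested. The report and log lines embedded in it are constructed (user name, SID and hashes are placeholders); the two OTM log line formats it matches are assumed from the log posted above.

```python
"""Turn a Kaspersky Online Scanner report into an OTM ':Files' script and
check the OTM results log afterwards.

Added example for this thread; not code from Malwarebytes, Kaspersky or
OldTimer. SAMPLE_REPORT and SAMPLE_OTM_LOG are constructed in the shape
of the posts above. The OTM line formats matched ("... moved successfully."
and "File/Folder ... not found.") are assumed from the posted log.
"""
import re

# Kaspersky 7.0 report body line: "<path> Infected: <threat-name> <count>"
KAS_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# Where a drive-by Java exploit and later hand deletions leave residue.
JAVA_CACHE = re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.I)
RECYCLER = re.compile(r"^[A-Z]:\\RECYCLER\\S-1-5-21-[\d-]+\\", re.I)
OTM_MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
OTM_MISSING = re.compile(r"^File/Folder (?P<path>.+?) not found\.$")

SAMPLE_REPORT = r"""File name / Threat / Threats count
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvm.jar-00000000-11111111.zip Infected: Exploit.Java.Gimsh.b 1
C:\Program Files\Softomate\ToolbarStudio\projects\toolbar.cab Infected: not-a-virus:AdWare.Win32.Mostofate.ao 1
C:\Program Files\Softomate\ToolbarStudio\installed\{00000000-0000-0000-0000-000000000000}\0\jscripts.dll Infected: not-a-virus:AdWare.Win32.Mostofate.ao 1
C:\RECYCLER\S-1-5-21-1-2-3-1003\Dc9\avoid.exe Infected: Hoax.Win32.BadJoke.Delf.af 1
Selected area has been scanned.
"""

SAMPLE_OTM_LOG = r"""========== FILES ==========
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvm.jar-00000000-11111111.zip moved successfully.
C:\Program Files\Softomate\ToolbarStudio moved successfully.
C:\Program Files\Softomate moved successfully.
File/Folder C:\RECYCLER\S-1-5-21-1-2-3-1003\Dc9\avoid.exe not found.
"""


def parse_kaspersky(report_text):
    """Return [(path, threat), ...] from the report body, skipping headers."""
    hits = []
    for line in report_text.splitlines():
        m = KAS_LINE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat")))
    return hits


def classify(path):
    """Label where a hit lives. Recycler hits are often gone before the
    cleanup script runs, which is why OTM later reports them 'not found'."""
    if JAVA_CACHE.search(path):
        return "java-cache"
    if RECYCLER.match(path):
        return "recycler"
    return "other"


def collapse_paths(paths, roots):
    """Replace every hit under one of `roots` with that root folder itself,
    deduplicated, as the helper did for the Softomate folder."""
    out = []
    for p in paths:
        root = next((r for r in roots if p.lower().startswith(r.lower() + "\\")), None)
        item = root if root is not None else p
        if item not in out:
            out.append(item)
    return out


def build_otm_script(paths):
    """OTM script: stop explorer, move the files, empty temp folders (this
    also clears the Java cache), restart explorer, reboot."""
    return "\n".join([":Processes", "explorer.exe", "", ":Files", *paths, "",
                      ":Commands", "[emptytemp]", "[start explorer]", "[Reboot]"])


def reconcile_otm_log(requested, otm_log):
    """Map each requested path to 'moved', 'not found' or 'unreported'.
    A folder counts as moved if OTM logged it or anything beneath it."""
    moved, missing = set(), set()
    for line in otm_log.splitlines():
        line = line.strip()
        if (m := OTM_MOVED.match(line)):
            moved.add(m.group("path").lower())
        elif (m := OTM_MISSING.match(line)):
            missing.add(m.group("path").lower())
    status = {}
    for req in requested:
        r = req.lower()
        if r in moved or any(p.startswith(r + "\\") for p in moved):
            status[req] = "moved"
        elif r in missing:
            status[req] = "not found"
        else:
            status[req] = "unreported"
    return status


if __name__ == "__main__":
    hits = parse_kaspersky(SAMPLE_REPORT)
    paths = collapse_paths([p for p, _ in hits], (r"C:\Program Files\Softomate",))
    print(build_otm_script(paths))
    for path, state in reconcile_otm_log(paths, SAMPLE_OTM_LOG).items():
        print(f"{state:>10}  {classify(path):<10}  {path}")
```

Run as a script it prints the OTM text to paste, then one status line per requested path. A "not found" result means the file was already gone between the Kaspersky scan and the OTM run (the recycle bin entries in the thread are the typical case); an "unreported" result means OTM said nothing about that path and it should be checked by hand rather than assumed cleaned.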

Quick question just so I know. Did the OTM script fix AVG? Or did you do the uninstall/reinstall?

I did an uninstall/reinstall, using the AVG installer this morning, before you suggested the OTM script and that seemed to sort it out.

I'm curious about how this malware works. Is it targeting specific programs like hjt and mbam, or does it just cripple anything that happens to be looking for it?


I'm curious about how this malware works. Is it targeting specific programs like hjt and mbam, or does it just cripple anything that happens to be looking for it?

Today's infections are very advanced and I believe they use a combination of watching for well-known cleansing applications and being able to catch programs that are scanning for it and disable it. The specifics are more well known to our software developers. It gets very complicated on how each application works and the different methods they use. But since they use these different methods, sometimes one works when another doesn't and it usually takes more than one tool to clean an infected machine. We on the front lines are just applying techniques and gathering information when needed :lol:

Now some good news.

Well done! Your log appears clean! :thumbsup:

------------------

Step 1:

------------------

We're almost done. We need to do some clean up and get you on your way.

Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.

(This will remove all restore points to rid your machine of saved infected files and create a new restore point)

------------------

Step 2:

------------------

We need to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions.

  • Run OTM.exe
  • Click the Clean Up button.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Now delete any logs that you have left over on your desktop.

------------------

Step 3:

------------------

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Note: It is a good idea to run TFC to clear out all your temp files every now and again. This helps to keep your computer running more efficiently. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

------------------

Step 4:

------------------

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help keep your computer from becoming vulnerable.

Please go to Microsoft's Windows Update and download all the critical updates to help prevent possible re-infection.

It is best if you have these set to download automatically.

Automatic Updates for Windows

  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.

---------------------------------------------------------------------------------------------

This is a good time to set up protection against further attacks. Read our How Did I Get Infected In The First Place? guide. You need an antivirus that is continually updated, a good firewall, a spyware blocker, and a real-time spyware program to prevent malware intrusions. Be very wary of any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

---------------------------------------------------------------------------------------------

Anti Spyware

Anti Spyware helps to eliminate certain types of infections. I would recommend getting these and running the scans at least twice a month. Also a real-time protector is beneficial to stop infections before they start. SpywareGuard is an excellent choice here.

  • SUPERAntiSpyware is a powerful tool that can eliminate nasties that make it onto your machine.
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

---------------------------------------------------------------------------------------------

Safer Web Browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are some good free alternatives:

All are faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these.

If you choose FireFox, here are a couple of addons that I recommend:

  • NoScript - for blocking ads and other potential website attacks
  • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must have if you do a lot of Google searches.

---------------------------------------------------------------------------------------------

Other Recommendations

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.

Take Care and Happy Surfing! :wave:


All the uninstalling went fine, a few reboots and things are working swimmingly.

Thanks a million for all this Perplexus, I'm very impressed with this web site and the help you've given me, and all the tools people have created to help us befuddled surfers. I'll take in all your advice and pass it on to colleagues and friends, and Mbam might have a few more purchases soon :)

I can't say this has been fun, but it's been interesting and enlightening! I hope that we don't have to meet again though :lol:

have fun!

