Jump to content

Antivirus 2010 (Malwarebytes & HJT Inoperable)


Recommended Posts

I recently contracted the Antivirus malware and it has locked up my antivirus/spyware programs from opening.

I downloaded and installed Malwarebytes' Anti-Malware and HijackThis but they won't open. The error message received when trying to open them is the following: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Also, AVG will not open now as well. I rebooted in safe mode and ran the programs but nothing gets picked up.

PLEASE HELP!!!!

Marcus

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Thanks for the quick response!

Here is the Combofix text file:

ComboFix 09-09-25.01 - Marcus 09/26/2009 20:47.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1573 [GMT -4:00]

Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\$recycle.bin\S-1-5-21-4117253376-465198573-4017034940-1000

c:\documents and settings\All Users\Application Data\mocemijoci.pif

c:\documents and settings\All Users\Documents\pygupiho.vbs

c:\documents and settings\All Users\Documents\rity.reg

c:\documents and settings\All Users\Documents\ymevimos.sys

c:\documents and settings\Marcus\Application Data\eradiqywe.sys

c:\documents and settings\Marcus\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\Marcus\Cookies\givy.com

c:\documents and settings\Marcus\Cookies\kofazekusa.dll

c:\documents and settings\Marcus\Cookies\ujagapulik.dll

c:\documents and settings\Marcus\Cookies\waxozaz.lib

c:\documents and settings\Marcus\Local Settings\Application Data\avuhysam._dl

c:\documents and settings\Marcus\Local Settings\Application Data\ijat.dll

c:\documents and settings\Marcus\Local Settings\Application Data\vejypakyg.bat

c:\documents and settings\Marcus\Local Settings\Application Data\yqobupez._dl

c:\documents and settings\Marcus\Local Settings\Application Data\yzikite._dl

c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\ecilaxo.ban

c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\ojerepogu.reg

c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\yrak.com

c:\documents and settings\Marcus\Start Menu\Programs\AntivirusPro_2010

c:\documents and settings\Marcus\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk

c:\documents and settings\Marcus\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk

c:\program files\WinPCap

c:\program files\WinPCap\daemon_mgm.exe

c:\program files\WinPCap\INSTALL.LOG

c:\program files\WinPCap\npf_mgm.exe

c:\program files\WinPCap\rpcapd.exe

c:\program files\WinPCap\Uninstall.exe

c:\recycler\S-1-5-21-993081466-2568998575-392820215-1005

c:\recycler\S-1-5-21-993081466-2568998575-392820215-500

c:\windows\Downloaded Program Files\IDropPTB.dll

c:\windows\Installer\100072f5.msi

c:\windows\Installer\100072f6.msi

c:\windows\Installer\10007308.msi

c:\windows\Installer\10007310.msi

c:\windows\Installer\10007311.msi

c:\windows\Installer\105310b.msi

c:\windows\Installer\1196d5.msi

c:\windows\Installer\11ec90.msi

c:\windows\Installer\123a4a.msi

c:\windows\Installer\123a59.msi

c:\windows\Installer\123c97.msi

c:\windows\Installer\123cb0.msi

c:\windows\Installer\123cc4.msi

c:\windows\Installer\123d03.msi

c:\windows\Installer\123d15.msi

c:\windows\Installer\123d7a.msi

c:\windows\Installer\123d8b.msi

c:\windows\Installer\123e88.msi

c:\windows\Installer\129a18f3.msp

c:\windows\Installer\13a6c3ba.msp

c:\windows\Installer\13a6c3da.msp

c:\windows\Installer\13a6c3e2.msi

c:\windows\Installer\13a6c446.msi

c:\windows\Installer\13a6c44e.msi

c:\windows\Installer\13a6c456.msi

c:\windows\Installer\13a6c45e.msi

c:\windows\Installer\13a6c46e.msi

c:\windows\Installer\15119a2b.msp

c:\windows\Installer\153ee5.msi

c:\windows\Installer\153eed.msi

c:\windows\Installer\153efb.msi

c:\windows\Installer\153f09.msi

c:\windows\Installer\156c4d6.msi

c:\windows\Installer\166c9ff1.msp

c:\windows\Installer\1730b7.msi

c:\windows\Installer\1730be.msi

c:\windows\Installer\17f717e6.msi

c:\windows\Installer\187b25e.msi

c:\windows\Installer\187b269.msi

c:\windows\Installer\1ab69ec.msi

c:\windows\Installer\1ab69f3.msi

c:\windows\Installer\1b7bb9.msi

c:\windows\Installer\1b9498b.msi

c:\windows\Installer\1c5eb42.msi

c:\windows\Installer\1c5eb50.msi

c:\windows\Installer\1c5eb57.msi

c:\windows\Installer\1d7df0c2.msp

c:\windows\Installer\1da0f85.msi

c:\windows\Installer\1da127c.msi

c:\windows\Installer\1da1283.msi

c:\windows\Installer\1da128a.msi

c:\windows\Installer\1da1291.msi

c:\windows\Installer\1da1298.msi

c:\windows\Installer\1da12c0.msi

c:\windows\Installer\1da12c7.msi

c:\windows\Installer\1da12d0.msi

c:\windows\Installer\1f12d.msi

c:\windows\Installer\23a8659.msi

c:\windows\Installer\242fab9.msi

c:\windows\Installer\2586cc98.msi

c:\windows\Installer\2586cf49.msi

c:\windows\Installer\2586d0de.msi

c:\windows\Installer\27c3e82.msp

c:\windows\Installer\2cf5127.msi

c:\windows\Installer\2f69b6d.msi

c:\windows\Installer\33880205.msp

c:\windows\Installer\352782a.msi

c:\windows\Installer\363c2e.msi

c:\windows\Installer\363c46.msi

c:\windows\Installer\383d755a.msi

c:\windows\Installer\383d7564.msi

c:\windows\Installer\45911d.msi

c:\windows\Installer\4ae8eb.msi

c:\windows\Installer\5351692.msi

c:\windows\Installer\54cd12.msi

c:\windows\Installer\54cd19.msi

c:\windows\Installer\54cd20.msi

c:\windows\Installer\54cd28.msi

c:\windows\Installer\54cd2f.msi

c:\windows\Installer\54cd3a.msi

c:\windows\Installer\54cd41.msi

c:\windows\Installer\54cd48.msi

c:\windows\Installer\54cd4f.msi

c:\windows\Installer\54cd56.msi

c:\windows\Installer\54cd5e.msi

c:\windows\Installer\54cd67.msi

c:\windows\Installer\54cd6e.msi

c:\windows\Installer\54cd75.msi

c:\windows\Installer\54cd7c.msi

c:\windows\Installer\54cd83.msi

c:\windows\Installer\54cd8a.msi

c:\windows\Installer\54cd91.msi

c:\windows\Installer\54da0c.msi

c:\windows\Installer\55b48.msp

c:\windows\Installer\5af58e.msi

c:\windows\Installer\5b612e3.msi

c:\windows\Installer\5d204b0.msp

c:\windows\Installer\5d204c9.msp

c:\windows\Installer\5d205a7.msp

c:\windows\Installer\5d205b1.msp

c:\windows\Installer\5d2060f.msp

c:\windows\Installer\5d20623.msp

c:\windows\Installer\5d2063b.msp

c:\windows\Installer\5d20644.msp

c:\windows\Installer\601c1.msp

c:\windows\Installer\601c9.msp

c:\windows\Installer\69405a5.msi

c:\windows\Installer\69405b4.msi

c:\windows\Installer\69405bc.msi

c:\windows\Installer\69405c9.msi

c:\windows\Installer\694a9f4.msi

c:\windows\Installer\694aa05.msi

c:\windows\Installer\694aa0f.msi

c:\windows\Installer\694aa2c.msi

c:\windows\Installer\694aa3d.msi

c:\windows\Installer\694aa45.msi

c:\windows\Installer\694aa4d.msi

c:\windows\Installer\694aa55.msi

c:\windows\Installer\7389778.msi

c:\windows\Installer\78a05.msp

c:\windows\Installer\78a10.msi

c:\windows\Installer\78a19.msi

c:\windows\Installer\78a37.msp

c:\windows\Installer\7dae2.msi

c:\windows\Installer\80924.msi

c:\windows\Installer\80927.msi

c:\windows\Installer\80937.msi

c:\windows\Installer\80941.msi

c:\windows\Installer\80949.msi

c:\windows\Installer\80968.msi

c:\windows\Installer\8097a.msi

c:\windows\Installer\809a5.msi

c:\windows\Installer\809ae.msi

c:\windows\Installer\809ba.msi

c:\windows\Installer\809c7.msi

c:\windows\Installer\809da.msi

c:\windows\Installer\809ed.msi

c:\windows\Installer\8808ba.msi

c:\windows\Installer\8808f8.msi

c:\windows\Installer\880932.msi

c:\windows\Installer\88093b.msi

c:\windows\Installer\8c3e0c.msi

c:\windows\Installer\8c7e8e.msi

c:\windows\Installer\8c7e96.msi

c:\windows\Installer\8c7e9e.msi

c:\windows\Installer\8c7ea6.msi

c:\windows\Installer\a1e2db9.msp

c:\windows\Installer\a47c15.msi

c:\windows\Installer\a86ef8.msi

c:\windows\Installer\aa14fa.msi

c:\windows\Installer\b69a2d.msi

c:\windows\Installer\c2d2785.msi

c:\windows\Installer\c2d28e9.msi

c:\windows\Installer\c86ccd.msi

c:\windows\Installer\c86cd4.msi

c:\windows\Installer\cc230cd.msi

c:\windows\Installer\cc230d5.msi

c:\windows\Installer\cc230dd.msi

c:\windows\Installer\cc230e5.msi

c:\windows\Installer\cc230ed.msi

c:\windows\Installer\cc230f5.msi

c:\windows\Installer\cc230fd.msi

c:\windows\Installer\cc23113.msi

c:\windows\Installer\cc2311b.msi

c:\windows\Installer\cc2312c.msi

c:\windows\Installer\cc23134.msi

c:\windows\Installer\cc2313c.msi

c:\windows\Installer\cc23144.msi

c:\windows\Installer\cc2314d.msi

c:\windows\Installer\cc23163.msi

c:\windows\Installer\cc2316b.msi

c:\windows\Installer\cc23185.msi

c:\windows\Installer\cc2318d.msi

c:\windows\Installer\cc23195.msi

c:\windows\Installer\cc2319d.msi

c:\windows\Installer\de513c.msp

c:\windows\Installer\de5155.msp

c:\windows\Installer\de516e.msp

c:\windows\Installer\de5188.msp

c:\windows\Installer\de51d2.msp

c:\windows\Installer\de51ed.msp

c:\windows\Installer\de5205.msp

c:\windows\Installer\de521f.msp

c:\windows\Installer\de5238.msp

c:\windows\Installer\de5241.msi

c:\windows\Installer\de5259.msp

c:\windows\Installer\de5278.msp

c:\windows\Installer\e1152b.msi

c:\windows\Installer\e28383.msi

c:\windows\Installer\ea21a7.msi

c:\windows\Installer\ea76a.msi

c:\windows\Nt_File_Temp

c:\windows\Nt_File_Temp\__write_ok__

c:\windows\ph401.dll

c:\windows\system32\_scui.cpl

c:\windows\system32\~.exe

c:\windows\system32\lylop.vbs

c:\windows\system32\udom.bat

c:\windows\system32\wonikubes.inf

F:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\logevent.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))

.

2009-09-27 00:29 . 2009-09-27 00:29 -------- d-----w- c:\documents and settings\Marcus\Application Data\HP

2009-09-26 20:52 . 2009-09-26 20:52 -------- d-----w- c:\program files\Trend Micro

2009-09-26 20:03 . 2009-09-26 20:05 0 ----a-r- c:\windows\win32k.sys

2009-09-26 17:10 . 2009-09-26 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

2009-09-26 17:09 . 2009-09-26 17:09 -------- d-----w- c:\program files\STOPzilla!

2009-09-26 17:09 . 2009-09-26 17:09 -------- d-----w- c:\program files\Common Files\iS3

2009-09-26 17:09 . 2009-09-26 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-09-26 16:58 . 2009-09-26 16:58 -------- d-----w- C:\_OTM

2009-09-26 04:30 . 2009-09-26 04:30 -------- d-----w- c:\documents and settings\Marcus\Application Data\Malwarebytes

2009-09-26 04:30 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-26 04:30 . 2009-09-26 17:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-26 04:30 . 2009-09-26 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-26 04:30 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-15 02:06 . 2009-09-15 02:06 -------- d-----w- c:\documents and settings\Marcus\Local Settings\Application Data\AVG Security Toolbar

2009-09-09 22:01 . 1995-03-08 13:58 97792 ----a-w- c:\windows\system\WINSYS.DLL

2009-09-09 22:01 . 1995-02-28 15:14 164928 ----a-w- c:\windows\system\BWCC.DLL

2009-09-09 22:01 . 2009-09-09 22:01 -------- d-----w- C:\IT

2009-09-09 22:01 . 1998-10-29 20:45 307004 ----a-w- c:\windows\ISUN16.EXE

2009-09-09 22:01 . 1995-07-13 22:43 26768 ----a-w- c:\windows\system\CTL3D.DLL

2009-09-09 22:01 . 2009-09-09 22:01 -------- d-----w- c:\documents and settings\Marcus\WINDOWS

2009-09-05 06:51 . 2009-09-05 15:28 -------- d-----w- c:\documents and settings\Marcus\Application Data\Audacity

2009-09-05 06:36 . 2009-09-05 06:36 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

2009-09-05 06:32 . 2009-09-05 06:32 -------- d-----w- c:\documents and settings\Marcus\Application Data\Sony

2009-09-05 05:53 . 2009-09-05 05:54 -------- d-----w- c:\program files\HI-TECH Software

2009-09-05 05:32 . 2009-09-05 05:46 -------- d-----w- C:\VXIPNP

2009-09-05 05:31 . 2009-09-05 05:31 -------- d-----w- c:\program files\IVI

2009-09-05 05:12 . 2009-09-18 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\National Instruments

2009-09-05 05:10 . 2009-09-05 05:10 -------- d-----w- c:\windows\system32\cvirte

2009-09-05 05:08 . 2009-09-05 05:51 -------- d-----w- c:\program files\National Instruments

2009-09-04 01:03 . 2009-09-10 19:06 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-28 19:28 . 2009-08-28 19:28 -------- d-----w- c:\program files\Microsoft WSE

2009-08-28 19:27 . 2009-09-10 18:16 -------- d-----w- c:\documents and settings\Marcus\Application Data\Autodesk

2009-08-28 19:25 . 2009-09-11 00:42 -------- d-----w- c:\documents and settings\Marcus\Local Settings\Application Data\Autodesk

2009-08-28 19:25 . 2009-08-28 19:27 -------- d-----w- c:\program files\DWG TrueView 2010

2009-08-28 19:21 . 2009-08-28 19:45 -------- d-----w- c:\program files\Autodesk

2009-08-28 15:12 . 2009-08-28 15:12 -------- d-----w- C:\Autodesk

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-27 01:05 . 2009-01-05 17:21 -------- d-----w- c:\program files\DNA

2009-09-27 01:05 . 2009-01-05 17:21 -------- d-----w- c:\documents and settings\Marcus\Application Data\DNA

2009-09-27 00:30 . 2006-04-19 15:36 156856 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-26 20:20 . 2007-01-26 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-26 20:09 . 2009-09-26 04:09 230000 ----a-w- c:\documents and settings\Marcus\Application Data\lizkavd.exe

2009-09-26 04:10 . 2009-09-26 04:10 18597 ----a-w- c:\documents and settings\All Users\Application Data\noluxufyto.dat

2009-09-26 04:10 . 2009-09-26 04:10 19250 ----a-w- c:\documents and settings\Marcus\Application Data\sinafi.dat

2009-09-26 04:03 . 2009-09-26 04:03 329216 ----a-w- c:\documents and settings\Marcus\Application Data\svcst.exe

2009-09-26 04:03 . 2009-09-26 04:03 329216 ----a-w- c:\documents and settings\Marcus\Application Data\seres.exe

2009-09-24 06:11 . 2008-11-10 03:09 -------- d-----w- c:\documents and settings\Marcus\Application Data\U3

2009-09-18 03:16 . 2008-09-05 00:57 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-18 03:14 . 2009-03-05 17:04 1281264 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-09-15 02:05 . 2008-09-13 20:06 -------- d-----w- c:\documents and settings\Marcus\Application Data\Move Networks

2009-09-05 05:44 . 2006-10-16 17:03 -------- d-----w- c:\program files\Common Files\Merge Modules

2009-08-28 21:34 . 2007-04-25 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-08-28 19:43 . 2006-09-19 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk

2009-08-28 19:42 . 2006-09-19 02:24 -------- d-----w- c:\program files\Common Files\Autodesk Shared

2009-08-28 05:36 . 2009-02-28 23:36 -------- d-----w- c:\program files\V CAST Music with Rhapsody

2009-08-18 21:43 . 2008-07-31 04:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-18 21:43 . 2008-07-31 04:09 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-18 21:43 . 2008-07-31 04:09 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-17 02:59 . 2009-08-17 02:59 -------- d-----w- c:\program files\Western Digital

2009-07-20 18:57 . 2009-07-20 18:57 17408 ----a-r- c:\windows\system32\SZIO5.dll

2009-07-20 18:56 . 2009-07-20 18:56 311296 ----a-r- c:\windows\system32\SZBase5.dll

2009-07-20 18:56 . 2009-07-20 18:56 540672 ----a-r- c:\windows\system32\SZComp5.dll

2009-07-09 19:52 . 2009-07-09 19:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll

2009-07-09 19:52 . 2009-07-09 19:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll

2009-07-09 19:51 . 2009-07-09 19:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll

2009-07-09 19:51 . 2009-07-09 19:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll

2009-07-09 19:51 . 2009-07-09 19:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll

2009-07-09 19:50 . 2009-07-09 19:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll

2009-07-09 19:50 . 2009-07-09 19:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll

2009-07-09 19:50 . 2009-07-09 19:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll

2009-07-09 19:47 . 2009-07-09 19:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll

2006-11-29 01:17 . 2006-11-29 01:17 604 -c-ha-w- c:\program files\STLL Notifier

2004-03-15 21:51 . 2004-03-15 21:51 114688 ----a-w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll

2006-01-23 14:32 . 2006-01-23 14:32 131072 ----a-w- c:\program files\internet explorer\plugins\LV80ActiveXControl.dll

2007-02-08 14:48 . 2007-02-08 14:48 133920 ----a-w- c:\program files\internet explorer\plugins\LV82ActiveXControl.dll

2007-07-24 23:03 . 2007-07-24 23:03 118784 ----a-w- c:\program files\internet explorer\plugins\LV85ActiveXControl.dll

2009-09-17 01:56 . 2007-12-27 04:14 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-09-17 01:56 . 2007-12-27 04:14 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-09-17 01:56 . 2007-12-27 04:14 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-09-17 01:56 . 2007-12-27 04:14 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-09-17 01:56 . 2007-12-27 04:14 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2006-07-09 13:37 . 2006-07-09 10:37 22 -csha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-06-14 20:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-05 342848]

"mserv"="c:\documents and settings\Marcus\Application Data\svcst.exe" [2009-09-26 329216]

"svchost"="c:\documents and settings\Marcus\Application Data\svcst.exe" [2009-09-26 329216]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-18 2007832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]

"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" [2009-09-27 230000]

c:\documents and settings\Marcus\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-9-13 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-18 21:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [7/10/2007 8:08 PM 15448]

R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [5/12/2009 2:13 PM 61328]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/31/2008 12:09 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/31/2008 12:09 AM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 8:58 PM 297752]

R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [7/19/2007 11:56 AM 11360]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/29/2009 8:58 PM 908056]

S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [7/12/2007 6:18 PM 11360]

S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [7/18/2007 9:11 PM 11904]

S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [7/18/2007 9:12 PM 11896]

S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [7/19/2007 11:48 AM 11384]

S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [7/19/2007 11:56 AM 11360]

.

Contents of the 'Scheduled Tasks' folder

2009-09-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\jffeotct.default\

FF - prefs.js: network.proxy.type - 2

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-26 21:04

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\pymiwy.pif 11350 bytes

c:\windows\system32\_scui.cpl 167424 bytes executable

c:\windows\system32\cygiv.exe 12639 bytes

scan completed successfully

hidden files: 3

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,a0,86,6b,0e,c0,

fb,20,8c,2e,e8,e1,00,eb,16,2b,de,4b,c4,88,ec,8a,82,79,8e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,ba,0d,0b,90,da,

7c,b0,52,46,47,15,b0,92,4b,c7,ef,79,84,5e,01,16,7b,de,0a,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,3c,f0,84,a3,82,

b2,b0,14,7a,45,05,fd,91,e8,6f,31,b5,93,a0,51,74,07,5c,eb,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,30,46,bf,8a,d4,

87,d1,1f,6b,65,49,6a,7e,99,74,f7,3d,aa,4d,00,f6,fc,36,a3,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,1a,7d,84,05,f2,

86,38,de,e9,02,6c,fa,fb,1d,47,57,41,7e,ad,d1,fb,ec,a8,69,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,f1,98,84,c3,f1,

35,ee,0e,50,93,e5,ab,ec,6a,4e,ab,81,02,97,db,83,8b,5a,36,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,e4,43,27,6b,3a,

d1,6e,f6,97,20,4e,9a,c7,f1,35,ee,8b,cd,d7,25,b3,4b,51,82,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,05,03,39,9e,ac,

47,3d,23,aa,52,c6,00,84,3c,26,64,b1,7a,28,1b,60,18,f4,55,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,76,49,c1,7f,63,

92,06,16,b2,46,9a,e2,1b,fe,1b,94,c5,f5,e5,26,98,75,cf,5f,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,4e,84,1e,fe,5f,

fc,ba,32,37,a4,aa,c3,a6,15,56,0a,91,00,c6,7a,af,49,97,1b,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,85,28,1a,8c,29,

f0,ac,42,f8,31,0f,a9,5f,a0,ec,fb,8a,71,35,93,e9,af,b2,17,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,c8,64,00,69,8f,

19,5b,94,05,73,21,dd,54,d8,4a,c5,e7,df,fe,34,ba,89,52,68,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1300)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(984)

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\drivers\CDAC11BA.EXE

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\lkcitdl.exe

c:\windows\system32\lkads.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\windows\system32\lktsrv.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\National Instruments\MAX\nimxs.exe

c:\program files\National Instruments\Shared\Security\nidmsrv.exe

c:\windows\system32\nisvcloc.exe

c:\program files\National Instruments\Shared\Tagger\tagsrv.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\documents and settings\Marcus\Application Data\seres.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

c:\program files\AIM6\aolsoftware.exe

c:\windows\system32\rundll32.exe

c:\program files\Internet Explorer\iexplore.exe

.

**************************************************************************

.

Completion time: 2009-09-27 21:14 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-27 01:14

Pre-Run: 17,025,937,408 bytes free

Post-Run: 20,903,510,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

569 --- E O F --- 2009-05-11 04:06

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:30:04 PM, on 9/26/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\lkcitdl.exe

C:\WINDOWS\system32\lkads.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\lktsrv.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\National Instruments\MAX\nimxs.exe

C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

C:\WINDOWS\system32\nisvcloc.exe

C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\DNA\btdna.exe

C:\Documents and Settings\Marcus\Application Data\svcst.exe

C:\Documents and Settings\Marcus\Application Data\seres.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\YouThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [mserv] C:\Documents and Settings\Marcus\Application Data\svcst.exe

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Cisco Systems, Inc. (ITC) VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe

O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe

O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe

O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe

O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe

O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe

O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--

End of file - 10689 bytes

-Marcus

Link to post
Share on other sites

  • Staff

Hi Marcus,

Before we continue, please go to VirusTotal, and upload the following files for analysis:

c:\windows\system\WINSYS.DLL

c:\windows\system\BWCC.DLL

c:\windows\ISUN16.EXE

c:\windows\system\CTL3D.DLL

c:\windows\system32\drivers\SZKG.sys

c:\documents and settings\Marcus\Application Data\svcst.exe

Post the results in your reply.

-screen317

Link to post
Share on other sites

Hi Marcus,

Before we continue, please go to VirusTotal, and upload the following files for analysis:

c:\windows\system\WINSYS.DLL

c:\windows\system\BWCC.DLL

c:\windows\ISUN16.EXE

c:\windows\system\CTL3D.DLL

c:\windows\system32\drivers\SZKG.sys

c:\documents and settings\Marcus\Application Data\svcst.exe

Post the results in your reply.

-screen317

screen317,

After using ComboFix I was able to reload Malwarebytes' Anti-Malware and perform a full scan. 25 items came up as infected on the scan and these items were quaratined and deleted. I ran the files above through VirusTotal just to make sure. Please analyze these and make sure everything is clean.

NOTE: After performing a scan using Malwarebytes' Anti-Malware, the following exe file is no longer on the system.

c:\documents and settings\Marcus\Application Data\svcst.exe

File WINSYS.DLL received on 2009.09.27 03:26:00 (UTC)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/41 (0%)

Loading server information...

Your file is queued in position: 1.

Estimated start time is between 40 and 57 seconds.

Do not close the window until scan is complete.

The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.

If you are waiting for more than five minutes you have to resend your file.

Your file is being scanned by VirusTotal in this moment,

results will be shown as they're generated.

Compact Print results

Your file has expired or does not exists.

Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:

Antivirus Version Last Update Result

a-squared 4.5.0.24 2009.09.26 -

AhnLab-V3 5.0.0.2 2009.09.26 -

AntiVir 7.9.1.25 2009.09.25 -

Antiy-AVL 2.0.3.7 2009.09.25 -

Authentium 5.1.2.4 2009.09.26 -

Avast 4.8.1351.0 2009.09.26 -

AVG 8.5.0.412 2009.09.26 -

BitDefender 7.2 2009.09.27 -

CAT-QuickHeal 10.00 2009.09.26 -

ClamAV 0.94.1 2009.09.27 -

Comodo 2449 2009.09.27 -

DrWeb 5.0.0.12182 2009.09.27 -

eSafe 7.0.17.0 2009.09.24 -

eTrust-Vet 31.6.6761 2009.09.25 -

F-Prot 4.5.1.85 2009.09.26 -

F-Secure 8.0.14470.0 2009.09.26 -

Fortinet 3.120.0.0 2009.09.26 -

GData 19 2009.09.27 -

Ikarus T3.1.1.72.0 2009.09.26 -

Jiangmin 11.0.800 2009.09.26 -

K7AntiVirus 7.10.855 2009.09.26 -

Kaspersky 7.0.0.125 2009.09.27 -

McAfee 5753 2009.09.26 -

McAfee+Artemis 5753 2009.09.26 -

McAfee-GW-Edition 6.8.5 2009.09.27 -

Microsoft 1.5005 2009.09.23 -

NOD32 4460 2009.09.26 -

Norman 6.01.09 2009.09.26 -

nProtect 2009.1.8.0 2009.09.27 -

Panda 10.0.2.2 2009.09.26 -

PCTools 4.4.2.0 2009.09.25 -

Prevx 3.0 2009.09.27 -

Rising 21.48.60.00 2009.09.27 -

Sophos 4.45.0 2009.09.27 -

Sunbelt 3.2.1858.2 2009.09.26 -

Symantec 1.4.4.12 2009.09.27 -

TheHacker 6.5.0.2.019 2009.09.26 -

TrendMicro 8.950.0.1094 2009.09.25 -

VBA32 3.12.10.11 2009.09.25 -

ViRobot 2009.9.26.1958 2009.09.26 -

VirusBuster 4.6.5.0 2009.09.26 -

Additional information

File size: 97792 bytes

MD5...: 98553d7ce73228bbfdd2e8e1f33b1170

SHA1..: 2c13c30f26fd25c67971937cfaba89b8745f3821

SHA256: 9a39dddbac0c7379f69c758e93c8780ee816b734d59183346ad7fb7a5038d22b

ssdeep: 1536:suXDASB7S1ZMtfL1Dd/YEI1TvigkmJN6uQd8Neob/0gyjCpnjl7lUcMtSJz

+2:suzASB7S1ZUUEMzigksRQloYHjCpnxln

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: DOS Executable Borland Pascal 7.0x (33.7%)

Generic Win/DOS Executable (33.1%)

DOS Executable Generic (33.1%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

File BWCC.DLL received on 2009.09.27 03:30:19 (UTC)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/41 (0%)

Loading server information...

Your file is queued in position: 1.

Estimated start time is between 40 and 57 seconds.

Do not close the window until scan is complete.

The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.

If you are waiting for more than five minutes you have to resend your file.

Your file is being scanned by VirusTotal in this moment,

results will be shown as they're generated.

Compact Print results

Your file has expired or does not exists.

Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:

Antivirus Version Last Update Result

a-squared 4.5.0.24 2009.09.26 -

AhnLab-V3 5.0.0.2 2009.09.26 -

AntiVir 7.9.1.25 2009.09.25 -

Antiy-AVL 2.0.3.7 2009.09.25 -

Authentium 5.1.2.4 2009.09.26 -

Avast 4.8.1351.0 2009.09.26 -

AVG 8.5.0.412 2009.09.26 -

BitDefender 7.2 2009.09.27 -

CAT-QuickHeal 10.00 2009.09.26 -

ClamAV 0.94.1 2009.09.27 -

Comodo 2449 2009.09.27 -

DrWeb 5.0.0.12182 2009.09.27 -

eSafe 7.0.17.0 2009.09.24 -

eTrust-Vet 31.6.6761 2009.09.25 -

F-Prot 4.5.1.85 2009.09.26 -

F-Secure 8.0.14470.0 2009.09.26 -

Fortinet 3.120.0.0 2009.09.26 -

GData 19 2009.09.27 -

Ikarus T3.1.1.72.0 2009.09.26 -

Jiangmin 11.0.800 2009.09.26 -

K7AntiVirus 7.10.855 2009.09.26 -

Kaspersky 7.0.0.125 2009.09.27 -

McAfee 5753 2009.09.26 -

McAfee+Artemis 5753 2009.09.26 -

McAfee-GW-Edition 6.8.5 2009.09.27 -

Microsoft 1.5005 2009.09.23 -

NOD32 4460 2009.09.26 -

Norman 6.01.09 2009.09.26 -

nProtect 2009.1.8.0 2009.09.27 -

Panda 10.0.2.2 2009.09.26 -

PCTools 4.4.2.0 2009.09.25 -

Prevx 3.0 2009.09.27 -

Rising 21.48.60.00 2009.09.27 -

Sophos 4.45.0 2009.09.27 -

Sunbelt 3.2.1858.2 2009.09.26 -

Symantec 1.4.4.12 2009.09.27 -

TheHacker 6.5.0.2.019 2009.09.26 -

TrendMicro 8.950.0.1094 2009.09.25 -

VBA32 3.12.10.11 2009.09.25 -

ViRobot 2009.9.26.1958 2009.09.26 -

VirusBuster 4.6.5.0 2009.09.26 -

Additional information

File size: 164928 bytes

MD5...: f2bb8cb392cc9032b805db7b293a6776

SHA1..: f7ed7abe2bce88a1d0d61a91cdeac383ed0bbade

SHA256: f1cab59ff0daff8713be2348d7abb5eccdbe21777a2b297e617bc6edc11ac39b

ssdeep: 1536:k+ywvL4CTC3WNZvMT7RksKG6DuoC6s2BEufkZINDxQuc:k+3UCTC3W3MfSs

B6DpkZINDxQuc

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: DOS Executable Borland C++ (68.3%)

Clipper DOS Executable (10.6%)

Generic Win/DOS Executable (10.5%)

DOS Executable Generic (10.5%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: Borland International

copyright....: Copyright © Borland Int_l. 1991-1993

product......: n/a

description..: Borland Windows Custom Control Library

original name: BWCC.DLL

internal name: BWCC

file version.: 2.04

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

File ISUN16.EXE received on 2009.09.27 03:32:41 (UTC)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/41 (0%)

Loading server information...

Your file is queued in position: 1.

Estimated start time is between 40 and 57 seconds.

Do not close the window until scan is complete.

The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.

If you are waiting for more than five minutes you have to resend your file.

Your file is being scanned by VirusTotal in this moment,

results will be shown as they're generated.

Compact Print results

Your file has expired or does not exists.

Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:

Antivirus Version Last Update Result

a-squared 4.5.0.24 2009.09.26 -

AhnLab-V3 5.0.0.2 2009.09.26 -

AntiVir 7.9.1.25 2009.09.25 -

Antiy-AVL 2.0.3.7 2009.09.25 -

Authentium 5.1.2.4 2009.09.26 -

Avast 4.8.1351.0 2009.09.26 -

AVG 8.5.0.412 2009.09.26 -

BitDefender 7.2 2009.09.27 -

CAT-QuickHeal 10.00 2009.09.26 -

ClamAV 0.94.1 2009.09.27 -

Comodo 2449 2009.09.27 -

DrWeb 5.0.0.12182 2009.09.27 -

eSafe 7.0.17.0 2009.09.24 -

eTrust-Vet 31.6.6761 2009.09.25 -

F-Prot 4.5.1.85 2009.09.26 -

F-Secure 8.0.14470.0 2009.09.26 -

Fortinet 3.120.0.0 2009.09.26 -

GData 19 2009.09.27 -

Ikarus T3.1.1.72.0 2009.09.26 -

Jiangmin 11.0.800 2009.09.26 -

K7AntiVirus 7.10.855 2009.09.26 -

Kaspersky 7.0.0.125 2009.09.27 -

McAfee 5753 2009.09.26 -

McAfee+Artemis 5753 2009.09.26 -

McAfee-GW-Edition 6.8.5 2009.09.27 -

Microsoft 1.5005 2009.09.23 -

NOD32 4460 2009.09.26 -

Norman 6.01.09 2009.09.26 -

nProtect 2009.1.8.0 2009.09.27 -

Panda 10.0.2.2 2009.09.26 -

PCTools 4.4.2.0 2009.09.25 -

Prevx 3.0 2009.09.27 -

Rising 21.48.60.00 2009.09.27 -

Sophos 4.45.0 2009.09.27 -

Sunbelt 3.2.1858.2 2009.09.26 -

Symantec 1.4.4.12 2009.09.27 -

TheHacker 6.5.0.2.019 2009.09.26 -

TrendMicro 8.950.0.1094 2009.09.25 -

VBA32 3.12.10.11 2009.09.25 -

ViRobot 2009.9.26.1958 2009.09.26 -

VirusBuster 4.6.5.0 2009.09.26 -

Additional information

File size: 307004 bytes

MD5...: de62a45dfd0c593cda013a48c71ea9db

SHA1..: 594509ad23fbd428ce9671ec61496f0e19c42656

SHA256: a1df12dea48b65e9f92db5ef75954a4b3012c1e94f3b49f4dfa37020d92df75a

ssdeep: 6144:JrpL7rmO6n1S+u0kJQMItbsdVew7CFbr9cptPqE:Jl6nk0kSrxsdE2CkL

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win16 NE executable (generic) (89.4%)

Generic Win/DOS Executable (5.2%)

DOS Executable Generic (5.2%)

sigcheck:

publisher....: InstallShield Software Corporation

copyright....: Copyright InstallShield Corporation, Inc. 1990-1997

product......: InstallShield_ unInstaller

description..: InstallShield_ unInstaller

original name: n/a

internal name: n/a

file version.: 5, 51, 138, 0

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

File CTL3D.DLL received on 2009.09.27 03:34:19 (UTC)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/40 (0%)

Loading server information...

Your file is queued in position: 1.

Estimated start time is between 40 and 57 seconds.

Do not close the window until scan is complete.

The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.

If you are waiting for more than five minutes you have to resend your file.

Your file is being scanned by VirusTotal in this moment,

results will be shown as they're generated.

Compact Print results

Your file has expired or does not exists.

Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:

Antivirus Version Last Update Result

a-squared 4.5.0.24 2009.09.26 -

AhnLab-V3 5.0.0.2 2009.09.26 -

AntiVir 7.9.1.25 2009.09.25 -

Antiy-AVL 2.0.3.7 2009.09.25 -

Authentium 5.1.2.4 2009.09.26 -

Avast 4.8.1351.0 2009.09.26 -

AVG 8.5.0.412 2009.09.26 -

BitDefender 7.2 2009.09.27 -

CAT-QuickHeal 10.00 2009.09.26 -

ClamAV 0.94.1 2009.09.27 -

Comodo 2449 2009.09.27 -

DrWeb 5.0.0.12182 2009.09.27 -

eSafe 7.0.17.0 2009.09.24 -

eTrust-Vet 31.6.6761 2009.09.25 -

F-Prot 4.5.1.85 2009.09.26 -

F-Secure 8.0.14470.0 2009.09.26 -

Fortinet 3.120.0.0 2009.09.26 -

GData 19 2009.09.27 -

Ikarus T3.1.1.72.0 2009.09.26 -

Jiangmin 11.0.800 2009.09.26 -

K7AntiVirus 7.10.855 2009.09.26 -

Kaspersky 7.0.0.125 2009.09.27 -

McAfee+Artemis 5753 2009.09.26 -

McAfee-GW-Edition 6.8.5 2009.09.27 -

Microsoft 1.5005 2009.09.23 -

NOD32 4460 2009.09.26 -

Norman 6.01.09 2009.09.26 -

nProtect 2009.1.8.0 2009.09.27 -

Panda 10.0.2.2 2009.09.26 -

PCTools 4.4.2.0 2009.09.25 -

Prevx 3.0 2009.09.27 -

Rising 21.48.60.00 2009.09.27 -

Sophos 4.45.0 2009.09.27 -

Sunbelt 3.2.1858.2 2009.09.26 -

Symantec 1.4.4.12 2009.09.27 -

TheHacker 6.5.0.2.019 2009.09.26 -

TrendMicro 8.950.0.1094 2009.09.25 -

VBA32 3.12.10.11 2009.09.25 -

ViRobot 2009.9.26.1958 2009.09.26 -

VirusBuster 4.6.5.0 2009.09.26 -

Additional information

File size: 26768 bytes

MD5...: 14b7d9a6c0deb0eaa0227c769fbe0a62

SHA1..: c3514ea342e6b74ce0efac06783f208a7a7f4e32

SHA256: b8e49ee96df4c5c88a76425ac38def02d65cdc4dfdc6f76ce1bfb30c034e32f7

ssdeep: 384:zkbezWYx+F6gu1hEy69lLKchfOVQ22SBHu5QXQZQ0DVPYOZ0hU+rk7Jg:zRi

Yx+F6GySYOmV7QZNJYOChU+GJg

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Dynamic Link Library (generic) (87.9%)

Generic Win/DOS Executable (6.0%)

DOS Executable Generic (6.0%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: Copyright © Microsoft Corp. 1992-1995

product......: 3D Windows Controls

description..: Ctl3D 3D Windows Controls

original name: n/a

internal name: CTL3D

file version.: 2.31.000

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

File SZKG.sys received on 2009.09.27 03:38:15 (UTC)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 4/41 (9.76%)

Loading server information...

Your file is queued in position: ___.

Estimated start time is between ___ and ___ .

Do not close the window until scan is complete.

The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.

If you are waiting for more than five minutes you have to resend your file.

Your file is being scanned by VirusTotal in this moment,

results will be shown as they're generated.

Compact Print results

Your file has expired or does not exists.

Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:

Antivirus Version Last Update Result

a-squared 4.5.0.24 2009.09.26 -

AhnLab-V3 5.0.0.2 2009.09.26 Win-Trojan/Agent.54656.C

AntiVir 7.9.1.25 2009.09.25 -

Antiy-AVL 2.0.3.7 2009.09.25 Trojan/Win32.Agent.gen

Authentium 5.1.2.4 2009.09.26 -

Avast 4.8.1351.0 2009.09.26 -

AVG 8.5.0.412 2009.09.26 -

BitDefender 7.2 2009.09.27 -

CAT-QuickHeal 10.00 2009.09.26 -

ClamAV 0.94.1 2009.09.27 -

Comodo 2449 2009.09.27 -

DrWeb 5.0.0.12182 2009.09.27 -

eSafe 7.0.17.0 2009.09.24 Win32.RkitAgent.Jay

eTrust-Vet None 2009.09.25 -

F-Prot 4.5.1.85 2009.09.26 -

F-Secure 8.0.14470.0 2009.09.26 -

Fortinet 3.120.0.0 2009.09.26 PossibleThreat

GData 19 2009.09.27 -

Ikarus T3.1.1.72.0 2009.09.26 -

Jiangmin 11.0.800 2009.09.26 -

K7AntiVirus 7.10.855 2009.09.26 -

Kaspersky 7.0.0.125 2009.09.27 -

McAfee 5753 2009.09.26 -

McAfee+Artemis 5753 2009.09.26 -

McAfee-GW-Edition 6.8.5 2009.09.27 -

Microsoft 1.5005 2009.09.23 -

NOD32 4460 2009.09.26 -

Norman 6.01.09 2009.09.26 -

nProtect 2009.1.8.0 2009.09.27 -

Panda 10.0.2.2 2009.09.26 -

PCTools 4.4.2.0 2009.09.25 -

Prevx 3.0 2009.09.27 -

Rising 21.48.60.00 2009.09.27 -

Sophos 4.45.0 2009.09.27 -

Sunbelt 3.2.1858.2 2009.09.26 -

Symantec 1.4.4.12 2009.09.27 -

TheHacker 6.5.0.2.019 2009.09.26 -

TrendMicro 8.950.0.1094 2009.09.25 -

VBA32 3.12.10.11 2009.09.25 -

ViRobot 2009.9.26.1958 2009.09.26 -

VirusBuster 4.6.5.0 2009.09.26 -

Additional information

File size: 61328 bytes

MD5...: 2bb7c951bf74183a67efaaf614823076

SHA1..: 428f29db82ed6bb490f3d3f5e0e7d2ea9659393f

SHA256: eeb5aea0adca6108d7eeed7d5398f4229dcd915288e7c045aa4e022fd3adef33

ssdeep: 768:8jY9NWVngNuTIQmUg68Ad4gk19mHCD9gLa1tz/nUYJXyP5kLVbMmS:8jY9Ns

NF0+C19oCDKLazsiXMyJDS

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0xbd72

timedatestamp.....: 0x49b9355a (Thu Mar 12 16:16:26 2009)

machinetype.......: 0x14c (I386)

( 9 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x500 0x8a4a 0x8a80 6.59 b0b6c8d15fad22deb51e4c181674edc6

.rdata 0x8f80 0x1904 0x1980 7.35 4e1d4219dbf2ff8c0966d7cc2dd4aca7

.data 0xa900 0x424 0x480 2.29 be63029635f9cdd332dd038ef5302910

.CRT 0xad80 0x1c 0x80 0.80 d30872640923fa0ced64d0bd0a11b9cb

.STL 0xae00 0x10 0x80 0.00 f09f35a5637839458e462e6350ecbce4

PAGE 0xae80 0xbc4 0xc00 6.03 32c0a1bf5dc19684a2fc5df216074ad9

INIT 0xba80 0xbc2 0xc00 6.02 e5a2806f42798b6828a38b6af7223963

.rsrc 0xc680 0x390 0x400 3.00 62c0718fa1734b12b399d7eac069e75f

.reloc 0xca80 0xaaa 0xb00 5.20 627266c0d613b2701003ff69b407a945

( 2 imports )

> ntoskrnl.exe: ObfDereferenceObject, ObQueryNameString, ObReferenceObjectByHandle, MmGetSystemRoutineAddress, memcpy, RtlDeleteRegistryValue, PsGetVersion, KeInitializeEvent, MmMapLockedPages, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, IoFreeMdl, MmUnmapLockedPages, KeWaitForSingleObject, PsTerminateSystemThread, KeQuerySystemTime, wcsncmp, ZwReadFile, ZwOpenFile, MmIsNonPagedSystemAddressValid, memset, ProbeForWrite, DbgPrint, ZwQueryDirectoryFile, ZwEnumerateKey, ZwOpenKey, IoGetCurrentProcess, KeSetEvent, ZwOpenSymbolicLinkObject, PsSetLoadImageNotifyRoutine, KeServiceDescriptorTable, ZwSetValueKey, ZwCreateFile, RtlCopyUnicodeString, ExAllocatePoolWithTag, ZwOpenProcess, RtlUpcaseUnicodeChar, swprintf, tolower, ZwSetInformationFile, KeGetCurrentThread, IoGetBaseFileSystemDeviceObject, IoFreeIrp, IofCallDriver, IoReuseIrp, IoAllocateIrp, IoGetRelatedDeviceObject, MmBuildMdlForNonPagedPool, IoAllocateMdl, KeTickCount, KeBugCheckEx, ZwQuerySymbolicLinkObject, ZwDeleteKey, ZwClose, RtlAppendUnicodeStringToString, RtlInitUnicodeString, ExFreePoolWithTag, PsSetCreateProcessNotifyRoutine, IoDeleteDevice, IoCreateSymbolicLink, IoDeleteSymbolicLink, IoRegisterShutdownNotification, IoUnregisterShutdownNotification, IoCreateDevice, ZwWriteFile, ZwQueryInformationFile, memmove, ZwCreateKey, ZwEnumerateValueKey, PsCreateSystemThread, RtlUnwind, ExAllocatePool

> HAL.dll: KfRaiseIrql, KfLowerIrql, ExReleaseFastMutex, ExAcquireFastMutex, KfReleaseSpinLock, KfAcquireSpinLock

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable Generic (58.4%)

Clipper DOS Executable (13.8%)

Generic Win/DOS Executable (13.7%)

DOS Executable Generic (13.7%)

VXD Driver (0.2%)

sigcheck:

publisher....: iS3 Inc.

copyright....: Copyright ©2005-2009 iS3 Inc . All rights reserved.

product......: Stopzilla

description..: szkg Device Driver

original name: szkg.sys

internal name: Avenger V

file version.: 2.40.0

comments.....: n/a

signers......: iS3, Inc.

VeriSign Class 3 Code Signing 2004 CA

Class 3 Public Primary Certification Authority

signing date.: 8:12 PM 5/12/2009

verified.....: -

Link to post
Share on other sites

  • Staff

Hi,

Post the last log from MBAM please; I would like to see what else it removed.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=25982
Collect::
c:\windows\system32\drivers\SZKG.sys
Driver::
szkg5

Save this as CFScript.txt

CFScriptB-4.gif

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

-screen317

Link to post
Share on other sites

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.