
mbam, hjt blocked - need help


thecaleb


Recently my computer was infected with some kind of virus. When I try to open MBAM, I can run it once, only to have it scan 0 files and crash. Reopening it brings up a message that says "Windows cannot find the specified device, path, or file. You may not have the appropriate permissions to access the item." HijackThis performs the same way. AVG scanned and found nothing. My computer is now constantly pegged at 100% usage, and Google searches will often redirect me to a different, unrelated site.

Internet Explorer seems to work fine other than the redirects.

Any help would be greatly appreciated.


  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


ComboFix just finished; I'll run HijackThis in a second.

Here's the ComboFix log:

ComboFix 09-09-25.01 - Caleb 09/27/2009 22:48.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2067 [GMT -4:00]

Running from: c:\documents and settings\Caleb\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Caleb\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\Caleb\Local Settings\Application Data\{BC31A679-1CCA-425D-9999-6E2388C2534D}

c:\documents and settings\Caleb\Local Settings\Application Data\{BC31A679-1CCA-425D-9999-6E2388C2534D}\chrome.manifest

c:\documents and settings\Caleb\Local Settings\Application Data\{BC31A679-1CCA-425D-9999-6E2388C2534D}\chrome\content\_cfg.js

c:\documents and settings\Caleb\Local Settings\Application Data\{BC31A679-1CCA-425D-9999-6E2388C2534D}\chrome\content\c.js

c:\documents and settings\Caleb\Local Settings\Application Data\{BC31A679-1CCA-425D-9999-6E2388C2534D}\chrome\content\overlay.xul

c:\documents and settings\Caleb\Local Settings\Application Data\{BC31A679-1CCA-425D-9999-6E2388C2534D}\install.rdf

c:\windows\Installer\c1930.msi

c:\windows\Installer\WMEncoder.msi

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user(2).ds

c:\windows\system32\lowsec\user(3).ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\sdra64.exe

c:\windows\system32\xa.tmp

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))

.

2009-09-28 02:56 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-27 22:38 . 2009-09-27 22:38 -------- d-----w- c:\program files\uTorrent

2009-09-27 22:32 . 2009-09-27 22:32 -------- d-----w- c:\documents and settings\Caleb\Local Settings\Application Data\AskToolbar

2009-09-27 22:32 . 2009-09-27 22:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-25 21:07 . 2009-09-25 21:07 -------- d-----w- c:\documents and settings\Caleb\Application Data\SUPERAntiSpyware.com

2009-09-25 20:01 . 2009-09-27 22:39 0 ----a-r- c:\windows\win32k.sys

2009-09-14 04:16 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-09-14 04:16 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-09-14 04:16 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-09-14 04:16 . 2009-09-14 04:17 -------- d-----w- c:\program files\Common Files\PC Tools

2009-09-14 04:16 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-09-14 04:16 . 2009-09-14 04:16 -------- d-----w- c:\documents and settings\Caleb\Application Data\PC Tools

2009-09-14 04:16 . 2009-09-14 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-09-03 04:19 . 2009-09-03 04:19 -------- d-----w- c:\program files\iPod

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-27 22:38 . 2009-06-27 07:09 -------- d-----w- c:\documents and settings\Caleb\Application Data\uTorrent

2009-09-25 05:39 . 2008-06-09 02:42 -------- d-----w- c:\documents and settings\Caleb\Application Data\FrostWire

2009-09-14 04:22 . 2009-06-23 06:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-09 02:47 . 2008-09-11 22:30 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-09-03 04:19 . 2007-07-17 17:19 -------- d-----w- c:\program files\iTunes

2009-09-03 04:19 . 2007-07-18 17:48 -------- d-----w- c:\program files\Common Files\Apple

2009-08-22 19:14 . 2008-06-09 02:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-22 19:14 . 2008-06-09 02:28 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-22 19:14 . 2008-06-09 02:28 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-24 39408]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-04 2356088]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-22 2007832]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

D-Link AirPlus DWL-120+ Configuration Utility.lnk - c:\program files\D-Link AirPlus DWL-120+\AIRPLUS.EXE [2007-7-21 253952]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-22 19:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/14/2009 12:16 AM 130936]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/8/2008 10:28 PM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/8/2008 10:28 PM 108552]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 9:22 PM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 9:22 PM 297752]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S1 Start1Driver;Start1Driver; [x]

S2 Start2Driver;Start2Driver; [x]

S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [7/16/2007 3:45 PM 32384]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]

S3 SNPP202;PC Camera (6028 VGA);c:\windows\system32\drivers\snpp202.sys [6/19/2008 2:41 AM 236544]

S3 TIAcxubt;D-Link WLAN USB Boot Device;c:\windows\system32\drivers\tiacxubt.sys [7/21/2007 7:15 PM 58752]

S3 TIACXUSB;D-Link AirPlus DWL-120+ Wireless USB Adapter;c:\windows\system32\drivers\tiacxusb.sys [7/21/2007 7:15 PM 177792]

.

Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-25 c:\windows\Tasks\WebReg Officejet 5600 series.job

- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-12 20:45]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.netscape.com/

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab

.

- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

HKCU-Run-Aim6 - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-27 22:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3692)

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe

c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

.

**************************************************************************

.

Completion time: 2009-09-28 23:02 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-28 03:02

Pre-Run: 23,539,798,016 bytes free

Post-Run: 30,435,319,808 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

206 --- E O F --- 2008-12-18 08:03


I got this error when I tried to run HijackThis:

"Windows cannot find the specified device, path, or file. You may not have the appropriate permissions to access the item."

On a side note, my CPU usage isn't pegged at 100% anymore, but it still jumps around between 15% and 80%. Still better than 100% though B)


  • Staff

Hi,

> I got this error when I tried to run HijackThis:
>
> "Windows cannot find the specified device, path, or file. You may not have the appropriate permissions to access the item."

Uninstall and reinstall HijackThis; see if it will run now.

> On a side note, my CPU usage isn't pegged at 100% anymore, but it still jumps around between 15% and 80%. Still better than 100% though B)

Which process is spiking like that?

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::
Start1Driver
Start2Driver

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif, dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

-screen317
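The CFScript above targets exactly the two services that ComboFix's Drivers/Services section listed with "[x]" in place of a file date and size. As an added example (not ComboFix's code or the staff's), here is how a helper could pull those entries out of a posted log and draft the Driver:: block for review; the sample lines are constructed from the log in this thread, and "[x]" is assumed here to mean the service's binary is missing, consistent with the entries the staff chose.

```python
"""Parse ComboFix 'Drivers/Services' lines and draft a CFScript Driver:: block.

ComboFix lists each service or driver on one line, for example:
    R0 PCTCore;PCTools KDS;c:\\windows\\system32\\drivers\\PCTCore.sys [9/14/2009 12:16 AM 130936]
    S1 Start1Driver;Start1Driver; [x]
This is an added example, not ComboFix's own parser.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a few lines taken from the thread's ComboFix log, plus the
# separator and heading that follow that section in a real log.
SAMPLE_LOG = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/14/2009 12:16 AM 130936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/8/2008 10:28 PM 335240]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 Start1Driver;Start1Driver; [x]
S2 Start2Driver;Start2Driver; [x]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [7/16/2007 3:45 PM 32384]
.
Contents of the 'Scheduled Tasks' folder
"""

# Line layout as this example reads it: "<R|S><start-type> <name>;<display>;<path> [<info>]"
# where R/S is running/stopped, the digit is the service start type, and the
# bracketed info is either "<date> <time> <size>", "[?]" (unreadable) or "[x]" (no binary).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+"      # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);"              # service / driver key name (what CFScript needs)
    r"(?P<display>[^;]*);"           # display name
    r"(?P<path>.*?)\s*"              # image path; empty when ComboFix found none
    r"\[(?P<info>[^\]]*)\]\s*$"      # trailing bracket: date/size, "?" or "x"
)


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    info: str

    @property
    def binary_missing(self) -> bool:
        # "[x]" is assumed to mark a service whose image file does not exist.
        return self.info.strip().lower() == "x"


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Return every line that matches ComboFix's service-line layout."""
    entries: List[ServiceEntry] = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(**m.groupdict()))
    return entries


def orphaned_drivers(log_text: str) -> List[ServiceEntry]:
    """Services registered in the log whose binary is reported missing."""
    return [e for e in parse_services(log_text) if e.binary_missing]


def draft_cfscript(log_text: str) -> str:
    """Draft the Driver:: section a helper would review before posting it.

    Returns an empty string when nothing is orphaned, so nothing is proposed.
    """
    names = [e.name for e in orphaned_drivers(log_text)]
    if not names:
        return ""
    return "Driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    for entry in parse_services(SAMPLE_LOG):
        flag = "MISSING" if entry.binary_missing else "ok"
        print(f"{entry.state} {entry.name:<14} {flag:<8} {entry.path or '(no path)'}")
    print()
    print(draft_cfscript(SAMPLE_LOG), end="")
```

The drafted block is a starting point for a human reviewer: an entry with a missing binary may be leftover from an uninstalled product rather than malware, so the list is meant to be checked against the rest of the log before it goes into a CFScript.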


I couldn't figure out what process was spiking my usage. I checked out other similar problems, and people seemed to have an eventlog.dll problem that I noticed ComboFix took care of, so I'm assuming that was it.

The HijackThis reinstall worked; here's the log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:17:15 PM, on 9/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\D-Link AirPlus DWL-120+\AIRPLUS.EXE

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Documents and Settings\Caleb\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: D-Link AirPlus DWL-120+ Configuration Utility.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184681017755

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199072276421

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab

O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab

O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)

O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 8013 bytes

-------------------------------------

When I ran ComboFix, I got a weird log in C: named "Bug":

PUSHD "C:\32788R22FWJFW"

SET "Comspec=C:\WINDOWS\system32\cmd.execf"

IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

VER 1>OsVer

GREP.cfxxe -F "5.1.2" OsVer 1>XP.mac

IF 0 == 0 GOTO NT

GREP.cfxxe -isq "ProductType.*WinNT" WinNT00 || GOTO Not_NT

SET "Ver_CF=09-09-28.01"

IF NOT EXIST NircmdB.exe COPY /Y Nircmd.cfxxe NircmdB.exe

1 file(s) copied.

PEV UZIP License\pv_5_2_2.zip .\

MOVE /Y PV.exe PV.cfxxe

IF NOT EXIST PEV.cfxxe COPY /Y PEV.exe PEV.cfxxe

1 file(s) copied.

SED "/^PATH=/I!d; s///; s/\x22//g" Oripath 1>OriPath00

PEV -rtf -s+901 .\OriPath00 && (

SED -r "s/\x22//g; s/(.{900}).*/\1/; s/;[^;]*$//" OriPath00 1>OriPath01

FOR /F "TOKENS=*" %G IN (OriPath01) DO @SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"

)

IF NOT EXIST OriPath01 FOR /F "TOKENS=*" %G IN (OriPath00) DO SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"

SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\PC Connectivity Solution;C:\Program Files\Intel\DMIX;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem"

Killing 'runonce.exe'

Killing 'grpconv.exe'

Killing 'procmon.exe'

Killing 'ANDRE.EXE'

Killing 'TOLO.exe'

Killing 'Merlin.scr'

Killing 'jalang.exe'

Killing 'jalangkung.exe'

Killing 'jantungan.exe'

Killing 'DOSEN.exe'

Killing 'C3W3K4MPUS.exe'

pv: No matching processes found

PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe } 1>temp00 && (

PV -o%f * 1>temp01

PEV -tf -t!o --files:temp01 --c:##5#b#f# 1>temp02

GREP -Fif temp00 temp02 1>temp03

SED "/.* /!d; s///" temp03 1>temp04

SED ":a; $!N; s/\n/\x22 \x22/; ta; s/.*/\x22&\x22/" temp04 1>temp05

FOR /F "TOKENS=*" %G IN (temp05) DO @NIRCMD KILLPROCESS %G

)

Active code page: 1252

Could Not Find C:\32788R22FWJFW\AbortB

CALL :MDCheck

Could Not Find C:\32788R22FWJFW\md5sum00.pif

PEV -rtf -md57921AF466349CCE6A177991EE4FD143D .\md5sum.pif || CALL :MDFaiL ChkSum_Fail

.\md5sum.pif

PEV -tf --files:files.pif --c:##5#b#f# 1>mdCheck00.dat

GREP -vs "^!MD5:" mdCheck00.dat 1>mdCheck0a.dat

GREP -Fvf md5sum.pif mdCheck0a.dat 1>mdCheck01.dat && CALL :MDFaiL

GOTO :EOF

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Caleb\Application Data

cfExt=cfxxe

CFLDR=32788R22FWJFW

Chksum=7921AF466349CCE6A177991EE4FD143D

CLASSPATH=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip

CLIENTNAME=Console

Command switches used=Command switches used

CommonProgramFiles=C:\Program Files\Common Files

Completion time=Completion time

COMPUTERNAME=GLENN-887A624B2

ComSpec=C:\WINDOWS\system32\cmd.execf

Connecting to=Connecting to

Connecting to ComboFix servers=Connecting to ComboFix servers

Cryptography Services Error=Cryptography Services Error

Disclaimer=The following websites are not in any way affiliated to ComboFix:~n~n http://www.combofix.org/~n http://www.combofixdownload.com/~n~nIf you have purchased anything from them, I suggest you instruct your~nfinanciers to cancel the transaction.~n~n ----------------------- -----------------------~n~nA guide on proper ComboFix usage may be found at:~nhttp://www.bleepingcomputer.com/combofix/how-to-use-combofix~n~nComboFix is meant for private use. It should never be used in an~nunsupervised environment. If infections are found, it will automatically~nreboot the machine to complete the removal process. Please ensure all~nopened windows are closed before proceeding.~n~nThis software is provided 'as is', without warranty of any kind. All~nimplied warranties are expressly disclaimed. If you do not agree to the~nabove terms, please click No to exit" "DISCLAIMER OF WARRANTY ON SOFTWARE.

DLLs Loaded Under Running Processes=DLLs Loaded Under Running Processes

Drivers/Services=Drivers/Services

Fail2Delete=failed to delete

File Associations=File Associations

File Replicators=File Replicators

Files Infected - Patched=Files Infected - Patched

FIREFOX POLICIES=FIREFOX POLICIES

FP_NO_HOST_CHECK=NO

hidden files=hidden files

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Caleb

is infected=is infected

is missing=is missing

KMD=CF8913.exe

LANG_CF=EN

Line1=Please wait.

Line10=ComboFix has detected the presence of rootkit activity and needs to reboot the machine~nKindly note down on paper, the name of each file. We may need it later~n~n%~G" "Rootkit !!

Line10A=ComboFix has detected the presence of rootkit activity and needs to reboot the machine" "Rootkit !!

Line11=Scanning for infected files . . .

Line12=This typically doesn't take more than 10 minutes

Line13=However, scan times for badly infected machines may easily double

Line14=%G ...... driver unloaded successfully.

Line15=Rootkit driver %G is still present. A rootkit scan is required

Line16=ComboFix has changed your clock settings.

Line17=Do not change it back. It shall be restored later

Line18=ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat

Line19=to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

Line2=ComboFix is preparing to run.

Line20=Preparing Log Report.

Line21=Do not run any programs until ComboFix has finished

Line22=No new files created in this timespan

Line23=*Note* empty entries ^& legit default entries are not shown

Line24=Contents of the 'Scheduled Tasks' folder

Line25=Almost done . . This window will close in a short while

Line26=Please wait a few seconds for the report log to pop up

Line27=ComboFix's log shall be located at C:\COMBOFIX.TXT

Line28=Rebooting Windows . . . Please wait

Line29=Please allow ComboFix to reboot the machine.

Line3=You need Administrative privileges to run this tool" "Not Admin !!

Line30=Overlay aborted ... Please run ComboFix once more

Line31=Date Error: ~%CurrDate.yyyy-MM-dd%~n~nCheck your settings" "DATE ERROR

Line32=C:\WINDOWS\system32\HAL.DLL is missing !!~n~nIt's IMPORTANT that you DO NOT reboot/shutdown the machine~n~nPost to the forums for immediate help. Do not click OK until further instructed" "CRITICAL WARNING !!

Line33=ComboFix needs to submit malware files for further analysis.~n~nPlease ensure that you're connected to the internet before clicking OK" "Submit Files for further analysis

Line34=Submit malware to Bleeping Computer for analysis.

Line35=Copy/Paste the filepath below into the box above and click Send.

Line36=Infected copy of %~1 was found and disinfected

Line36A=Restored copy from - %~2

Line37=%~1 . . . is infected!!

Line38=((((((((((((((((((((((((( Files Created from %thirty% to %dateX% )))))))))))))))))))))))))))))))

Line39=(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

Line4=C:\WINDOWS\regedit.exe is missing~n~nCopy one from another machine" "Terminal Error - Missing file

Line40=Webserver appears to be temporarily inaccessible.~nFor your convenience, ComboFix created a submissions form located at:~n~n* C:\CF-Submit.htm~n~nPlease use that to manually upload it later. " "Upload Failed!!

Line41=((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

Line42=((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Line43=Deleting Files:

Line43A=Deleting Folders:

Line44=- REDUCED FUNCTIONALITY MODE -

Line45=SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

Line46=scanning hidden processes ...

Line47=scanning hidden autostart entries ...

Line48=scanning hidden files ...

Line49=-- Snapshot reset to current date --

Line5=Current date is ~%CurrDate.yyyy-MM-dd%. ComboFix has expired~n~nClick 'Yes' to run in REDUCED FUNCTIONALITY mode~n~nClick 'No' to exit" "Version_%ver_CF%

Line50=ComboFix is uninstalled" "Info

Line51=Will only install the Recovery Console for Windows XP

Line52=Boot Partition cannot be enumerated correctly

Line53=%BootDir%Boot.ini is not correctly formated

Line54=This machine already has the Recovery Console installed.~n~nAborting operations

Line55=Please click 'YES' in the End User License Agreement (EULA) dialog that follows ..." "Installing the Recovery Console

Line56=Installation file - %~G - cannot be found

Line57=You didn't select YES~n~nInstallation is aborted

Line58=Contents of %BootDir%cmdcons are not in order.~n~nPlease disable your security programs before trying again

Line59=Congratulations!!! The Microsoft Recovery Console was successfully installed.~n~nOn each restart of the machine, a black screen will offer you the option to boot into recovery console mode.~nFor normal use, just ignore the black screen. Windows shall boot normally in 2 seconds~n~nClick 'Yes' to continue scanning for malware" "Info

Line6=Were you trying to run CFScript?~n~nThe name, CFScript appears to be incorrectly spelt" "CFScript Name Error

Line60=Click 'Yes' to continue scanning for malware~n~nClick 'No' to exit" "What's next ?

Line62=There's a newer version of ComboFix available.~n~nWould you like to update ComboFix?" "Update

Line63=--- WARNING !! ---~n~nA critical update is required.~n~nComboFix shall now update itself.~n~n--- WARNING !! ---" "Mandatory Update

Line64=Failed to download updated copy.~n~nWill continue with existing copy" "Failed Download

Line65=ComboFix shall now restart" "Updated

Line66=Interference detected~n~nPlease perform a Rootkit Scan" "Abort!

Line67=You cannot rename ComboFix as %FileName%~n~nPlease use another name, preferbaly made up of alphanumeric characters

Line68=%cd% not in expected location~n~n Inform sUBs now!!

Line69=ComboFix effected repairs on missing C:\WINDOWS\system32\hal.dll

Line7=Attempting to create a new System Restore point

Line70=This machine does not have the 'Microsoft Windows recovery console' installed~n~nWithout it, ComboFix shall not attempt the fixing of some serious infections.~n~nClick 'Yes' to have ComboFix download/install it.~n~nNOTE: this requires an active internet connection." "Microsoft Windows Recovery Console

Line71=Click 'Yes' if this is a WINDOWS XP *HOME EDITION* machine" "XP Home Edition

Line72=Failed to download required files. Aborting ... ~n~nShall continue scanning for malware

Line73=Internal error! Failed to enumerate download path. ~n~nAborting ... Shall continue scanning for malware

Line74=You do not appear to be connected to the internet. Kindly connect before clicking 'OK'

Line75=The following files were trying to attach to ComboFix. They shall be disabled~nKindly note down on paper, the name of each file. We may need it later~n~n%~G" "Parasites found !!

Line76=ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!

Line77=%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!

Line78=%~1 was missing

Line79=%~1 . . . is missing!!

Line8=Rich text formats (RTF) are unacceptable !!~n~nPlease save CFScript commands as a textfile, using Notepad.exe" "ERROR - Script format is incorrect

Line80=!! ALERT !! It is NOT SAFE to continue!~n~nThe contents of the ComboFix package has been compromised.~nPlease download a fresh copy from:~n~nhttp://www.bleepingcomputer.com/combofix/how-to-use-combofix~n~nNote: You may be infected with a file patching virus 'Virut'" "Error

Line81=ComboFix's script appears tampered. It is not safe to continue.~nComboFix shall now exit. Please inform the forum helper that's aiding~nyou. Unless further instructed to do so, do not run ComboFix again." "Failed Verification

Line82=Webserver appears to be temporarily inaccessible.~nFor your convenience, a zipped file has been created at:~n~nC:\CFCollect.zip~n~nPlease upload the file to BleepingComputer~n~nDo not forget to fill in the 'Comments' section" "Upload Failed!!

Line83=NETSVCS REQUIRES REPAIRS - current entries shown

Line84=http://download.bleepingcomputer.com/sUBs/ComboFix.exe~nhttp://www.forospyware.com/sUBs/ComboFix.exe~n~nComboFix.exe may be downloaded from any of the above sites. If you~nhave downloaded from some other site, there's a likely chance that it~nmay be tainted. For peace of mind, I suggest that you delete the current~ncopy and get a fresh one." "Caution

Line85=Manual Fix is required for restoring CommonStartup

Line9=Rootkit driver %G is present. ... attempting disinfection

Line90=ComboFix needs to perform a deeper scan

Line91=This should not take more than 10-15 minutes

Line92=Infected HTML files detected.

Line93=ComboFix will now attempt to disinfect

Line94=This is going to take some time

Line95=Disinfection complete !!! ... continuing Log Report preparation

Line96=Recovery in Progress . . .

Line97=WARNING !! Do not manually reboot the machine yourself

LOCKED REGISTRY KEYS=LOCKED REGISTRY KEYS

LOGONSERVER=\\GLENN-887A624B2

machine was rebooted=machine was rebooted

not completed=not completed

NUMBER_OF_PROCESSORS=2

ORPHANS REMOVED=ORPHANS REMOVED

OS=Windows_NT

Other Running Processes=Other Running Processes

Other Services/Drivers In Memory=Other Services/Drivers In Memory

Path=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\PC Connectivity Solution;C:\Program Files\Intel\DMIX;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem

PATHEXT=.cfxxe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

Possible infected sites=Possible infected sites

Post-Run=Post-Run

Pre-Run=Pre-Run

Previous Run=Previous Run

PROCESS=PROCESS

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=0209

ProgramFiles=C:\Program Files

PROMPT=$

Qrntn=C:\Qoobox\Quarantine

QTJAVA=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

RecoveryConsole=WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

Resident AV is active=Resident AV is active

RestorePoint= * Created a new restore point

RKEY_=hklm\software\microsoft\windows nt\currentversion\windows

Running from=Running from

scan completed successfully=scan completed successfully

SESSIONNAME=Console

sfxcmd="C:\Documents and Settings\Caleb\Desktop\ComboFix.exe" "C:\Documents and Settings\Caleb\Desktop\CFScript.txt"

sfxname=C:\Documents and Settings\Caleb\Desktop\ComboFix.exe

Stage=Completed Stage_

Supplementary Scan=Supplementary Scan

SYSTEM=C:\WINDOWS\system32

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\Caleb\LOCALS~1\Temp

The following files were disabled during the run=The following files were disabled during the run

TMP=C:\DOCUME~1\Caleb\LOCALS~1\Temp

Upload was successful=Upload was successful

Uploading files to server=Uploading files to server

USERDOMAIN=GLENN-887A624B2

USERNAME=Caleb

USERPROFILE=C:\Documents and Settings\Caleb

Ver_CF=09-09-28.01

windir=C:\WINDOWS

=============================================

IF NOT DEFINED sfxname GOTO END

GREP -F \ temp01 && CALL :Aux

GREP -Fi "C:\WINDOWS\system32\userinit.exe" Userinit00 || (SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\WINDOWS\system32\userinit.exe," )

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

SET SfxCmd 1>SET00

SED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*C:\\Documents and Settings\\Caleb\\Desktop\\ComboFix.exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET00 1>sfx.cmd

DEL /A/F SET00

ATTRIB +R "C:\Documents and Settings\Caleb\Desktop\ComboFix.exe"

@SET SfxCmd="C:\Documents and Settings\Caleb\Desktop\CFScript.txt"

CALL sfx.cmd

CALL AV.cmd

SET /a AVCount+=1

NIRCMD EXEC HIDE PV -d9000 -kf CSCRIPT.EXE

CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs

PV -kf CSCRIPT.exe PV.*

Killing 'CSCRIPT.exe'

Killing 'PV.*'

IF NOT EXIST AvBlack00 GREP -Fsf AVBlack resident.txt 1>AvBlack00 && (

SED -r "s/\x22//g; s/.*\) //; s/.*(\{.{8}-.{4}-.{4}-.{4}-.{12}\}).*/\1/" AvBlack00 1>AvBlack01

FOR /F "TOKENS=*" %G IN (AvBlack01) DO @CSCRIPT.EXE //NOLOGO //E:VBSCRIPT //T:5 wmi_rem.vbs "%~G"

NIRCMD EXEC HIDE PV -d6000 -kf CSCRIPT.EXE

CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs

PV -kf CSCRIPT.exe PV.*

)

GREP -Fivf AVWhite resident.txt | GREP -E "^(AV|SP): .*enabled\* \(" 1>AVChk && (

SED -r "s/^AV:/antivirus: /; s/^SP:/antispyware: /; s/ \*(On-access scanning |)enabled\*.*//" AVChk | SED ":a; $!N;s/\n/~n/;ta" 1>AVChkB

NIRCMD LOOP 2 80 BEEP 3000 200

IF 1 LEQ 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!" "" && GOTO Av-check

IF 1 GTR 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!" ""

)

SET /a AVCount+=1

NIRCMD EXEC HIDE PV -d9000 -kf CSCRIPT.EXE

CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs

PV -kf CSCRIPT.exe PV.*

Killing 'CSCRIPT.exe'

Killing 'PV.*'

IF NOT EXIST AvBlack00 GREP -Fsf AVBlack resident.txt 1>AvBlack00 && (

SED -r "s/\x22//g; s/.*\) //; s/.*(\{.{8}-.{4}-.{4}-.{4}-.{12}\}).*/\1/" AvBlack00 1>AvBlack01

FOR /F "TOKENS=*" %G IN (AvBlack01) DO @CSCRIPT.EXE //NOLOGO //E:VBSCRIPT //T:5 wmi_rem.vbs "%~G"

NIRCMD EXEC HIDE PV -d6000 -kf CSCRIPT.EXE

CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs

PV -kf CSCRIPT.exe PV.*

)

GREP -Fivf AVWhite resident.txt | GREP -E "^(AV|SP): .*enabled\* \(" 1>AVChk && (

SED -r "s/^AV:/antivirus: /; s/^SP:/antispyware: /; s/ \*(On-access scanning |)enabled\*.*//" AVChk | SED ":a; $!N;s/\n/~n/;ta" 1>AVChkB

NIRCMD LOOP 2 80 BEEP 3000 200

IF 2 LEQ 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!" "" && GOTO Av-check

IF 2 GTR 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!" ""

)

DEL /A/F/Q AVChk? AvWhite AvBlack AvBlack0?

SET AVCount=

IF EXIST vista.mac CALL :Vista

GREP -Fx "REGEDIT4" Fin.dat || (

ECHO.1>"C:\DOCUME~1\Caleb\LOCALS~1\Temp\tdsstdss"

PEV -rtf "C:\DOCUME~1\Caleb\LOCALS~1\Temp\tdsstdss" || (

ECHO.1>wtf_tdssserv

CALL c.bat

GOTO END

)

GOTO AbortD

)

REGEDIT4

IF /I "C:\32788R22FWJFW" NEQ "C:\32788R22FWJFW" GOTO Abort

IF EXIST "C:\DOCUME~1\Caleb\LOCALS~1\Temp\32788R22FWJFW32788R22FWJFW.log" DEL /A/F "C:\DOCUME~1\Caleb\LOCALS~1\Temp\32788R22FWJFW32788R22FWJFW.log"

C:\ComboFix\swreg.exe

Access is denied.

COPY /Y /B "C:\WINDOWS\system32\cmd.execf" "C:\WINDOWS\system32\CF8913.exe"

1 file(s) copied.

SET "COMSPEC=C:\WINDOWS\system32\CF8913.exe"

FOR /F "TOKENS=*" %G IN ("C:\Documents and Settings\Caleb\Desktop\ComboFix.exe") DO (

SET "FileName=%~NG"

SET "FilePath=%~DPG"

)

(

SET "FileName=ComboFix"

SET "FilePath=C:\Documents and Settings\Caleb\Desktop\"

)

SET FileName 1>FileName

GREP -ix "FileName=[-[:alnum:]@.]*" FileName || GOTO AbortB

FileName=ComboFix

DIR /AD/B C:\* 1>DirName00

GREP -ivx ComboFix DirName00 1>DirName01

GREP -Fisqx "ComboFix" DirName01 && CALL :NameChk

IF EXIST DirName0? DEL /A/F/Q DirName0?

IF EXIST Oldsfxname00 DEL /A/F Oldsfxname00

IF EXIST "C:\ComboFix\" (

SWXCACLS "C:\ComboFix" /RESET /Q

RD /S/Q "C:\ComboFix"

IF EXIST "C:\ComboFix\" (

PV -kf *.cfxxe

RD /S/Q "C:\ComboFix"

)

IF EXIST "C:\ComboFix\" (

HANDLE "C:\ComboFix" 1>temp00

SED -R "/.* pid: (\d*) +(\S*):.*/I!d;s//@ECHO.y|Handle -c \2 -p \1/" temp00 1>temp00.bat

CALL temp00.bat

DEL /A/F temp00.bat temp00

RD /S/Q "C:\ComboFix"

)

)

C:\ComboFix\swreg.exe - Access is denied.

Killing '*.cfxxe'

C:\ComboFix\swreg.exe - Access is denied.

C:\ComboFix\swreg.exe - Access is denied.

IF EXIST "C:\ComboFix\" RD /S/Q "C:\ComboFix"

C:\ComboFix\swreg.exe - Access is denied.

IF EXIST "C:\ComboFix\" GOTO :EOF


That worked. Before I did that I ran MBAM (since HijackThis was working, I figured MBAM would run too) and it knocked out a file.

Here's the log:

ComboFix 09-10-01.05 - Caleb 10/02/2009 13:33.2.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1919 [GMT -4:00]

Running from: c:\documents and settings\Caleb\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Caleb\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Installer\e40c.msi

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_START1DRIVER

-------\Legacy_START2DRIVER

-------\Service_Start1Driver

-------\Service_Start2Driver

((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))

.

2009-09-29 02:03 . 2009-09-29 02:03 -------- d--h--w- c:\windows\PIF

2009-09-29 01:27 . 2009-09-29 01:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-28 04:35 . 2009-09-28 04:35 -------- d-----w- c:\windows\system32\XPSViewer

2009-09-28 04:35 . 2009-09-28 04:35 -------- d-----w- c:\program files\MSBuild

2009-09-28 04:34 . 2009-09-28 04:34 -------- d-----w- c:\program files\Reference Assemblies

2009-09-28 04:34 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-09-28 04:34 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-09-28 04:34 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-09-28 04:34 . 2009-09-28 04:34 -------- d-----w- C:\408e8d735c3606b82b

2009-09-28 04:34 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-09-28 04:34 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-09-28 04:34 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-09-28 04:34 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-09-28 03:07 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-09-28 03:07 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-09-28 03:07 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-09-28 03:07 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-09-28 03:07 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-09-28 03:07 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll

2009-09-28 03:07 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-09-28 03:07 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-09-28 03:07 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-09-28 03:07 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-28 03:06 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-09-28 03:04 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-09-28 03:04 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2009-09-28 02:56 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-27 22:38 . 2009-09-27 22:38 -------- d-----w- c:\program files\uTorrent

2009-09-27 22:32 . 2009-09-27 22:32 -------- d-----w- c:\documents and settings\Caleb\Local Settings\Application Data\AskToolbar

2009-09-25 21:07 . 2009-09-25 21:07 -------- d-----w- c:\documents and settings\Caleb\Application Data\SUPERAntiSpyware.com

2009-09-14 04:16 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-09-14 04:16 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-09-14 04:16 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-09-14 04:16 . 2009-09-14 04:17 -------- d-----w- c:\program files\Common Files\PC Tools

2009-09-14 04:16 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-09-14 04:16 . 2009-09-14 04:16 -------- d-----w- c:\documents and settings\Caleb\Application Data\PC Tools

2009-09-14 04:16 . 2009-09-14 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-09-03 04:19 . 2009-09-03 04:19 -------- d-----w- c:\program files\iPod

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-02 04:57 . 2009-06-27 07:09 -------- d-----w- c:\documents and settings\Caleb\Application Data\uTorrent

2009-09-29 02:10 . 2007-07-21 22:35 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-29 00:38 . 2008-06-09 02:46 18632 ----a-w- c:\documents and settings\Caleb\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-25 05:39 . 2008-06-09 02:42 -------- d-----w- c:\documents and settings\Caleb\Application Data\FrostWire

2009-09-14 04:22 . 2009-06-23 06:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-10 18:54 . 2009-01-02 04:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2009-01-02 04:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-09 02:47 . 2008-09-11 22:30 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-09-03 04:19 . 2007-07-17 17:19 -------- d-----w- c:\program files\iTunes

2009-09-03 04:19 . 2007-07-18 17:48 -------- d-----w- c:\program files\Common Files\Apple

2009-08-22 19:14 . 2008-06-09 02:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-22 19:14 . 2008-06-09 02:28 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-22 19:14 . 2008-06-09 02:28 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-24 39408]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-22 2007832]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

D-Link AirPlus DWL-120+ Configuration Utility.lnk - c:\program files\D-Link AirPlus DWL-120+\AIRPLUS.EXE [2007-7-21 253952]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-22 19:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/14/2009 12:16 AM 130936]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/8/2008 10:28 PM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/8/2008 10:28 PM 108552]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 9:22 PM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 9:22 PM 297752]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [7/16/2007 3:45 PM 32384]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]

S3 SNPP202;PC Camera (6028 VGA);c:\windows\system32\drivers\snpp202.sys [6/19/2008 2:41 AM 236544]

S3 TIAcxubt;D-Link WLAN USB Boot Device;c:\windows\system32\drivers\tiacxubt.sys [7/21/2007 7:15 PM 58752]

S3 TIACXUSB;D-Link AirPlus DWL-120+ Wireless USB Adapter;c:\windows\system32\drivers\tiacxusb.sys [7/21/2007 7:15 PM 177792]

.

Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-25 c:\windows\Tasks\WebReg Officejet 5600 series.job

- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-12 20:45]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.netscape.com/

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab

FF - ProfilePath - c:\documents and settings\Caleb\Application Data\Mozilla\Firefox\Profiles\yta25jnu.default\

FF - prefs.js: browser.startup.homepage - hxxp://netscape.aol.com

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-02 13:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3000)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe

.

**************************************************************************

.

Completion time: 2009-10-02 13:42 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-02 17:42

ComboFix2.txt 2009-09-28 03:02

Pre-Run: 28,187,054,080 bytes free

Post-Run: 28,195,168,256 bytes free

216 --- E O F --- 2009-09-30 06:31


  • Staff

Hi,

Things are looking good. :D

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


F-Secure actually only found 1 file out of around 42,000, so I just had it clean that. I forgot to get the results, but if it's crucial I can run the scan again.

Here's what SecurityCheck came up with:

Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

AVG Free 8.5

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

CCleaner (remove only)

Java 6 Update 15

Java 6 Update 2

Java 6 Update 3

Java 6 Update 5

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.3

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

AVG avgemc.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


  • Staff

Hi,

but if it's crucial i can run the scan again
It's probably not.

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
