All kinds of problems, please help

Hello. This weekend I casually visited some website and my Avira virus protection started picking up all kinds of stuff. I indicated that all these worms or whatever should be quarantined. But then my computer started freezing, undergoing different problems. I received messages that the uploading module (engine CRC) had changed for Avira and the program no longer worked all of a sudden. I was told that my attempts to access Malwarebytes were invalid due to address. Then I suddenly did not have sufficient resources to complete almost all computer operations. When I restarted my computer, the display settings changed. All desktop icons and type/font size were much larger. I had insufficient resources or memory to complete all operations. Finally, the whole system froze. I couldn't do anything but watch the mouse move.

Today, I started the system in Safe Mode, ran Malwarebytes. It picked up several things which I have pasted below. Malwarebytes only runs in Safe Mode. In Normal mode, I get a Code 703 (0,7) error message.

Sometimes I get messages that various programs failed to initialize (such as drwtsn32.exe). Once I experienced a sudden NT AUTHORITY\SYSTEM shutdown: my system was shut off against my will and restarted.

Also, the system is now running very SLOW.

Sorry for the long post. I hope you can help. See logs below (Malwarebytes, Avira, HijackThis).

Malwarebytes' Anti-Malware 1.40

Database version: 2635

Windows 5.1.2600 Service Pack 3 (Safe Mode)

11/2/2009 1:17:27 PM

mbam-log-2009-11-02 (13-17-27).txt

Scan type: Quick Scan

Objects scanned: 89869

Time elapsed: 14 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sxodibk.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\sxodibk.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Documents and Settings\user1\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\wpv591256559586.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\wpv611255594149.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\wpv841255492056.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\user1\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.

AVIRA LOG

Avira AntiVir Personal

Report file date: Monday, November 02, 2009 13:57

Scanning for 1851309 virus strains and unwanted programs.

Licensed to: Avira AntiVir Personal - FREE Antivirus

Serial number: 0000149996-ADJIE-0000001

Platform: Windows XP

Windows version: (Service Pack 3) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: NCR

Version information:

BUILD.DAT : 8.2.0.354 17048 Bytes 10/23/2009 13:15:00

AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/27/2008 02:39:34

AVSCAN.DLL : 8.1.4.0 40705 Bytes 7/19/2008 19:44:57

LUKE.DLL : 8.1.4.5 164097 Bytes 7/19/2008 19:45:06

LUKERES.DLL : 8.1.4.0 12033 Bytes 7/19/2008 19:45:06

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 21:59:23

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 01:16:35

ANTIVIR2.VDF : 7.1.6.160 5413376 Bytes 10/28/2009 01:42:13

ANTIVIR3.VDF : 7.1.6.173 71680 Bytes 10/30/2009 01:42:16

Engineversion : 8.2.1.53

AEVDF.DLL : 8.1.1.2 106867 Bytes 9/16/2009 01:30:24

AESCRIPT.DLL : 8.1.2.43 528764 Bytes 10/31/2009 01:42:56

AESCN.DLL : 8.1.2.5 127346 Bytes 9/5/2009 01:28:42

AERDL.DLL : 8.1.3.2 479604 Bytes 10/3/2009 01:33:40

AEPACK.DLL : 8.2.0.2 422263 Bytes 10/23/2009 01:37:13

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/18/2009 01:13:46

AEHEUR.DLL : 8.1.0.173 2064760 Bytes 10/31/2009 01:42:49

AEHELP.DLL : 8.1.7.0 237940 Bytes 9/5/2009 01:28:41

AEGEN.DLL : 8.1.1.70 364917 Bytes 10/31/2009 01:42:25

AEEMU.DLL : 8.1.1.0 393587 Bytes 10/3/2009 01:33:29

AECORE.DLL : 8.1.8.1 184693 Bytes 9/16/2009 01:30:18

AEBB.DLL : 8.1.0.3 53618 Bytes 10/16/2008 02:49:28

AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/19/2008 19:44:58

AVPREF.DLL : 8.0.2.0 38657 Bytes 7/19/2008 19:44:57

AVREP.DLL : 8.0.0.3 155688 Bytes 4/20/2009 21:23:43

AVREG.DLL : 8.0.0.1 33537 Bytes 7/19/2008 19:44:57

AVARKT.DLL : 1.0.0.23 307457 Bytes 4/14/2008 22:36:50

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 7/19/2008 19:44:56

SQLITE3.DLL : 3.3.17.1 339968 Bytes 4/14/2008 22:37:02

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 7/19/2008 19:45:09

NETNT.DLL : 8.0.0.1 7937 Bytes 4/14/2008 22:37:01

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 7/19/2008 19:44:34

RCTEXT.DLL : 8.0.52.0 86273 Bytes 7/19/2008 19:44:34

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:,

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: Monday, November 02, 2009 13:57

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'infocard.exe' - '1' Module(s) have been scanned

Scan process 'iexplore.exe' - '1' Module(s) have been scanned

Scan process 'jucheck.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'Hotsync.exe' - '1' Module(s) have been scanned

Scan process 'DvzIncMsgr.exe' - '1' Module(s) have been scanned

Scan process 'restorer32_a.exe' - '1' Module(s) have been scanned

Scan process 'sa23sl.exe' - '1' Module(s) have been scanned

Scan process 'MtdAcqu.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'restorer32_a.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

39 processes with 39 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '63' files ).

Starting the file scan:

Begin scan in 'C:\' <XP 10GB>

C:\pagefile.sys

[WARNING] The file could not be opened!

End of the scan: Monday, November 02, 2009 15:26

Used time: 1:28:55 Hour(s)

The scan has been done completely.

5769 Scanning directories

345331 Files were scanned

0 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

345330 Files not concerned

2709 Archives were scanned

1 Warnings

0 Notes

HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:31:15 PM, on 11/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\restorer32_a.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\MediaSource5\MtdAcqu.exe

C:\WINDOWS\sa23sl.exe

C:\Documents and Settings\user1\restorer32_a.exe

C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

C:\Program Files\palmOne\Hotsync.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\Temp\wpv081257179558.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [restorer32_a] C:\WINDOWS\system32\restorer32_a.exe

O4 - HKLM\..\Run: [Mbokeru] rundll32.exe "C:\WINDOWS\ewevidif.dll",Startup

O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\Temp\wpv081257179558.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [ttool] C:\WINDOWS\sa23sl.exe

O4 - HKCU\..\Run: [restorer32_a] C:\Documents and Settings\user1\restorer32_a.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: zavupd32.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab...reqlab_srlx.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535179253

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535170821

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--

End of file - 6434 bytes

Here is the ComboFix log you requested. Let me know what the trouble is/was and if there are other steps I should complete.

ComboFix 09-11-03.01 - user1 11/03/2009 14:47.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.115 [GMT -5:00]

Running from: c:\documents and settings\user1\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\Live Safety Center.lnk

c:\documents and settings\user1\oashdihasidhasuidhiasdhiashdiuasdhasd

c:\windows\ewevidif.dll

c:\windows\system32\cffii.ini

c:\windows\system32\cffii.ini2

c:\windows\system32\restorer32_a.exe

c:\windows\system32\stem32~1

c:\windows\system32\wqehlbhb.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))

.

2009-11-02 17:58 . 2009-11-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-11-02 17:57 . 2009-11-02 17:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-11-02 17:57 . 2009-11-02 17:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{C3052C9C-5887-4B65-819A-50A5ABEADD56}

2009-10-31 21:03 . 2009-10-31 21:03 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\WMTools Downloaded Files

2009-10-31 18:50 . 2009-11-03 18:29 0 ----a-w- c:\windows\Xbahi.bin

2009-10-31 18:50 . 2009-11-03 18:29 120 ----a-w- c:\windows\Wfawevozuji.dat

2009-10-31 18:49 . 2009-10-31 18:49 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\{8DF5B707-E645-4D92-83EA-10ABB965D1F2}

2009-10-31 18:46 . 2009-10-31 18:46 47104 ----a-w- c:\documents and settings\user1\restorer32_a.exe

2009-10-31 18:44 . 2009-10-31 18:44 36864 ----a-w- c:\windows\sa23sl.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-03 19:35 . 2006-10-08 22:12 23512 ----a-w- c:\documents and settings\user1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-02 18:31 . 2009-11-02 18:31 6435 ----a-w- c:\program files\hijackthis.log

2009-11-02 17:50 . 2006-10-16 00:06 -------- d-----w- c:\documents and settings\user1\Application Data\OpenOffice.org2

2009-10-07 20:30 . 2007-05-13 02:20 -------- d-----w- c:\documents and settings\user1\Application Data\U3

2009-10-01 20:18 . 2009-10-01 20:17 -------- d-----w- c:\program files\Intel

2009-10-01 20:10 . 2009-10-01 20:10 -------- d-----w- c:\program files\SystemRequirementsLab

2009-09-27 02:21 . 2009-09-27 02:21 -------- d-----w- c:\documents and settings\user1\Application Data\MSNInstaller

2009-09-27 01:36 . 2006-10-19 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-09-27 01:34 . 2008-07-04 21:31 -------- d-----w- c:\program files\Common Files\Real

2009-09-27 01:32 . 2009-05-13 17:38 -------- d-----w- c:\program files\Panda Security

2009-09-26 20:34 . 2009-09-26 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters

2009-09-24 00:28 . 2007-09-13 02:05 1636 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-11 14:18 . 2004-08-04 04:56 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-04 04:56 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-04 04:56 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-06 23:24 . 2006-10-08 21:40 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 23:24 . 2006-10-08 21:40 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 23:24 . 2006-10-08 22:24 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 23:24 . 2006-10-08 21:40 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 23:24 . 2006-10-08 21:40 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-06 23:24 . 2004-08-04 04:56 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 23:23 . 2006-10-08 21:40 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 23:23 . 2007-11-20 20:35 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-08-06 23:23 . 2007-07-30 23:18 215920 ----a-w- c:\windows\system32\muweb.dll

2009-08-06 23:23 . 2006-10-08 21:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-05-13 20:53 . 2009-05-13 20:53 396288 ----a-w- c:\program files\HijackThis.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"restorer32_a"="c:\documents and settings\user1\restorer32_a.exe" [2009-10-31 47104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"AtiPTA"="Atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2001-10-10 270336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2008-4-2 28672]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [10/8/2006 12:28 PM 72832]

S3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [2/18/2002 1:19 PM 303360]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-11-03 c:\windows\Tasks\User_Feed_Synchronization-{0BAEA8CC-473C-4E20-92A9-FF0C786FB0BB}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-restorer32_a - c:\windows\system32\restorer32_a.exe

HKLM-Run-Mbokeru - c:\windows\ewevidif.dll

HKLM-Run-Regedit32 - c:\windows\system32\regedit.exe

AddRemove-KB913433 - c:\windows\system32\MacroMed\Flash\genuinst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-03 15:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3580)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\windows\system32\CTsvcCDA.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\wscntfy.exe

c:\program files\Java\jre6\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2009-11-03 15:27 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-03 20:27

Pre-Run: 1,993,531,392 bytes free

Post-Run: 2,062,561,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Hi. It has been several days since I was instructed to download ComboFix, run it, and post the log to my thread. Still waiting on a reply. My computer is working much better now, but I would like for someone to take a look at the ComboFix log and let me know if everything is okay. Also, can someone tell me what was wrong with my computer?

Thanks

Hi,

Sorry for the delay!! I overlooked your topic. :blink:

1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\documents and settings\user1\restorer32_a.exe

c:\windows\sa23sl.exe

c:\windows\Wfawevozuji.dat

c:\windows\Xbahi.bin

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"restorer32_a"=-

3. Save the above as CFScript.txt.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

Thanks. Below are the new ComboFix and HijackThis log files that you requested.

ComboFix 09-11-05.05 - user1 11/06/2009 15:56.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.107 [GMT -5:00]

Running from: c:\documents and settings\user1\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\user1\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\documents and settings\user1\restorer32_a.exe"

"c:\windows\sa23sl.exe"

"c:\windows\Wfawevozuji.dat"

"c:\windows\Xbahi.bin"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Local Settings\Application Data\{C3052C9C-5887-4B65-819A-50A5ABEADD56}

c:\documents and settings\Administrator\Local Settings\Application Data\{C3052C9C-5887-4B65-819A-50A5ABEADD56}\chrome.manifest

c:\documents and settings\Administrator\Local Settings\Application Data\{C3052C9C-5887-4B65-819A-50A5ABEADD56}\chrome\content\_cfg.js

c:\documents and settings\Administrator\Local Settings\Application Data\{C3052C9C-5887-4B65-819A-50A5ABEADD56}\chrome\content\overlay.xul

c:\documents and settings\Administrator\Local Settings\Application Data\{C3052C9C-5887-4B65-819A-50A5ABEADD56}\install.rdf

c:\documents and settings\user1\Local Settings\Application Data\{8DF5B707-E645-4D92-83EA-10ABB965D1F2}

c:\documents and settings\user1\Local Settings\Application Data\{8DF5B707-E645-4D92-83EA-10ABB965D1F2}\chrome.manifest

c:\documents and settings\user1\Local Settings\Application Data\{8DF5B707-E645-4D92-83EA-10ABB965D1F2}\chrome\content\_cfg.js

c:\documents and settings\user1\Local Settings\Application Data\{8DF5B707-E645-4D92-83EA-10ABB965D1F2}\chrome\content\overlay.xul

c:\documents and settings\user1\Local Settings\Application Data\{8DF5B707-E645-4D92-83EA-10ABB965D1F2}\install.rdf

c:\windows\Wfawevozuji.dat

c:\windows\Xbahi.bin

.

((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))

.

2009-11-05 23:51 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-05 23:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-05 23:50 . 2009-11-05 23:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-05 23:10 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-05 23:10 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-11-05 23:10 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-11-05 23:10 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-11-05 23:09 . 2009-11-05 23:09 -------- d-----w- c:\program files\Avira

2009-11-05 23:09 . 2009-11-05 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-11-02 17:58 . 2009-11-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-11-02 17:57 . 2009-11-02 17:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-10-31 21:03 . 2009-10-31 21:03 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\WMTools Downloaded Files

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-05 23:51 . 2009-05-13 17:48 -------- d-----w- c:\documents and settings\user1\Application Data\Malwarebytes

2009-11-05 23:50 . 2009-05-13 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-05 19:45 . 2006-10-16 00:06 -------- d-----w- c:\documents and settings\user1\Application Data\OpenOffice.org2

2009-11-05 08:24 . 2007-09-13 02:05 2296 ----a-w- c:\windows\system32\d3d9caps.dat

2009-11-03 19:35 . 2006-10-08 22:12 23512 ----a-w- c:\documents and settings\user1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-07 20:30 . 2007-05-13 02:20 -------- d-----w- c:\documents and settings\user1\Application Data\U3

2009-10-01 20:18 . 2009-10-01 20:17 -------- d-----w- c:\program files\Intel

2009-10-01 20:10 . 2009-10-01 20:10 -------- d-----w- c:\program files\SystemRequirementsLab

2009-09-27 02:21 . 2009-09-27 02:21 1244648 ----a-w- c:\documents and settings\user1\Application Data\MSNInstaller\msnauins.exe

2009-09-27 02:21 . 2009-09-27 02:21 -------- d-----w- c:\documents and settings\user1\Application Data\MSNInstaller

2009-09-27 01:36 . 2006-10-19 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-09-27 01:34 . 2008-07-04 21:31 -------- d-----w- c:\program files\Common Files\Real

2009-09-27 01:32 . 2009-05-13 17:38 -------- d-----w- c:\program files\Panda Security

2009-09-26 20:34 . 2009-09-26 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters

2009-09-22 18:07 . 2009-09-22 18:05 17204720 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\rp\.exe

2009-09-22 18:05 . 2009-09-22 18:05 8406648 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe

2009-09-22 18:04 . 2009-09-22 18:04 10309448 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\chr\ChromeInstaller.exe

2009-09-22 18:02 . 2009-09-22 18:02 64000 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll

2009-09-22 18:02 . 2009-09-22 18:02 52288 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll

2009-09-22 18:02 . 2009-09-22 18:02 50688 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll

2009-09-22 18:02 . 2009-09-22 18:02 81920 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\compat.dll

2009-09-11 14:18 . 2004-08-04 04:56 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-04 04:56 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-04 04:56 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-05-13 20:53 . 2009-05-13 20:53 396288 ----a-w- c:\program files\HijackThis.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-11-03_20.11.16 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2009-11-06 00:15 . 2009-11-06 00:15 16384 c:\windows\temp\Perflib_Perfdata_1b0.dat

+ 2007-11-19 02:22 . 2009-05-11 15:12 28520 c:\windows\system32\drivers\ssmdrv.sys

+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2009-11-05 23:00 . 2009-11-05 23:00 228352 c:\windows\Installer\d5d61.msi

+ 2009-11-06 08:00 . 2009-11-06 08:00 195584 c:\windows\Installer\1aafe01.msi

+ 2009-11-05 02:00 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll

+ 2009-11-05 02:00 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe

+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

+ 2004-08-04 04:56 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll

+ 2004-08-04 04:56 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll

+ 2009-11-05 02:00 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"restorer32_a"="c:\windows\system32\restorer32_a.exe" [bU]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"AtiPTA"="Atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2001-10-10 270336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2008-4-2 28672]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [10/8/2006 12:28 PM 72832]

S3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [2/18/2002 1:19 PM 303360]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

*Deregistered* - PROCEXP113

.

Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-11-06 c:\windows\Tasks\User_Feed_Synchronization-{0BAEA8CC-473C-4E20-92A9-FF0C786FB0BB}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-06 16:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-11-06 16:27

ComboFix-quarantined-files.txt 2009-11-06 21:26

ComboFix2.txt 2009-11-03 20:27

Pre-Run: 1,906,896,896 bytes free

Post-Run: 2,000,027,648 bytes free

- - End Of File - - 64255F8F14C9742C7642758CF87EDDDD

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:35:07 PM, on 11/6/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Creative\MediaSource5\MtdAcqu.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

C:\WINDOWS\explorer.exe

C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [restorer32_a] C:\WINDOWS\system32\restorer32_a.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab...reqlab_srlx.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535179253

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535170821

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--

End of file - 5657 bytes


1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\Installer\d5d61.msi

c:\windows\Installer\1aafe01.msi

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"restorer32_a"=-

Renv::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif]

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.


Okay. Here are the Hijackthis and combofix files you requested. I really appreciate your help.

ComboFix 09-11-07.02 - user1 11/07/2009 19:50.3.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.143 [GMT -5:00]

Running from: c:\documents and settings\user1\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\user1\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\windows\Installer\1aafe01.msi"

"c:\windows\Installer\d5d61.msi"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Installer\1aafe01.msi

c:\windows\Installer\d5d61.msi

.

((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))

.

2009-11-05 23:51 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-05 23:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-05 23:50 . 2009-11-05 23:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-05 23:10 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-05 23:10 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-11-05 23:10 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-11-05 23:10 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-11-05 23:09 . 2009-11-05 23:09 -------- d-----w- c:\program files\Avira

2009-11-05 23:09 . 2009-11-05 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-11-02 17:58 . 2009-11-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-11-02 17:57 . 2009-11-02 17:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-10-31 21:03 . 2009-10-31 21:03 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\WMTools Downloaded Files

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-08 00:36 . 2006-10-16 00:06 -------- d-----w- c:\documents and settings\user1\Application Data\OpenOffice.org2

2009-11-06 21:35 . 2009-11-06 21:35 5658 ----a-w- c:\program files\hijackthis.log

2009-11-05 23:51 . 2009-05-13 17:48 -------- d-----w- c:\documents and settings\user1\Application Data\Malwarebytes

2009-11-05 23:50 . 2009-05-13 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-05 08:24 . 2007-09-13 02:05 2296 ----a-w- c:\windows\system32\d3d9caps.dat

2009-11-03 19:35 . 2006-10-08 22:12 23512 ----a-w- c:\documents and settings\user1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-07 20:30 . 2007-05-13 02:20 -------- d-----w- c:\documents and settings\user1\Application Data\U3

2009-10-01 20:18 . 2009-10-01 20:17 -------- d-----w- c:\program files\Intel

2009-10-01 20:10 . 2009-10-01 20:10 -------- d-----w- c:\program files\SystemRequirementsLab

2009-09-27 02:21 . 2009-09-27 02:21 1244648 ----a-w- c:\documents and settings\user1\Application Data\MSNInstaller\msnauins.exe

2009-09-27 02:21 . 2009-09-27 02:21 -------- d-----w- c:\documents and settings\user1\Application Data\MSNInstaller

2009-09-27 01:36 . 2006-10-19 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-09-27 01:34 . 2008-07-04 21:31 -------- d-----w- c:\program files\Common Files\Real

2009-09-27 01:32 . 2009-05-13 17:38 -------- d-----w- c:\program files\Panda Security

2009-09-26 20:34 . 2009-09-26 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters

2009-09-22 18:07 . 2009-09-22 18:05 17204720 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\rp\.exe

2009-09-22 18:05 . 2009-09-22 18:05 8406648 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe

2009-09-22 18:04 . 2009-09-22 18:04 10309448 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\chr\ChromeInstaller.exe

2009-09-22 18:02 . 2009-09-22 18:02 64000 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll

2009-09-22 18:02 . 2009-09-22 18:02 52288 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll

2009-09-22 18:02 . 2009-09-22 18:02 50688 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll

2009-09-22 18:02 . 2009-09-22 18:02 81920 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\compat.dll

2009-09-11 14:18 . 2004-08-04 04:56 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-04 04:56 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-04 04:56 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-05-13 20:53 . 2009-05-13 20:53 396288 ----a-w- c:\program files\HijackThis.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-11-03_20.11.16 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2009-11-07 19:07 . 2009-11-07 19:07 16384 c:\windows\temp\Perflib_Perfdata_1c8.dat

- 2001-08-23 15:00 . 2009-11-03 20:16 67312 c:\windows\system32\perfc009.dat

+ 2001-08-23 15:00 . 2009-11-07 19:41 67312 c:\windows\system32\perfc009.dat

+ 2007-11-19 02:22 . 2009-05-11 15:12 28520 c:\windows\system32\drivers\ssmdrv.sys

+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

- 2001-08-23 15:00 . 2009-11-03 20:16 432356 c:\windows\system32\perfh009.dat

+ 2001-08-23 15:00 . 2009-11-07 19:41 432356 c:\windows\system32\perfh009.dat

+ 2009-11-05 02:00 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll

+ 2009-11-05 02:00 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe

+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

+ 2004-08-04 04:56 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll

+ 2004-08-04 04:56 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll

+ 2009-11-05 02:00 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"AtiPTA"="Atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2001-10-10 270336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2008-4-2 28672]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/5/2009 6:10 PM 108289]

R3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [10/8/2006 12:28 PM 72832]

S3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [2/18/2002 1:19 PM 303360]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

*Deregistered* - PROCEXP113

.

Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-11-08 c:\windows\Tasks\User_Feed_Synchronization-{0BAEA8CC-473C-4E20-92A9-FF0C786FB0BB}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-07 20:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-11-08 20:19

ComboFix-quarantined-files.txt 2009-11-08 01:18

ComboFix2.txt 2009-11-06 21:27

ComboFix3.txt 2009-11-03 20:27

Pre-Run: 2,024,112,128 bytes free

Post-Run: 2,045,112,320 bytes free

- - End Of File - - 9C1A199B9B9033CF6C1536820B1EC5C3

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:25:33 PM, on 11/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Creative\MediaSource5\MtdAcqu.exe

C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab...reqlab_srlx.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535179253

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535170821

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--

End of file - 5466 bytes

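An added example, not part of the original posts and not anything HijackThis itself produces: a small Python script that parses the O4 (autorun) and O23 (service) lines of a log like the one above into records and flags the entries a reviewer would normally verify on disk before declaring the log clean. It flags bare image names such as `Atiptaxx.exe` (found through the search path rather than an absolute path), commands that depend on an environment variable like the `userFaultCheck` entry, RunOnce values under the SYSTEM and .DEFAULT hives, and services logged with an unknown owner. A flag means "confirm which file actually runs", not "malicious"; in this log all three flagged autoruns are ordinary Windows and ATI components. The sample lines are copied from the posted log; the check names and the heuristics are this example's own assumptions.

```python
"""Parse the O4 (autorun) and O23 (service) lines of a HijackThis log and apply
a few mechanical checks before reading it by hand.  Added example: the sample
lines are copied from the posted log, the checks are this example's own
heuristics and not anything HijackThis itself reports."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: O4/O23 lines quoted from the posted log, plus one O9 line and
# the log trailer to show that unrelated lines are skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
--
End of file - 5466 bytes
""".strip().splitlines()

# O4 - <hive>\..\<Run key>: [<value name>] <command> [(User '<name>')]
O4_RUNKEY_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O4 - Global Startup: <shortcut>.lnk = <target>
O4_STARTUP_RE = re.compile(r"^O4 - (?P<folder>Global Startup|Startup): (?P<name>.+?) = (?P<target>.+)$")
# O23 - Service: <display name> [(<service name>)] - <vendor> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$"
)


@dataclass
class AutorunEntry:
    source: str          # e.g. "HKLM\Run", "HKUS\S-1-5-18\RunOnce", "Global Startup"
    name: str            # registry value name or shortcut file name
    command: str         # full command line as logged
    image: str           # executable the command launches (best effort)
    user: Optional[str]  # account HijackThis attributed a per-user hive to, if any


@dataclass
class ServiceEntry:
    display: str
    short: Optional[str]
    vendor: str
    path: str


def image_from_command(cmd: str) -> str:
    """Return the launched image from a Run-key command line.

    A quoted path is taken up to the closing quote; otherwise the first
    whitespace-delimited token is assumed to be the image.  An unquoted path
    containing spaces is therefore truncated, which is why the image is
    reported back for manual confirmation rather than trusted blindly.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_hjt(lines) -> Tuple[List[AutorunEntry], List[ServiceEntry]]:
    """Split a HijackThis log into autorun and service records; other sections are ignored."""
    autoruns: List[AutorunEntry] = []
    services: List[ServiceEntry] = []
    for raw in lines:
        line = raw.rstrip()
        if (m := O4_RUNKEY_RE.match(line)):
            cmd = m["cmd"]
            autoruns.append(AutorunEntry(f"{m['hive']}\\{m['key']}", m["name"], cmd,
                                         image_from_command(cmd), m["user"]))
        elif (m := O4_STARTUP_RE.match(line)):
            # A startup-folder shortcut has no argument list in the log, so the
            # whole target is the image even when the path contains spaces.
            autoruns.append(AutorunEntry(m["folder"], m["name"], m["target"], m["target"], None))
        elif (m := O23_RE.match(line)):
            services.append(ServiceEntry(m["display"], m["short"], m["vendor"], m["path"]))
    return autoruns, services


def flags_for(entry: AutorunEntry) -> List[str]:
    """Heuristic reasons an autorun entry should be verified on disk, in a fixed order."""
    flags: List[str] = []
    if "%" in entry.image:
        flags.append("env-var")               # depends on what the variable expands to at logon
    elif "\\" not in entry.image:
        flags.append("bare-name")             # no directory given: resolved through the search path
    if entry.source.startswith("HKUS\\"):
        flags.append("non-interactive-hive")  # SYSTEM/.DEFAULT hive, runs outside the logged-on user
    return flags


def service_flags(svc: ServiceEntry) -> List[str]:
    """Heuristic reasons a service entry should be verified."""
    flags: List[str] = []
    if not svc.vendor or "unknown" in svc.vendor.lower():
        flags.append("unknown-owner")         # HijackThis prints 'Unknown owner' when no vendor is recorded
    return flags


def review(lines) -> List[str]:
    """Human-readable findings for the entries that tripped at least one check."""
    autoruns, services = parse_hjt(lines)
    findings = [f"{e.source} [{e.name}] -> {e.image}: {', '.join(f)}"
                for e in autoruns if (f := flags_for(e))]
    findings += [f"Service {s.display} -> {s.path}: {', '.join(f)}"
                 for s in services if (f := service_flags(s))]
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the AtiPTA entry (bare name), the userFaultCheck entry (environment variable) and both RunNarrator values (bare name under a non-interactive hive); the quoted QuickTime and Avira commands, the startup-folder shortcut and the two services pass. The point of the fixed flag order and the structured records is that the same checks can be rerun on the next log instead of eyeballing 40 lines each time.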

Everything seems to be in order. Thanks for your assistance. ;) The only problem I encounter now and then is the taskbar of my window will turn black, making it impossible to see the words on the bar. But I can still use the taskbar. I'm not sure this is a virus problem. The black color comes and goes. Let me know if you have a remedy for this.


Your computer now seems to be clean.

The following will not only uninstall ComboFix but also clean up some other dangerous tools and backups, clean up the System Restore points and hide the system files.

  • Go to Start
  • Click on Run
  • Type ComboFix /u (Note: This command is case sensitive.)

  1. Clean out temporary files etc.
     This program is for Vista, XP and Windows 2000 only.
     Please download ATF Cleaner by Atribune.

     1. Double-click ATF-Cleaner.exe to run the program.
     2. Under Main choose: Select All. Then remove the check mark for Cookies.
     3. Click the Empty Selected button.

     If you use the Firefox browser:
       • Click Firefox at the top and choose: Select All.
       • Click the Empty Selected button.
       • Remove the check mark for Cookies.
       • NOTE: If you would like to keep your saved passwords, please click No at the prompt if asked.

     If you use the Opera browser:
       • Click Opera at the top and choose: Select All.
       • Remove the check mark for Cookies.
       • Click the Empty Selected button.

     It is a good idea to do this every few weeks, as a lot of junk collects there over time.

  2. Create a new, clean System Restore point which you can use in case of future system problems:

     Press Start -> All Programs -> Accessories -> System Tools -> System Restore.

     Select Create a restore point, then Next, type a name like All Clean, then press the Create button and once it's done press Close.

     Now remove old, infected System Restore points:

     Next click Start -> Run, type cleanmgr in the box and press OK.

     Ensure the boxes for Temporary Files and Temporary Internet Files are checked; you can choose to check other boxes if you wish, but they are not required.

     Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt.

     Press OK and Yes to confirm.

  3. Set correct settings for files that should be hidden in Windows XP:
       • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
       • Under "Hidden files and folders", if necessary select Do not show hidden files and folders.
       • If unchecked, please check Hide protected operating system files (Recommended).
       • If necessary, check "Display content of system folders".
       • If necessary, uncheck Hide file extensions for known file types.
       • Click OK.

  4. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.

  5. Download and install the free version of Malwarebytes' Anti-Malware to your desktop. Check for the latest updates and perform a full system scan. This is an on-demand scanner and runs very well with WinPatrol.

  6. If you are using Internet Explorer v. 7, please read and follow the recommendations at this site: http://surfthenetsafely.com/ieseczone8.htm

  7. Update your anti-virus software - It is imperative that you update your anti-virus software at least a few times a week (once a day is a good idea). If you do not update your anti-virus software, it will not be able to catch new variants that come out.

  8. Use a firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. Windows Firewall is not recommended.

     Be restrictive with granting access to the Internet. If you are unsure if the program really needs the access, test it by denying the access and see if this has any negative effects. If not, make the block permanent.

  9. Never run two antivirus programs or two firewalls at the same time. They can interfere with each other and cause problems.

  10. Visit Microsoft's Windows Update site frequently, or better yet set the computer for automatic updates.

  11. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  12. Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miekiem...prevention.html that will give you more information on some of the points above.

  13. Please check out Tony Klein's article "How did I get infected in the first place?"

Follow this list and your potential for being infected again will reduce dramatically. (preventionspeech by Elrond)

Regards,

Rosty.

