
I think I'm infected


bootanuts

When I boot up I get a window that says my computer has a virus; this is before I get a desktop on my screen. I have to close the window before I get a desktop.

MalwareBytes will not open. I looked in the Program Files folder, and in the Malwarebytes folder the mbam.exe file is not there. I uninstalled and reinstalled Malwarebytes, but at the end it said it could not find the mbam.exe file. I tried to rename the setup file; still no luck.

I ran Avira yesterday but it did not remove the virus.

I ran HijackThis; below is the file it generated.

Thanks for any help.

Tim aka... bootanuts

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:28:59 PM, on 12/23/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\winupdate86.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe

C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [semanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe

O4 - HKLM\..\Run: [rewugokol] Rundll32.exe "c:\windows\system32\ruziveki.dll",a

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdS7_0_0

O4 - HKCU\..\Run: [28863567115271023172430148157078] C:\Program Files\Antivirus 2009\av2009.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll

O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnk

O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnk

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\timo\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\timo\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)

O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\timo\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6C87D285-3BF7-494D-914E-415E7D865DDA}: NameServer = 193.104.110.38,4.2.2.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD225C1D-C142-43E5-8B4B-EF3D3D22E534}: NameServer = 193.104.110.38,4.2.2.1,192.168.0.1

O18 - Filter hijack: text/html - (no CLSID) - (no file)

O20 - AppInit_DLLs: nogezote.dll c:\windows\system32\ruziveki.dll

O21 - SSODL: robalovug - {84ac32bc-7ad4-4c49-93f0-ddd04ffee5cc} - c:\windows\system32\ruziveki.dll

O22 - SharedTaskScheduler: jugezatag - {84ac32bc-7ad4-4c49-93f0-ddd04ffee5cc} - c:\windows\system32\ruziveki.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Google Update Service (gupdate1c95c38217184e0) (gupdate1c95c38217184e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

--

End of file - 9346 bytes

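As an added example (not code from this thread, from HijackThis or from Malwarebytes), the following Python triage script parses HijackThis v2 entry lines like the ones in the log above and flags the indicators a helper reacts to when reading such a log: a replaced Winlogon UserInit (F2), a populated AppInit_DLLs (O20), SSODL/SharedTaskScheduler loaders pointing at random-looking DLLs (O21/O22), Run entries that launch Rundll32 on a DLL (O4), and DNS servers outside the LAN (O17). The sample input is constructed from lines of this log; the "random-looking name" heuristic and the rule set are assumptions, not HijackThis behaviour.

```python
"""Triage helper for Trend Micro HijackThis v2 log lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Entry lines look like "O20 - AppInit_DLLs: ..." or "F2 - REG:system.ini: ...".
ENTRY_RE = re.compile(r"^(?P<code>[FOR]\d+)\s+-\s+(?P<body>.*)$")

# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [rewugokol] Rundll32.exe "c:\windows\system32\ruziveki.dll",a
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C87D285-3BF7-494D-914E-415E7D865DDA}: NameServer = 193.104.110.38,4.2.2.1
O20 - AppInit_DLLs: nogezote.dll c:\windows\system32\ruziveki.dll
O21 - SSODL: robalovug - {84ac32bc-7ad4-4c49-93f0-ddd04ffee5cc} - c:\windows\system32\ruziveki.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O20"
    reason: str  # why the entry was flagged
    line: str    # the original log line


def _random_looking(path: str) -> bool:
    # Assumption/heuristic: 8-letter lowercase stems such as ruziveki.dll or
    # nogezote.dll are typical of auto-generated dropper names.  Legitimate
    # names can collide with this pattern, so treat hits as "review", not "malicious".
    stem = path.rsplit("\\", 1)[-1].split(".")[0]
    return bool(re.fullmatch(r"[a-z]{8}", stem))


def _non_lan_dns(addrs: str):
    """Return the resolver addresses that are not private/loopback."""
    out = []
    for item in addrs.split(","):
        try:
            ip = ipaddress.ip_address(item.strip())
        except ValueError:
            continue
        if not (ip.is_private or ip.is_loopback):
            out.append(str(ip))
    return out


def triage(log_text: str):
    """Scan HijackThis entry lines and return a list of Finding objects."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line, etc.
        code, body = m.group("code"), m.group("body")
        if code == "F2" and "UserInit=" in body:
            # On XP the legitimate value is userinit.exe (usually with a
            # trailing comma); anything else has replaced the logon helper.
            target = body.split("UserInit=", 1)[1].strip().lower()
            if not target.split(",")[0].endswith("\\userinit.exe"):
                findings.append(Finding(code, "UserInit replaced: " + target, line))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is empty on a clean machine; any DLL here is loaded
            # into every process that links user32.dll.
            dlls = body.split(":", 1)[1].split()
            if dlls:
                findings.append(Finding(code, "AppInit_DLLs set: " + " ".join(dlls), line))
        elif code in ("O21", "O22"):
            target = body.rsplit(" - ", 1)[-1]
            if _random_looking(target):
                findings.append(Finding(code, "shell loader with random-looking DLL: " + target, line))
        elif code == "O4" and "rundll32" in body.lower():
            # Rundll32 on an arbitrary DLL is a common loader; review manually.
            findings.append(Finding(code, "Run entry launches Rundll32 on a DLL", line))
        elif code == "O17" and "NameServer = " in body:
            # Resolvers outside the LAN are worth verifying against the ISP's.
            outside = _non_lan_dns(body.split("NameServer = ", 1)[1])
            if outside:
                findings.append(Finding(code, "non-LAN DNS servers: " + ", ".join(outside), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```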

  • Staff

Hi,

To run Malwarebytes when you get error code 2 during install, or mbam.exe gets deleted, please see here:

http://www.malwarebytes.org/forums/index.php?showtopic=29028

Once malwarebytes opens, click the "Update" tab, click "Check for Updates" in order to download the updates.

Then run the scan, let mbam quarantine/delete what it found and reboot afterwards.

After reboot, post the Malwarebytes log together with a new HijackThis log.


Thank you for your time, Mieke.

I put it, the renamed file wwXBz4JB9.exe, in the C:\Program Files\Malwarebytes' Anti-Malware folder and tried to run it. It did not work. I got an error message, well 2 actually. The first one was in a small window, titled

vbAccelerator SGrid ll Control

Run-time error '0'

The 2nd error message was in a Malwarebytes-titled window:

error code '440':

I then tried renaming the file to "explorer.exe" in the Malwarebytes folder and I got the same 2 error messages as above.

Again, thanks for your time and patience.

Tim


  • Staff

Hi,

Looks like the malware already damaged too much here.

Do the following instead:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Hi, I didn't mean to take so long, but with the holidays and all. I ran ComboFix and will attach the log file. After running ComboFix the screen with the "infected computer" note is gone and the screen is back to normal.

Tim

ComboFix 09-12-31.A1 - timo 01/01/2010 17:27:37.1.1 - x86

Running from: c:\documents and settings\timo\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG 7.5.560 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}

.

ADS - svchost.exe: deleted 39936 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\DFR16F.tmp

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat

C:\oqnqso.exe

c:\program files\Need2Find

c:\program files\Need2Find\bar\History\search

c:\recycler\S-1-5-21-1763111270-1850054518-1897187023-1183

c:\recycler\S-1-5-21-2127521184-1604012920-1887927527-2439749

c:\recycler\S-1-5-21-3900364688-2233193267-973688402-1008

C:\uwlwfa.exe

C:\waxfhosk.exe

c:\windows\system32\6to4v32.dll

c:\windows\system32\AVR10.exe

c:\windows\system32\badarizo.exe

c:\windows\system32\balineko.dll

c:\windows\system32\balomane.dll

c:\windows\system32\bebewute.dll

c:\windows\system32\behubaza.dll

c:\windows\system32\bojivira.exe

c:\windows\system32\BtwSrv.dll

c:\windows\system32\bugeyumo.dll

c:\windows\system32\Cache

c:\windows\system32\certstore.dat

c:\windows\system32\critical_warning.html

c:\windows\system32\dagitufa.dll

c:\windows\system32\dakimuyu.dll

c:\windows\system32\difasadi.exe

c:\windows\system32\diposeli.dll

c:\windows\system32\divitawu.dll

c:\windows\system32\duhepigi.dll

c:\windows\system32\f6e2n486.dll

c:\windows\system32\farakire.dll

c:\windows\system32\FastNetSrv.exe

c:\windows\system32\FInstall.sys

c:\windows\system32\flags.ini

c:\windows\system32\fopelene.dll

c:\windows\system32\forefiyu.dll

c:\windows\system32\fulupufa.dll

c:\windows\system32\gekeyego.dll

c:\windows\system32\gudadamu.dll

c:\windows\system32\hewipali.dll

c:\windows\system32\hinikafo.dll

c:\windows\system32\hitusoli.dll

c:\windows\system32\i14fh.dll

c:\windows\system32\Iasv32.dll

c:\windows\system32\Install.txt

c:\windows\system32\jaralaze.dll

c:\windows\system32\jegowibo.dll

c:\windows\system32\jerosefo.dll

c:\windows\system32\jifafusu.exe

c:\windows\system32\jisaleyu.dll

c:\windows\system32\jutizowi.dll

c:\windows\system32\kiganopo.dll

c:\windows\system32\kikububu.dll

c:\windows\system32\kiloruho.dll

c:\windows\system32\kipogewu.dll

c:\windows\system32\kiyituhe.dll

c:\windows\system32\kumeweva.exe

c:\windows\system32\kunobesi.dll

c:\windows\system32\kuvihube.exe

c:\windows\system32\lahesumo.dll

c:\windows\system32\livediti.dll

c:\windows\system32\liyayeki.dll

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\lsm32.sys

c:\windows\system32\midogiru.dll

c:\windows\system32\mofanedo.exe

c:\windows\system32\nasijuye.dll

c:\windows\system32\nidofeza.dll

c:\windows\system32\nifesuro.dll

c:\windows\system32\nozigita.dll

c:\windows\system32\opeia.exe

c:\windows\system32\pibahoju.dll

c:\windows\system32\raboloho.dll

c:\windows\system32\robovoji.dll

c:\windows\system32\rotirufe.dll

c:\windows\system32\ruginefo.dll

c:\windows\system32\ruwiraje.exe

c:\windows\system32\sdra64.exe

c:\windows\system32\sshnas.dll

c:\windows\system32\supekede.dll

c:\windows\system32\tasasifu.dll

c:\windows\system32\turejaka.exe

c:\windows\system32\tuvikize.dll

c:\windows\system32\uses32.dat

c:\windows\system32\viweyeju.dll

c:\windows\system32\wapetose.dll

c:\windows\system32\winhelper86.dll

c:\windows\system32\winlogon86.exe

c:\windows\system32\winsts.sys

c:\windows\system32\winupdate86.exe

c:\windows\system32\wivevevi.dll

c:\windows\system32\wmdtc.exe

c:\windows\system32\wn33q1f53.dll

c:\windows\system32\wudagodo.dll

c:\windows\system32\yelahihi.dll

c:\windows\system32\zekuboli.exe

c:\windows\system32\zutiguhi.dll

c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

c:\windows\Tasks\akumaanj.job

c:\windows\Temp\1121644512.exe

c:\windows\Temp\242142352.exe

c:\windows\Temp\2567263264.exe

c:\windows\Temp\2763101296.exe

c:\windows\Temp\2815325216.exe

c:\windows\Temp\2941029440.exe

c:\windows\Temp\3214021984.exe

c:\windows\Temp\3663424624.exe

c:\windows\Temp\3967410560.exe

c:\windows\Temp\566056944.exe

c:\windows\Temp\lsass.exe

c:\windows\TEMP\mta13187.dll

c:\windows\TEMP\x1c40101.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.29

hxxp://82.98.231.102

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_BTWSRV

-------\Legacy_FASTNETSRV

-------\Legacy_FCI

-------\Legacy_IAS

-------\Legacy_SSHNAS

-------\Legacy_WINSTS

-------\Service_BtwSrv

-------\Service_fastnetsrv

-------\Service_FCI

-------\Service_Ias

-------\Service_SSHNAS

-------\Service_winsts

((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))

.

2010-01-01 11:08 . 2010-01-01 11:08 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

2010-01-01 08:28 . 2010-01-01 23:43 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe

2009-12-31 04:12 . 2010-01-02 02:05 773120 ----a-w- c:\windows\system32\drivers\niduly.sys

2009-12-30 23:55 . 2009-12-30 23:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData

2009-12-26 13:45 . 2009-12-26 13:45 5838 --sh--w- c:\windows\system32\latesuti.dll

2009-12-24 04:27 . 2009-12-24 04:27 -------- d-----w- c:\program files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-01 23:17 . 2006-12-19 03:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg7

2010-01-01 14:34 . 2008-12-09 00:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater

2010-01-01 04:43 . 2008-10-23 09:00 -------- d-----w- c:\program files\PlayersOnly Poker

2009-12-26 03:24 . 2009-08-24 18:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-25 02:15 . 2004-08-04 12:00 14336 ----a-w- c:\windows\system32\svchost.exe

2009-12-20 04:55 . 2004-05-24 02:16 -------- d-----w- c:\program files\Google

2009-12-15 01:59 . 2009-12-15 01:59 185240 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\atgpcext.dll

2009-12-15 01:59 . 2009-12-15 01:59 28488 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\atgpcdec.dll

2009-12-15 01:59 . 2009-12-15 01:59 61848 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\npatgpc.dll

2009-12-15 01:58 . 2007-12-31 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-08 03:54 . 2009-03-30 23:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-28 18:20 . 2009-11-27 14:38 79488 ----a-w- c:\documents and settings\timo\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-22 22:51 . 2007-07-26 06:04 -------- d-----w- c:\program files\PokerStars

2009-11-19 18:48 . 2009-11-26 11:33 872960 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2009-11-19 18:48 . 2009-11-26 11:33 43008 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2009-11-19 18:48 . 2009-11-26 11:33 340480 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2009-11-19 18:48 . 2009-11-26 11:33 346624 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2009-11-11 05:30 . 2007-12-09 20:42 -------- d-----w- c:\program files\UltimateBet

2009-10-29 07:46 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2009-10-21 06:00 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 14:58 . 2004-08-04 12:00 263552 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:53 . 2004-08-04 12:00 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54 . 2004-08-04 12:00 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54 . 2004-08-04 12:00 112128 ----a-w- c:\windows\system32\rastls.dll

1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\SYSTEM32\fijiveni.dll

.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys

[-] 2008-06-20 . 0B788EE2A876D7B31DF840C13F08CD2B . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys

[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys

[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys

[7] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[7] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys

[7] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[7] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys

[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-09 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-18 98304]

"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2009-02-25 590848]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-22 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 219136]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

Wireless-G Notebook Adapter Utility.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2006-1-6 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=

"c:\\Program Files\\CarbonPoker\\client.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avgw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundTimestampRequest"= 1 (0x1)

"AllowInboundMaskRequest"= 1 (0x1)

"AllowInboundRouterRequest"= 1 (0x1)

"AllowOutboundDestinationUnreachable"= 1 (0x1)

"AllowOutboundSourceQuench"= 1 (0x1)

"AllowOutboundParameterProblem"= 1 (0x1)

"AllowOutboundTimeExceeded"= 1 (0x1)

"AllowRedirect"= 1 (0x1)

"AllowOutboundPacketTooBig"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/30/2009 4:29 PM 108289]

S2 gupdate1c95c38217184e0;Google Update Service (gupdate1c95c38217184e0);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 2:00 AM 133104]

S3 ndisdrv;ndisdrv;c:\windows\SYSTEM32\ndisdrv.sys [8/4/2004 5:00 AM 2304]

S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\SYSTEM32\DRIVERS\TNET1130x.sys [1/6/2006 10:53 PM 385536]

--- Other Services/Drivers In Memory ---

*Deregistered* - niduly

.

Contents of the 'Scheduled Tasks' folder

2010-01-02 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-24 05:52]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 12:37]

2010-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 12:37]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

mWindow Title =

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnk

Trusted Zone: earthlink.net

Trusted Zone: microsoft.com\www

TCP: {6C87D285-3BF7-494D-914E-415E7D865DDA} = 193.104.110.38,4.2.2.1

TCP: {BD225C1D-C142-43E5-8B4B-EF3D3D22E534} = 193.104.110.38,4.2.2.1,192.168.0.1

FF - ProfilePath - c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\documents and settings\timo\Application Data\Mozilla\plugins\npatgpc.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

.

- - - - ORPHANS REMOVED - - - -

BHO-{1b7d82a7-d304-446d-8c7a-68e365aa7856} - pibahoju.dll

HKCU-Run-Sonic RecordNow! - (no file)

HKLM-Run-rewugokol - c:\windows\system32\zahariho.dll

HKLM-Run-vikavarese - kunobesi.dll

SharedTaskScheduler-{cca47350-b8bd-4348-b8fb-5c4738a8e0d3} - c:\windows\system32\zahariho.dll

SSODL-wijidelek-{cca47350-b8bd-4348-b8fb-5c4738a8e0d3} - c:\windows\system32\zahariho.dll

AddRemove-AltnetDM - c:\program files\Altnet\Download Manager\AltnetUninstall.exe

AddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exe

AddRemove-A-18 CSF Demo - c:\i-magic\iF18Demo\Uninst.isu

AddRemove-Return Fire II 3Dfx Demo - c:\program files\Prolific Publishing

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-01 19:03

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\niduly]

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1252)

c:\program files\Funk Software\Odyssey Client\odLogin.dll

- - - - - - - > 'explorer.exe'(956)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\SCardSvr.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe

c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe

c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\program files\Linksys\Wireless-G Notebook Adapter\OdHost.exe

c:\program files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe

.

**************************************************************************

.

Completion time: 2010-01-01 19:16:05 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-02 02:16

Pre-Run: 11,336,708,096 bytes free

Post-Run: 11,965,775,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

- - End Of File - - 05B490A34DD57511CEFB5F75680452E9


  • Staff

Hi,

I notice from your log that there's more than 1 Antivirus installed: AVG and Avira.

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.

Then reboot after uninstalling.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quote box below into Notepad:

Collect::[8]

c:\windows\system32\latesuti.dll

c:\windows\SYSTEM32\fijiveni.dll

c:\windows\system32\drivers\niduly.sys

Driver::

niduly

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Hello, I uninstalled AVG, ran ComboFix and here is the log file.

Tim

ComboFix 10-01-02.01 - timo 01/02/2010 17:35:29.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.289 [GMT -7:00]

Running from: c:\documents and settings\timo\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\timo\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

file zipped: c:\windows\system32\drivers\niduly.sys

file zipped: c:\windows\SYSTEM32\fijiveni.dll

file zipped: c:\windows\system32\latesuti.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Install.txt

c:\windows\system32\drivers\niduly.sys

c:\windows\system32\fijiveni.dll

c:\windows\system32\latesuti.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NIDULY

-------\Service_niduly

((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))

.

2010-01-01 11:08 . 2010-01-01 11:08 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

2010-01-01 08:31 . 2010-01-01 08:31 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\AdobeUM

2010-01-01 08:28 . 2010-01-01 23:43 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe

2009-12-30 23:55 . 2009-12-30 23:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData

2009-12-24 04:27 . 2009-12-24 04:27 -------- d-----w- c:\program files\Trend Micro

2009-12-15 01:59 . 2009-12-15 01:59 185240 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\atgpcext.dll

2009-12-15 01:59 . 2009-12-15 01:59 28488 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\atgpcdec.dll

2009-12-15 01:59 . 2009-12-15 01:59 61848 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\npatgpc.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-02 23:41 . 2008-12-09 00:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater

2010-01-02 11:43 . 2008-10-23 09:00 -------- d-----w- c:\program files\PlayersOnly Poker

2009-12-26 03:24 . 2009-08-24 18:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-25 02:15 . 2004-08-04 12:00 14336 ------w- c:\windows\system32\svchost.exe

2009-12-20 04:55 . 2004-05-24 02:16 -------- d-----w- c:\program files\Google

2009-12-15 01:58 . 2007-12-31 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-08 03:54 . 2009-03-30 23:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-28 18:20 . 2009-11-27 14:38 79488 ----a-w- c:\documents and settings\timo\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-22 22:51 . 2007-07-26 06:04 -------- d-----w- c:\program files\PokerStars

2009-11-19 18:48 . 2009-11-26 11:33 872960 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2009-11-19 18:48 . 2009-11-26 11:33 43008 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2009-11-19 18:48 . 2009-11-26 11:33 340480 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2009-11-19 18:48 . 2009-11-26 11:33 346624 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2009-11-11 05:30 . 2007-12-09 20:42 -------- d-----w- c:\program files\UltimateBet

2009-10-29 07:46 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll

2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2009-10-21 06:00 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 14:58 . 2004-08-04 12:00 263552 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:53 . 2004-08-04 12:00 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54 . 2004-08-04 12:00 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54 . 2004-08-04 12:00 112128 ----a-w- c:\windows\system32\rastls.dll

.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys

[-] 2008-06-20 . 0B788EE2A876D7B31DF840C13F08CD2B . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys

[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys

[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys

[7] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[7] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys

[7] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[7] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys

[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-09 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-18 98304]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-22 136600]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

Wireless-G Notebook Adapter Utility.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2006-1-6 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CarbonPoker\\client.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundTimestampRequest"= 1 (0x1)

"AllowInboundMaskRequest"= 1 (0x1)

"AllowInboundRouterRequest"= 1 (0x1)

"AllowOutboundDestinationUnreachable"= 1 (0x1)

"AllowOutboundSourceQuench"= 1 (0x1)

"AllowOutboundParameterProblem"= 1 (0x1)

"AllowOutboundTimeExceeded"= 1 (0x1)

"AllowRedirect"= 1 (0x1)

"AllowOutboundPacketTooBig"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/30/2009 4:29 PM 108289]

S2 gupdate1c95c38217184e0;Google Update Service (gupdate1c95c38217184e0);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 2:00 AM 133104]

S3 ndisdrv;ndisdrv;c:\windows\SYSTEM32\ndisdrv.sys [8/4/2004 5:00 AM 2304]

S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\SYSTEM32\DRIVERS\TNET1130x.sys [1/6/2006 10:53 PM 385536]

.

Contents of the 'Scheduled Tasks' folder

2010-01-03 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-24 05:52]

2010-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 12:37]

2010-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 12:37]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

mWindow Title =

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnk

Trusted Zone: earthlink.net

Trusted Zone: microsoft.com\www

TCP: {6C87D285-3BF7-494D-914E-415E7D865DDA} = 193.104.110.38,4.2.2.1

TCP: {BD225C1D-C142-43E5-8B4B-EF3D3D22E534} = 193.104.110.38,4.2.2.1,192.168.0.1

FF - ProfilePath - c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-02 17:50

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)

c:\program files\Funk Software\Odyssey Client\odLogin.dll

- - - - - - - > 'explorer.exe'(2220)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\SCardSvr.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\program files\Linksys\Wireless-G Notebook Adapter\OdHost.exe

c:\program files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe

.

**************************************************************************

.

Completion time: 2010-01-02 17:59:52 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-03 00:59

ComboFix2.txt 2010-01-02 02:16

Pre-Run: 12,273,922,048 bytes free

Post-Run: 12,250,456,064 bytes free

- - End Of File - - 7166774F5CC564B7743F18A9AD12605F


  • Staff

Hi,

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

* Then, go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply and also let me know how things are now.


Hello Miekiemoes

I was not able to follow your instructions in your last post. My computer seemed to be running better; I was on the internet for a couple of hours, so I had shut it down for the night, but when I booted up the next day, I got that same antivirus message that I got originally on my screen before I got a desktop (it had gone away, the antivirus message). When I finally did get a desktop I could not get an internet connection. I tried to reboot it (sometimes that works when I can't get an internet connection), but now I just get a blue screen that says:

Page_Fault_In_Nonpaged_area

STOP: 0x0000007E (0xC0000005,0x81B64113 ,0xF899AB0, 0xF899A4AC )

I have tried to reboot in Safe Mode and Safe Mode with Networking but I get the same blue screen.

Page_fault_in_nonpaged_area

I am at a loss as to what happened or where to go from here.

I do appreciate your help

thanks

Bootanuts


  • Staff

Hi,

Looks like the malware already caused too much damage in the meantime, unfortunately. Cleaning the malware doesn't repair the damage.

After all, your computer was SEVERELY infected. I'm actually surprised it was still able to boot.

What I suggest here is a Windows repair install and see if that solves it. A Windows repair install won't delete your data:

http://michaelstevenstech.com/XPrepairinstall.htm


Hello,

I ran the diagnostics program from the boot menu; it passed. My computer booted, the desktop came back with the infected computer note and an Internet Security 2010 anti-virus program. The name of the virus is worm.win32.netsky. I ran HijackThis again and here's the log file. I did not run the Recovery Console.

Tim

Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdS7_0_0

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll

O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnk

O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnk

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\timo\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\timo\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)

O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\timo\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6C87D285-3BF7-494D-914E-415E7D865DDA}: NameServer = 193.104.110.38,4.2.2.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD225C1D-C142-43E5-8B4B-EF3D3D22E534}: NameServer = 193.104.110.38,4.2.2.1,192.168.0.1

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Google Update Service (gupdate1c95c38217184e0) (gupdate1c95c38217184e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

--

End of file - 7897 bytes

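For anyone triaging a log like the one above: an added Python helper, not code from this thread, from HijackThis or from Malwarebytes, that flags the three hijack patterns the HijackThis log and the later Malwarebytes report show (O17 NameServer entries outside the LAN and an operator allow-list, O10 unknown Winsock LSP modules, and O4 Run values named like an executable). The sample lines, the allow-lists and the rule names are my own constructed assumptions, modelled on the O4/O10/O17 lines of the log.

```python
import ipaddress
import re

# Constructed sample, modelled on the O4 / O10 / O17 lines of the HijackThis
# log in this thread (assumed input, not copied verbatim).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C87D285-3BF7-494D-914E-415E7D865DDA}: NameServer = 193.104.110.38,4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD225C1D-C142-43E5-8B4B-EF3D3D22E534}: NameServer = 192.168.0.1
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
EXE_RE = re.compile(r'"?(.*?\.exe)', re.IGNORECASE)

# Windows XP registers its own ctfmon.exe under a value name that is a file
# name, so that name is allow-listed (assumption); every other Run value
# shaped like "something.exe" is reported, as winupdate86.exe was here.
DEFAULT_RUN_ALLOW = frozenset({"ctfmon.exe"})


def resolver_is_expected(addr, allowed_resolvers):
    """A NameServer entry is expected if it is a private (LAN) address or on
    the operator's allow-list of public resolvers; anything else is flagged,
    which is how the 193.104.110.38 DNSChanger entry stands out."""
    if addr in allowed_resolvers:
        return True
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False  # not an IP address at all: treat as suspicious


def triage(log_text, allowed_resolvers=frozenset(), allowed_run_names=DEFAULT_RUN_ALLOW):
    """Return a list of (rule, detail) findings for the three patterns."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = DNS_RE.match(line)
        if m:
            for addr in (a.strip() for a in m.group(1).split(",")):
                if addr and not resolver_is_expected(addr, allowed_resolvers):
                    findings.append(("dns", addr))
            continue
        m = LSP_RE.match(line)
        if m:
            # Any LSP module HijackThis cannot identify deserves a look;
            # here it is the rogue's winhelper86.dll injected into Winsock.
            findings.append(("lsp", m.group(1).strip()))
            continue
        m = RUN_RE.match(line)
        if m:
            name, target = m.group(2), m.group(3)
            exe = EXE_RE.match(target)          # strip quotes and switches
            path = exe.group(1) if exe else target
            if name.lower().endswith(".exe") and name.lower() not in allowed_run_names:
                findings.append(("run", f"{name} -> {path}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG, allowed_resolvers={"4.2.2.1"}):
        print(f"[{rule}] {detail}")
```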

  • Staff

Hi,

Please install Malwarebytes, (newest version), but before you install, rename the mbam-setup.exe to firefox.exe

Then install.

Once installed, navigate to the C:\Program Files\Malwarebytes' anti-malware folder and locate mbam.exe in there. Rename it to firefox.exe as well and launch it in order to run the scan.

Post the Malwarebytes log in your next reply together with a new HijackThis log.


Hello,

I ran malware; my computer tried to reboot after malware was finished but the blue screen came back. Every time I tried to boot up, blue screen. Ran tests from the boot menu diagnostics page and my desktop came back without the infected computer message. Here are the logs from malware and HijackThis.

Tim

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

1/10/2010 8:21:10 AM

mbam-log-2010-01-10 (08-21-10).txt

Scan type: Full Scan (C:\|)

Objects scanned: 258400

Time elapsed: 7 hour(s), 40 minute(s), 34 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 6

Registry Data Items Infected: 12

Folders Infected: 1

Files Infected: 87

Memory Processes Infected:

C:\WINDOWS\SYSTEM32\winupdate86.exe (Trojan.FakeAlert) -> Unloaded process successfully.

C:\Program Files\InternetSecurity2010\IS2010.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\SYSTEM32\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon86.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon86.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\winlogon86.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6c87d285-3bf7-494d-914e-415e7d865dda}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd225c1d-c142-43e5-8b4b-ef3d3d22e534}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,192.168.0.1 -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\SYSTEM32\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\InternetSecurity2010\IS2010.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\timo\Local Settings\temp\pdfupd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\timo\Local Settings\Temporary Internet Files\Content.IE5\6LS9YWJM\update[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\uwlwfa.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\waxfhosk.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\6to4v32.dll.vir (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\AVR10.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\balineko.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\balomane.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bebewute.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\behubaza.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\BtwSrv.dll.vir (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bugeyumo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dagitufa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\difasadi.exe.vir (Rogue.Antivirus.Plus) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\diposeli.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\divitawu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\f6e2n486.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\FastNetSrv.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fijiveni.dll.vir (Malware.Trace) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fopelene.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\forefiyu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fulupufa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gudadamu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hinikafo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hitusoli.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\i14fh.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\Iasv32.dll.vir (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jisaleyu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kiganopo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kiloruho.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kumeweva.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kunobesi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kuvihube.exe.vir (Rogue.Antivirus.Plus) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lahesumo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\latesuti.dll.vir (Malware.Trace) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lsm32.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\midogiru.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gekeyego.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jegowibo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kiyituhe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nasijuye.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nifesuro.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nozigita.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\opeia.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pibahoju.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\robovoji.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rotirufe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ruginefo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ruwiraje.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sshnas.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\supekede.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tasasifu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\turejaka.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tuvikize.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\viweyeju.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon86.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winsts.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winupdate86.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wmdtc.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wn33q1f53.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\yelahihi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\zekuboli.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\niduly.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000025.dll (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000026.dll (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000035.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000180.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000125.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000168.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000170.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0000178.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0001178.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0001180.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B6C7BB8D-6EB8-4EE8-8605-0C76DD4586CE}\RP1\A0002178.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\FastNetSrv.exex (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\ndisdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\bwsb.gio (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\timo\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\timo\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Prefetch\SVCHOST.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:45:49 PM, on 1/12/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe

C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdS7_0_0

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll

O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnk

O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnk

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\timo\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\timo\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)

O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\timo\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Google Update Service (gupdate1c95c38217184e0) (gupdate1c95c38217184e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

--

End of file - 7115 bytes


Hello,

I ran ComboFix, here's the log file.

Tim

ComboFix 10-01-15.01 - timo 01/15/2010 23:31:19.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.295 [GMT -7:00]

Running from: c:\documents and settings\timo\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\timo\Desktop\Internet Security 2010.lnk

c:\windows\system32\10291.exe

c:\windows\system32\10383.exe

c:\windows\system32\11020.exe

c:\windows\system32\11323.exe

c:\windows\system32\11337.exe

c:\windows\system32\11478.exe

c:\windows\system32\1150.exe

c:\windows\system32\11538.exe

c:\windows\system32\11840.exe

c:\windows\system32\11942.exe

c:\windows\system32\12052.exe

c:\windows\system32\12287.exe

c:\windows\system32\12316.exe

c:\windows\system32\12382.exe

c:\windows\system32\12623.exe

c:\windows\system32\12859.exe

c:\windows\system32\13030.exe

c:\windows\system32\13290.exe

c:\windows\system32\13931.exe

c:\windows\system32\13966.exe

c:\windows\system32\13977.exe

c:\windows\system32\14604.exe

c:\windows\system32\14771.exe

c:\windows\system32\14893.exe

c:\windows\system32\14945.exe

c:\windows\system32\15006.exe

c:\windows\system32\15141.exe

c:\windows\system32\153.exe

c:\windows\system32\15350.exe

c:\windows\system32\15457.exe

c:\windows\system32\15573.exe

c:\windows\system32\15574.exe

c:\windows\system32\15724.exe

c:\windows\system32\15890.exe

c:\windows\system32\16118.exe

c:\windows\system32\16413.exe

c:\windows\system32\16512.exe

c:\windows\system32\16541.exe

c:\windows\system32\1655.exe

c:\windows\system32\16827.exe

c:\windows\system32\16941.exe

c:\windows\system32\16944.exe

c:\windows\system32\17035.exe

c:\windows\system32\17410.exe

c:\windows\system32\17421.exe

c:\windows\system32\17673.exe

c:\windows\system32\18007.exe

c:\windows\system32\18127.exe

c:\windows\system32\1842.exe

c:\windows\system32\18467.exe

c:\windows\system32\18588.exe

c:\windows\system32\18636.exe

c:\windows\system32\1869.exe

c:\windows\system32\18716.exe

c:\windows\system32\18756.exe

c:\windows\system32\18762.exe

c:\windows\system32\19072.exe

c:\windows\system32\19169.exe

c:\windows\system32\19264.exe

c:\windows\system32\19629.exe

c:\windows\system32\19668.exe

c:\windows\system32\19718.exe

c:\windows\system32\19895.exe

c:\windows\system32\19912.exe

c:\windows\system32\19954.exe

c:\windows\system32\1999.exe

c:\windows\system32\20037.exe

c:\windows\system32\20537.exe

c:\windows\system32\2082.exe

c:\windows\system32\21538.exe

c:\windows\system32\21548.exe

c:\windows\system32\21724.exe

c:\windows\system32\21726.exe

c:\windows\system32\22190.exe

c:\windows\system32\22355.exe

c:\windows\system32\22386.exe

c:\windows\system32\22648.exe

c:\windows\system32\22704.exe

c:\windows\system32\22929.exe

c:\windows\system32\2306.exe

c:\windows\system32\23199.exe

c:\windows\system32\23281.exe

c:\windows\system32\23655.exe

c:\windows\system32\23805.exe

c:\windows\system32\23811.exe

c:\windows\system32\23986.exe

c:\windows\system32\24021.exe

c:\windows\system32\24084.exe

c:\windows\system32\24221.exe

c:\windows\system32\24350.exe

c:\windows\system32\24393.exe

c:\windows\system32\24464.exe

c:\windows\system32\24484.exe

c:\windows\system32\24626.exe

c:\windows\system32\24767.exe

c:\windows\system32\24946.exe

c:\windows\system32\25547.exe

c:\windows\system32\25667.exe

c:\windows\system32\26299.exe

c:\windows\system32\26308.exe

c:\windows\system32\26418.exe

c:\windows\system32\26500.exe

c:\windows\system32\26777.exe

c:\windows\system32\26924.exe

c:\windows\system32\26962.exe

c:\windows\system32\27348.exe

c:\windows\system32\27350.exe

c:\windows\system32\27446.exe

c:\windows\system32\27506.exe

c:\windows\system32\27529.exe

c:\windows\system32\27595.exe

c:\windows\system32\27624.exe

c:\windows\system32\27644.exe

c:\windows\system32\27753.exe

c:\windows\system32\27938.exe

c:\windows\system32\28145.exe

c:\windows\system32\28253.exe

c:\windows\system32\28703.exe

c:\windows\system32\28745.exe

c:\windows\system32\288.exe

c:\windows\system32\29168.exe

c:\windows\system32\292.exe

c:\windows\system32\29358.exe

c:\windows\system32\29658.exe

c:\windows\system32\2995.exe

c:\windows\system32\30106.exe

c:\windows\system32\30191.exe

c:\windows\system32\30333.exe

c:\windows\system32\3035.exe

c:\windows\system32\30836.exe

c:\windows\system32\31101.exe

c:\windows\system32\31107.exe

c:\windows\system32\31115.exe

c:\windows\system32\31322.exe

c:\windows\system32\31673.exe

c:\windows\system32\32209.exe

c:\windows\system32\32391.exe

c:\windows\system32\32439.exe

c:\windows\system32\32591.exe

c:\windows\system32\32662.exe

c:\windows\system32\32757.exe

c:\windows\system32\3430.exe

c:\windows\system32\3548.exe

c:\windows\system32\3602.exe

c:\windows\system32\3728.exe

c:\windows\system32\3788.exe

c:\windows\system32\3902.exe

c:\windows\system32\4031.exe

c:\windows\system32\4041.exe

c:\windows\system32\4596.exe

c:\windows\system32\4639.exe

c:\windows\system32\4664.exe

c:\windows\system32\467.exe

c:\windows\system32\4734.exe

c:\windows\system32\4827.exe

c:\windows\system32\4833.exe

c:\windows\system32\491.exe

c:\windows\system32\4966.exe

c:\windows\system32\5021.exe

c:\windows\system32\5097.exe

c:\windows\system32\53.exe

c:\windows\system32\5436.exe

c:\windows\system32\5447.exe

c:\windows\system32\5537.exe

c:\windows\system32\5705.exe

c:\windows\system32\5829.exe

c:\windows\system32\6270.exe

c:\windows\system32\6334.exe

c:\windows\system32\6359.exe

c:\windows\system32\6422.exe

c:\windows\system32\6483.exe

c:\windows\system32\6868.exe

c:\windows\system32\6900.exe

c:\windows\system32\7376.exe

c:\windows\system32\7711.exe

c:\windows\system32\778.exe

c:\windows\system32\8281.exe

c:\windows\system32\8723.exe

c:\windows\system32\8909.exe

c:\windows\system32\8942.exe

c:\windows\system32\900.exe

c:\windows\system32\9040.exe

c:\windows\system32\9161.exe

c:\windows\system32\9374.exe

c:\windows\system32\9741.exe

c:\windows\system32\9758.exe

c:\windows\system32\9894.exe

c:\windows\system32\9930.exe

c:\windows\system32\9961.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it ;)

.

((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))

.

2010-01-10 06:48 . 2010-01-10 06:48 -------- d-----w- c:\documents and settings\timo\Application Data\Malwarebytes

2010-01-10 06:48 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-10 06:48 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-10 06:48 . 2010-01-10 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-03 03:05 . 2010-01-03 03:05 -------- d-----w- C:\spoolerlogs

2010-01-01 11:08 . 2010-01-01 11:08 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

2010-01-01 08:31 . 2010-01-01 08:31 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\AdobeUM

2010-01-01 08:28 . 2010-01-01 23:43 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe

2009-12-30 23:55 . 2009-12-30 23:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData

2009-12-24 04:27 . 2009-12-24 04:27 -------- d-----w- c:\program files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-16 03:37 . 2008-12-09 00:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater

2010-01-16 03:17 . 2008-10-23 09:00 -------- d-----w- c:\program files\PlayersOnly Poker

2010-01-10 14:28 . 2004-08-04 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-01-10 01:15 . 2007-12-31 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-04 03:22 . 2006-01-04 13:12 90112 ----a-w- c:\windows\DUMP5461.tmp

2009-12-25 02:15 . 2004-08-04 12:00 14336 ------w- c:\windows\system32\svchost.exe

2009-12-20 04:55 . 2004-05-24 02:16 -------- d-----w- c:\program files\Google

2009-12-15 01:59 . 2009-12-15 01:59 185240 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\atgpcext.dll

2009-12-15 01:59 . 2009-12-15 01:59 28488 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\atgpcdec.dll

2009-12-15 01:59 . 2009-12-15 01:59 61848 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\plugins\npatgpc.dll

2009-12-08 03:54 . 2009-03-30 23:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-28 18:20 . 2009-11-27 14:38 79488 ----a-w- c:\documents and settings\timo\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-22 22:51 . 2007-07-26 06:04 -------- d-----w- c:\program files\PokerStars

2009-11-19 18:48 . 2009-11-26 11:33 872960 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2009-11-19 18:48 . 2009-11-26 11:33 43008 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2009-11-19 18:48 . 2009-11-26 11:33 340480 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2009-11-19 18:48 . 2009-11-26 11:33 346624 ----a-w- c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2009-10-29 07:46 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll

2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2009-10-21 06:00 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 14:58 . 2004-08-04 12:00 263552 ----a-w- c:\windows\system32\drivers\http.sys

.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys

[-] 2008-06-20 . 0B788EE2A876D7B31DF840C13F08CD2B . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys

[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys

[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys

[7] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[7] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys

[7] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[7] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys

[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-09 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-18 98304]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-22 136600]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

Wireless-G Notebook Adapter Utility.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2006-1-6 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CarbonPoker\\client.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundTimestampRequest"= 1 (0x1)

"AllowInboundMaskRequest"= 1 (0x1)

"AllowInboundRouterRequest"= 1 (0x1)

"AllowOutboundDestinationUnreachable"= 1 (0x1)

"AllowOutboundSourceQuench"= 1 (0x1)

"AllowOutboundParameterProblem"= 1 (0x1)

"AllowOutboundTimeExceeded"= 1 (0x1)

"AllowRedirect"= 1 (0x1)

"AllowOutboundPacketTooBig"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/30/2009 4:29 PM 108289]

S0 dexn;dexn;c:\windows\system32\drivers\rbyqgm.sys --> c:\windows\system32\drivers\rbyqgm.sys [?]

S2 gupdate1c95c38217184e0;Google Update Service (gupdate1c95c38217184e0);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 2:00 AM 133104]

S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]

S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\SYSTEM32\DRIVERS\TNET1130x.sys [1/6/2006 10:53 PM 385536]

.

Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-24 05:52]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 12:37]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 12:37]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

mWindow Title =

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\timo\Start Menu\Programs\UltimateBet\UltimateBet.lnk

Trusted Zone: earthlink.net

Trusted Zone: microsoft.com\www

FF - ProfilePath - c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\timo\Application Data\Mozilla\Firefox\Profiles\joruknh6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\documents and settings\timo\Application Data\Mozilla\plugins\npatgpc.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-15 23:48

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1244)

c:\program files\Funk Software\Odyssey Client\odLogin.dll

- - - - - - - > 'explorer.exe'(992)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\SCardSvr.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\program files\Linksys\Wireless-G Notebook Adapter\OdHost.exe

c:\program files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe

.

**************************************************************************

.

Completion time: 2010-01-15 23:58:43 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-16 06:58

ComboFix2.txt 2010-01-03 00:59

ComboFix3.txt 2010-01-02 02:16

Pre-Run: 12,004,196,352 bytes free

Post-Run: 11,980,881,920 bytes free

- - End Of File - - 288400034CCF1D505B1C5EF3D64FDF72


  • Staff

Hi,

Go to Start > Run and copy and paste the next command in the field:

sc delete dexn

Hit Enter.

Then go to Start > Run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and /

Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

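The `sc delete dexn` step in the reply above removes a service whose driver file is gone: the ComboFix log lists it as `S0 dexn;dexn;c:\windows\system32\drivers\rbyqgm.sys --> ... [?]`, a boot-start driver entry pointing at a file that no longer exists. As an added example, not code from this thread, from ComboFix or from Malwarebytes, here is a small Python parser that reads the service lines of a ComboFix log, flags entries whose image file is reported missing (`[?]`), orders boot/system-start drivers first, and lists the `sc delete` commands a helper would review. The column meanings (R/S = running/stopped, digit = start type, `[?]` = file not found) are assumptions drawn from the lines in the log above; the sample lines are copied from that log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Service lines copied from the "Reg Loading Points" section of the ComboFix
# log above. ComboFix prints one service per line as
#   <R|S><start type> name;display name;image path [date size]
# and appends " --> <path> [?]" when the image file cannot be found on disk.
# These column meanings are an assumption drawn from the log, not ComboFix docs.
SAMPLE_LOG = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/30/2009 4:29 PM 108289]
S0 dexn;dexn;c:\windows\system32\drivers\rbyqgm.sys --> c:\windows\system32\drivers\rbyqgm.sys [?]
S2 gupdate1c95c38217184e0;Google Update Service (gupdate1c95c38217184e0);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 2:00 AM 133104]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\SYSTEM32\DRIVERS\TNET1130x.sys [1/6/2006 10:53 PM 385536]
"""

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# state letter, start-type digit, service name, display name, remainder of line
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
TRAILING_STAMP_RE = re.compile(r"\s*\[[^\]]*\]\s*$")  # " [date size]" or " [?]"


@dataclass
class ServiceEntry:
    name: str
    display: str
    image_path: str
    state: str        # "running" or "stopped"
    start_type: str   # boot / system / auto / manual / disabled
    file_missing: bool


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service line; return None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    rest = rest.strip()
    file_missing = rest.endswith("[?]")
    # Text before " --> " is the registered ImagePath; after it ComboFix
    # repeats the path it resolved and failed to find.
    path = rest.split(" --> ", 1)[0]
    path = TRAILING_STAMP_RE.sub("", path).strip()
    if path.startswith("\\??\\"):  # NT object-manager prefix, not part of the file path
        path = path[4:]
    return ServiceEntry(
        name=name.strip(),
        display=display.strip(),
        image_path=path,
        state="running" if state == "R" else "stopped",
        start_type=START_TYPES[start],
        file_missing=file_missing,
    )


def orphaned_services(log_text: str) -> List[ServiceEntry]:
    """Entries whose image file ComboFix could not find, boot/system-start
    drivers first: an orphaned kernel driver entry is the first thing a
    cleanup looks at, because it is loaded before any user-mode protection."""
    entries = [e for e in map(parse_service_line, log_text.splitlines()) if e]
    orphans = [e for e in entries if e.file_missing]
    order = ["boot", "system", "auto", "manual", "disabled"]
    return sorted(orphans, key=lambda e: order.index(e.start_type))


def sc_delete_commands(entries: List[ServiceEntry]) -> List[str]:
    """Start > Run commands for the orphaned entries, for a helper to review."""
    return [f"sc delete {e.name}" for e in entries]


if __name__ == "__main__":
    for e in orphaned_services(SAMPLE_LOG):
        print(f"{e.name:12} {e.start_type:7} {e.state:8} missing: {e.image_path}")
    print("\n".join(sc_delete_commands(orphaned_services(SAMPLE_LOG))))
```

On the sample lines this reports `dexn` (boot start, file missing) first and `ndisdrv` second; the Malwarebytes log earlier in the thread shows `ndisdrv.sys` already quarantined, so that entry is a leftover registration rather than a live driver. The script only prints the commands; deciding which entries to remove stays with the person reading the log.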

  • Staff

Good to hear. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
