Trojan.Agent problem


This is basically a continuation of this thread. Below are the results of following the instructions I was pointed to.

I ran MBAM and got the same three Trojan.Agent registry keys reported before.

Ran a full scan with AVG 9.0. It didn't find anything (although it had found and removed 4 things when I'd run it the day before).

Disabled using Defogger. No problems.

Ran DDS. The logs are below.

Tried to run GMER several times, and it always either hung the computer or caused it to reboot after a while, although I didn't see anything on the screen while it was running that was obviously malware.

Ran RootkitRevealer instead. The log is below.

Then I tried running MBAM and now I'm getting Error code: 730 (0, 0) on startup. I went through the whole uninstall, reboot, run mbam-clean, reboot, reinstall sequence (twice, in fact) and I'm still getting the error code. I had hoped to report whether any of the Trojan.Agent hits had been removed, but haven't been able to get it to run, though I can still see them in regedit. So now, in addition to trying to remove those keys, there is the matter of getting MBAM working on this machine again.

I have not run defogger enable yet.

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 22:13:47.79 on Thu 03/18/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_01

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.181 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\cyb2k.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>;localhost

BHO: MRI_DISABLED - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: {4c8d65d0-fddd-48d8-b59c-ba2d9bdc12d8} - c:\windows\system32\ci.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll

TB: hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [C2K] c:\windows\cyb2k.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpcent~2.lnk - c:\program files\hp center\137903\shadow\ShadowBar.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpcent~1.lnk - c:\program files\hp center\137903\program\BackWeb-137903.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\marketbrowser\lmt\MarketBrowser_Launch.xpy

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

LSP: c:\windows\system32\lspcs.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\m9k2su9g.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 fnxpkfjn;fnxpkfjn;c:\windows\system32\drivers\phbzraad.dat --> c:\windows\system32\drivers\phbzraad.dat [?]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-15 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-17 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-17 29512]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-17 242696]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]

=============== Created Last 30 ================

2010-03-19 03:00:38 0 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-03-18 03:37:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-18 03:37:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-18 03:37:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-18 03:06:13 0 d-sh--w- C:\found.000

2010-03-17 06:35:20 0 d--h--w- C:\$AVG

2010-03-17 06:03:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-17 06:03:42 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-17 06:03:42 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-17 06:03:19 0 d-----w- c:\windows\system32\drivers\Avg

2010-03-17 06:03:00 0 d-----w- c:\program files\AVG

2010-03-17 06:03:00 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-03-17 02:53:25 0 d-sha-r- C:\cmdcons

2010-03-17 02:53:23 0 d-----w- c:\windows\setup.pss

2010-03-17 02:53:03 0 d-----w- c:\windows\setupupd

2010-03-16 03:18:51 98816 ----a-w- c:\windows\sed.exe

2010-03-16 03:18:51 77312 ----a-w- c:\windows\MBR.exe

2010-03-16 03:18:51 261632 ----a-w- c:\windows\PEV.exe

2010-03-16 03:18:51 161792 ----a-w- c:\windows\SWREG.exe

2010-03-15 08:02:51 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-15 06:03:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-03-15 06:02:59 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-15 05:54:36 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-15 03:29:01 0 d-----w- c:\program files\SysInternals

2010-03-14 23:42:04 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-03-14 23:37:02 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes

==================== Find3M ====================

2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll

2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll

2004-11-30 00:05:18 22 ----a-w- c:\program files\Profmine.zip

2009-02-05 02:01:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020420090205\index.dat

============= FINISH: 22:16:57.46 ===============

Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 2/3/2006 5:29:24 PM

System Uptime: 3/18/2010 10:07:16 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | A7N8X-LA

Processor: AMD Athlon XP 2600+ | CPU 1 | 2130/133mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 70 GiB total, 40.412 GiB free.

D: is FIXED (FAT32) - 4 GiB total, 0.738 GiB free.

E: is CDROM ()

F: is CDROM ()

G: is Removable

H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 3/15/2010 11:03:26 PM - System Checkpoint

RP2: 3/16/2010 1:35:32 AM - Spybot-S&D Spyware removal

RP3: 3/17/2010 6:43:09 PM - Avg Update

RP4: 3/18/2010 9:07:28 PM - System Checkpoint

==== Installed Programs ======================

32 Bit HP CIO Components Installer

Ad-Aware

Ad-Aware Email Scanner for Outlook

Adobe Flash Player 10 Plugin

Adobe Reader 7.1.0

Adobe Shockwave Player

Adobe

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

As discussed in the previous thread, I ran Combofix earlier (it was after MBAM had detected and failed to remove the Trojan.Agent keys); can I just repost that log? Haven't run HijackThis yet but will do so.

Yes please post its log.

Please also update MBAM, run a Quick Scan, and post its log.

MBAM aborts on startup, giving Error code: 730 (0, 0).

I've already tried uninstalling it, rebooting, running mbam-clean, rebooting, reinstalling, retrying. Same result.

I'm heading for bed now but I'll have the ComboFix and HijackThis logs tomorrow.

What the heck, I can't sleep, so here are the logs.

As noted, the ComboFix log is a little over three days old. The only significant change I can think of since I last ran it was installing AVG 9.0. I could rerun it if you'd rather see the results of a more current run. The HijackThis log is from a few minutes ago.

NOW I'm going to sleep again and will respond to any additional requests tomorrow.

Combofix.txt:

ComboFix 10-03-16.03 - Owner 03/16/2010 21:58:33.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.191 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))

.

2010-03-16 05:19 . 2010-03-16 05:19 -------- d-----w- c:\documents and settings\Administrator.YOUR-RVLNHR6V8D\Application Data\Malwarebytes

2010-03-15 08:02 . 2010-03-15 06:02 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-15 06:03 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-03-15 06:02 . 2010-03-15 06:02 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-15 06:01 . 2010-03-15 06:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-03-15 05:56 . 2010-03-15 06:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

2010-03-15 05:54 . 2010-03-15 05:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-15 03:29 . 2010-03-15 03:29 -------- d-----w- c:\program files\SysInternals

2010-03-14 23:42 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-03-14 23:37 . 2010-03-14 23:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-17 02:41 . 2003-02-21 16:33 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-03-17 02:25 . 2003-07-27 03:55 22 ----a-w- c:\windows\liccyval.dat

2010-03-17 02:20 . 2003-02-21 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-03-17 02:19 . 2008-11-05 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData

2010-03-17 02:17 . 2007-03-02 00:31 -------- d-----w- c:\program files\Google

2010-03-16 06:05 . 2004-09-10 01:35 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-16 05:48 . 2004-09-10 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-16 04:37 . 2010-01-10 19:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-16 04:36 . 2010-03-16 04:36 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-15 05:55 . 2004-09-08 00:41 -------- d-----w- c:\program files\Lavasoft

2010-03-14 23:43 . 2010-03-14 23:43 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe

2010-02-04 15:53 . 2010-03-15 05:54 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-01-07 21:07 . 2010-01-10 19:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07 . 2010-01-10 19:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-05 10:00 . 2003-02-05 12:07 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2003-02-05 12:23 17408 ------w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2003-02-05 12:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2004-11-30 00:05 . 2004-11-30 00:03 22 ----a-w- c:\program files\Profmine.zip

2008-09-10 19:49 . 2008-09-10 19:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

2007-08-25 16:19 . 2007-08-25 16:19 1255234 --sha-w- c:\windows\system32\ducpbqqe.tmp

2007-08-14 22:15 . 2007-08-14 22:15 1233793 --sha-w- c:\windows\system32\dyqerdty.tmp

2007-04-13 22:31 . 2007-04-13 22:31 1624700 --sha-w- c:\windows\system32\qeputgte.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2008-07-17 23:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C8D65D0-FDDD-48D8-B59C-BA2D9BDC12D8}]

c:\windows\system32\ci.dll [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"C2K"="c:\windows\cyb2k.exe" [2006-02-08 3067392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

hp center UI.lnk - c:\program files\hp center\137903\Shadow\ShadowBar.exe [2003-2-20 69632]

hp center.lnk - c:\program files\hp center\137903\Program\BackWeb-137903.exe [2003-2-20 16384]

HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk

backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk

backup=c:\windows\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk

backup=c:\windows\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk

backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk

backup=c:\windows\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OZ-290_ZQ-290II Synchronization Software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OZ-290_ZQ-290II Synchronization Software.lnk

backup=c:\windows\pss\OZ-290_ZQ-290II Synchronization Software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-07 05:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C2K]

2006-02-08 21:02 3067392 ----a-w- c:\windows\Cyb2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]

2002-10-07 06:23 90112 ----a-w- c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2002-10-16 14:05 114688 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

2002-11-22 19:49 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]

2002-11-22 19:50 49152 ----a-w- c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

1998-05-08 00:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

2001-07-07 04:56 61440 ----a-w- c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

2004-09-23 00:20 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2002-09-10 06:35 372736 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]

2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-09-01 00:05 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

2003-01-11 09:47 315392 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2002-04-18 01:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]

2002-06-18 15:01 155648 ----a-w- c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2007-03-14 08:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]

2008-01-29 23:38 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2006-12-30 16:18 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]

2002-11-27 01:14 131072 ----a-w- c:\program files\Coloreal\COLOREAL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]

2002-12-07 05:25 20539 ----a-w- c:\program files\Zero Knowledge\Freedom\AutoStarterR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=2 (0x2)

"Pml Driver HPH11"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Cyb2k.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15986:TCP"= 15986:TCP:NortonAV

"13394:TCP"= 13394:TCP:NortonAV

"15091:TCP"= 15091:TCP:NortonAV

"15797:TCP"= 15797:TCP:NortonAV

"16129:TCP"= 16129:TCP:NortonAV

"15115:TCP"= 15115:TCP:NortonAV

"17695:TCP"= 17695:TCP:NortonAV

"17362:TCP"= 17362:TCP:NortonAV

"14021:TCP"= 14021:TCP:NortonAV

"15926:TCP"= 15926:TCP:NortonAV

"17294:TCP"= 17294:TCP:NortonAV

"13465:TCP"= 13465:TCP:NortonAV

"14388:TCP"= 14388:TCP:NortonAV

"13967:TCP"= 13967:TCP:NortonAV

"16406:TCP"= 16406:TCP:NortonAV

"12830:TCP"= 12830:TCP:NortonAV

"13874:TCP"= 13874:TCP:NortonAV

"16024:TCP"= 16024:TCP:NortonAV

"13844:TCP"= 13844:TCP:NortonAV

"17827:TCP"= 17827:TCP:NortonAV

"16022:TCP"= 16022:TCP:NortonAV

"17113:TCP"= 17113:TCP:NortonAV

"15416:TCP"= 15416:TCP:NortonAV

"15328:TCP"= 15328:TCP:NortonAV

"18575:TCP"= 18575:TCP:NortonAV

"18870:TCP"= 18870:TCP:NortonAV

"16921:TCP"= 16921:TCP:NortonAV

"17537:TCP"= 17537:TCP:NortonAV

"13872:TCP"= 13872:TCP:NortonAV

"18773:TCP"= 18773:TCP:NortonAV

"17522:TCP"= 17522:TCP:NortonAV

"18196:TCP"= 18196:TCP:NortonAV

"17072:TCP"= 17072:TCP:NortonAV

"18140:TCP"= 18140:TCP:NortonAV

"13352:TCP"= 13352:TCP:NortonAV

"12905:TCP"= 12905:TCP:NortonAV

"18476:TCP"= 18476:TCP:NortonAV

"17062:TCP"= 17062:TCP:NortonAV

"17181:TCP"= 17181:TCP:NortonAV

"16220:TCP"= 16220:TCP:NortonAV

"16115:TCP"= 16115:TCP:NortonAV

"17075:TCP"= 17075:TCP:NortonAV

"18641:TCP"= 18641:TCP:NortonAV

"12365:TCP"= 12365:TCP:NortonAV

"14353:TCP"= 14353:TCP:NortonAV

"16214:TCP"= 16214:TCP:NortonAV

"14931:TCP"= 14931:TCP:NortonAV

"12112:TCP"= 12112:TCP:NortonAV

"13103:TCP"= 13103:TCP:NortonAV

"18951:TCP"= 18951:TCP:NortonAV

"14965:TCP"= 14965:TCP:NortonAV

"15730:TCP"= 15730:TCP:NortonAV

"13087:TCP"= 13087:TCP:NortonAV

"12820:TCP"= 12820:TCP:NortonAV

"15577:TCP"= 15577:TCP:NortonAV

R0 fnxpkfjn;fnxpkfjn;c:\windows\system32\drivers\phbzraad.dat --> c:\windows\system32\drivers\phbzraad.dat [?]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/15/2010 1:03 AM 64288]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/15/2010 12:56 AM 135664]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1229232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 06:02]

2008-04-17 c:\windows\Tasks\easy Internet sign-up.job

- c:\program files\Hewlett-Packard\EZ Internet Signup\HPSdpApp.exe [2003-02-20 05:10]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 05:55]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 05:55]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>;localhost

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

LSP: c:\windows\system32\lspcs.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m9k2su9g.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/

FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, true);.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-16 22:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fnxpkfjn]

"ImagePath"="system32\drivers\phbzraad.dat"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1116)

c:\windows\system32\lspcs.dll

- - - - - - - > 'explorer.exe'(3468)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-03-16 22:21:04

ComboFix-quarantined-files.txt 2010-03-17 03:21

ComboFix2.txt 2010-03-16 04:32

Pre-Run: 43,040,763,904 bytes free

Post-Run: 43,031,441,408 bytes free

- - End Of File - - 102C18DE77B2C4F917EA448E50358C1A

hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 02:36:02, on 3/20/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16981)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\cyb2k.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: (no name) - MRI_DISABLED - (no file)

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: (no name) - {4C8D65D0-FDDD-48D8-B59C-BA2D9BDC12D8} - C:\WINDOWS\system32\ci.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [C2K] C:\WINDOWS\cyb2k.exe

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: AutorunsDisabled

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--

End of file - 5186 bytes


Hi,

There is evidence of malware here.

Before we continue, please go to VirusTotal, and upload the following file for analysis:

c:\windows\cyb2k.exe

Post the results in your reply.

-screen317

(I'm about 99% sure that file is part of CyberSitter, although if it's been altered/corrupted, all bets are off...)

File has already been analysed:

MD5: b22e82990e1abcccdf5ecfc01578c6ed

First received: 2008.11.29 09:02:59 UTC

Date: 2008.11.29 09:02:59 UTC [>475D]

Results: 1/37

Permalink: analisis/6877802a3dd9e5b78efee643645d58999b3b948abaec9e8fd667cb2849d0e8ed-1227949379



Just wanted to make sure; thanks for confirming that.

First, I see the Ask Toolbar in your log.

I strongly recommend you remove Ask Toolbar from your computer because:

  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • It makes confusing changes to user's browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com here

To remove it:

Click Start-->Control Panel-->Programs and Features

Click on the program name AskBarDis to highlight it

From the menu at the top, select Uninstall or Remove.

Please reboot the computer.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::

fnxpkfjn

KILLALL::

File::

c:\windows\liccyval.dat

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C8D65D0-FDDD-48D8-B59C-BA2D9BDC12D8}]

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-screen317

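As an added example that is not part of this thread or of any of the tools it mentions (DDS, ComboFix, HijackThis), the Python script below applies the checks a helper makes by eye on logs like the ones posted here: a driver whose image is not a .sys file (fnxpkfjn pointing at phbzraad.dat), a proxy at the loopback address (127.0.0.1:5555), a Browser Helper Object whose DLL is missing, and hidden+system .tmp files under system32. The sample lines are constructed from the line formats in the posted logs; the rule names and the parsing regexes are my own assumptions about those formats.

```python
"""Triage helper for DDS/ComboFix/HijackThis style log lines.

Added example, not part of the original thread or of the tools it mentions.
It encodes the checks the helper applied when building the CFScript above.
"""
import re

# Constructed sample, copied from the line formats posted in the thread.
SAMPLE_LOG = r"""
R0 fnxpkfjn;fnxpkfjn;c:\windows\system32\drivers\phbzraad.dat --> c:\windows\system32\drivers\phbzraad.dat [?]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/15/2010 1:03 AM 64288]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/15/2010 12:56 AM 135664]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: (no name) - {4C8D65D0-FDDD-48D8-B59C-BA2D9BDC12D8} - C:\WINDOWS\system32\ci.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
2007-08-25 16:19 . 2007-08-25 16:19 1255234 --sha-w- c:\windows\system32\ducpbqqe.tmp
2010-01-05 10:00 . 2003-02-05 12:07 832512 ------w- c:\windows\system32\wininet.dll
2010-03-20 07:33 . 2010-03-20 07:33 -------- d-----w- c:\program files\Trend Micro
"""

# DDS/ComboFix service line: "R0 name;display name;path [date time size]"
# or "R0 name;display name;path --> path [?]" when the file cannot be read.
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)(?: -->| \[)")
# Matches both the DDS "uInternet Settings,ProxyServer = ..." form and the
# HijackThis "R1 - HKCU\...\Internet Settings,ProxyServer = ..." form.
PROXY_RE = re.compile(r"ProxyServer = (?P<value>.+)$")
# HijackThis O2 line: "O2 - BHO: name - {CLSID} - path [(file missing)]"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<rest>.+)$")
# ComboFix file listing: "<mtime> . <ctime> <size or dashes> <attrs> <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} +(?:\d+|-+) "
    r"(?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
LOOPBACK = ("127.0.0.1", "localhost")


def check_service(line):
    """Flag a kernel driver/service whose image is not a .sys/.exe, or is unreadable."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    path = m.group("path").lower()
    if not path.endswith((".sys", ".exe")):
        return ("driver-image-not-sys", m.group("name"), path)
    if line.rstrip().endswith("[?]"):
        return ("driver-image-unreadable", m.group("name"), path)
    return None


def check_proxy(line):
    """Flag a browser proxy that routes traffic through a process on this machine."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    value = m.group("value").strip()
    # "http=127.0.0.1:5555" -> host "127.0.0.1"
    host = value.split("=", 1)[-1].split(":", 1)[0].lower()
    if host in LOOPBACK:
        return ("loopback-proxy", host, value)
    return None


def check_bho(line):
    """Flag a Browser Helper Object registration with no name or no backing DLL."""
    m = BHO_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if "(file missing)" in rest or m.group("name") == "(no name)":
        return ("orphan-bho", m.group("clsid"), rest)
    return None


def check_file(line):
    """Flag hidden+system .tmp files sitting in system32 (not directories)."""
    m = FILE_RE.match(line)
    if not m:
        return None
    attrs, path = m.group("attrs"), m.group("path").lower()
    is_dir = attrs.startswith("d")
    hidden_system = "s" in attrs and "h" in attrs
    if not is_dir and hidden_system and path.endswith(".tmp") and "\\system32\\" in path:
        return ("hidden-system-tmp", attrs, path)
    return None


CHECKS = (check_service, check_proxy, check_bho, check_file)


def triage(log_text):
    """Return a list of (rule, key, detail) findings, at most one per log line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for check in CHECKS:
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


if __name__ == "__main__":
    for rule, key, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {key:42} {detail}")
```

The findings on the sample are exactly the three items the CFScript above targets plus the .tmp files the poster asked about; legitimate entries (Lbd.sys, GoogleUpdate.exe, the Adobe BHO, wininet.dll) produce no finding.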

Regarding Ask Toolbar, I see that in the three-day-old Combofix log I had posted above, and it turns out I had already spotted that one and removed it (but if you see any evidence of it still lurking in any other or forthcoming logs, please let me know). Also I'm guessing that Start-->Control Panel-->Programs and Features is the Vista or Win 7 equivalent of Start-->Control Panel-->Add or Remove Programs on Win XP.

Anyhow, the logs are below. I'm suspicious of the three .tmp files in c:\windows\system32\ (although the file dates, if they haven't been tampered with, suggest they may be leftovers from old infections). Also, please let me know if the MBAM-related entries suggest why I'm getting the 730 error.

ComboFix.txt:

ComboFix 10-03-19.08 - Owner 03/20/2010 12:26:09.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.129 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\windows\liccyval.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\liccyval.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FNXPKFJN

-------\Service_fnxpkfjn

((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))

.

2010-03-20 07:33 . 2010-03-20 07:33 -------- d-----w- c:\program files\Trend Micro

2010-03-20 02:29 . 2010-03-20 02:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-03-20 02:28 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-20 02:27 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-20 02:27 . 2010-03-20 02:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-20 01:18 . 2010-03-20 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-17 06:35 . 2010-03-17 06:35 -------- d-----w- C:\$AVG

2010-03-17 06:03 . 2010-03-17 06:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-17 06:03 . 2010-03-17 06:03 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-17 06:03 . 2010-03-17 06:03 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-17 06:03 . 2010-03-17 06:03 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-17 06:03 . 2010-03-20 16:55 -------- d-----w- c:\windows\system32\drivers\Avg

2010-03-17 06:03 . 2010-03-17 06:03 -------- d-----w- c:\program files\AVG

2010-03-17 06:03 . 2010-03-17 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-03-17 03:59 . 2010-03-17 03:59 -------- d-----w- c:\documents and settings\Administrator.YOUR-RVLNHR6V8D\Local Settings\Application Data\Mozilla

2010-03-15 08:02 . 2010-03-15 06:02 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-15 06:03 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-03-15 06:02 . 2010-03-15 06:02 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-15 06:01 . 2010-03-15 06:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-03-15 05:56 . 2010-03-15 06:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

2010-03-15 05:54 . 2010-03-15 05:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-15 03:29 . 2010-03-15 03:29 -------- d-----w- c:\program files\SysInternals

2010-03-14 23:42 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-20 17:48 . 2010-03-20 17:48 22 ----a-w- c:\windows\liccyval.dat

2010-03-18 00:09 . 2007-03-02 00:31 -------- d-----w- c:\program files\Google

2010-03-17 02:41 . 2003-02-21 16:33 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-03-17 02:20 . 2003-02-21 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-03-17 02:19 . 2008-11-05 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData

2010-03-16 06:05 . 2004-09-10 01:35 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-16 05:48 . 2004-09-10 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-15 05:55 . 2004-09-08 00:41 -------- d-----w- c:\program files\Lavasoft

2010-01-05 10:00 . 2003-02-05 12:07 832512 ------w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2003-02-05 12:23 17408 ------w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2003-02-05 12:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2004-11-30 00:05 . 2004-11-30 00:03 22 ----a-w- c:\program files\Profmine.zip

2008-09-10 19:49 . 2008-09-10 19:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

2007-08-25 16:19 . 2007-08-25 16:19 1255234 --sha-w- c:\windows\system32\ducpbqqe.tmp

2007-08-14 22:15 . 2007-08-14 22:15 1233793 --sha-w- c:\windows\system32\dyqerdty.tmp

2007-04-13 22:31 . 2007-04-13 22:31 1624700 --sha-w- c:\windows\system32\qeputgte.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"C2K"="c:\windows\cyb2k.exe" [2006-02-08 3067392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-17 06:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk

backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk

backup=c:\windows\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk

backup=c:\windows\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk

backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk

backup=c:\windows\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OZ-290_ZQ-290II Synchronization Software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OZ-290_ZQ-290II Synchronization Software.lnk

backup=c:\windows\pss\OZ-290_ZQ-290II Synchronization Software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-07 05:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C2K]

2006-02-08 21:02 3067392 ----a-w- c:\windows\Cyb2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]

2002-10-07 06:23 90112 ----a-w- c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2002-10-16 14:05 114688 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

2002-11-22 19:49 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]

2002-11-22 19:50 49152 ----a-w- c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

1998-05-08 00:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

2001-07-07 04:56 61440 ----a-w- c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

2004-09-23 00:20 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2002-09-10 06:35 372736 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]

2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-09-01 00:05 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

2003-01-11 09:47 315392 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2002-04-18 01:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]

2002-06-18 15:01 155648 ----a-w- c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2007-03-14 08:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]

2008-01-29 23:38 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2006-12-30 16:18 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]

2002-11-27 01:14 131072 ----a-w- c:\program files\Coloreal\COLOREAL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]

2002-12-07 05:25 20539 ----a-w- c:\program files\Zero Knowledge\Freedom\AutoStarterR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=2 (0x2)

"Pml Driver HPH11"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Cyb2k.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15986:TCP"= 15986:TCP:NortonAV

"13394:TCP"= 13394:TCP:NortonAV

"15091:TCP"= 15091:TCP:NortonAV

"15797:TCP"= 15797:TCP:NortonAV

"16129:TCP"= 16129:TCP:NortonAV

"15115:TCP"= 15115:TCP:NortonAV

"17695:TCP"= 17695:TCP:NortonAV

"17362:TCP"= 17362:TCP:NortonAV

"14021:TCP"= 14021:TCP:NortonAV

"15926:TCP"= 15926:TCP:NortonAV

"17294:TCP"= 17294:TCP:NortonAV

"13465:TCP"= 13465:TCP:NortonAV

"14388:TCP"= 14388:TCP:NortonAV

"13967:TCP"= 13967:TCP:NortonAV

"16406:TCP"= 16406:TCP:NortonAV

"12830:TCP"= 12830:TCP:NortonAV

"13874:TCP"= 13874:TCP:NortonAV

"16024:TCP"= 16024:TCP:NortonAV

"13844:TCP"= 13844:TCP:NortonAV

"17827:TCP"= 17827:TCP:NortonAV

"16022:TCP"= 16022:TCP:NortonAV

"17113:TCP"= 17113:TCP:NortonAV

"15416:TCP"= 15416:TCP:NortonAV

"15328:TCP"= 15328:TCP:NortonAV

"18575:TCP"= 18575:TCP:NortonAV

"18870:TCP"= 18870:TCP:NortonAV

"16921:TCP"= 16921:TCP:NortonAV

"17537:TCP"= 17537:TCP:NortonAV

"13872:TCP"= 13872:TCP:NortonAV

"18773:TCP"= 18773:TCP:NortonAV

"17522:TCP"= 17522:TCP:NortonAV

"18196:TCP"= 18196:TCP:NortonAV

"17072:TCP"= 17072:TCP:NortonAV

"18140:TCP"= 18140:TCP:NortonAV

"13352:TCP"= 13352:TCP:NortonAV

"12905:TCP"= 12905:TCP:NortonAV

"18476:TCP"= 18476:TCP:NortonAV

"17062:TCP"= 17062:TCP:NortonAV

"17181:TCP"= 17181:TCP:NortonAV

"16220:TCP"= 16220:TCP:NortonAV

"16115:TCP"= 16115:TCP:NortonAV

"17075:TCP"= 17075:TCP:NortonAV

"18641:TCP"= 18641:TCP:NortonAV

"12365:TCP"= 12365:TCP:NortonAV

"14353:TCP"= 14353:TCP:NortonAV

"16214:TCP"= 16214:TCP:NortonAV

"14931:TCP"= 14931:TCP:NortonAV

"12112:TCP"= 12112:TCP:NortonAV

"13103:TCP"= 13103:TCP:NortonAV

"18951:TCP"= 18951:TCP:NortonAV

"14965:TCP"= 14965:TCP:NortonAV

"15730:TCP"= 15730:TCP:NortonAV

"13087:TCP"= 13087:TCP:NortonAV

"12820:TCP"= 12820:TCP:NortonAV

"15577:TCP"= 15577:TCP:NortonAV

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/15/2010 1:03 AM 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/17/2010 1:03 AM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/17/2010 1:03 AM 242696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-03-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 06:02]

2008-04-17 c:\windows\Tasks\easy Internet sign-up.job

- c:\program files\Hewlett-Packard\EZ Internet Signup\HPSdpApp.exe [2003-02-20 05:10]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>;localhost

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

LSP: c:\windows\system32\lspcs.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m9k2su9g.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-20 12:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1136)

c:\windows\system32\lspcs.dll

- - - - - - - > 'explorer.exe'(2812)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Lavasoft\Ad-Aware\AAWService.exe

c:\program files\AVG\AVG9\avgwdsvc.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\System32\nvsvc32.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-03-20 13:12:31 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-20 18:12

ComboFix2.txt 2010-03-17 03:21

ComboFix3.txt 2010-03-16 04:32

Pre-Run: 43,407,728,640 bytes free

Post-Run: 43,442,167,808 bytes free

- - End Of File - - ED4E6026FFB894A8B54FA922DE28ED3A

hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:15:24, on 3/20/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16981)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\cyb2k.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: (no name) - MRI_DISABLED - (no file)

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [C2K] C:\WINDOWS\cyb2k.exe

O4 - Global Startup: AutorunsDisabled

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--

End of file - 4676 bytes


One thing I forgot to mention in previous posts. The infection that rendered the computer useless before it was given to me to clean up was more than 30 days ago, longer ago than any 'last 30 days' section in any of the logs.

More on the MBAM 730 error...

(By the way I've been writing this post as I go through these steps.)

I once again uninstalled MBAM, rebooted, ran mbam-clean which rebooted again. At this point I ran a few searches.

A search on the entire C: drive for 'Malwarebytes' returned the following:

C:\Documents and Settings\All Users\Application Data\Malwarebytes (folder)

C:\Documents and Settings\Owner\Application Data\Malwarebytes (folder)

C:\Documents and Settings\Owner\Application Data\Recent\Malwarebytes' Anti-Malware (shortcut)

Neither folder had any files or subdirectories in it, and the shortcut gave a 'missing shortcut' response.

A search on the entire C: drive for 'mbam' returned the following:

Eight entries in C:\WINDOWS\Prefetch (let me know if you need more specifics on these)

Three copies of mbam-setup.exe

mbam-clean.exe

C:\Documents and Settings\Owner\Application Data\Recent\mbam.chm

I'm not sure what this is but it pre-dates when I was able to run MBAM successfully.

A global search for 'malwarebytes' in regedit returned:

HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32 (Default) C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

HKCR\Typelib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win32 (Default) C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

HKCR\Typelib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR (Default) C:\Program Files\Malwarebytes' Anti-Malware\

HKCU\Software\Microsoft\Search Assistant\ACMRU\5603 000 malwarebytes

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Malwarebytes' Anti-Malware which has two keys, (Default) with (value not set), and ORDER, with a REG_BINARY value I'm not going to try to reproduce here

Several entries in HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache, all of which point to either mbam-setup.exe or programs in the currently nonexistent C:\Program Files\Malwarebytes' Anti-Malware\

HKLM\Software\Classes\ has the same three entries as above under HKCR\

HKU\S-1-5-21-701049610-528680125-3636023944-1003\ has the same entries as above under HKCU\

A global search for 'mbam' in regedit returned:

HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt (Default) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

More stuff under HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKCR\folder\shellex\ContextMenuHandlers\MBAMShlExt (Default) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKCR\Interface\{015FAC74-0374-494AA02D-316D562C0FCE} (Default) IMBAMShlExt

HKCR\MBAMExt.MBAMShlExt\ various keys and subdirs

HKCR\MBAMExt.MBAMShlExt.1\ various keys and subdirs

HKCR\Typelib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\ various keys and subdirs

HKCU\Software\Microsoft\Search Assistant\ACMRU\5604 000 mbam

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU c mbam.exe\1

Multiple entries in HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache that point to non-existent copies of mbam-setup.tmp or to known copies of mbam-setup.exe or mbam-clean.exe

HKLM\Software\Classes\ has the same entries as above under HKCR\

HKLM\Software\Microsoft\ESENT\Process\mbam with only a (Default) key and a subdir with null-looking keys

HKU\S-1-5-21-701049610-528680125-3636023944-1003\ has the same entries as above under HKCU\

Once again, everything above is after uninstalling and running mbam-clean, before attempting another install.

Reinstalling it, everything looks good. On the final screen I have both 'Update Malwarebytes' Anti-Malware' and 'Launch Malwarebytes' Anti-Malware' checked when I click Finish. The 'Updating Malwarebytes' Anti-Malware' window pops up and appears to successfully download an update. It shows 'The database was successfully updated from version 3510 to version 3888' (on previous runs I would sometimes see 'updated from version 3510 to version 3510').

Okay, now it's working. I don't know why it was giving me the 730 error before. Either I did something wrong in my previous attempts to uninstall/clean/reinstall, or ComboFix cleaned up something that was causing problems for it. And when the run completed, it appears that the Trojan.Agent problem has been resolved as well.

Malwarebytes' Anti-Malware 1.44

Database version: 3888

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

3/20/2010 3:40:25 PM

mbam-log-2010-03-20 (15-40-25).txt

Scan type: Quick Scan

Objects scanned: 142805

Time elapsed: 11 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

So it looks like at long last I'm good to go, although please don't hesitate to point out anything that still looks suspicious in the most recent ComboFix or hijackthis logs.


  • Staff

Hi,

Okay, now it's working. I don't know why it was giving me the 730 error before. Either I did something wrong in my previous attempts to uninstall/clean/reinstall, or ComboFix cleaned up something that was causing problems for it. And when the run completed, it appears that the Trojan.Agent problem has been resolved as well.
It is likely that the infection was interfering.
Anyhow, the logs are below. I'm suspicious of the three .tmp files in c:\windows\system32\ (although the file dates, if they haven't been tampered with, suggest they may be leftovers from old infections).
Yes, those are definitely suspicious.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=21972
Collect::
c:\windows\system32\ducpbqqe.tmp
c:\windows\system32\dyqerdty.tmp
c:\windows\system32\qeputgte.tmp
c:\windows\liccyval.dat
KILLALL::
DDS::
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

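As an added example (not code from this thread, from HijackThis or from ComboFix), the following Python pass reads a log in HijackThis v2 format and pulls out the two kinds of entry a reviewer looks at first: "(no file)" orphans, which are exactly the O2/O3 lines pasted under DDS:: in the CFScript above, and an IE ProxyServer value pointing at a loopback port, which should be matched against a known local program before it is trusted. The sample log is constructed from a few lines of the posted hijackthis.log; the function and field names are my own.

```python
"""Triage a HijackThis v2 log for orphaned entries and a configured IE proxy."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample (hypothetical): a few lines in HijackThis v2 format,
# modelled on the log posted in this thread. Not a complete log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\cyb2k.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# Every HijackThis finding line starts with a section code (R0-R3, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# HijackThis prints this literal when the file an entry points to no longer exists.
NO_FILE = "(no file)"
# IE proxy entries end in "...Internet Settings,ProxyServer = <value>".
PROXY_RE = re.compile(r"ProxyServer = (?P<value>.+)$")
LOOPBACK_RE = re.compile(r"(127\.0\.0\.1|localhost):(?P<port>\d+)")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O2"
    reason: str   # short label explaining why the line was pulled out
    line: str     # the original log line, unchanged


def parse_entries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, raw_line) for each R*/O* entry.

    Header lines and the 'Running processes' paths do not match and are skipped.
    """
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(log_text: str) -> List[Finding]:
    """Return findings in log order: orphaned entries first-class, proxy settings flagged."""
    findings: List[Finding] = []
    for section, body, raw in parse_entries(log_text):
        if NO_FILE in body:
            # The target is gone; the registry reference is dead weight left by an
            # uninstall or a previous cleanup and is safe to remove.
            findings.append(Finding(section, "orphan: target file missing", raw))
            continue
        pm = PROXY_RE.search(body)
        if section == "R1" and pm:
            lm = LOOPBACK_RE.search(pm.group("value"))
            if lm:
                # A proxy on the local machine is only as trustworthy as the program
                # listening on that port; the reviewer has to identify that program.
                findings.append(Finding(section, f"ie-proxy: loopback port {lm.group('port')}", raw))
            else:
                findings.append(Finding(section, "ie-proxy: proxy configured", raw))
    return findings


def orphan_lines(log_text: str) -> List[str]:
    """Raw '(no file)' entries in log order, i.e. the lines a helper pastes under DDS::."""
    return [f.line for f in triage(log_text) if f.reason.startswith("orphan")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason:<32} {f.line}")
```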

Was it intentional that you had "http://www.malwarebytes.org/forums/index.php?showtopic=21972" as the first line in the CFScript.txt? The run seemed to work fine, regardless.

The latest ComboFix log appears below. F-Secure Online scanner is now running and it looks like it's going to take a while, so I'll post those results along with Security Check results later.

c:\windows\liccyval.dat keeps reappearing. A quick web search suggests this file is associated with CyberSitter, which appears to be recreating the file on reboot. Unless you know something I don't about CyberSitter or have reason to suspect otherwise, I think we can write this one off as not malware.

The long list of globally open ports that it says are associated with NortonAV are also curious, considering I uninstalled the Norton package prior to installing AVG. (Side issue - there is a program under Control Panel-->Add or Remove Programs called 'Liveupdate Notice (Symantec Corporation)' that it won't let me remove ("You are attempting to uninstall a program that is required for Symantec products to run on your PC. You are unable to remove the program at this time."). Any idea how to remove this program (or why I shouldn't, as the case may be)?

A posting elsewhere about the following got me redirected back here... All this effort to get my brother's computer cleaned up has gotten me wondering about my own computer. About two months ago I got infected by Internet Security 2010. It took me about a week to get it cleaned up, and I have not experienced any problems or noticed any symptoms since then, but now I'm wondering if the cleanup was incomplete, even though neither MBAM, AdAware, Spybot S&D, nor AVG 9.0 has found anything worse than the occasional tracking cookie since then. What steps would you recommend to verify that I have cleaned up this or any other potentially undetected malware?

ComboFix.txt:

ComboFix 10-03-20.06 - Owner 03/21/2010 10:07:19.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.116 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\liccyval.dat

file zipped: c:\windows\system32\ducpbqqe.tmp

file zipped: c:\windows\system32\dyqerdty.tmp

file zipped: c:\windows\system32\qeputgte.tmp

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\liccyval.dat

c:\windows\system32\ducpbqqe.tmp

c:\windows\system32\dyqerdty.tmp

c:\windows\system32\qeputgte.tmp

.

((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))

.

2010-03-20 20:24 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-20 20:24 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-20 20:24 . 2010-03-21 04:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-20 07:33 . 2010-03-20 07:33 -------- d-----w- c:\program files\Trend Micro

2010-03-20 02:29 . 2010-03-20 20:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-03-20 01:18 . 2010-03-20 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-17 06:35 . 2010-03-17 06:35 -------- d-----w- C:\$AVG

2010-03-17 06:03 . 2010-03-17 06:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-17 06:03 . 2010-03-17 06:03 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-17 06:03 . 2010-03-17 06:03 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-17 06:03 . 2010-03-17 06:03 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-17 06:03 . 2010-03-21 14:54 -------- d-----w- c:\windows\system32\drivers\Avg

2010-03-17 06:03 . 2010-03-17 06:03 -------- d-----w- c:\program files\AVG

2010-03-17 06:03 . 2010-03-17 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-03-17 03:59 . 2010-03-17 03:59 -------- d-----w- c:\documents and settings\Administrator.YOUR-RVLNHR6V8D\Local Settings\Application Data\Mozilla

2010-03-15 08:02 . 2010-03-15 06:02 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-15 06:03 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-03-15 06:02 . 2010-03-15 06:02 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-15 06:01 . 2010-03-15 06:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-03-15 05:56 . 2010-03-15 06:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

2010-03-15 05:54 . 2010-03-15 05:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-15 03:29 . 2010-03-15 03:29 -------- d-----w- c:\program files\SysInternals

2010-03-14 23:42 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-21 15:33 . 2010-03-21 15:33 22 ----a-w- c:\windows\liccyval.dat

2010-03-18 00:09 . 2007-03-02 00:31 -------- d-----w- c:\program files\Google

2010-03-17 02:41 . 2003-02-21 16:33 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-03-17 02:20 . 2003-02-21 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-03-17 02:19 . 2008-11-05 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData

2010-03-16 06:05 . 2004-09-10 01:35 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-16 05:48 . 2004-09-10 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-15 05:55 . 2004-09-08 00:41 -------- d-----w- c:\program files\Lavasoft

2010-01-05 10:00 . 2003-02-05 12:07 832512 ------w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2003-02-05 12:23 17408 ------w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2003-02-05 12:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2004-11-30 00:05 . 2004-11-30 00:03 22 ----a-w- c:\program files\Profmine.zip

2008-09-10 19:49 . 2008-09-10 19:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"C2K"="c:\windows\cyb2k.exe" [2006-02-08 3067392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Script execution time was exceeded on script "c:\combofix\lnkread.vbs".

Script execution was terminated.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-17 06:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk

backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk

backup=c:\windows\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk

backup=c:\windows\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk

backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk

backup=c:\windows\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OZ-290_ZQ-290II Synchronization Software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OZ-290_ZQ-290II Synchronization Software.lnk

backup=c:\windows\pss\OZ-290_ZQ-290II Synchronization Software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-07 05:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C2K]

2006-02-08 21:02 3067392 ----a-w- c:\windows\Cyb2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]

2002-10-07 06:23 90112 ----a-w- c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2002-10-16 14:05 114688 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

2002-11-22 19:49 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]

2002-11-22 19:50 49152 ----a-w- c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

1998-05-08 00:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

2001-07-07 04:56 61440 ----a-w- c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

2004-09-23 00:20 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2002-09-10 06:35 372736 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]

2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-09-01 00:05 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

2003-01-11 09:47 315392 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2002-04-18 01:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]

2002-06-18 15:01 155648 ----a-w- c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2007-03-14 08:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]

2008-01-29 23:38 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2006-12-30 16:18 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]

2002-11-27 01:14 131072 ----a-w- c:\program files\Coloreal\COLOREAL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]

2002-12-07 05:25 20539 ----a-w- c:\program files\Zero Knowledge\Freedom\AutoStarterR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=2 (0x2)

"Pml Driver HPH11"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Cyb2k.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15986:TCP"= 15986:TCP:NortonAV

"13394:TCP"= 13394:TCP:NortonAV

"15091:TCP"= 15091:TCP:NortonAV

"15797:TCP"= 15797:TCP:NortonAV

"16129:TCP"= 16129:TCP:NortonAV

"15115:TCP"= 15115:TCP:NortonAV

"17695:TCP"= 17695:TCP:NortonAV

"17362:TCP"= 17362:TCP:NortonAV

"14021:TCP"= 14021:TCP:NortonAV

"15926:TCP"= 15926:TCP:NortonAV

"17294:TCP"= 17294:TCP:NortonAV

"13465:TCP"= 13465:TCP:NortonAV

"14388:TCP"= 14388:TCP:NortonAV

"13967:TCP"= 13967:TCP:NortonAV

"16406:TCP"= 16406:TCP:NortonAV

"12830:TCP"= 12830:TCP:NortonAV

"13874:TCP"= 13874:TCP:NortonAV

"16024:TCP"= 16024:TCP:NortonAV

"13844:TCP"= 13844:TCP:NortonAV

"17827:TCP"= 17827:TCP:NortonAV

"16022:TCP"= 16022:TCP:NortonAV

"17113:TCP"= 17113:TCP:NortonAV

"15416:TCP"= 15416:TCP:NortonAV

"15328:TCP"= 15328:TCP:NortonAV

"18575:TCP"= 18575:TCP:NortonAV

"18870:TCP"= 18870:TCP:NortonAV

"16921:TCP"= 16921:TCP:NortonAV

"17537:TCP"= 17537:TCP:NortonAV

"13872:TCP"= 13872:TCP:NortonAV

"18773:TCP"= 18773:TCP:NortonAV

"17522:TCP"= 17522:TCP:NortonAV

"18196:TCP"= 18196:TCP:NortonAV

"17072:TCP"= 17072:TCP:NortonAV

"18140:TCP"= 18140:TCP:NortonAV

"13352:TCP"= 13352:TCP:NortonAV

"12905:TCP"= 12905:TCP:NortonAV

"18476:TCP"= 18476:TCP:NortonAV

"17062:TCP"= 17062:TCP:NortonAV

"17181:TCP"= 17181:TCP:NortonAV

"16220:TCP"= 16220:TCP:NortonAV

"16115:TCP"= 16115:TCP:NortonAV

"17075:TCP"= 17075:TCP:NortonAV

"18641:TCP"= 18641:TCP:NortonAV

"12365:TCP"= 12365:TCP:NortonAV

"14353:TCP"= 14353:TCP:NortonAV

"16214:TCP"= 16214:TCP:NortonAV

"14931:TCP"= 14931:TCP:NortonAV

"12112:TCP"= 12112:TCP:NortonAV

"13103:TCP"= 13103:TCP:NortonAV

"18951:TCP"= 18951:TCP:NortonAV

"14965:TCP"= 14965:TCP:NortonAV

"15730:TCP"= 15730:TCP:NortonAV

"13087:TCP"= 13087:TCP:NortonAV

"12820:TCP"= 12820:TCP:NortonAV

"15577:TCP"= 15577:TCP:NortonAV

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/15/2010 1:03 AM 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/17/2010 1:03 AM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/17/2010 1:03 AM 242696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-03-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:52]

2008-04-17 c:\windows\Tasks\easy Internet sign-up.job

- c:\program files\Hewlett-Packard\EZ Internet Signup\HPSdpApp.exe [2003-02-20 05:10]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>;localhost

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

LSP: c:\windows\system32\lspcs.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m9k2su9g.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-21 10:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\liccyval.dat 22 bytes

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1136)

c:\windows\system32\lspcs.dll

- - - - - - - > 'explorer.exe'(2100)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Lavasoft\Ad-Aware\AAWService.exe

c:\program files\AVG\AVG9\avgwdsvc.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\System32\nvsvc32.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-03-21 10:53:25 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-21 15:53

ComboFix2.txt 2010-03-20 18:12

ComboFix3.txt 2010-03-17 03:21

ComboFix4.txt 2010-03-16 04:32

Pre-Run: 43,376,185,344 bytes free

Post-Run: 43,372,838,912 bytes free

- - End Of File - - 092F90A58B6EC49DB81DD8FB58178DD6


I made three attempts to run F-Secure Online Scanner. All three got to 100% on the Downloading files phase, sat there for a long time (15+ minutes on at least two of the three attempts, during which I could periodically hear HD activity), then ended with "F-Secure Online Scanner 4.2 encountered an error: 'The program could not download all the necessary files. Make sure that you are connected to the Internet. If this error repeats, contact the support (error id: 27).'" On two of the three runs I closed the F-Secure window and had an error popup: "A Runtime Error has occurred. Do you wish to debug? Line: 50 Error: 'itHeader' is undefined."

I ran Security Check. The log is below. The Spybot I've been running is version 1.6.2, was last run yesterday, and running 'Search for Updates' just now returned 'No newer updates are available', but I believe there are multiple installs of it on the computer, and perhaps I should delete them all and then reinstall the most current one. The Ad-Aware tray icon opens Ad-Aware Free, which as far as I can tell is current and active (the last update and last scan both show 3/20/2010 dates), so I'm not sure why it shows as disabled or what I should do to fix it. I have not attempted to use SpywareBlaster throughout this whole recovery process. The out-of-date Adobe Reader is likely a legitimate concern that I can address.

checkup.txt:

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

AVG Free 9.0

``````````````````````````````

Anti-malware/Other Utilities Check:

Out of date Spybot installed!

Ad-Aware

Spybot - Search & Destroy 1.5.2.20

SpywareBlaster 4.0

Spybot - Search & Destroy

HijackThis 2.0.2

Java SE Runtime Environment 6 Update 1

Adobe Flash Player 10

Adobe Reader 7.1.0

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe is disabled!

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Regarding my own computer, speak of the devil: coincidentally or otherwise, it just got hit by an infection, so I'm going to start a separate thread for that one; no need to address that here.

As for this computer, I made the Adobe Reader and Spybot changes that I discussed in my earlier post. Reran Security Check, and the log is below. It returned an error message of "*** cns.area4.il.chicago.comcast.net can't find porttest.dns-oarc.net:Server failed" (which I'm pretty sure I didn't get earlier). A rerun of Spybot found a few things it hadn't before (making me wonder if up to now it was getting its signature files crossed between versions, though it could have been something the Adobe upgrade added). Nothing that looked too threatening, just some stuff from WildTangent and one other Dialer registry key. All were cleaned. Unfortunately I don't have a log.

The MBAM problems described earlier are back. Updated, and it said it updated, but the new version number in the message was the same as the old. I ran it, and it completed much faster than expected with a lower than expected number of objects examined. I ran it again and this time it "completed" in only a few seconds, with a lower number still. Went through the uninstall, reboot, mbam-clean, reboot, install process, and had it update and load at the end of the install. The update ran and once again the update message showed the same version number in both places, and when it started to run, it aborted with Error code 730 (0, 0).

checkup.txt:

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

AVG Free 9.0

``````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

SpywareBlaster 4.0

Spybot - Search & Destroy

HijackThis 2.0.2

Java SE Runtime Environment 6 Update 1

Adobe Flash Player 10

Adobe Reader 9.3

``````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe is disabled!

``````````````````````````````

DNS Vulnerability Check:

`````````End of Log```````````


Here's one more clue on the 730 error. As I'm still composing the post for the other infection and running checks to include logs of, I tried copying the rules.ref from my brother's computer to my own. Running MBAM on that computer gave me the same 730 error. Luckily I had only renamed the old copy, so I renamed it back. Bingo! MBAM ran without a hitch using that one. So it appears the rules.ref file is getting corrupted on my brother's computer.


  • Staff

My mistake. I put the wrong link at the top of the script.

c:\windows\liccyval.dat keeps reappearing. A quick websearch suggests this file is associated with CyberSitter, which appears to be recreating the file on reboot. Unless you know something I don't about CyberSitter or have reason to suspect otherwise, I think we can write this one off as not malware.

Yes, I agree; let's leave it alone.

Download this file on the computer with the 730 issue.

http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Double-click it on the infected computer, then run a Quick Scan with MBAM and post its log. The log will show if it's using the latest database. See if you can update successfully after that.

-screen317


Looks like that cleared the MBAM problem. It updated, and had different database version numbers in the update message. The scan ran okay. No problems detected.

Malwarebytes' Anti-Malware 1.44

Database version: 3898

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

3/22/2010 1:32:26 AM

mbam-log-2010-03-22 (01-32-26).txt

Scan type: Quick Scan

Objects scanned: 143941

Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff

Good to hear. :unsure:

On your computer, navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterwards. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Restart your computer and let me know what issues remain.


Done. No problems immediately evident, although it did not remove ComboFix.exe from the desktop.

Is that long list of globally open ports anything I should be concerned about? e.g. from ComboFix.txt a few posts back...

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15986:TCP"= 15986:TCP:NortonAV

"13394:TCP"= 13394:TCP:NortonAV

"15091:TCP"= 15091:TCP:NortonAV

...and so forth. NortonAV is no longer installed.

I also have not yet run Defogger enable.

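The question above about the long GloballyOpenPorts list is worth a check rather than a guess. An open-port entry in that registry key does nothing on its own until some process listens on the port, but it is an inbound allow rule that survives the product's removal, so anything that later binds one of those ports is reachable from the network with no firewall prompt. The script below is an added example for this thread, not code from the original post, from ComboFix or DDS, or from Malwarebytes. It parses the AuthorizedApplications and GloballyOpenPorts sections in the format ComboFix prints them, reports open-port rules whose label is not an installed product and program exceptions whose executable is missing, and prints the XP-era `netsh firewall` command that would delete each one. The sample dump is a constructed, trimmed copy of the thread's log; the file inventory and installed-product list are constructed too (NortonAV absent, as the poster states; the missing HP BackWeb executable is assumed purely for illustration). On a real machine you would feed it the full ComboFix.txt, a real directory listing, and compare the ports against `netstat -ano` to see whether anything currently listens on them.

```python
"""Audit an XP Windows Firewall policy dump (as ComboFix/DDS print it) for stale exceptions.

Added example for this thread, not code from the original post or from any tool named in it.
Parses the AuthorizedApplications and GloballyOpenPorts sections and reports open-port rules
labelled with a product that is not installed, plus program exceptions whose executable is
missing. Installed products and the files present are caller-supplied, so it runs offline.
"""
import re
from dataclasses import dataclass, field

AUTHORIZED_SUFFIX = "AuthorizedApplications\\List"
OPEN_PORTS_SUFFIX = "GloballyOpenPorts\\List"

PORT_RE = re.compile(r'^"(\d{1,5}):(TCP|UDP)"=\s*\d{1,5}:(?:TCP|UDP):(.*)$')  # "15986:TCP"= 15986:TCP:NortonAV
APP_RE = re.compile(r'^"(.+?)"=\s*$')                                           # "c:\\WINDOWS\\Cyb2k.exe"=
ENV_RE = re.compile(r"%(\w+)%")                                                # %windir%


@dataclass
class FirewallPolicy:
    programs: list = field(default_factory=list)    # single-backslash paths, env vars unexpanded
    open_ports: list = field(default_factory=list)  # (port, protocol, label) tuples


@dataclass
class Finding:
    kind: str         # "stale-port" or "missing-program"
    subject: str
    remediation: str  # XP-era "netsh firewall" syntax (Vista and later use netsh advfirewall)


def parse_policy(dump: str) -> FirewallPolicy:
    """Walk the dump line by line, tracking which firewall section the cursor is in."""
    policy = FirewallPolicy()
    section = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            section = ("apps" if key.endswith(AUTHORIZED_SUFFIX)
                       else "ports" if key.endswith(OPEN_PORTS_SUFFIX) else None)
            continue
        if section == "ports" and (m := PORT_RE.match(line)):
            policy.open_ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
        elif section == "apps" and (m := APP_RE.match(line)):
            policy.programs.append(m.group(1).replace("\\\\", "\\"))  # undo REGEDIT4 escaping
    return policy


def audit(policy, installed_products, existing_files, env=None):
    """Return a Finding for every exception that no longer matches anything on the machine."""
    env = {k.lower(): v for k, v in (env or {"windir": "c:\\WINDOWS"}).items()}
    installed = {p.lower() for p in installed_products}
    present = {p.lower() for p in existing_files}
    findings = []
    for port, proto, label in policy.open_ports:
        if label.lower() not in installed:
            findings.append(Finding("stale-port", f"{port}/{proto} ({label})",
                                    f"netsh firewall delete portopening protocol={proto} port={port}"))
    for prog in policy.programs:
        expanded = ENV_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), prog)
        if expanded.lower() not in present:
            findings.append(Finding("missing-program", expanded,
                                    f'netsh firewall delete allowedprogram program="{expanded}"'))
    return findings


# Constructed sample: a trimmed copy of the two sections from the thread's ComboFix log.
SAMPLE_DUMP = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Cyb2k.exe"=
"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15986:TCP"= 15986:TCP:NortonAV
"13394:TCP"= 13394:TCP:NortonAV
"15091:TCP"= 15091:TCP:NortonAV
"""
# Constructed inventory: NortonAV is gone per the thread; the absent BackWeb agent is assumed.
SAMPLE_FILES = [r"c:\WINDOWS\system32\sessmgr.exe", r"c:\WINDOWS\Cyb2k.exe",
                r"c:\Program Files\AVG\AVG9\avgupd.exe"]
SAMPLE_INSTALLED = ["AVG"]


def run_sample():
    return audit(parse_policy(SAMPLE_DUMP), SAMPLE_INSTALLED, SAMPLE_FILES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:16} {f.subject:60} -> {f.remediation}")
```

Run against the sample it reports the three NortonAV port rules as stale and the BackWeb entry as a missing program, each with its delete command. The remediation strings are the XP SP2/SP3 `netsh firewall` forms; they are only a suggestion to review, since a port rule that a currently installed product still relies on would be labelled with that product's name and not flagged.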

Done...

ComboFix 10-03-21.04 - Owner 03/22/2010 9:10.5.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.180 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))

.

2010-03-21 22:14 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-21 22:13 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-21 22:12 . 2010-03-21 22:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-21 20:50 . 2010-03-21 21:03 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-21 15:33 . 2010-03-22 07:07 22 ----a-w- c:\windows\liccyval.dat

2010-03-20 07:33 . 2010-03-20 07:33 -------- d-----w- c:\program files\Trend Micro

2010-03-20 02:29 . 2010-03-21 22:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-03-20 01:18 . 2010-03-21 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-17 06:35 . 2010-03-17 06:35 -------- d-----w- C:\$AVG

2010-03-17 06:03 . 2010-03-17 06:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-17 06:03 . 2010-03-17 06:03 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-17 06:03 . 2010-03-17 06:03 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-17 06:03 . 2010-03-17 06:03 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-17 06:03 . 2010-03-21 22:44 -------- d-----w- c:\windows\system32\drivers\Avg

2010-03-17 06:03 . 2010-03-17 06:03 -------- d-----w- c:\program files\AVG

2010-03-17 06:03 . 2010-03-17 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-03-17 03:59 . 2010-03-17 03:59 -------- d-----w- c:\documents and settings\Administrator.YOUR-RVLNHR6V8D\Local Settings\Application Data\Mozilla

2010-03-15 08:02 . 2010-03-15 06:02 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-15 06:03 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-03-15 06:02 . 2010-03-15 06:02 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-15 06:01 . 2010-03-15 06:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-03-15 05:56 . 2010-03-15 06:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

2010-03-15 05:54 . 2010-03-15 05:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-15 03:29 . 2010-03-15 03:29 -------- d-----w- c:\program files\SysInternals

2010-03-14 23:42 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-22 13:50 . 2008-11-05 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData

2010-03-22 13:39 . 2003-02-21 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-03-22 13:39 . 2003-02-21 16:33 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-03-21 21:56 . 2004-09-10 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-18 00:09 . 2007-03-02 00:31 -------- d-----w- c:\program files\Google

2010-03-15 05:55 . 2004-09-08 00:41 -------- d-----w- c:\program files\Lavasoft

2010-01-05 10:00 . 2003-02-05 12:07 832512 ------w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2003-02-05 12:23 17408 ------w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2003-02-05 12:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2004-11-30 00:05 . 2004-11-30 00:03 22 ----a-w- c:\program files\Profmine.zip

2008-09-10 19:49 . 2008-09-10 19:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"C2K"="c:\windows\cyb2k.exe" [2006-02-08 3067392]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-17 06:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk

backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk

backup=c:\windows\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk

backup=c:\windows\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk

backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk

backup=c:\windows\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OZ-290_ZQ-290II Synchronization Software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OZ-290_ZQ-290II Synchronization Software.lnk

backup=c:\windows\pss\OZ-290_ZQ-290II Synchronization Software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-07 05:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C2K]

2006-02-08 21:02 3067392 ----a-w- c:\windows\Cyb2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]

2002-10-07 06:23 90112 ----a-w- c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2002-10-16 14:05 114688 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

2002-11-22 19:49 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]

2002-11-22 19:50 49152 ----a-w- c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

1998-05-08 00:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

2001-07-07 04:56 61440 ----a-w- c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

2004-09-23 00:20 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2002-09-10 06:35 372736 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]

2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-09-01 00:05 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

2003-01-11 09:47 315392 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2002-04-18 01:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]

2002-06-18 15:01 155648 ----a-w- c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2007-03-14 08:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2006-12-30 16:18 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]

2002-11-27 01:14 131072 ----a-w- c:\program files\Coloreal\COLOREAL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]

2002-12-07 05:25 20539 ----a-w- c:\program files\Zero Knowledge\Freedom\AutoStarterR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=2 (0x2)

"Pml Driver HPH11"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Cyb2k.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15986:TCP"= 15986:TCP:NortonAV

"13394:TCP"= 13394:TCP:NortonAV

"15091:TCP"= 15091:TCP:NortonAV

"15797:TCP"= 15797:TCP:NortonAV

"16129:TCP"= 16129:TCP:NortonAV

"15115:TCP"= 15115:TCP:NortonAV

"17695:TCP"= 17695:TCP:NortonAV

"17362:TCP"= 17362:TCP:NortonAV

"14021:TCP"= 14021:TCP:NortonAV

"15926:TCP"= 15926:TCP:NortonAV

"17294:TCP"= 17294:TCP:NortonAV

"13465:TCP"= 13465:TCP:NortonAV

"14388:TCP"= 14388:TCP:NortonAV

"13967:TCP"= 13967:TCP:NortonAV

"16406:TCP"= 16406:TCP:NortonAV

"12830:TCP"= 12830:TCP:NortonAV

"13874:TCP"= 13874:TCP:NortonAV

"16024:TCP"= 16024:TCP:NortonAV

"13844:TCP"= 13844:TCP:NortonAV

"17827:TCP"= 17827:TCP:NortonAV

"16022:TCP"= 16022:TCP:NortonAV

"17113:TCP"= 17113:TCP:NortonAV

"15416:TCP"= 15416:TCP:NortonAV

"15328:TCP"= 15328:TCP:NortonAV

"18575:TCP"= 18575:TCP:NortonAV

"18870:TCP"= 18870:TCP:NortonAV

"16921:TCP"= 16921:TCP:NortonAV

"17537:TCP"= 17537:TCP:NortonAV

"13872:TCP"= 13872:TCP:NortonAV

"18773:TCP"= 18773:TCP:NortonAV

"17522:TCP"= 17522:TCP:NortonAV

"18196:TCP"= 18196:TCP:NortonAV

"17072:TCP"= 17072:TCP:NortonAV

"18140:TCP"= 18140:TCP:NortonAV

"13352:TCP"= 13352:TCP:NortonAV

"12905:TCP"= 12905:TCP:NortonAV

"18476:TCP"= 18476:TCP:NortonAV

"17062:TCP"= 17062:TCP:NortonAV

"17181:TCP"= 17181:TCP:NortonAV

"16220:TCP"= 16220:TCP:NortonAV

"16115:TCP"= 16115:TCP:NortonAV

"17075:TCP"= 17075:TCP:NortonAV

"18641:TCP"= 18641:TCP:NortonAV

"12365:TCP"= 12365:TCP:NortonAV

"14353:TCP"= 14353:TCP:NortonAV

"16214:TCP"= 16214:TCP:NortonAV

"14931:TCP"= 14931:TCP:NortonAV

"12112:TCP"= 12112:TCP:NortonAV

"13103:TCP"= 13103:TCP:NortonAV

"18951:TCP"= 18951:TCP:NortonAV

"14965:TCP"= 14965:TCP:NortonAV

"15730:TCP"= 15730:TCP:NortonAV

"13087:TCP"= 13087:TCP:NortonAV

"12820:TCP"= 12820:TCP:NortonAV

"15577:TCP"= 15577:TCP:NortonAV

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/15/2010 1:03 AM 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/17/2010 1:03 AM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/17/2010 1:03 AM 242696]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/17/2010 1:03 AM 308064]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1263728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-03-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:52]

2008-04-17 c:\windows\Tasks\easy Internet sign-up.job

- c:\program files\Hewlett-Packard\EZ Internet Signup\HPSdpApp.exe [2003-02-20 05:10]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>;localhost

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

LSP: c:\windows\system32\lspcs.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m9k2su9g.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-22 09:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1132)

c:\windows\system32\lspcs.dll

- - - - - - - > 'explorer.exe'(3620)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-03-22 09:36:31

ComboFix-quarantined-files.txt 2010-03-22 14:36

ComboFix2.txt 2010-03-21 15:53

ComboFix3.txt 2010-03-20 18:12

ComboFix4.txt 2010-03-17 03:21

ComboFix5.txt 2010-03-22 14:08

Pre-Run: 42,379,911,168 bytes free

Post-Run: 42,946,306,048 bytes free

- - End Of File - - 122738F325D0499F5E5C8F79AEE2C69B


  • Staff

Hi,

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15986:TCP"=-

"13394:TCP"=-

"15091:TCP"=-

"15797:TCP"=-

"16129:TCP"=-

"15115:TCP"=-

"17695:TCP"=-

"17362:TCP"=-

"14021:TCP"=-

"15926:TCP"=-

"17294:TCP"=-

"13465:TCP"=-

"14388:TCP"=-

"13967:TCP"=-

"16406:TCP"=-

"12830:TCP"=-

"13874:TCP"=-

"16024:TCP"=-

"13844:TCP"=-

"17827:TCP"=-

"16022:TCP"=-

"17113:TCP"=-

"15416:TCP"=-

"15328:TCP"=-

"18575:TCP"=-

"18870:TCP"=-

"16921:TCP"=-

"17537:TCP"=-

"13872:TCP"=-

"18773:TCP"=-

"17522:TCP"=-

"18196:TCP"=-

"17072:TCP"=-

"18140:TCP"=-

"13352:TCP"=-

"12905:TCP"=-

"18476:TCP"=-

"17062:TCP"=-

"17181:TCP"=-

"16220:TCP"=-

"16115:TCP"=-

"17075:TCP"=-

"18641:TCP"=-

"12365:TCP"=-

"14353:TCP"=-

"16214:TCP"=-

"14931:TCP"=-

"12112:TCP"=-

"13103:TCP"=-

"18951:TCP"=-

"14965:TCP"=-

"15730:TCP"=-

"13087:TCP"=-

"12820:TCP"=-

"15577:TCP"=-

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together.

Let me know what issues remain.

-screen317

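As an added example (not code from this thread, from ComboFix or from Malwarebytes), the script below does the triage the staff reply does by hand: it reads the GloballyOpenPorts export from a ComboFix log, flags one label that opens a whole batch of random high ports (the "NortonAV" entries above), checks whether Internet Explorer has been pointed at a proxy on 127.0.0.1 (the ProxyServer = http=127.0.0.1:5555 line above), lists LSP DLLs, and builds the same kind of "Registry::" CFScript block with the "name"=- delete syntax. The log excerpt is constructed from a few lines of the log above plus one made-up benign entry, and the "three or more unprivileged ports under one label" threshold is this example's own heuristic, not a ComboFix rule.

```python
"""Triage helper for a ComboFix log excerpt (added example, not ComboFix code)."""
import re
from collections import defaultdict

# Constructed sample modelled on the log above; the "Remote Desktop" line is
# a made-up benign entry so the heuristic has something it must NOT flag.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15986:TCP"= 15986:TCP:NortonAV
"13394:TCP"= 13394:TCP:NortonAV
"15091:TCP"= 15091:TCP:NortonAV
"3389:TCP"= 3389:TCP:Remote Desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;localhost
LSP: c:\windows\system32\lspcs.dll
"""

FIREWALL_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                r"\standardprofile\GloballyOpenPorts\List")

# "15986:TCP"= 15986:TCP:NortonAV  ->  port, protocol, label
_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$', re.M)
_PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(\S+)', re.M)
_LSP_RE = re.compile(r'^LSP:\s*(\S+)', re.M)


def parse_open_ports(log_text):
    """Return [(port, proto, label), ...] from the GloballyOpenPorts lines."""
    return [(int(p), proto, label.strip())
            for p, proto, label in _PORT_RE.findall(log_text)]


def suspicious_port_groups(entries, min_count=3, min_port=1024):
    """Heuristic (this example's assumption): one label that opens min_count or
    more distinct unprivileged ports is a bogus exception, most likely planted.
    A single well-known service port under its own label is left alone."""
    by_label = defaultdict(set)
    for port, proto, label in entries:
        if port >= min_port:
            by_label[label].add((port, proto))
    return {label: sorted(ports) for label, ports in by_label.items()
            if len(ports) >= min_count}


def parse_proxy(log_text):
    """Return the ProxyServer value (e.g. 'http=127.0.0.1:5555') or None."""
    m = _PROXY_RE.search(log_text)
    return m.group(1) if m else None


def is_loopback_proxy(proxy):
    """True when IE is told to route traffic through a proxy on the same PC,
    which on a home machine usually means a local interception process."""
    if not proxy:
        return False
    for part in proxy.split(";"):
        host = part.split("=")[-1].rsplit(":", 1)[0]
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def build_cfscript(key, value_names):
    """Emit a 'Registry::' block; "name"=- deletes the value, as in the reply above."""
    lines = ["Registry::", "[%s]" % key]
    lines += ['"%s"=-' % name for name in value_names]
    return "\n".join(lines) + "\n"


def triage(log_text):
    """Run every check and return findings plus a ready CFScript (or None)."""
    entries = parse_open_ports(log_text)
    groups = suspicious_port_groups(entries)
    names = ["%d:%s" % (port, proto)
             for ports in groups.values() for port, proto in ports]
    proxy = parse_proxy(log_text)
    return {
        "bogus_port_labels": sorted(groups),
        "proxy": proxy,
        "loopback_proxy": is_loopback_proxy(proxy),
        "lsp_dlls": _LSP_RE.findall(log_text),
        "cfscript": build_cfscript(FIREWALL_KEY, names) if names else None,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for k, v in result.items():
        if k != "cfscript":
            print("%-18s %s" % (k + ":", v))
    if result["cfscript"]:
        print("\n--- CFScript to paste into Notepad ---\n" + result["cfscript"])
```

Run it against a saved ComboFix.txt instead of SAMPLE_LOG to get the port list without retyping fifty entries; the loopback-proxy and LSP checks are only indicators, so confirm what the DLL and the process on port 5555 actually are before acting on them.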

I'm at work but I'll follow the above instructions as soon as I get home.

Today I received a new DRAM for that computer that will upgrade it from 448M to 1280M. Any problem with installing that before I continue?

After a bit of online research I've decided to uninstall AVG 9.0 and install Avast or Avira instead, but unless you say otherwise I'll wait until we're all done with everything before I do that.
