
Antivirus XP won't let MBAM run and I can't connect to internet



Hi - I have posted an appeal for help in the general forum and as instructed I'm starting a new post here. I was asked to refer to instructions for downloading and installing MBAM and Defogger etc, but as the virus is stopping my internet access I am wondering if I can download them to a clean PC and copy them across to the infected PC's desktop? I put a reply on my other post but I'm thinking I should have put it on a fresh post here (?) so I am repeating below what I put in that post - I hope that's OK to do!

"I had been regularly using MBAM on my now infected PC, but when I got this infection, and couldn't get MBAM to run, I deleted MBAM because I had read that I would have to re-install it. Have I also read on these forums that I need to run a 'deep cleaning' program as well to remove all references to MBAM? If so, I haven't done this so it may affect my next attempt to start MBAM when reloaded.

I cannot access the internet via my usual methods so I took a copy of mbam-setup.exe from a good PC (after first updating it) and pasted it on the desktop of my infected PC. (Is that an acceptable approach?) I then tried to get the exe extension to display, following the instructions shown in the virus removal guide, so that I could change it to a .com extension. However, I could not for the life of me find the option to display file extensions in My Computer/Tools/Options. Is it possible that the virus could be removing that option? I'm running XP by the way."

I won't do anything now until I am told how to get MBAM etc onto my infected PC. Many thanks for the help.


Thanks for the quick response! I cannot get file extensions to display, and after some searching it seems that the virus has taken away my rights to display them (not explained very well - sorry). So I renamed the MBAM installation file to .com on my clean PC, then copied that onto a memory stick then onto the infected PC desktop. That allowed me to install MBAM. I didn't tick the update box as I cannot connect to the internet. I ticked the box to start MBAM after installation but nothing happened.

Could I find mbam.exe on my clean machine, rename it to mbam.com, copy it to the MBAM folder on my infected machine, and try running it there?


  • Staff
Could I find mbam.exe on my clean machine, rename it to mbam.com, copy it to the MBAM folder on my infected machine, and try running it there?
Yes, please do it that way.

Also, it may be a good idea to transfer the database file as well, so on your "clean" pc, please update malwarebytes first.

Then navigate to the folder C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware and find the file rules.ref in there. Transfer that file also to the infected PC and place it in that same folder C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware.


  • Staff

Also, can you give me some more information about the "missing option to show file extensions"? I mean, what exactly is it you cannot find?

Is it the Folder Options from the menu? Or the view tab? Or do you see all options there as you see in the screenshot below, EXCEPT for the extensions one?

[screenshot: advanced-folder-options_sm.gif]

Either way, if the Folder Options are missing in general, then Malwarebytes will restore that anyway.


Hi again. I copied the renamed MBAM.com onto the infected PC. I couldn't put the Rules.ref file where you suggested because C:\Documents and Settings\All Users\Application Data folder doesn't show on my infected PC (I did a search though and it does exist - it's just hidden).

So I tried to run MBAM.com and got an error code 730 (0,0)?

Re the "missing option to show file extensions" - under the Tools tab I don't get the 'Folder Options' which would allow me to display file extensions.

Thanks again - at least I feel like I am making progress with your help.


  • Staff

Hi,

The 730 error means mbam is unable to find the database, so unsure what is happening here. Is the mbam.com located in the C:\Program Files\Malwarebytes anti-malware folder now?

Let's have your folder options shown again first, so...

Open Notepad and copy and paste the text present in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoFolderOptions"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoFolderOptions"=-

Save this as fix.reg, choosing to save as *all files, and place it on your desktop.

It should look like this: [screenshot: reg.gif]

Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Once you have your folder options back, you should be able to show hidden files and folders via those options as well and find the C:\Documents and Settings\All Users\Application Data folder and put/replace the rules.ref you transferred from the other computer to there.


  • Staff

Also, do the following:

Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.


Yes, MBAM.com is in the right folder.

Tried to run fix.reg and got the message "Registry editing has been disabled by your administrator".

I have attached "attach" file - didn't know how to zip it up, sorry.

DDS pasted below:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Steve Jones at 18:57:10.07 on 23/03/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3069.2664 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\DOCUME~1\STEVEJ~1\LOCALS~1\Temp\ej5efw0bhs.exe

C:\DOCUME~1\STEVEJ~1\LOCALS~1\Temp\diskperfxp.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Documents and Settings\Steve Jones\Local Settings\Application Data\ave.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\DOCUME~1\STEVEJ~1\LOCALS~1\Temp\asd4.tmp.exe

C:\Documents and Settings\Steve Jones\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

BHO: AutorunsDisabled - No File

BHO: c:\windows\system32\owmcfsdyq.dll: {a9ba40a1-74f1-52bd-f434-00b15a2c8953} - c:\windows\system32\owmcfsdyq.dll

uRun: [diskperfxp.exe] c:\docume~1\stevej~1\locals~1\temp\diskperfxp.exe

uRun: [hsa8ffushf83hoigjhs98jgijg9sd8e] c:\docume~1\stevej~1\locals~1\temp\ej5efw0bhs.exe

uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\stevej~1\locals~1\temp\csrss.exe

mRun: [intelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

uPolicies-explorer: NoFolderOptions = 1 (0x1)

uPolicies-system: DisableRegistryTools = 1 (0x1)

uPolicies-system: DisableTaskMgr = 1 (0x1)

mPolicies-system: DisableTaskMgr = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

STS: c:\windows\system32\owmcfsdyq.dll: {a9ba40a1-74f1-52bd-f434-00b15a2c8953} - c:\windows\system32\owmcfsdyq.dll

IFEO: AutorunsDisabled - ntsd -d

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stevej~1\applic~1\mozilla\firefox\profiles\crhzgivt.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [2009-9-11 26496]

S3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [2009-9-11 42496]

S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys --> c:\windows\system32\drivers\itecir.sys [?]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-9-24 41376]

S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [2009-11-9 131776]

S4 gel90xne;gel90xne;\??\c:\docume~1\stevej~1\locals~1\temp\gel90xne.sys --> c:\docume~1\stevej~1\locals~1\temp\gel90xne.sys [?]

S4 gupdate1c9fdad1e7e45f2;Google Update Service (gupdate1c9fdad1e7e45f2);c:\program files\google\update\GoogleUpdate.exe [2009-7-5 133104]

S4 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [2004-8-4 33280]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-03-23 10:25:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-23 10:25:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-23 10:25:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-21 20:15:29 0 d-----w- c:\program files\User Protection

2010-03-20 22:46:16 860672 ----a-w- c:\windows\system32\drivers\llafexn.sys

2010-03-20 22:46:01 20000 ----a-w- c:\windows\system32\owmcfsdyq.dll

2010-03-20 20:57:20 0 d-----w- c:\program files\common files\AVerMedia

2010-03-20 19:59:26 27461837 ----a-w- c:\program files\E506R_6.0.12.08041002_080428.exe

2010-03-20 14:51:45 0 d-----w- c:\program files\A310_V1.1.0.22_vista_x86(WHQL)

2010-03-20 14:51:26 459625 ----a-w- c:\program files\TV tuner-A310_V1.1.0.22_vista_x86(WHQL).zip

2010-03-18 12:52:54 0 d-----w- c:\program files\coolpro2

2010-03-18 12:26:17 319792 ----a-w- c:\program files\utorrent.exe

2010-02-26 17:33:34 0 d-----w- c:\docume~1\stevej~1\applic~1\Birdstep Technology

2010-02-26 17:33:18 10240 ------w- c:\windows\system32\drivers\mdvrmng.sys

2010-02-26 17:32:12 872192 ----a-w- c:\windows\system32\drivers\mod7700.sys

2010-02-26 17:32:12 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys

2010-02-26 17:32:12 103168 ----a-w- c:\windows\system32\drivers\ewusbfake.sys

2010-02-26 17:32:12 101376 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys

2010-02-26 17:32:12 100992 ----a-w- c:\windows\system32\drivers\ewusbnet.sys

==================== Find3M ====================

2010-03-15 11:02:17 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2010-02-26 17:31:47 76118 ----a-w- c:\windows\Huawei ModemsUninstall.exe

2010-01-15 11:56:06 10583552 ----a-w- c:\program files\InstallScorch.msi

2010-01-05 20:31:41 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe

2010-01-05 20:25:13 286720 ------w- c:\windows\Setup1.exe

2010-01-05 20:25:12 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-01-05 20:24:44 2489250 ----a-w- c:\program files\PlayDVD.zip

2009-12-29 19:31:47 29375592 ----a-w- c:\program files\A16AR_6.0.18.09070601_091110.zip

2009-12-27 21:19:39 5436525 ----a-w- c:\program files\ITE_MIR_IT8512E-komku.blogspot.com-.zip

2009-11-18 12:30:42 8157274 ----a-w- c:\program files\11.Camera-Bison driver package V7.96.701.12a_Vistax86x64(WHQL).zip

2009-11-09 18:49:46 98224311 ----a-w- c:\program files\QX3Plus.exe

2009-10-23 22:02:17 69722473 ----a-w- c:\program files\FXhome_VisionLab_Studio_1005014_Demo_Installer.exe

2009-08-13 20:11:25 202071 ----a-w- c:\program files\RipIt4Me.zip

2009-08-04 10:07:32 2496707 ----a-w- c:\program files\vsoDivxToDVD_setup_v0.5.2b.exe

2009-06-21 17:42:42 608578 ----a-w- c:\program files\700_DDI_CB.exe

2009-05-15 08:46:51 4669067 ----a-w- c:\program files\ICS_Dx32.exe

2009-05-13 09:54:03 7303913 ----a-w- c:\program files\12.2.0.0_X_Drivers.zip

2007-03-21 20:19:52 643072 ----a-w- c:\program files\RipIt4Me.exe

============= FINISH: 18:57:34.45 ===============

I hope this is all done as needed. Many thanks

[attachment: Attach.txt]

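The DDS report above shows the three things that made cleanup awkward in this thread: Explorer/System policy values that remove Folder Options, regedit and Task Manager (uPolicies-explorer: NoFolderOptions, uPolicies-system: DisableRegistryTools and DisableTaskMgr), autoruns launched from the user's Temp folder, and an .exe association rewritten to "secfile" (which is why renaming the installer to .com worked). The following Python script is an added example; it is not part of the thread and not code from DDS or Malwarebytes. It triages a handful of report lines copied from the log above (a constructed sample), reports whether a .reg merge would be refused because DisableRegistryTools is set, and generates the same style of REGEDIT4 deletion script the staff reply used. The u/m/d prefix mapping follows the usual DDS convention (current user, machine, default user hive), and the temp-folder test is a heuristic, both assumptions of this example.

```python
"""Triage helper for DDS-style 'Pseudo HJT Report' lines.

Added example, not part of the forum thread and not DDS or Malwarebytes
code. It flags the policy lockdown, temp-folder autoruns and the .exe
association hijack seen in the thread, and emits a REGEDIT4 script that
deletes the lockdown values (a value set to "-" is deleted on merge).
"""
import re

# Constructed sample: lines copied from the DDS log posted in the thread.
SAMPLE_LOG = r"""
uRun: [diskperfxp.exe] c:\docume~1\stevej~1\locals~1\temp\diskperfxp.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
.exe=secfile
""".strip()

POLICY_RE = re.compile(r"^([umd])Policies-(explorer|system):\s+(\w+)\s*=\s*(\d+)", re.I)
RUN_RE = re.compile(r"^([umd])Run:\s+\[([^\]]*)\]\s+(.*)$", re.I)
ASSOC_RE = re.compile(r"^\.exe=(\S+)$", re.I)

# Assumed DDS convention: u = current user, m = machine, d = default user hive.
HIVES = {"u": r"HKEY_CURRENT_USER", "m": r"HKEY_LOCAL_MACHINE", "d": r"HKEY_USERS\.DEFAULT"}
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies"

# Policy values that lock the user out of the tools needed for cleanup.
LOCKDOWN_VALUES = {"NoFolderOptions", "DisableRegistryTools", "DisableTaskMgr"}
# Heuristic: autoruns living in user-writable temp/profile folders are suspect.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\application data\\")


def parse_report(text):
    """Split report lines into policy entries, autoruns and the .exe association."""
    policies, autoruns, exe_assoc = [], [], None
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            scope, subkey, name, value = m.groups()
            policies.append((scope.lower(), subkey.capitalize(), name, int(value)))
            continue
        m = RUN_RE.match(line)
        if m:
            scope, name, cmd = m.groups()
            autoruns.append((scope.lower(), name, cmd))
            continue
        m = ASSOC_RE.match(line)
        if m:
            exe_assoc = m.group(1)
    return {"policies": policies, "autoruns": autoruns, "exe_assoc": exe_assoc}


def triage(text):
    """Return human-readable findings for the lines that matter during cleanup."""
    report = parse_report(text)
    findings = []
    for scope, subkey, name, value in report["policies"]:
        if name in LOCKDOWN_VALUES and value == 1:
            findings.append(f"lockdown policy: {HIVES[scope]}\\{POLICY_KEY}\\{subkey}\\{name}={value}")
    for _, name, cmd in report["autoruns"]:
        if any(d in cmd.lower() for d in SUSPECT_DIRS):
            findings.append(f"autorun from user-writable folder: [{name}] {cmd}")
    if report["exe_assoc"] and report["exe_assoc"].lower() != "exefile":
        findings.append(f".exe association hijacked: .exe={report['exe_assoc']} (expected exefile)")
    return findings


def regedit_blocked(text):
    """True when DisableRegistryTools=1 is set: merging a .reg file is then refused
    with 'Registry editing has been disabled by your administrator'."""
    return any(name == "DisableRegistryTools" and value == 1
               for _, _, name, value in parse_report(text)["policies"])


def build_policy_fix(text):
    """REGEDIT4 script deleting every lockdown value found, one key block per hive/subkey."""
    keys = {}
    for scope, subkey, name, value in parse_report(text)["policies"]:
        if name in LOCKDOWN_VALUES and value == 1:
            keys.setdefault(f"{HIVES[scope]}\\{POLICY_KEY}\\{subkey}", []).append(name)
    lines = ["REGEDIT4", ""]
    for key, names in keys.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    if regedit_blocked(SAMPLE_LOG):
        print("NOTE: DisableRegistryTools is set; a .reg merge will be refused until it is cleared.")
    print(build_policy_fix(SAMPLE_LOG))
```

On the sample lines the script reports four lockdown values, the diskperfxp.exe autorun from Temp, and the secfile association, and it warns that the generated .reg fix cannot be merged while DisableRegistryTools is still set, which is exactly the "Registry editing has been disabled by your administrator" message the user hit.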

  • Staff

Hi,

It looks like you are dealing with too many different infections here as well. I know malwarebytes can deal with it, but since you are currently having so many restrictions because of the other malware present, it may be a hassle to get malwarebytes to run first.

That's why we'll use something else instead...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Just thought I should mention that before C/fix started the checking stages it reported finding files trying to attach to C/fix, plus it reported rootkit activity. I've noted all the file names but will it give you this info in its final report or do you need me to note these separately?


ComboFix log:

ComboFix 10-03-24.01 - Steve Jones 24/03/2010 19:05:34.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3069.2735 [GMT 0:00]

Running from: c:\documents and settings\Steve Jones\Desktop\Firefox.exe

.

The following files were disabled during the run:

c:\documents and settings\Steve Jones\Local Settings\Application Data\Windows Server\ffjpbs.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\STEVEJ~1\LOCALS~1\Temp\csrss.exe

c:\documents and settings\All Users\Desktop\nudetube.com.lnk

c:\documents and settings\All Users\Desktop\pornotube.com.lnk

c:\documents and settings\All Users\Desktop\youporn.com.lnk

c:\documents and settings\All Users\Favorites\_favdata.dat

c:\documents and settings\Steve Jones\Local Settings\Application Data\ave.exe

c:\documents and settings\Steve Jones\Local Settings\Application Data\Windows Server

c:\documents and settings\Steve Jones\Local Settings\Application Data\Windows Server\ffjpbs.dll

c:\program files\User Protection

c:\windows\_VOIDmxbyfuxdst

c:\windows\_VOIDmxbyfuxdst\_VOIDd.sys

c:\windows\Install.txt

c:\windows\system32\_VOIDbxhcqpuamj.dat

c:\windows\system32\_VOIDppiypethxw.dll

c:\windows\system32\_VOIDuvbtubsqxd.dll

c:\windows\system32\_VOIDxxubnlrfvl.dll

c:\windows\system32\3498.exe

c:\windows\system32\BtwSvc.dll

c:\windows\system32\drivers\_VOIDnkfycdjnkl.sys

c:\windows\system32\drivers\llafexn.sys

c:\windows\system32\FInstall.sys

c:\windows\system32\Install.txt

c:\windows\system32\owmcfsdyq.dll

c:\windows\TEMP\mta13187.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service__VOIDd.sys

-------\Legacy__VOIDd.sys

-------\Service__VOIDmxbyfuxdst

-------\Legacy__VOIDmxbyfuxdst

-------\Legacy_BTWSVC

-------\Service_BtwSvc

-------\Legacy_llafexn

-------\Service_llafexn

((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))

.

2010-03-23 10:25 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-23 10:25 . 2010-03-24 18:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-23 10:25 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-20 22:47 . 2010-03-20 22:47 202752 --sha-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\2383446155.dll

2010-03-20 20:57 . 2010-03-20 20:57 -------- d-----w- c:\documents and settings\Steve Jones\Local Settings\Application Data\AVerMeida

2010-03-20 20:57 . 2010-03-23 09:57 -------- d-----w- c:\program files\Common Files\AVerMedia

2010-03-20 19:59 . 2010-03-20 20:56 27461837 ----a-w- c:\program files\E506R_6.0.12.08041002_080428.exe

2010-03-20 14:51 . 2007-11-29 10:41 -------- d-----w- c:\program files\A310_V1.1.0.22_vista_x86(WHQL)

2010-03-20 14:51 . 2010-03-20 14:51 459625 ----a-w- c:\program files\TV tuner-A310_V1.1.0.22_vista_x86(WHQL).zip

2010-03-18 12:52 . 2010-03-18 12:58 -------- d-----w- c:\program files\coolpro2

2010-03-18 12:26 . 2010-03-18 12:26 319792 ----a-w- c:\program files\utorrent.exe

2010-03-04 20:59 . 2010-03-04 21:09 24805112 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3Connect_Flasher_Huawei.exe

2010-02-26 17:34 . 2010-02-26 17:37 13432816 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3UK_2.7.0.77_AUP_Huawei.exe

2010-02-26 17:33 . 2010-02-26 17:33 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Birdstep Technology

2010-02-26 17:33 . 2007-05-28 18:00 10240 ------w- c:\windows\system32\drivers\mdvrmng.sys

2010-02-26 17:32 . 2008-03-17 09:56 103168 ----a-w- c:\windows\system32\drivers\ewusbfake.sys

2010-02-26 17:32 . 2008-03-17 09:03 101376 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys

2010-02-26 17:32 . 2008-03-16 12:47 872192 ----a-w- c:\windows\system32\drivers\mod7700.sys

2010-02-26 17:32 . 2008-01-22 13:09 100992 ----a-w- c:\windows\system32\drivers\ewusbnet.sys

2010-02-26 17:32 . 2007-08-09 02:13 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-23 09:58 . 2009-05-03 15:42 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-18 12:54 . 2009-07-28 20:24 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Syntrillium

2010-03-15 11:02 . 2010-02-21 01:06 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2010-03-15 09:36 . 2010-01-05 20:34 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\vlc

2010-02-26 17:31 . 2009-05-03 19:39 76118 ----a-w- c:\windows\Huawei ModemsUninstall.exe

2010-02-26 13:24 . 2009-05-03 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology

2010-02-25 10:45 . 2009-08-19 13:56 -------- d-----w- c:\program files\CCleaner

2010-02-23 09:54 . 2010-01-05 20:34 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\dvdcss

2010-02-21 15:55 . 2009-05-09 08:56 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\LimeWire

2010-02-13 17:44 . 2010-01-11 23:06 -------- d-----w- c:\program files\Doom 3

2010-02-13 17:43 . 2009-12-30 11:09 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\runic games

2010-02-13 17:43 . 2009-12-30 11:07 -------- d-----w- c:\program files\Runic Games

2010-02-13 17:41 . 2010-02-11 18:53 -------- d-----w- c:\program files\Joustra

2010-02-13 16:18 . 2010-02-13 15:56 -------- d-----w- c:\program files\LG PC Suite II

2010-02-13 15:56 . 2010-02-13 15:56 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\LG Electronics

2010-02-13 15:54 . 2010-02-13 15:54 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\InstallShield

2010-02-13 15:52 . 2009-08-19 14:41 -------- d-----w- c:\program files\LG Electronics

2010-01-15 11:57 . 2009-05-03 18:54 59400 ----a-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-15 11:56 . 2010-01-15 11:56 10583552 ----a-w- c:\program files\InstallScorch.msi

2010-01-05 20:31 . 2010-01-05 20:28 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe

2010-01-05 20:25 . 2010-01-05 20:25 286720 ------w- c:\windows\Setup1.exe

2010-01-05 20:25 . 2010-01-05 20:25 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-01-05 20:24 . 2010-01-05 20:24 2489250 ----a-w- c:\program files\PlayDVD.zip

2009-12-29 19:31 . 2009-12-29 19:25 29375592 ----a-w- c:\program files\A16AR_6.0.18.09070601_091110.zip

2009-12-27 21:19 . 2009-12-27 21:16 5436525 ----a-w- c:\program files\ITE_MIR_IT8512E-komku.blogspot.com-.zip

2009-11-18 12:30 . 2009-11-18 12:30 8157274 ----a-w- c:\program files\11.Camera-Bison driver package V7.96.701.12a_Vistax86x64(WHQL).zip

2009-11-09 18:49 . 2009-11-09 18:45 98224311 ----a-w- c:\program files\QX3Plus.exe

2009-10-23 22:02 . 2009-10-23 22:02 69722473 ----a-w- c:\program files\FXhome_VisionLab_Studio_1005014_Demo_Installer.exe

2009-08-13 20:11 . 2009-08-13 20:11 202071 ----a-w- c:\program files\RipIt4Me.zip

2009-08-04 10:07 . 2009-08-04 10:06 2496707 ----a-w- c:\program files\vsoDivxToDVD_setup_v0.5.2b.exe

2009-06-21 17:42 . 2009-06-21 17:42 608578 ----a-w- c:\program files\700_DDI_CB.exe

2009-05-15 08:46 . 2009-05-15 08:46 4669067 ----a-w- c:\program files\ICS_Dx32.exe

2009-05-13 09:54 . 2009-05-13 09:54 7303913 ----a-w- c:\program files\12.2.0.0_X_Drivers.zip

2007-03-21 20:19 . 2010-01-14 08:50 643072 ----a-w- c:\program files\RipIt4Me.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13594624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ msv1_0 schannel wdigest

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Update Agent.lnk

backup=c:\windows\pss\Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R220 Series]

2006-12-25 04:00 177664 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2009-09-10 14:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader: 3724

"8095:TCP"= 8095:TCP:test

S3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [11/09/2009 07:57 26496]

S3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [11/09/2009 07:57 42496]

S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys --> c:\windows\system32\DRIVERS\itecir.sys [?]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [24/09/2008 15:09 41376]

S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [09/11/2009 18:53 131776]

S4 gel90xne;gel90xne;\??\c:\docume~1\STEVEJ~1\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\STEVEJ~1\LOCALS~1\Temp\gel90xne.sys [?]

S4 gupdate1c9fdad1e7e45f2;Google Update Service (gupdate1c9fdad1e7e45f2);c:\program files\Google\Update\GoogleUpdate.exe [05/07/2009 20:13 133104]

S4 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [04/08/2004 12:00 33280]

.

Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

FF - ProfilePath - c:\documents and settings\Steve Jones\Application Data\Mozilla\Firefox\Profiles\crhzgivt.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

BHO-{A9BA40A1-74F1-52BD-F434-00B15A2C8953} - c:\windows\system32\owmcfsdyq.dll

SharedTaskScheduler-{A9BA40A1-74F1-52BD-F434-00B15A2C8953} - c:\windows\system32\owmcfsdyq.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-24 19:12

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\windows\system32\netprovcredman.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Intel\WiFi\bin\S24EvMon.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\windows\system32\wbem\unsecapp.exe

.

**************************************************************************

.

Completion time: 2010-03-24 19:15:13 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-24 19:15

Pre-Run: 215,264,534,528 bytes free

Post-Run: 215,215,009,792 bytes free

- - End Of File - - B11AA164036414FC3579679DBA46E5F2


  • Staff

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Collect::[8]

c:\documents and settings\Steve Jones\Local Settings\Application Data\2383446155.dll

Dirlook::

c:\documents and settings\Steve Jones\Local Settings\Application Data\AVerMeida

Filelook::

c:\windows\Setup1.exe

Driver::

gel90xne

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again.

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


  • Staff

It's funny here though. I see Avermedia installed, which is a legitimate program, however, I'm puzzled why the foldername looks different:

c:\documents and settings\Steve Jones\Local Settings\Application Data\AVerMeida

Meida instead of Media. That would be a stupid typo by the developers. Either way, the above script will also have a look inside that folder and list what files are present there so I can verify it's indeed related to AVerMedia and not some malware that uses renamed versions of legitimate folders already present and puts its own malicious files in them.


Hi - I will do as asked but can I just check: did you mean to say 'AVerMeida' in your instructions or should it read 'Avermedia'?

Plus I have a confession - I was SO relieved to see ComboFix run and report that I couldn't resist updating and doing a quick scan with MBAM. It's found a few problems and the log is pasted below. Apologies for being hasty - I hope I haven't messed up. Am I OK to tell MBAM to delete the infections it's found?

Malwarebytes' Anti-Malware 1.44

Database version: 3909

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

24/03/2010 19:51:59

mbam-log-2010-03-24 (19-51-52).txt

Scan type: Quick Scan

Objects scanned: 124887

Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Backdoor.Bot) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Steve Jones\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\All Users\Desktop\spam001.exe (Malware.Packer.Gen) -> No action taken.

C:\Documents and Settings\All Users\Desktop\spam003.exe (Malware.Packer.Gen) -> No action taken.

C:\Documents and Settings\All Users\Desktop\troj000.exe (Malware.Packer.Gen) -> No action taken.

C:\WINDOWS\system32\opear.exe (Backdoor.Bot) -> No action taken.

C:\WINDOWS\system32\PowerDes.exe (Backdoor.Bot) -> No action taken.

C:\WINDOWS\system32\msctc.sys (Backdoor.Bot) -> No action taken.

C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> No action taken.

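The MBAM log above lists every detection as "No action taken", and one of them is a Hijack.StartMenuInternet entry whose "Bad" value wraps Firefox's safe-mode launch in ave.exe. As an added example (not code from this thread or from Malwarebytes), the script below parses that log format into records, counts detections per family, and checks each Hijack.* item by comparing which executable the Bad and Good commands actually start. LOG is a constructed excerpt in the same format as the posted log; the regular expressions are written against that format and are an assumption about how other MBAM 1.x logs look.

```python
"""Turn the detection section of a Malwarebytes' Anti-Malware 1.x log into
records, summarise it by family, and check the StartMenuInternet hijack
it reports: the 'Bad' command should start the same executable as the
'Good' one, and here it starts ave.exe instead.

Added example, not code from the thread or from Malwarebytes. LOG is a
constructed excerpt in the format of the log posted above."""
import re

LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Steve Jones\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\opear.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> No action taken.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.*)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.*)$")


def parse_mbam_log(text):
    """One dict per detection: section, target, family, action, and for
    'Registry Data Items' the Bad/Good values MBAM prints."""
    records, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ITEM_RE.match(line)
        if not m or section is None:
            continue
        rec = {"section": section, "target": m.group("target"),
               "family": m.group("family"), "bad": None, "good": None}
        bg = BAD_GOOD_RE.match(m.group("rest"))
        if bg:
            rec.update(bad=bg.group("bad"), good=bg.group("good"), action=bg.group("action"))
        else:
            rec["action"] = m.group("rest")
        records.append(rec)
    return records


def summary(records):
    """Detection count per MBAM family name."""
    counts = {}
    for rec in records:
        counts[rec["family"]] = counts.get(rec["family"], 0) + 1
    return counts


def launched_executable(command):
    """Program a Windows command line actually starts: the quoted first
    token if present, otherwise the first whitespace-separated token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def browser_hijacks(records):
    """(target, bad_exe, good_exe) for Hijack.* items whose Bad command
    starts a different program from the Good one."""
    hits = []
    for rec in records:
        if rec["family"].startswith("Hijack.") and rec["bad"] and rec["good"]:
            bad_exe = launched_executable(rec["bad"])
            good_exe = launched_executable(rec["good"])
            if bad_exe.lower().split("\\")[-1] != good_exe.lower().split("\\")[-1]:
                hits.append((rec["target"], bad_exe, good_exe))
    return hits


if __name__ == "__main__":
    recs = parse_mbam_log(LOG)
    print(summary(recs))
    for target, bad_exe, good_exe in browser_hijacks(recs):
        print(f"{target}: starts {bad_exe} instead of {good_exe}")
```

The comparison is on the program started, not on the whole string, because the hijacked value still contains the real firefox.exe path as an argument; a substring check for "firefox.exe" would pass it.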

File sent off to Bleepingcomputer.

Combofix report below:

ComboFix 10-03-24.01 - Steve Jones 24/03/2010 20:09:56.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3069.2687 [GMT 0:00]

Running from: c:\documents and settings\Steve Jones\Desktop\Firefox.exe

Command switches used :: c:\documents and settings\Steve Jones\Desktop\CFScript.txt

file zipped: c:\documents and settings\Steve Jones\Local Settings\Application Data\2383446155.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Steve Jones\Local Settings\Application Data\2383446155.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_GEL90XNE

-------\Service_gel90xne

((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))

.

2010-03-24 19:46 . 2010-03-24 19:46 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-23 10:25 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-23 10:25 . 2010-03-24 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-23 10:25 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-20 20:57 . 2010-03-20 20:57 -------- d-----w- c:\documents and settings\Steve Jones\Local Settings\Application Data\AVerMeida

2010-03-20 20:57 . 2010-03-23 09:57 -------- d-----w- c:\program files\Common Files\AVerMedia

2010-03-20 19:59 . 2010-03-20 20:56 27461837 ----a-w- c:\program files\E506R_6.0.12.08041002_080428.exe

2010-03-20 14:51 . 2007-11-29 10:41 -------- d-----w- c:\program files\A310_V1.1.0.22_vista_x86(WHQL)

2010-03-20 14:51 . 2010-03-20 14:51 459625 ----a-w- c:\program files\TV tuner-A310_V1.1.0.22_vista_x86(WHQL).zip

2010-03-18 12:52 . 2010-03-18 12:58 -------- d-----w- c:\program files\coolpro2

2010-03-18 12:26 . 2010-03-18 12:26 319792 ----a-w- c:\program files\utorrent.exe

2010-03-04 20:59 . 2010-03-04 21:09 24805112 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3Connect_Flasher_Huawei.exe

2010-02-26 17:34 . 2010-02-26 17:37 13432816 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3UK_2.7.0.77_AUP_Huawei.exe

2010-02-26 17:33 . 2010-02-26 17:33 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Birdstep Technology

2010-02-26 17:33 . 2007-05-28 18:00 10240 ------w- c:\windows\system32\drivers\mdvrmng.sys

2010-02-26 17:32 . 2008-03-17 09:56 103168 ----a-w- c:\windows\system32\drivers\ewusbfake.sys

2010-02-26 17:32 . 2008-03-17 09:03 101376 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys

2010-02-26 17:32 . 2008-03-16 12:47 872192 ----a-w- c:\windows\system32\drivers\mod7700.sys

2010-02-26 17:32 . 2008-01-22 13:09 100992 ----a-w- c:\windows\system32\drivers\ewusbnet.sys

2010-02-26 17:32 . 2007-08-09 02:13 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-23 09:58 . 2009-05-03 15:42 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-18 12:54 . 2009-07-28 20:24 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Syntrillium

2010-03-15 11:02 . 2010-02-21 01:06 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2010-03-15 09:36 . 2010-01-05 20:34 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\vlc

2010-02-26 17:31 . 2009-05-03 19:39 76118 ----a-w- c:\windows\Huawei ModemsUninstall.exe

2010-02-26 13:24 . 2009-05-03 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology

2010-02-25 10:45 . 2009-08-19 13:56 -------- d-----w- c:\program files\CCleaner

2010-02-23 09:54 . 2010-01-05 20:34 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\dvdcss

2010-02-21 15:55 . 2009-05-09 08:56 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\LimeWire

2010-02-13 17:44 . 2010-01-11 23:06 -------- d-----w- c:\program files\Doom 3

2010-02-13 17:43 . 2009-12-30 11:09 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\runic games

2010-02-13 17:43 . 2009-12-30 11:07 -------- d-----w- c:\program files\Runic Games

2010-02-13 17:41 . 2010-02-11 18:53 -------- d-----w- c:\program files\Joustra

2010-02-13 16:18 . 2010-02-13 15:56 -------- d-----w- c:\program files\LG PC Suite II

2010-02-13 15:56 . 2010-02-13 15:56 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\LG Electronics

2010-02-13 15:54 . 2010-02-13 15:54 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\InstallShield

2010-02-13 15:52 . 2009-08-19 14:41 -------- d-----w- c:\program files\LG Electronics

2010-01-15 11:57 . 2009-05-03 18:54 59400 ----a-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-15 11:56 . 2010-01-15 11:56 10583552 ----a-w- c:\program files\InstallScorch.msi

2010-01-05 20:31 . 2010-01-05 20:28 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe

2010-01-05 20:25 . 2010-01-05 20:25 286720 ------w- c:\windows\Setup1.exe

2010-01-05 20:25 . 2010-01-05 20:25 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-01-05 20:24 . 2010-01-05 20:24 2489250 ----a-w- c:\program files\PlayDVD.zip

2009-12-29 19:31 . 2009-12-29 19:25 29375592 ----a-w- c:\program files\A16AR_6.0.18.09070601_091110.zip

2009-12-27 21:19 . 2009-12-27 21:16 5436525 ----a-w- c:\program files\ITE_MIR_IT8512E-komku.blogspot.com-.zip

2009-11-18 12:30 . 2009-11-18 12:30 8157274 ----a-w- c:\program files\11.Camera-Bison driver package V7.96.701.12a_Vistax86x64(WHQL).zip

2009-11-09 18:49 . 2009-11-09 18:45 98224311 ----a-w- c:\program files\QX3Plus.exe

2009-10-23 22:02 . 2009-10-23 22:02 69722473 ----a-w- c:\program files\FXhome_VisionLab_Studio_1005014_Demo_Installer.exe

2009-08-13 20:11 . 2009-08-13 20:11 202071 ----a-w- c:\program files\RipIt4Me.zip

2009-08-04 10:07 . 2009-08-04 10:06 2496707 ----a-w- c:\program files\vsoDivxToDVD_setup_v0.5.2b.exe

2009-06-21 17:42 . 2009-06-21 17:42 608578 ----a-w- c:\program files\700_DDI_CB.exe

2009-05-15 08:46 . 2009-05-15 08:46 4669067 ----a-w- c:\program files\ICS_Dx32.exe

2009-05-13 09:54 . 2009-05-13 09:54 7303913 ----a-w- c:\program files\12.2.0.0_X_Drivers.zip

2007-03-21 20:19 . 2010-01-14 08:50 643072 ----a-w- c:\program files\RipIt4Me.exe

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

--- c:\windows\Setup1.exe ---

Company: Microsoft Corporation

File Description: Visual Basic 6.0 Setup Toolkit

File Version: 6.00.8171

Product Name: Microsoft Visual Basic for Windows

Copyright: Copyright © 1987-1998 Microsoft Corporation

Original Filename: setup1.exe

File size: 286720

Created time: 2010-01-05 20:25

Modified time: 2010-01-05 20:25

MD5: E40041E0CA436C712332EDAA9DB7DF08

SHA1: DEB8EAD922F4F1ACBADEBF0DB998F6BA2DC53DB0

---- Directory of c:\documents and settings\Steve Jones\Local Settings\Application Data\AVerMeida ----

2010-03-20 20:57 . 2010-03-20 20:57 67 ----a-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\AVerMeida\Steve Jones.xml

((((((((((((((((((((((((((((( SnapShot@2010-03-24_19.12.15 )))))))))))))))))))))))))))))))))))))))))

.

- 2004-08-04 12:00 . 2010-03-24 19:09 68558 c:\windows\system32\perfc009.dat

+ 2004-08-04 12:00 . 2010-03-24 20:12 68558 c:\windows\system32\perfc009.dat

+ 2004-08-04 12:00 . 2010-03-24 20:12 435828 c:\windows\system32\perfh009.dat

- 2004-08-04 12:00 . 2010-03-24 19:09 435828 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13594624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ msv1_0 schannel wdigest

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Update Agent.lnk

backup=c:\windows\pss\Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R220 Series]

2006-12-25 04:00 177664 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader: 3724

"8095:TCP"= 8095:TCP:test

S3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [11/09/2009 07:57 26496]

S3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [11/09/2009 07:57 42496]

S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys --> c:\windows\system32\DRIVERS\itecir.sys [?]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [24/09/2008 15:09 41376]

S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [09/11/2009 18:53 131776]

S4 gupdate1c9fdad1e7e45f2;Google Update Service (gupdate1c9fdad1e7e45f2);c:\program files\Google\Update\GoogleUpdate.exe [05/07/2009 20:13 133104]

.

Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

FF - ProfilePath - c:\documents and settings\Steve Jones\Application Data\Mozilla\Firefox\Profiles\crhzgivt.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-24 20:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\windows\system32\netprovcredman.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Intel\WiFi\bin\S24EvMon.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\windows\system32\wbem\unsecapp.exe

c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2010-03-24 20:19:51 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-24 20:19

ComboFix2.txt 2010-03-24 19:15

Pre-Run: 215,190,683,648 bytes free

Post-Run: 215,158,820,864 bytes free

- - End Of File - - 7AB37B25A098A54ECC9A0A24F0D4470E

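The "Reg Loading Points" part of the ComboFix report above records the state the machine was left in: both Security Center overrides set, the firewall's standard profile disabled with notifications suppressed, and an unexplained "8095:TCP:test" entry under GloballyOpenPorts. As an added example (not code from this thread or from ComboFix), the script below parses that REGEDIT4-style section and reports each of those weakened settings. SECTION is a constructed excerpt in the format of the posted report; the port-entry layout noted in the comments is an assumption about how ComboFix renders those values.

```python
"""Audit the 'Reg Loading Points' part of a ComboFix report for settings
that switch off or silence the machine's own defences: the Security
Center overrides, the XP firewall standard profile disabled with its
notifications suppressed, and entries in GloballyOpenPorts.

Added example, not code from the thread or from ComboFix. SECTION is a
constructed excerpt in the format of the report posted above; the
port-entry layout in the comments is an assumption about ComboFix's
rendering."""
import re

SECTION = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader: 3724
"8095:TCP"= 8095:TCP:test
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')


def parse_reg_points(text):
    """{registry key (lower-cased): {value name: data string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").strip()
    return keys


def dword_is_set(data):
    """True for a non-zero DWORD in either rendering seen in the report:
    'dword:00000001' or ComboFix's '1 (0x1)'."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", data)
    if m:
        return int(m.group(1), 16) != 0
    return data.split()[0] != "0"


def audit(keys):
    """Human-readable findings for the weakened settings described above."""
    findings = []
    for key, values in keys.items():
        if key.endswith(r"\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if dword_is_set(values.get(name, "dword:00000000")):
                    findings.append(f"Security Center {name}=1: missing-protection alerts suppressed")
        elif key.endswith(r"firewallpolicy\standardprofile"):
            if "EnableFirewall" in values and not dword_is_set(values["EnableFirewall"]):
                findings.append("Windows Firewall standard profile disabled (EnableFirewall=0)")
            if dword_is_set(values.get("DisableNotifications", "0")):
                findings.append("Firewall blocked-program notifications disabled")
        elif key.endswith(r"globallyopenports\list"):
            # Assumed layout: port:proto:scope:Enabled|Disabled:description.
            # Anything not explicitly Disabled, including a short or odd
            # entry like '8095:TCP:test', is reported for review.
            for name, data in values.items():
                fields = data.split(":")
                state = fields[3].strip() if len(fields) >= 5 else "unknown"
                if state.lower() != "disabled":
                    findings.append(f"Open port entry {name} not marked Disabled: {data}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_points(SECTION)):
        print("!", finding)
```

The values alone do not say who set them: the poster had just removed AVG, so AntiVirusOverride could be a user choice, while a rogue antivirus has every reason to set FirewallOverride and EnableFirewall=0 itself. The audit's job is to make sure each of these is looked at and put back before the machine is declared clean.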

  • Staff

Hi,

I didn't receive the file. Can you send the C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created) file to miekeATmalwarebytes.org instead please? (replace AT with @)

Thanks.

AFTER you have sent me that file, do the following:

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

For the AverMeida folder:

---- Directory of c:\documents and settings\Steve Jones\Local Settings\Application Data\AVerMeida ----

2010-03-20 20:57 . 2010-03-20 20:57 67 ----a-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\AVerMeida\Steve Jones.xml

It contains the Steve Jones.xml file. I assume it's a sort of configuration file for your Avermedia. Still funny it uses the avermeida name though :)

Let me know in your next reply how things are now. :)


Hi again! I have emailed the file as requested.

I have uninstalled Combofix.

Re Avermeida, I have been downloading all kinds of drivers in the last week in an attempt to get my TV tuner card working. This laptop came with Vista, which I immediately changed to XP because I prefer it. But that meant my Acer TV didn't work so I've been trying hard with that recently, to no avail. That's where any references to Avermedia / AverTV / A310 come from, and I'll be removing them all again soon!

The laptop is now looking exactly as it did before the attack. You have no idea how happy and relieved I am. I cannot thank you enough.

I had just removed AVG because it kept pestering me to update and buy when the virus slipped through. I will now be installing Avira to give that a try.

Thanks again for all your efforts.

Steve Jones
