Persistent possible malware; MWBAM & DDS logs copy+pasted, but GMER gives me blue screen


Hiya. I recently had a weird issue where AVG's Resident shield would pop up with the same trojan detection once every half a minute for about 10 minutes every time I logged on. This one time, my computer screeched at me with a series of horrible, yet tuneful beeps. After a couple of virus scans, that problem stopped, but another one remains.

Internet Explorer starts out fine, but after a certain amount of time (5-10 minutes, or maybe after I've browsed a few different sites) it starts to become slightly unstable. Pages won't load properly (takes multiple refreshes or opening in new window/tabs to work), pages with multiple thumbnails (like Google Images) need to be refreshed before all thumbnails appear, and my browsing history doesn't seem to be being saved. Fairly small issues, but the thing that worries me is this thing's cockroach-like persistence. Might mean it's more dangerous than it seems.

I ran AVG, MBAM and Avira's virus scans in Safe Mode (later learned MBAM isn't designed for Safe Mode). I don't think AVG found anything, but MBAM and Avira both found a bunch of malware and removed it. It was around this time that I stopped getting pop-ups, but my Internet Explorer problem remains. Therefore, I decided to try out the remedy suggested in this forum's sticky (I'm infected - What do I do now?), including another MBAM scan outside of Safe Mode. I did everything it suggested and everything went peachy up until GMER.

When I try loading GMER, my computer becomes unresponsive for several minutes. I can still move my mouse cursor, but clicking on anything indefinitely extends the stalling, necessitating a reset. If GMER manages to load eventually, I initiate the suggested scan and it runs for a minute or two before I get blue screened. Tried that twice now. Anyway, the sticky said to post what I managed to complete anyway, so here it is, and thanks for your time.

MALWAREBYTES

Malwarebytes' Anti-Malware 1.44

Database version: 3911

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

25/03/2010 15:57:46

mbam-log-2010-03-25 (15-57-46).txt

Scan type: Full Scan (C:\|)

Objects scanned: 281454

Time elapsed: 2 hour(s), 9 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP248\A0107174.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP248\A0108310.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

DDS

DDS (Ver_10-03-17.01) - NTFSx86

Run by Me at 16:39:58.56 on 25/03/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1163 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

svchost.exe "C:\WINDOWS\system32\12520850o.exe"

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\OEM02Mon.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\KADxMain.exe

C:\Program Files\Creative\Mixer\CTSVolFE.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Pando Networks\Media Booster\PMB.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\WiFiConnector\NintendoWFCReg.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Me\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page

uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk

uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2080124

uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: OpenLastClosedTab.LastClosedTab: {e15e75e9-a653-42a3-8d05-f2f7e309bdca} - mscoree.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: ImageShack Toolbar: {6932d140-abc4-4073-a44c-d4a541665e35} - c:\program files\imageshacktoolbar\ImageShackToolbar.dll

TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s

mRun: [KADxMain] c:\windows\system32\KADxMain.exe

mRun: [CTSVolFE.exe] "c:\program files\creative\mixer\CTSVolFE.exe" /r

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"

mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [ECenter] c:\dell\e-center\EULALauncher.exe

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.5.0_06\bin\jusched.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe

IE: Post Image to Blog - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5003

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Tag This Image - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5002

IE: Transload Image to ImageShack - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5004

IE: Upload All Images to ImageShack - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5000

IE: Upload Image to ImageShack - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5001

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {e15e75e9-a653-42a3-8d05-f2f7e309bdca} - {e15e75e9-a653-42a3-8d05-f2f7e309bdca} - mscoree.dll

LSP: %SystemRoot%\system32\PrxerDrv.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab

DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab

DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} - hxxp://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-24 11608]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-24 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-11 29512]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-24 242696]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-3-11 353672]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-24 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-24 267432]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-14 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-24 60936]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S2 gupdate1c95ca48ba5d424;Google Update Service (gupdate1c95ca48ba5d424);c:\program files\google\update\GoogleUpdate.exe [2008-12-12 133104]

S2 RasAutohkmsvc;Remote Access Auto Connection Manager RasAutohkmsvc;c:\windows\system32\1025f.exe srv --> c:\windows\system32\1025f.exe srv [?]

S2 Spoolerwscsvc;Print Spooler Spoolerwscsvc;c:\windows\system32\12520850o.exe srv --> c:\windows\system32\12520850o.exe srv [?]

=============== Created Last 30 ================

2010-03-25 16:19:50 0 ----a-w- c:\documents and settings\me\defogger_reenable

2010-03-24 14:48:09 0 d-----w- c:\docume~1\me\applic~1\Avira

2010-03-24 14:46:46 0 d-----w- c:\windows\system32\NtmsData

2010-03-24 14:43:59 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-03-24 14:43:58 0 d-----w- c:\program files\Avira

2010-03-24 14:43:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-03-24 06:24:03 122 ----a-w- c:\windows\wa.INI

2010-03-23 13:54:13 0 ----a-w- c:\windows\system32\activedsz.sys

2010-03-22 17:24:05 753046 --sha-w- c:\windows\system32\adsnty.sys

2010-03-22 06:47:49 100 --s-a-w- c:\windows\system32\2719601349.dat

2010-03-20 03:02:03 38160 ----a-w- c:\windows\system32\LMRTREND.dll

2010-03-20 03:02:03 140800 ----a-w- c:\windows\system32\tm20dec.ax

2010-03-20 03:02:02 182032 ----a-w- c:\windows\system32\dxtmsft3.dll

2010-03-20 03:01:58 63488 ----a-w- c:\windows\system32\unam4ie.exe

2010-03-20 03:01:54 5672 ----a-w- c:\windows\system32\quartz.vxd

2010-03-20 03:01:54 194320 ----a-w- c:\windows\system32\qcut.dll

2010-03-20 03:01:54 11776 ----a-w- c:\windows\system32\mciqtz.drv

2010-03-20 03:01:54 10240 ----a-w- c:\windows\system32\vidx16.dll

2010-03-20 03:01:53 4608 ----a-w- c:\windows\system32\w95inf32.dll

2010-03-20 03:01:53 2272 ----a-w- c:\windows\system32\w95inf16.dll

2010-03-20 03:01:30 0 d-----w- C:\Team17

2010-03-14 09:08:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-13 00:49:04 293376 ------w- c:\windows\system32\browserchoice.exe

2010-03-10 21:36:21 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-25 13:52:57 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-03-25 13:52:57 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys

2010-03-22 01:32:23 14374 ----a-w- c:\docume~1\me\applic~1\wklnhst.dat

2010-03-21 02:16:00 41 ----a-w- c:\documents and settings\me\jagex_runescape_preferences.dat

2010-03-21 02:15:34 69 ----a-w- c:\documents and settings\me\jagex_runescape_preferences2.dat

2010-03-14 09:08:44 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-14 09:08:34 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-01-28 22:34:18 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys

2008-01-24 11:11:13 76 --sh--r- c:\windows\CT4CET.bin

2008-08-29 22:29:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 16:41:56.28 ===============

Attach.zip
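As an added example that is not part of the original post or of any of the tools named in it, the following Python script shows two checks a defender can run over the kind of log lines posted above: it splits the Winlogon\Userinit value that MBAM reported as hijacked into its entries and reports anything other than the stock userinit.exe, and it parses DDS "SERVICES / DRIVERS" lines to flag services whose display name borrows a built-in Windows service name while the service name and binary do not match what that service should be. The stock Userinit value and the two-entry service allowlist are assumptions based on Windows XP defaults, not something the logs state; the sample lines are copied from the logs in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption (Windows XP default, not taken from the post): the stock
# Winlogon\Userinit value names only userinit.exe, which lives in system32.
STOCK_USERINIT_BASENAME = "userinit.exe"

# Assumed allowlist (not from the post) for two built-in XP services whose
# display names the DDS log above shows being borrowed: the real service
# name and the binary that should back it.
KNOWN_SERVICES = {
    "print spooler": ("Spooler", "spoolsv.exe"),
    "remote access auto connection manager": ("RasAuto", "svchost.exe"),
}

# Sample input: the MBAM "Hijack.Userinit" line from the post above.
MBAM_HIJACK_LINE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit "
    r"(Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) "
    r"Good: (Userinit.exe) -> Quarantined and deleted successfully."
)

# Sample input: four service lines copied from the DDS log above.
SAMPLE_DDS_SERVICES = [
    r"R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-24 135336]",
    r"R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]",
    r"S2 RasAutohkmsvc;Remote Access Auto Connection Manager RasAutohkmsvc;c:\windows\system32\1025f.exe srv --> c:\windows\system32\1025f.exe srv [?]",
    r"S2 Spoolerwscsvc;Print Spooler Spoolerwscsvc;c:\windows\system32\12520850o.exe srv --> c:\windows\system32\12520850o.exe srv [?]",
]


def mbam_bad_value(line: str) -> Optional[str]:
    """Pull the 'Bad: (...)' value out of an MBAM registry-data line."""
    m = re.search(r"Bad: \((.*?)\) Good:", line)
    return m.group(1) if m else None


def userinit_extras(value: str) -> List[str]:
    """Return every program in a Userinit value other than the stock userinit.exe.

    The value is comma separated (the stock value ends in a trailing comma) and
    Winlogon starts each entry at logon, so any extra entry is a logon-time
    persistence point, which is how sdra64.exe was being launched in the log.
    """
    extras = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        directory, _, basename = entry.rpartition("\\")
        in_system32 = directory == "" or directory.lower().endswith("\\system32")
        if basename.lower() == STOCK_USERINIT_BASENAME and in_system32:
            continue
        extras.append(entry)
    return extras


@dataclass
class Service:
    state: str     # DDS state code, e.g. R2 (running) or S2 (stopped, auto-start)
    name: str      # registry service name
    display: str   # display name shown in services.msc
    image: str     # path of the binary, without its arguments


DDS_SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
IMAGE_RE = re.compile(r"^(?P<image>.+?\.(?:exe|sys|dll))(?:\s|$)", re.IGNORECASE)


def parse_dds_service(line: str) -> Optional[Service]:
    """Parse one DDS 'SERVICES / DRIVERS' line; return None for non-service lines."""
    m = DDS_SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").split(" --> ")[0]        # DDS repeats the path after "-->"
    rest = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest)    # drop trailing "[date size]" or "[?]"
    im = IMAGE_RE.match(rest)
    image = im.group("image") if im else rest
    return Service(m.group("state"), m.group("name"), m.group("display"), image)


def suspicious_services(lines: List[str]) -> List[Service]:
    """Flag services that reuse a built-in display name but are registered
    under a different service name or are backed by a different binary."""
    flagged = []
    for line in lines:
        svc = parse_dds_service(line)
        if svc is None:
            continue
        display = svc.display.lower()
        basename = svc.image.rpartition("\\")[2].lower()
        for legit_display, (legit_name, legit_image) in KNOWN_SERVICES.items():
            if legit_display in display and (
                svc.name.lower() != legit_name.lower() or basename != legit_image
            ):
                flagged.append(svc)
                break
    return flagged


if __name__ == "__main__":
    bad = mbam_bad_value(MBAM_HIJACK_LINE)
    print("Extra Userinit entries:", userinit_extras(bad) if bad else "none")
    for svc in suspicious_services(SAMPLE_DDS_SERVICES):
        print(f"suspicious service {svc.name!r} ({svc.display!r}) -> {svc.image}")
```

The display-name check is deliberately narrow: it only fires when a line claims a built-in name such as "Print Spooler" and the registration disagrees with that service's real name or binary, so a legitimately renamed third-party service is not reported.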


Hey Mr Sparkle,

Welcome to Malwarebytes! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning-up process will be smoother and more efficient. Do not worry, the points below are not any form of rules; they are just a few pointers that can ensure that you will get the best help from me. ;)

  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply is posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to; this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance; any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send a message to me on here. :rolleyes:
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff member). All staff are volunteers on here; starting multiple topics will waste the limited resource of manpower we have here at Malwarebytes, and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding. :)


Hey Mr Sparkle,

From your log(s), one or more of the identified infections is a backdoor Trojan and/or rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. If this computer is used for online commercial means, please do the following IMMEDIATELY!

1) Call all relevant organisations (like banks, credit card companies etc) and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2) From an uninfected computer, change ALL your online important personal information that you have used on this computer.

Do NOT use the infected computer for any commercial means during this while as the trojan author can still get information from it.

Due to the likelihood that your computer has already been compromised, there can be no guarantee that your computer can ever be secure again. While it is possible to completely remove the backdoor trojans on your computer, only a reformat can ensure that your computer is completely clean.

If you want to continue with the fixing, please follow the instructions below.

From your log, you seem to have multiple anti-virus programs running on your computer. This is not recommended as multiple protections of the same kind can cause conflicts and reduce the efficiency of the software. Please remove/disable one of the following:

AVG Anti-Virus Free

Avira antivir

Please follow my instructions in the order they were given, and print out a copy of them as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (your anti-virus and ZoneAlarm Firewall) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue scanning for malware.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Remove Programs

Please go to Add or Remove Programs and remove the following (if present):

SearchAssist

Then use Windows Explorer and remove the following (if present):

C:\Program Files\SearchAssist

Reboot your computer.

3) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

  • Under custom scans copy and paste the following:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\*.*
    %ProgramFiles%\Movie Maker\*.dll
    %ALLUSERSAPPDATA%\*.dll
    %SYSTEMROOT%\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dll
    %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
    %systemroot%\system32\*.dll /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    c:\$recycle.bin\*.* /s
    CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the Add icon to insert the attachment into your post

4) Run RootRepeal

Download RootRepeal from one of the following locations and save it to your desktop:

Link 1
Link 2
Link 3

  • Double click the RootRepeal desktop icon to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the Add icon to insert the attachment into your post

Next reply (please include in your post):

OTS.txt (attached)

ComboFix.txt

RootRepeal.txt (attached)


OK, all scans ran without a problem, so here's the info (RootRepeal was short enough to be copy+pasted)...

COMBOFIX

ComboFix 10-03-29.04 - Me 01/04/2010 14:31:51.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1427 [GMT 1:00]

Running from: c:\documents and settings\Me\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

c:\windows\emizerazurowovox.dll

c:\windows\system32\drivers\svchost.exe

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\ReadMe.txt

c:\windows\system32\sdra64.exe

c:\windows\system32\vidx16.dll

c:\windows\Temp\2112450234.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_RASAUTOHKMSVC

-------\Legacy_SPOOLERWSCSVC

-------\Service_RasAutohkmsvc

-------\Service_Spoolerwscsvc

((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))

.

2010-04-01 13:24 . 2010-04-01 13:24 -------- d-sha-r- \cmdcons

2010-04-01 13:22 . 2010-04-01 13:59 -------- d-----w- \ComboFix

2010-04-01 12:57 . 2010-04-01 13:58 -------- d-----w- \Qoobox

2010-03-31 22:05 . 2010-04-01 12:21 120 ----a-w- c:\windows\Wxoriracevenupe.dat

2010-03-31 22:05 . 2010-04-01 05:25 0 ----a-w- c:\windows\Qtuzo.bin

2010-03-31 22:05 . 2010-03-31 22:05 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\{D7BD4506-8943-4A8B-AA72-314E36922292}

2010-03-31 21:59 . 2010-03-31 22:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-03-24 14:48 . 2010-03-24 14:48 -------- d-----w- c:\documents and settings\Me\Application Data\Avira

2010-03-24 14:43 . 2010-03-24 14:43 -------- d-----w- c:\program files\Avira

2010-03-24 14:43 . 2010-03-24 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-03-20 03:01 . 2010-03-20 03:01 -------- d-----w- C:\Team17

2010-03-20 03:01 . 2010-03-20 03:01 -------- d-----w- \Team17

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-01 13:31 . 2009-11-04 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-04-01 05:24 . 2008-12-04 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-03-22 01:32 . 2008-01-31 15:06 14374 ----a-w- c:\documents and settings\Me\Application Data\wklnhst.dat

2010-03-21 02:16 . 2010-01-20 09:34 41 ----a-w- c:\documents and settings\Me\jagex_runescape_preferences.dat

2010-03-21 02:15 . 2010-01-20 09:35 69 ----a-w- c:\documents and settings\Me\jagex_runescape_preferences2.dat

2010-02-23 20:32 . 2010-02-23 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-02-13 17:03 . 2010-02-13 17:02 -------- d-----w- c:\program files\iTunes

2010-02-13 17:02 . 2010-02-13 17:02 -------- d-----w- c:\program files\iPod

2010-02-13 17:02 . 2008-02-01 18:52 -------- d-----w- c:\program files\Common Files\Apple

2008-01-24 11:11 . 2008-01-24 11:11 76 --sh--r- c:\windows\CT4CET.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-10-16 12:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 68856]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-10-22 2923192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-09 851968]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-09 137752]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-09 162328]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-09 137752]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]

"SigmatelSysTrayApp"="stsystra.exe" [2007-07-09 405504]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-24 1838592]

"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-22 68592]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-24 50688]

Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-1-29 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-14 09:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"56600:TCP"= 56600:TCP:Pando Media Booster

"56600:UDP"= 56600:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [24/05/2009 19:22 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [24/05/2009 19:22 242696]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/03/2010 15:44 135336]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14/03/2010 10:08 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14/03/2010 10:08 308064]

S2 gupdate1c95ca48ba5d424;Google Update Service (gupdate1c95ca48ba5d424);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 22:56 133104]

.

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page

mLocal Page = c:\windows\system32\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002

IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004

IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000

IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001

LSP: %SystemRoot%\system32\PrxerDrv.dll

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Bsofudivoso - c:\windows\emizerazurowovox.dll

HKU-Default-Run-SVCHOST.EXE - c:\windows\system32\drivers\svchost.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-01 14:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\smss.exe

c:\windows\system32\csrss.exe

c:\windows\system32\winlogon.exe

c:\windows\system32\services.exe

c:\windows\system32\lsass.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe

c:\windows\System32\svchost.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe

c:\windows\system32\spoolsv.exe

c:\windows\system32\svchost.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\windows\system32\svchost.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

c:\windows\System32\alg.exe

c:\windows\System32\svchost.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\stsystra.exe

c:\windows\system32\wbem\wmiprvse.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-04-01 15:11:22 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-01 14:11

Pre-Run: 95,329,959,936 bytes free

Post-Run: 96,654,061,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 14468E7FD0F858EBE7A55AA02461C530

ROOTREPEAL

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/04/01 16:11

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xA7329000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA652000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA5394000 Size: 49152 File Visible: No Signed: -

Status: -

Name: srescan.sys

Image Path: srescan.sys

Address: 0xB9D20000 Size: 81920 File Visible: No Signed: -

Status: -

Name: usbhub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xB8D97000 Size: 59520 File Visible: - Signed: -

Status: Hidden from the Windows API!

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

SSDT

-------------------

#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa759ffc0

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa759cc80

#: 041 Function Name: NtCreateKey

Status: Hooked by "<unknown>" at address 0xba726a56

#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75a0580

#: 047 Function Name: NtCreateProcess

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75b4900

#: 048 Function Name: NtCreateProcessEx

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75b4b10

#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75b8b10

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xba726a4c

#: 056 Function Name: NtCreateWaitablePort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75a0670

#: 062 Function Name: NtDeleteFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa759d210

#: 063 Function Name: NtDeleteKey

Status: Hooked by "<unknown>" at address 0xba726a5b

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "<unknown>" at address 0xba726a65

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75b4280

#: 098 Function Name: NtLoadKey

Status: Hooked by "<unknown>" at address 0xba726a6a

#: 099 Function Name: NtLoadKey2

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75b7f90

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa759d070

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75b6180

#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75b5f40

#: 192 Function Name: NtRenameKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75b86f0

#: 193 Function Name: NtReplaceKey

Status: Hooked by "<unknown>" at address 0xba726a74

#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa759fbe0

#: 204 Function Name: NtRestoreKey

Status: Hooked by "<unknown>" at address 0xba726a6f

#: 210 Function Name: NtSecureConnectPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75a0190

#: 224 Function Name: NtSetInformationFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa759d440

#: 247 Function Name: NtSetValueKey

Status: Hooked by "<unknown>" at address 0xba726a60

#: 255 Function Name: NtSystemDebugControl

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75b5200

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa75b5080

==EOF==

OTS

OTS.Txt

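The RootRepeal SSDT section in the post above attributes most hooks to vsdatant.sys (ZoneAlarm's TrueVector driver, so those are expected on a machine running ZoneAlarm) and a handful to "<unknown>". The following is an added triage helper written for this page, not part of the thread, RootRepeal or ComboFix: it parses a report in RootRepeal's layout, groups hooks by owner, reports the address span the unresolved hooks share, checks whether any listed driver's image range covers them, and lists drivers flagged as hidden. The sample input is a constructed excerpt of the report above.

```python
"""Added triage helper for RootRepeal reports (not part of this thread or of
RootRepeal): group SSDT hooks by owner, isolate unresolved owners, list hidden drivers."""
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's own layout, shortened from the report above.
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: srescan.sys
Address: 0xB9D20000 Size: 81920 File Visible: No Signed: -
Status: -

Name: usbhub.sys
Address: 0xB8D97000 Size: 59520 File Visible: - Signed: -
Status: Hidden from the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\\WINDOWS\\System32\\vsdatant.sys" at address 0xa759ffc0

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba726a56

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba726a4c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\WINDOWS\\System32\\vsdatant.sys" at address 0xa75b5080

==EOF==
"""

SSDT_LINE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_LINE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
ADDR_LINE = re.compile(r"^Address:\s*(0x[0-9A-Fa-f]+)\s+Size:\s*(\d+)")


def split_sections(text):
    """Map each section title (the line just above a '----' rule) to its lines."""
    lines, sections, current = text.splitlines(), defaultdict(list), None
    for i, line in enumerate(lines):
        if line.strip() and i + 1 < len(lines) and lines[i + 1].startswith("---"):
            current = line.strip()
        elif current and not line.startswith(("---", "==EOF")):
            sections[current].append(line.rstrip())
    return sections


def parse_ssdt(lines):
    """Pair each '#: NNN Function Name: X' line with the 'Status:' line under it."""
    hooks, pending = [], None
    for line in lines:
        if m := SSDT_LINE.match(line):
            pending = {"index": int(m.group(1)), "function": m.group(2)}
        elif (m := HOOK_LINE.match(line)) and pending:
            pending.update(module=m.group(1), address=int(m.group(2), 16))
            hooks.append(pending)
            pending = None
    return hooks


def parse_drivers(lines):
    """Collect Name / Address+Size / Status from each driver block."""
    drivers, cur = [], None
    for line in lines:
        if line.startswith("Name:"):
            cur = {"name": line[5:].strip(), "status": ""}
            drivers.append(cur)
        elif cur and (m := ADDR_LINE.match(line)):
            cur["base"], cur["size"] = int(m.group(1), 16), int(m.group(2))
        elif cur and line.startswith("Status:"):
            cur["status"] = line[7:].strip()
    return drivers


def owner_candidates(address, drivers):
    """Names of listed drivers whose image range [base, base+size) covers address."""
    return [d["name"] for d in drivers
            if "base" in d and d["base"] <= address < d["base"] + d["size"]]


def triage(text):
    """Hooks grouped by owner, the address span shared by unresolved hooks,
    and drivers RootRepeal flagged as hidden from the Windows API."""
    sections = split_sections(text)
    hooks = parse_ssdt(sections.get("SSDT", []))
    drivers = parse_drivers(sections.get("Drivers", []))
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h["function"])
        # RootRepeal names the owner only when it maps the target to a loaded
        # image; re-check the hook target against the drivers it did list.
        h["candidates"] = owner_candidates(h["address"], drivers)
    unknown = [h["address"] for h in hooks if h["module"] == "<unknown>"]
    return {"hooks_by_module": dict(by_module),
            "unknown_span": (min(unknown), max(unknown)) if unknown else None,
            "hidden_drivers": [d["name"] for d in drivers if "Hidden" in d["status"]]}
```

Unresolved hooks clustered a few bytes apart, as here, point at one image that RootRepeal could not name; compare the span against a kernel module listing from another tool before drawing conclusions.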

Hey Mr Sparkle,

Thank you for the logs. :)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus and ZoneAlarm Firewall) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Run CFScript

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\Wxoriracevenupe.dat
c:\windows\Qtuzo.bin
C:\WINDOWS\system32\12520850o.exe
c:\windows\system32\2719601349.dat

Driver::
Spoolerwscsvc

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • ComboFix.txt

2) Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :Filefind
    srescan.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

3) Run Malwarebytes scan

  • Open Malwarebytes by clicking on its shortcut on desktop. Please click on the "Update" tab and click "Check for Updates".
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next reply (please include in your post):

Tell me how your computer is running

ComboFix.txt

Systemlook.txt

MBAM scan log


Thanks again for all the help! :)

Alright, after those scans, my computer seems to be doing better. It's still experiencing the same sorts of problems it was before, but far less frequently. I still get Internet Explorer pages occasionally refusing to load properly, but it's only occasionally and a refresh or two fixes it. Before, it happened constantly and I had to open multiple new windows before they loaded properly. Thumbnails still aren't loading all at once, but that's not really a big problem. And I'm still having that weird issue with my browsing history. For some sites, it'll only record my visit to the top page, but won't record any other activity within the site. This is most noticeable on Google, which should have loads of activity being saved.

So, while some mysterious things are still happening, Internet Explorer seems to at least be acting stable again. The other problems might be due to something benign, like perhaps I messed something up after deleting a false positive after a virus scan, I guess. But, IE's stability is back, and that's the main thing.

One last thing before the reports... If my computer does become unstable again and I decide to use my system restore discs (came with the PC, restores to factory settings), would it be safe for me to transfer the contents of My Documents over on a memory stick? If I'm only transferring things like word documents or jpegs, I should be safe from any possible infection, right? If I do have to restore, I just want to make sure I only have to do it the once. :)

COMBO FIX

ComboFix 10-04-03.01 - Me 03/04/2010 22:30:34.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1170 [GMT 1:00]

Running from: c:\documents and settings\Me\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Me\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::

"c:\windows\Qtuzo.bin"

"c:\windows\system32\12520850o.exe"

"c:\windows\system32\2719601349.dat"

"c:\windows\Wxoriracevenupe.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\AppPatch\AcAdProc.dll

c:\windows\Qtuzo.bin

c:\windows\Wxoriracevenupe.dat

.

((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))

.

2010-03-31 22:05 . 2010-03-31 22:05 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\{D7BD4506-8943-4A8B-AA72-314E36922292}

2010-03-31 22:01 . 2010-03-31 22:01 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-03-31 21:59 . 2010-03-31 22:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-03-24 14:48 . 2010-03-24 14:48 -------- d-----w- c:\documents and settings\Me\Application Data\Avira

2010-03-24 14:46 . 2010-03-30 08:48 -------- d-----w- c:\windows\system32\NtmsData

2010-03-24 14:43 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-03-24 14:43 . 2010-02-16 13:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-03-24 14:43 . 2009-05-11 11:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-03-24 14:43 . 2009-05-11 11:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-03-24 14:43 . 2010-03-24 14:43 -------- d-----w- c:\program files\Avira

2010-03-24 14:43 . 2010-03-24 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-03-23 13:54 . 2010-03-24 22:22 0 ----a-w- c:\windows\system32\activedsz.sys

2010-03-22 17:24 . 2010-03-24 23:07 753046 --sha-w- c:\windows\system32\adsnty.sys

2010-03-20 03:02 . 1998-09-02 08:28 38160 ----a-w- c:\windows\system32\LMRTREND.dll

2010-03-20 03:02 . 1998-08-27 04:51 182032 ----a-w- c:\windows\system32\dxtmsft3.dll

2010-03-20 03:01 . 1998-09-02 08:28 63488 ----a-w- c:\windows\system32\unam4ie.exe

2010-03-20 03:01 . 1998-09-02 08:02 194320 ----a-w- c:\windows\system32\qcut.dll

2010-03-20 03:01 . 1998-08-17 09:21 11776 ----a-w- c:\windows\system32\mciqtz.drv

2010-03-20 03:01 . 2010-03-20 03:01 4608 ----a-w- c:\windows\system32\w95inf32.dll

2010-03-20 03:01 . 2010-03-20 03:01 2272 ----a-w- c:\windows\system32\w95inf16.dll

2010-03-20 03:01 . 2010-03-20 03:01 -------- d-----w- C:\Team17

2010-03-14 09:08 . 2010-03-14 09:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-13 00:49 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-03-10 21:36 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-03 12:37 . 2008-12-04 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-04-01 13:31 . 2009-11-04 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-03-31 22:01 . 2008-09-22 10:49 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-03-25 13:52 . 2004-08-03 22:59 96512 ------w- c:\windows\system32\drivers\atapi.sys

2010-03-22 01:32 . 2008-01-31 15:06 14374 ----a-w- c:\documents and settings\Me\Application Data\wklnhst.dat

2010-03-21 02:16 . 2010-01-20 09:34 41 ----a-w- c:\documents and settings\Me\jagex_runescape_preferences.dat

2010-03-21 02:15 . 2010-01-20 09:35 69 ----a-w- c:\documents and settings\Me\jagex_runescape_preferences2.dat

2010-03-14 09:08 . 2009-05-24 18:22 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-14 09:08 . 2008-03-11 10:07 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-14 09:08 . 2009-05-24 18:22 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-02-25 06:24 . 2004-08-11 17:00 916480 ------w- c:\windows\system32\wininet.dll

2010-02-23 20:32 . 2010-02-23 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-02-13 17:03 . 2010-02-13 17:02 -------- d-----w- c:\program files\iTunes

2010-02-13 17:02 . 2010-02-13 17:02 -------- d-----w- c:\program files\iPod

2010-02-13 17:02 . 2008-02-01 18:52 -------- d-----w- c:\program files\Common Files\Apple

2010-01-28 22:34 . 2008-12-03 23:25 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-01-07 16:07 . 2010-01-30 23:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 16:07 . 2010-01-30 23:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2008-01-24 11:11 . 2008-01-24 11:11 76 --sh--r- c:\windows\CT4CET.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-10-16 12:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 68856]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-10-22 2923192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-09 851968]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-09 137752]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-09 162328]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-09 137752]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]

"SigmatelSysTrayApp"="stsystra.exe" [2007-07-09 405504]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-24 1838592]

"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-22 68592]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-24 50688]

Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-1-29 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-14 09:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"56600:TCP"= 56600:TCP:Pando Media Booster

"56600:UDP"= 56600:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [24/05/2009 19:22 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [24/05/2009 19:22 242696]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/03/2010 15:44 135336]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14/03/2010 10:08 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14/03/2010 10:08 308064]

S2 gupdate1c95ca48ba5d424;Google Update Service (gupdate1c95ca48ba5d424);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 22:56 133104]

.

Contents of the 'Scheduled Tasks' folder

2010-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-04-03 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-24 23:50]

2010-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 14:49]

2010-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 14:49]

2010-04-03 c:\windows\Tasks\User_Feed_Synchronization-{EEA18D69-C310-4584-9C8D-763CE464A80A}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

2010-04-03 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-03-25 22:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page

uInternet Settings,ProxyOverride = *.local

IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002

IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004

IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000

IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001

LSP: %SystemRoot%\system32\PrxerDrv.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-03 22:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5224)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\stsystra.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-04-03 22:56:33 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-03 21:56

ComboFix2.txt 2010-04-01 14:11

Pre-Run: 96,436,785,152 bytes free

Post-Run: 96,601,645,056 bytes free

- - End Of File - - 4D1A8039F7859E33E5D20CD886F9C1C3

SYSTEM LOOK

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 23:12 on 03/04/2010 by Me (Administrator - Elevation successful)

========== Filefind ==========

Searching for "srescan.sys"

C:\WINDOWS\system32\ZoneLabs\srescan.sys --a--- 51688 bytes [21:25 29/03/2009] [01:24 17/11/2008] BB1CC49B817D2551EB321F4A9AFB7D8C

-=End Of File=-

MBAM

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

03/04/2010 23:20:50

mbam-log-2010-04-03 (23-20-50).txt

Scan type: Quick scan

Objects scanned: 119617

Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

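The registry-style sections of the ComboFix log above (the Run keys, the Security Center monitoring flag, the firewall policy and its AuthorizedApplications list) are the parts a responder reads first. The parser below is an added example written for this page, not code from the thread or from ComboFix; its regexes, its "trusted prefix" heuristic and the one constructed "example_tool" entry in the sample input are mine. It pulls those sections into structured records and flags what stands out in this particular log: EnableFirewall set to 0, DisableMonitoring set to 1 for the ZoneLabs entry, and a binary under All Users\Application Data holding a firewall exception.

```python
"""Triage the registry-style sections of a ComboFix log. Added example; the
regexes and the trusted-location heuristic are my own, not ComboFix's."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: lines copied from the ComboFix log in this thread, plus one
# constructed autorun entry ("example_tool") to exercise the path heuristic.
SAMPLE_LOG = r'''
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"example_tool"="c:\documents and settings\Me\Application Data\example_tool.exe" [2010-04-01 12345]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
'''

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
AUTORUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$')
AUTHORIZED_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
SETTING_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\S.*)$')

# Locations an XP autorun or firewall exception is normally expected to live in.
# Anything else (user profiles, All Users\Application Data, Temp) deserves a look.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\", "%windir%\\")


@dataclass
class Autorun:
    key: str
    name: str
    path: str
    date: str
    size: int


@dataclass
class Triage:
    autoruns: List[Autorun] = field(default_factory=list)
    authorized_apps: List[str] = field(default_factory=list)
    settings: Dict[str, Optional[int]] = field(default_factory=dict)  # "key\name" -> value
    findings: List[str] = field(default_factory=list)


def unescape(path: str) -> str:
    """ComboFix prints firewall-list paths with doubled backslashes."""
    return path.replace("\\\\", "\\")


def outside_trusted(path: str) -> bool:
    return not path.lower().startswith(TRUSTED_PREFIXES)


def parse_value(raw: str) -> Optional[int]:
    """'dword:00000001' -> 1; '0 (0x0)' -> 0; anything else -> None."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"\d+", raw)
    return int(m.group(0)) if m else None


def triage_combofix(text: str) -> Triage:
    t = Triage()
    key = ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = AUTORUN_RE.match(line)
        if m:
            a = Autorun(key, m.group("name"), unescape(m.group("path")),
                        m.group("date"), int(m.group("size")))
            t.autoruns.append(a)
            if outside_trusted(a.path):
                t.findings.append("autorun '%s' runs from an unusual location: %s" % (a.name, a.path))
            continue
        m = AUTHORIZED_RE.match(line)
        if m:
            p = unescape(m.group("path"))
            t.authorized_apps.append(p)
            if outside_trusted(p):
                t.findings.append("firewall exception for a binary outside Program Files/Windows: " + p)
            continue
        m = SETTING_RE.match(line)
        if m:
            name, value = m.group("name"), parse_value(m.group("value"))
            t.settings[key + "\\" + name] = value
            if name.lower() == "enablefirewall" and value == 0:
                t.findings.append("Windows Firewall is disabled (" + key + ")")
            if name.lower() == "disablemonitoring" and value == 1:
                t.findings.append("Security Center monitoring suppressed for " + key.rsplit("\\", 1)[-1])
    return t


if __name__ == "__main__":
    for finding in triage_combofix(SAMPLE_LOG).findings:
        print(finding)
```

Only the `[key]` and `"name"=...` lines are handled; the Startup-folder, service (`R1`/`R2`/`S2`) and Scheduled Tasks blocks of a ComboFix log use other layouts and are skipped by this parser.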

Hey Mr Sparkle,

Thank you for your feedback. :)

One last thing before the reports... If my computer does become unstable again and I decide to use my system restore discs (came with the PC, restores to factory settings), would it be safe for me to transfer the contents of My Documents over on a memory stick? If I'm only transferring things like word documents or jpegs, I should be safe from any possible infection, right? If I do have to restore, I just want to make sure I only have to do it the once.

It is always wise to backup your data. If you are worried that the infection may transfer, boot into safe mode and backup from there.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus and Zonealarm Firewall) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Upload files for analysis

To enable the viewing of Hidden files follow these steps:

  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and close My Computer.
  • Now your computer is configured to show all hidden files.

THEN

Please visit the online Jotti Virus Scanner.

  • Copy and paste the following filepath in the box:
    c:\windows\system32\1025f.exe
  • Click on the button to upload the file.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.
  • Please do the same for the files below:
    c:\windows\system32\activedsz.sys
    c:\windows\system32\adsnty.sys
    c:\windows\system32\unam4ie.exe

2) Run Kaspersky Webscanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

Upgrading Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 19.
  • Click the "Download JRE" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6u19 with JavaFX 1 License Agreement".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u19-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Make sure the C:\Program Files\JAVA folder is removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u19-windows-i586.exe and select "Run as an Administrator.")
THEN

Please do an online scan with Kaspersky WebScanner

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

3) Uninstall ComboFix and run Dr Web

  • Click START then RUN
  • Now type ComboFix /uninstall in the runbox and click OK. Note the space between the x and the /, it needs to be there.

THEN

Download Dr.Web CureIt to the desktop.

  • Double-click the drweb-cureit.exe file, then on Start and allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable.
  • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

4) Run Rooter and ComboFix

Please download Rooter.exe and save it to your desktop

  • Double-click it to start the tool. If you are using Vista, please right-click and choose Run As Administrator...
  • Allow it to run when you get a Security Warning.
  • At the main control page, please click the green scan button.
  • It will now begin to scan, please be patient. The scan should not take more than 3 minutes
  • A Notepad file containing the report will open soon. It can also be found at %systemdrive%\Rooter$\Rooter_1.txt
  • Now push the Close button to close Rooter.
  • Please post the contents of that log file here in your next reply.

NEXT

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Next reply (please include in your post):

4 virus scan reports

Kaspersky scan log

Drweb scan log

ComboFix.txt

Rooter_1.txt

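Step 1 above asks for four files to be submitted to an online multi-engine scanner, which then reports their MD5, SHA-1 and SHA-256. Before uploading, a responder normally checks locally whether each path still exists, how large it is and what its hashes are, because a path taken from an earlier scan may have been removed since, and an empty file is rejected by the upload form. The following is an added example written for this page (my code, not from the thread or from any scanner or tool it names) that performs that pre-check for a list of paths and reports each outcome instead of raising. The temporary directory and its contents are constructed so the example runs offline; ssdeep is left out because it needs a third-party library.

```python
"""Local pre-check of files before submitting them to a multi-engine scanner:
does the path exist, is it empty, and what are its MD5 / SHA-1 / SHA-256.
Added example, not code from the thread or from any scanner it names."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FileReport:
    path: str
    status: str                  # "ok", "missing", "empty" or "unreadable"
    size: int = 0
    md5: Optional[str] = None
    sha1: Optional[str] = None
    sha256: Optional[str] = None


def hash_file(path: str, chunk_size: int = 1 << 20) -> FileReport:
    """Hash one file in chunks; report problems as a status instead of raising.
    A missing path or a 0-byte file is exactly what an upload form rejects, so
    those are surfaced explicitly rather than as a hash of nothing."""
    if not os.path.isfile(path):
        return FileReport(path, "missing")
    size = os.path.getsize(path)
    if size == 0:
        return FileReport(path, "empty", size)
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    try:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk_size), b""):
                for d in digests.values():
                    d.update(block)
    except OSError:              # e.g. locked by a driver or access denied
        return FileReport(path, "unreadable", size)
    return FileReport(path, "ok", size,
                      digests["md5"].hexdigest(),
                      digests["sha1"].hexdigest(),
                      digests["sha256"].hexdigest())


def hash_files(paths: List[str]) -> List[FileReport]:
    return [hash_file(p) for p in paths]


def format_reports(reports: List[FileReport]) -> str:
    """One line per file, in the shape you would paste into a forum reply."""
    out = []
    for r in reports:
        if r.status == "ok":
            out.append("%s  %d bytes  md5=%s  sha1=%s  sha256=%s"
                       % (r.path, r.size, r.md5, r.sha1, r.sha256))
        else:
            out.append("%s  [%s]" % (r.path, r.status))
    return "\n".join(out)


def demo_paths() -> List[str]:
    """Constructed sample: a temp dir holding a 3-byte file, a 0-byte file and
    a path that does not exist (the three outcomes seen later in this thread)."""
    d = tempfile.mkdtemp(prefix="hashcheck_")
    present = os.path.join(d, "sample.exe")
    empty = os.path.join(d, "empty.sys")
    with open(present, "wb") as fh:
        fh.write(b"abc")         # constructed content, not a real executable
    open(empty, "wb").close()
    return [present, empty, os.path.join(d, "missing.exe")]


if __name__ == "__main__":
    print(format_reports(hash_files(demo_paths())))
```

On the real machine the list passed to `hash_files` would be the four `c:\windows\system32\...` paths from step 1; a "missing" or "empty" line in the output tells you up front why the scanner's form refuses the file.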

I'm having a little trouble with Jotti. I've disabled my anti-virus and firewall, and I made sure to enable hidden files exactly like you said. However, Jotti won't let me type or paste anything into its text box. I tried using the browse button and pasting the file name into there, but that just gives me a "File not found" box.


Hi,

Sincere apologies for the late reply. I will be unavailable from today and a fellow colleague will take over and help you instead. Please be patient in waiting for a reply, thank you. :)


Thanks for your response!

Unfortunately, I'm having the same problem with VirusTotal - file not found. The file doesn't seem to exist on my computer, even though it came up in one of those previous scans. I definitely have the computer set to show hidden files just like Ltangelic said (double-checked), but I still can't find it. I tried looking for it manually, as well, but to no avail. The closest thing I found was an empty folder within system32 named 1025 (as opposed to the program named 1025f.exe).

Actually, when I went into my system32 folder, the computer bleeped at me and Avira detected and quarantined a Meredrop trojan. Not sure if that has anything to do with this. I checked the name and it wasn't 1025f.exe.

Any idea where to go from here? I could get on with the rest of Ltangelic's instructions, but he said to do them in order, and it's that first one that's giving me problems...



Hi,

What file was Avira flagging when you opened the System32 folder??

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    1025f.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


OK, here's the info. SystemLook first, then I copy+pasted the relevant Avira event reports after.

SystemLook

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 23:06 on 12/04/2010 by Me (Administrator - Elevation successful)

========== filefind ==========

Searching for "1025f.exe"

No files found.

-=End Of File=-

Avira Guard

Virus or unwanted program 'TR/Meredrop.A.6821 [trojan]'

detected in file 'C:\WINDOWS\system32\advpackpt.exe.

Action performed: Deny access

Avira Scanner (Ran automatically after the detection)

The file 'C:\WINDOWS\system32\advpackpt.exe'

contained a virus or unwanted program 'TR/Meredrop.A.6821' [trojan]

Action(s) taken:

The file was moved to the quarantine directory under the name '4e6535b7.qua'.


OK, I managed to successfully scan the first and third of those files. I did do the second one (c:\windows\system32\adsnty.sys), but I accidentally closed the window without copying the text. Now, every time I try to re-send the file, I get...

Exception

Please report failure as: ErrorTime= "Apr 14 01:40:31"

I'll keep trying to get it to work again. In the meantime, here's the results for the other two. Also, the copy-paste text looks really awkward here, so I can upload the HTML version of the text, if you want.

==================================================

c:\windows\system32\activedsz.sys

0 bytes size received / Se ha recibido un archivo vacio

==================================================

c:\windows\system32\unam4ie.exe

File unam4ie.exe received on 2010.04.13 23:08:04 (UTC)

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.04.13 -

AhnLab-V3 5.0.0.2 2010.04.13 -

AntiVir 7.10.6.69 2010.04.13 -

Antiy-AVL 2.0.3.7 2010.04.13 -

Authentium 5.2.0.5 2010.04.13 -

Avast 4.8.1351.0 2010.04.13 -

Avast5 5.0.332.0 2010.04.13 -

AVG 9.0.0.787 2010.04.13 -

BitDefender 7.2 2010.04.13 -

CAT-QuickHeal None 2010.04.13 -

ClamAV 0.96.0.3-git 2010.04.13 -

Comodo 4591 2010.04.13 -

DrWeb 5.0.2.03300 2010.04.14 -

eSafe 7.0.17.0 2010.04.13 -

eTrust-Vet 35.2.7423 2010.04.13 -

F-Prot 4.5.1.85 2010.04.13 -

F-Secure 9.0.15370.0 2010.04.14 -

Fortinet 4.0.14.0 2010.04.12 -

GData 19 2010.04.13 -

Ikarus T3.1.1.80.0 2010.04.13 -

Jiangmin 13.0.900 2010.04.13 -

Kaspersky 7.0.0.125 2010.04.14 -

McAfee 5.400.0.1158 2010.04.14 -

McAfee-GW-Edition 6.8.5 2010.04.13 -

Microsoft 1.5605 2010.04.13 -

NOD32 5026 2010.04.13 -

Norman 6.04.11 2010.04.13 -

nProtect 2009.1.8.0 2010.04.06 -

Panda 10.0.2.7 2010.04.13 -

PCTools 7.0.3.5 2010.04.13 -

Prevx 3.0 2010.04.14 -

Rising 22.43.01.01 2010.04.13 -

Sophos 4.52.0 2010.04.13 -

Sunbelt 6173 2010.04.14 -

Symantec 20091.2.0.41 2010.04.14 -

TheHacker 6.5.2.0.260 2010.04.13 -

TrendMicro 9.120.0.1004 2010.04.13 -

VBA32 3.12.12.4 2010.04.09 -

ViRobot 2010.4.13.2274 2010.04.13 -

VirusBuster 5.0.27.0 2010.04.13 -

Additional information

File size: 63488 bytes

MD5...: 92f8115ddc7136eccd7bddbc492f9861

SHA1..: 0e4ba60cbcfda5099e78b6a101bac0876246fa81

SHA256: 4c94cec51c6758debb1bf9a23feaff36f3b5c0ad97b7434f6c3b70e74ed06e1b

ssdeep: 768:aSoqgbKXBUYWXmFLHlnFtONDEiqLVLq6HOEzjlkW:aftKXBU32bnFtO9EpVLq6HOEzjD

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x1a20

timedatestamp.....: 0x35ed642e (Wed Sep 02 15:28:46 1998)

machinetype.......: 0x14c (I386)

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x3746 0x3800 6.33 72bf3127e4e2287c5832ef9ea835462a

.rdata 0x5000 0xad0 0xc00 4.95 eecd56b467e9cc4e3ecedada85086050

.data 0x6000 0x43d4 0x2c00 0.91 3b820807ae6bc17b4792417231d5dd78

.rsrc 0xb000 0x8220 0x8400 5.95 cf73d13c3a2aeec9c27168b0dae85c52

( 3 imports )

> KERNEL32.dll: FindResourceA, LoadResource, SizeofResource, CompareStringA, CreateFileA, WriteFile, CloseHandle, GetVersionExA, GetSystemDirectoryA, GetWindowsDirectoryA, GetTempPathA, GetTempFileNameA, FreeEnvironmentStringsW, lstrlenA, lstrcpyA, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, lstrcatA, GetEnvironmentStrings, GetEnvironmentStringsW, WideCharToMultiByte, GetCPInfo, GetACP, GetOEMCP, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetLastError, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, HeapAlloc, VirtualAlloc, GetProcAddress, LoadLibraryA, FlushFileBuffers, SetStdHandle, SetFilePointer

> ADVAPI32.dll: RegQueryInfoKeyA, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegOpenKeyExA, RegSetValueExA, RegCloseKey

> USER32.dll: PeekMessageA, TranslateMessage, DispatchMessageA

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable MS Visual C++ 4.x (48.0%)

Win64 Executable Generic (30.5%)

Win32 Executable MS Visual C++ (generic) (13.4%)

Win32 Executable Generic (3.0%)

Win32 Dynamic Link Library (generic) (2.7%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: Copyright © 1992-1998 Microsoft Corp.

product......: DirectShow

description..: DirectShow uninstall.

original name: unam4ie.exe

internal name: unam4ie.exe

file version.: 6.00.02.0902

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned


There we go, it finally uploaded properly.

c:\windows\system32\adsnty.sys

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.04.14 -

AhnLab-V3 5.0.0.2 2010.04.13 -

AntiVir 7.10.6.72 2010.04.14 -

Antiy-AVL 2.0.3.7 2010.04.14 -

Authentium 5.2.0.5 2010.04.14 -

Avast 4.8.1351.0 2010.04.14 -

Avast5 5.0.332.0 2010.04.14 -

AVG 9.0.0.787 2010.04.14 -

BitDefender 7.2 2010.04.14 -

CAT-QuickHeal 10.00 2010.04.14 -

ClamAV 0.96.0.3-git 2010.04.14 -

Comodo 4595 2010.04.14 -

DrWeb 5.0.2.03300 2010.04.14 -

eSafe 7.0.17.0 2010.04.13 -

eTrust-Vet 35.2.7423 2010.04.13 -

F-Prot 4.5.1.85 2010.04.13 -

F-Secure 9.0.15370.0 2010.04.14 -

Fortinet 4.0.14.0 2010.04.12 -

GData 19 2010.04.14 -

Ikarus T3.1.1.80.0 2010.04.14 -

Jiangmin 13.0.900 2010.04.13 -

Kaspersky 7.0.0.125 2010.04.14 -

McAfee 5.400.0.1158 2010.04.14 -

McAfee-GW-Edition 6.8.5 2010.04.14 -

Microsoft 1.5605 2010.04.14 -

NOD32 5027 2010.04.14 -

Norman 6.04.11 2010.04.14 -

nProtect 2010-04-14.01 2010.04.14 -

Panda 10.0.2.7 2010.04.13 -

PCTools 7.0.3.5 2010.04.14 -

Prevx 3.0 2010.04.14 -

Rising 22.43.02.04 2010.04.14 -

Sophos 4.52.0 2010.04.14 -

Sunbelt 6175 2010.04.14 -

Symantec 20091.2.0.41 2010.04.14 -

TheHacker 6.5.2.0.261 2010.04.14 -

TrendMicro 9.120.0.1004 2010.04.14 -

VBA32 3.12.12.4 2010.04.09 -

ViRobot 2010.4.14.2275 2010.04.14 -

VirusBuster 5.0.27.0 2010.04.13 -

Additional information

File size: 753046 bytes

MD5...: 7c647fb8278a071b382f363701b42572

SHA1..: d7b9c4cb132b4990f905cda06bef6954791e3061

SHA256: db2cf0d3731a0f377da9b66bfd6036ba76d392027f5783f71a1a2340cec93713

ssdeep: 12288:SHckDa4cweh+xu1h8x7OHFz8Ca/t5uCdZJ:pkDa4cwA+xY8x7K/a/t5zZJ

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Unknown!

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

packers (Kaspersky): Swf2Swc, Swf2Swc

packers (F-Prot): appended, doc_write

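The two reports above are in the plain-text layout the scanner produced at the time: one engine per line (engine name, engine version, signature date, result, with "-" meaning no detection), followed by an "Additional information" block of key/value lines. Below is an added example written for this page, not code from the thread or from the scanning service, of a parser for that layout. It returns the engine rows, the detection count and the hash and signature fields, so that the numbers a responder actually wants (detections out of engines run, and whether the file carries a validated Authenticode signature rather than merely a "Microsoft Corporation" publisher string in its version resource) come out of a pasted report without reading forty lines. The sample input is a shortened copy of the adsnty.sys report above plus one constructed detection row, labelled as such, so that the counting is exercised; the meaning I assign to the sigcheck "verified" field is an assumption stated in the code.

```python
"""Parse the plain-text multi-engine scan report layout seen in this thread:
'Engine Version Date Result' rows, then an 'Additional information' block of
'key: value' lines. Added example; the format handling is my own reading of
the two reports in the thread, not the scanner's documented format."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ENGINE_RE = re.compile(r'^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$')
KEYVAL_RE = re.compile(r'^(?P<key>[A-Za-z0-9][A-Za-z0-9 ()-]*?)\.*:\s*(?P<value>.*)$')
NO_DETECTION = "-"

# Constructed sample: rows copied from the adsnty.sys report in this thread,
# plus the "ExampleAV" row, which is invented to exercise detection counting.
SAMPLE_REPORT = r"""
c:\windows\system32\adsnty.sys
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.14 -
AntiVir 7.10.6.72 2010.04.14 -
Ikarus T3.1.1.80.0 2010.04.14 -
McAfee-GW-Edition 6.8.5 2010.04.14 -
nProtect 2010-04-14.01 2010.04.14 -
VirusBuster 5.0.27.0 2010.04.13 -
ExampleAV 1.0 2010.04.14 Constructed.Sample.Detection
Additional information
File size: 753046 bytes
MD5...: 7c647fb8278a071b382f363701b42572
SHA1..: d7b9c4cb132b4990f905cda06bef6954791e3061
SHA256: db2cf0d3731a0f377da9b66bfd6036ba76d392027f5783f71a1a2340cec93713
RDS...: NSRL Reference Data Set
-
trid..: Unknown!
sigcheck:
publisher....: n/a
verified.....: Unsigned
packers (Kaspersky): Swf2Swc, Swf2Swc
"""


@dataclass
class EngineRow:
    engine: str
    version: str
    date: str
    result: str          # "-" means the engine reported nothing


@dataclass
class ScanReport:
    engines: List[EngineRow] = field(default_factory=list)
    info: Dict[str, str] = field(default_factory=dict)   # lower-cased keys

    def detections(self) -> List[EngineRow]:
        return [r for r in self.engines if r.result != NO_DETECTION]

    def detection_ratio(self) -> Tuple[int, int]:
        return len(self.detections()), len(self.engines)

    def is_signed(self) -> bool:
        # Assumption: the sigcheck 'verified' field reads 'Signed' only when the
        # Authenticode signature validated. The 'publisher' string is version-
        # resource metadata anyone can set and is deliberately not consulted.
        return self.info.get("verified", "").strip().lower() == "signed"


def parse_scan_report(text: str) -> ScanReport:
    rep = ScanReport()
    in_info = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "additional information":
            in_info = True
            continue
        if not in_info:
            m = ENGINE_RE.match(line)
            if m:
                rep.engines.append(EngineRow(m.group("engine"), m.group("version"),
                                             m.group("date"), m.group("result").strip()))
            continue                     # column header, submitted path, etc.
        m = KEYVAL_RE.match(line)
        if m and m.group("value"):       # skip bare '-' lines and empty 'sigcheck:'
            rep.info[m.group("key").strip().lower()] = m.group("value").strip()
    return rep


if __name__ == "__main__":
    rep = parse_scan_report(SAMPLE_REPORT)
    hits, total = rep.detection_ratio()
    print("detections: %d/%d, sha256=%s, signed=%s"
          % (hits, total, rep.info.get("sha256"), rep.is_signed()))
```

Paste a whole report into `parse_scan_report` and `detection_ratio()` gives the headline figure; `info["verified"]` is the field to quote when someone argues a file must be clean because its version resource says Microsoft.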

Alrighty, I've finished running those scans. Here's the logs from Kaspersky, DrWeb, Rooter and ComboFix.

Kaspersky

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Sunday, April 18, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, April 17, 2010 20:30:30

Records in database: 3949147

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Objects scanned: 197689

Threats found: 7

Infected objects found: 8

Suspicious objects found: 0

Scan duration: 03:27:48

File name / Threat / Threats count

C:\Documents and Settings\Me\Application Data\Sun\Java\Deployment\cache\6.0\13\5754a58d-20f52bbf Infected: Trojan-Downloader.Java.OpenStream.af 1

C:\Documents and Settings\Me\Application Data\Sun\Java\Deployment\cache\6.0\56\4a4036b8-7c04322f Infected: Trojan-Downloader.Java.Agent.al 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.Tdss.ai 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Hoax.Win32.Renos.vcog 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip Infected: Trojan-Banker.Win32.Bancos.owz 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP249\A0108437.exe Infected: Backdoor.Win32.IRCNite.gk 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP250\A0119135.dll Infected: Trojan-Downloader.Win32.Mufanom.pxc 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP250\A0119176.exe Infected: Hoax.Win32.Renos.vcog 1

Selected area has been scanned.

DrWeb

5754a58d-20f52bbf\myf/y/AppletX.class;C:\Documents and Settings\Me\Application Data\Sun\Java\Deployment\cache\6.0\13\5754a58d-20f52bbf;Exploit.CVE2008.5353;;

5754a58d-20f52bbf\myf/y/BrodagF.class;C:\Documents and Settings\Me\Application Data\Sun\Java\Deployment\cache\6.0\13\5754a58d-20f52bbf;Exploit.CVE2008.5353;;

5754a58d-20f52bbf\myf/y/LoaderX.class;C:\Documents and Settings\Me\Application Data\Sun\Java\Deployment\cache\6.0\13\5754a58d-20f52bbf;Exploit.CVE2008.5353;;

5754a58d-20f52bbf;C:\Documents and Settings\Me\Application Data\Sun\Java\Deployment\cache\6.0\13;Archive contains infected objects;Moved.;

MapleStory.exe;C:\Program Files\NEXON\EuropeMapleStory;Probably Trojan.Packed.Based;Incurable.Moved.;

Rooter

Rooter.exe (v1.0.2) by Eric_71

.

SeDebugPrivilege granted successfully ...

.

Windows XP . (5.1.2600) Service Pack 3

[32_bits] - x86 Family 6 Model 15 Stepping 13, GenuineIntel

.

[wscsvc] (Security Center) RUNNING (state:4)

[sharedAccess] RUNNING (state:4)

Windows Firewall -> Disabled !

.

Internet Explorer 8.0.6001.18702

.

C:\ [Fixed-NTFS] .. ( Total:143 Go - Free:93 Go )

D:\ [CD_Rom]

.

Scan : 10:31.57

Path : C:\Documents and Settings\Me\Desktop\Rooter.exe

User : Me ( Administrator -> YES )

.

----------------------\\ Processes

.

Locked [system Process] (0)

______ System (4)

______ \SystemRoot\System32\smss.exe (812)

______ \??\C:\WINDOWS\system32\csrss.exe (868)

______ \??\C:\WINDOWS\system32\winlogon.exe (892)

______ C:\WINDOWS\system32\services.exe (936)

______ C:\WINDOWS\system32\lsass.exe (948)

______ C:\WINDOWS\system32\svchost.exe (1168)

______ C:\WINDOWS\system32\svchost.exe (1236)

______ C:\WINDOWS\System32\svchost.exe (1380)

______ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (1440)

______ C:\Program Files\AVG\AVG9\avgchsvx.exe (1472)

______ C:\Program Files\AVG\AVG9\avgrsx.exe (1480)

______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (1584)

______ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (1776)

______ C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (1808)

______ C:\WINDOWS\system32\svchost.exe (1936)

______ C:\WINDOWS\system32\svchost.exe (140)

______ C:\WINDOWS\Explorer.EXE (1796)

______ C:\WINDOWS\system32\spoolsv.exe (760)

______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (848)

______ C:\WINDOWS\system32\svchost.exe (1288)

______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (2204)

______ C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (2220)

______ C:\Program Files\AVG\AVG9\avgwdsvc.exe (2232)

______ C:\Program Files\Bonjour\mDNSResponder.exe (2260)

______ C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (2308)

______ C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (2544)

______ C:\Program Files\Java\jre6\bin\jqs.exe (2604)

______ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (2804)

______ C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (3076)

______ C:\Program Files\AVG\AVG9\avgnsx.exe (3152)

______ C:\Program Files\Dell Support Center\bin\sprtsvc.exe (3316)

______ C:\WINDOWS\system32\svchost.exe (3360)

______ C:\Program Files\AVG\AVG9\avgemc.exe (3420)

______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (3632)

______ C:\WINDOWS\System32\alg.exe (2228)

______ C:\WINDOWS\System32\svchost.exe (3976)

______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (2484)

______ C:\WINDOWS\system32\hkcmd.exe (2672)

______ C:\WINDOWS\system32\igfxsrvc.exe (2700)

______ C:\WINDOWS\system32\igfxpers.exe (1944)

______ C:\WINDOWS\OEM02Mon.exe (2816)

______ C:\WINDOWS\stsystra.exe (2836)

______ C:\Program Files\Dell\QuickSet\quickset.exe (2824)

______ C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (1344)

______ C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (2876)

______ C:\WINDOWS\system32\KADxMain.exe (2996)

______ C:\Program Files\Creative\Mixer\CTSVolFE.exe (2744)

______ C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (4084)

______ C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (1744)

______ C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (3932)

______ C:\WINDOWS\system32\wbem\wmiprvse.exe (3648)

______ C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (2896)

______ C:\Program Files\Dell\MediaDirect\PCMService.exe (928)

______ C:\Program Files\Dell Support Center\bin\sprtcmd.exe (1900)

______ C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (3016)

______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (3680)

______ C:\Program Files\iTunes\iTunesHelper.exe (4040)

______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (288)

______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (3200)

______ C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (2684)

______ C:\Program Files\Pando Networks\Media Booster\PMB.exe (1996)

______ C:\WINDOWS\system32\ctfmon.exe (2020)

______ C:\Program Files\Digital Line Detect\DLG.exe (4752)

______ C:\Program Files\WiFiConnector\NintendoWFCReg.exe (5736)

______ C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe (4192)

______ C:\Program Files\iPod\bin\iPodService.exe (6008)

______ C:\WINDOWS\system32\wscntfy.exe (3952)

______ C:\Documents and Settings\Me\Desktop\Rooter.exe (5780)

.

----------------------\\ Device\Harddisk0\

.

\Device\Harddisk0 [sectors : 63 x 512 Bytes]

.

\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:123346944)

\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:123379200 | Length:153681131520)

\Device\Harddisk0\Partition0 (Start_Offset:153812736000 | Length:2681441280)

\Device\Harddisk0\Partition3 (Start_Offset:156494177280 | Length:3545095680)

\Device\Harddisk0\Partition4 (Start_Offset:153812768256 | Length:2681409024)

.

----------------------\\ Scheduled Tasks

.

C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

C:\WINDOWS\Tasks\desktop.ini

C:\WINDOWS\Tasks\Google Software Updater.job

C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job

C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

C:\WINDOWS\Tasks\SA.DAT

C:\WINDOWS\Tasks\User_Feed_Synchronization-{EEA18D69-C310-4584-9C8D-763CE464A80A}.job

C:\WINDOWS\Tasks\WGASetup.job

.

----------------------\\ Registry

.

.

----------------------\\ Files & Folders

.

----------------------\\ Scan completed at 10:33.42

.

C:\Rooter$\Rooter_1.txt - (19/04/2010 | 10:33.43)

ComboFix

ComboFix 10-04-17.07 - Me 19/04/2010 10:43:48.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1285 [GMT 1:00]

Running from: c:\documents and settings\Me\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Me\Local Settings\Application Data\{D7BD4506-8943-4A8B-AA72-314E36922292}

c:\documents and settings\Me\Local Settings\Application Data\{D7BD4506-8943-4A8B-AA72-314E36922292}\chrome.manifest

c:\documents and settings\Me\Local Settings\Application Data\{D7BD4506-8943-4A8B-AA72-314E36922292}\chrome\content\_cfg.js

c:\documents and settings\Me\Local Settings\Application Data\{D7BD4506-8943-4A8B-AA72-314E36922292}\chrome\content\overlay.xul

c:\documents and settings\Me\Local Settings\Application Data\{D7BD4506-8943-4A8B-AA72-314E36922292}\install.rdf

.

((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))

.

2010-04-19 09:33 . 2010-04-19 09:33 -------- d-----w- C:\Rooter$

2010-04-18 22:03 . 2010-04-18 23:12 -------- d-----w- c:\documents and settings\Me\DoctorWeb

2010-04-17 23:14 . 2010-04-17 23:14 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-17 23:14 . 2010-04-17 23:14 -------- d-----w- c:\program files\Java

2010-04-10 16:07 . 2010-04-10 16:07 -------- d-----w- c:\program files\iPod

2010-04-10 16:07 . 2010-04-10 16:09 -------- d-----w- c:\program files\iTunes

2010-04-10 16:07 . 2010-04-10 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-10 16:02 . 2010-04-10 16:03 -------- d-----w- c:\program files\QuickTime

2010-04-10 15:58 . 2010-04-10 15:58 -------- d-----w- c:\program files\Bonjour

2010-04-10 15:55 . 2010-04-10 15:55 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe

2010-04-08 11:15 . 2010-04-08 11:15 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2010-04-04 00:35 . 2010-04-04 00:35 0 ----a-w- c:\documents and settings\Me\jagex__preferences3.dat

2010-04-03 22:14 . 2010-04-03 22:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-03 14:12 . 2010-04-03 14:12 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe

2010-04-03 14:12 . 2010-04-03 14:12 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe

2010-04-03 14:12 . 2010-04-03 14:12 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll

2010-04-03 14:12 . 2010-04-03 14:12 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll

2010-04-03 14:12 . 2010-04-03 14:12 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe

2010-04-03 14:12 . 2010-04-03 14:12 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll

2010-04-03 14:12 . 2010-04-03 14:12 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll

2010-04-03 14:12 . 2010-04-03 14:12 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll

2010-04-03 14:12 . 2010-04-03 14:12 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll

2010-04-03 14:12 . 2010-04-03 14:12 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll

2010-04-03 14:12 . 2010-04-03 14:12 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe

2010-04-02 11:46 . 2010-04-02 11:46 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-02 11:46 . 2010-04-02 11:46 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2010-03-31 22:01 . 2010-03-31 22:01 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-03-31 21:59 . 2010-03-31 22:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-03-24 14:48 . 2010-03-24 14:48 -------- d-----w- c:\documents and settings\Me\Application Data\Avira

2010-03-24 14:46 . 2010-03-30 08:48 -------- d-----w- c:\windows\system32\NtmsData

2010-03-24 14:43 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-03-24 14:43 . 2010-02-16 13:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-03-24 14:43 . 2009-05-11 11:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-03-24 14:43 . 2009-05-11 11:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-03-24 14:43 . 2010-03-24 14:43 -------- d-----w- c:\program files\Avira

2010-03-24 14:43 . 2010-03-24 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-03-23 13:54 . 2010-03-24 22:22 0 ----a-w- c:\windows\system32\activedsz.sys

2010-03-22 17:24 . 2010-03-24 23:07 753046 --sha-w- c:\windows\system32\adsnty.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-19 08:19 . 2008-01-24 11:18 -------- d-----w- c:\program files\Google

2010-04-18 21:49 . 2008-12-04 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-04-17 23:15 . 2008-01-24 11:02 -------- d-----w- c:\program files\Common Files\Java

2010-04-12 11:12 . 2008-06-28 16:32 27660052 ----a-w- c:\windows\Internet Logs\tvDebug.zip

2010-04-10 16:10 . 2008-02-01 18:54 -------- d--h--w- c:\documents and settings\Me\Application Data\Apple Computer

2010-04-10 16:07 . 2008-02-01 18:52 -------- d-----w- c:\program files\Common Files\Apple

2010-04-08 17:45 . 2008-01-31 15:06 14374 ----a-w- c:\documents and settings\Me\Application Data\wklnhst.dat

2010-04-08 12:13 . 2010-04-08 12:13 138856 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_04_08_13_08_47_small.dmp.zip

2010-04-08 12:08 . 2010-04-08 12:08 451072 ----a-w- c:\windows\Internet Logs\xDB16.tmp

2010-04-04 00:35 . 2010-01-20 09:35 69 ----a-w- c:\documents and settings\Me\jagex_runescape_preferences2.dat

2010-04-04 00:35 . 2010-01-20 09:34 41 ----a-w- c:\documents and settings\Me\jagex_runescape_preferences.dat

2010-04-03 22:14 . 2010-01-30 23:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-01 13:31 . 2009-11-04 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-04-01 12:17 . 2010-04-01 12:18 3082752 ----a-w- c:\windows\Internet Logs\xDB15.tmp

2010-04-01 12:17 . 2010-04-01 12:18 204800 ----a-w- c:\windows\Internet Logs\xDB14.tmp

2010-03-31 22:01 . 2008-09-22 10:49 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-03-29 23:46 . 2010-01-30 23:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 23:45 . 2010-01-30 23:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-29 16:24 . 2010-03-29 16:31 799232 ----a-w- c:\windows\Internet Logs\xDB12.tmp

2010-03-29 16:24 . 2010-03-29 16:31 3078656 ----a-w- c:\windows\Internet Logs\xDB13.tmp

2010-03-27 17:25 . 2010-03-27 17:26 3077632 ----a-w- c:\windows\Internet Logs\xDB11.tmp

2010-03-25 13:52 . 2004-08-03 22:59 96512 ------w- c:\windows\system32\drivers\atapi.sys

2010-03-20 03:01 . 2010-03-20 03:01 4608 ----a-w- c:\windows\system32\w95inf32.dll

2010-03-20 03:01 . 2010-03-20 03:01 2272 ----a-w- c:\windows\system32\w95inf16.dll

2010-03-19 09:47 . 2010-03-19 09:47 74425 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_03_19_03_04_22_small.dmp.zip

2010-03-19 03:04 . 2010-03-19 09:42 2647552 ----a-w- c:\windows\Internet Logs\xDB10.tmp

2010-03-14 11:42 . 2010-03-14 21:31 3018752 ----a-w- c:\windows\Internet Logs\xDBE.tmp

2010-03-14 09:08 . 2009-05-24 18:22 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-14 09:08 . 2010-03-14 09:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-14 09:08 . 2008-03-11 10:07 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-14 09:08 . 2009-05-24 18:22 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-10 06:15 . 2004-08-11 17:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2004-08-11 17:00 916480 ------w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2004-08-11 17:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-23 20:32 . 2010-02-23 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-02-16 14:08 . 2004-08-11 17:00 2146304 ------w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2024448 ------w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 10:46 . 2010-02-12 10:46 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-02-12 10:46 . 2010-02-12 10:46 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-02-12 10:03 . 2010-03-13 00:49 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-12 04:33 . 2004-08-11 17:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2004-08-11 17:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2010-02-06 08:13 . 2010-02-06 21:19 2963968 ----a-w- c:\windows\Internet Logs\xDBD.tmp

2010-02-02 00:53 . 2009-03-12 15:45 1 ----a-w- c:\documents and settings\Me\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-01-28 00:11 . 2010-01-28 00:11 503808 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1664a3cb-n\msvcp71.dll

2010-01-28 00:11 . 2010-01-28 00:11 499712 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1664a3cb-n\jmc.dll

2010-01-28 00:11 . 2010-01-28 00:11 348160 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1664a3cb-n\msvcr71.dll

2010-01-28 00:11 . 2010-01-28 00:11 61440 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-29f1bcae-n\decora-sse.dll

2010-01-28 00:11 . 2010-01-28 00:11 12800 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-29f1bcae-n\decora-d3d.dll

2010-01-26 18:14 . 2010-01-26 18:30 2627072 ----a-w- c:\windows\Internet Logs\xDBA.tmp

2010-01-26 18:14 . 2010-01-26 18:30 2919936 ----a-w- c:\windows\Internet Logs\xDBB.tmp

2008-01-24 11:11 . 2008-01-24 11:11 76 --sh--r- c:\windows\CT4CET.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-10-16 12:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 68856]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-10-22 2923192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-09 851968]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-09 137752]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-09 162328]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-09 137752]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]

"SigmatelSysTrayApp"="stsystra.exe" [2007-07-09 405504]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-24 1838592]

"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-22 68592]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-24 50688]

Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-1-29 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-14 09:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"56600:TCP"= 56600:TCP:Pando Media Booster

"56600:UDP"= 56600:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [24/05/2009 19:22 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [24/05/2009 19:22 242696]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/03/2010 15:44 135336]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14/03/2010 10:08 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14/03/2010 10:08 308064]

S2 gupdate1c95ca48ba5d424;Google Update Service (gupdate1c95ca48ba5d424);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 22:56 133104]

.

Contents of the 'Scheduled Tasks' folder

2010-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-04-19 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-24 23:50]

2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 14:49]

2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 14:49]

2010-04-19 c:\windows\Tasks\User_Feed_Synchronization-{EEA18D69-C310-4584-9C8D-763CE464A80A}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

2010-04-19 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-03-25 22:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://forums.malwarebytes.org/index.php?showtopic=44586

uInternet Settings,ProxyOverride = *.local

IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002

IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004

IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000

IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001

LSP: %SystemRoot%\system32\PrxerDrv.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-19 10:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-04-19 10:55:45

ComboFix-quarantined-files.txt 2010-04-19 09:55

ComboFix2.txt 2010-04-03 21:56

Pre-Run: 99,760,730,112 bytes free

Post-Run: 100,294,234,112 bytes free

- - End Of File - - B9F3C535C3E51E2B1081A3748BFDA8C6
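
As an added triage example (not part of this thread, and not ComboFix's, GMER's or Malwarebytes' own code), the following Python script parses two of the ComboFix sections posted above and pulls out the entries an analyst would check first: the file lines in the "Files Created" / "Find3M Report" format (date . date size attrs path) and the standard-profile firewall policy keys from "Reg Loading Points". The sample lines are copied from the log above. The flag rules are my own heuristics, not ComboFix's: a regular file under system32 carrying both the system and hidden attributes, a zero-byte file with a .sys extension in system32, `EnableFirewall` set to 0, and any entry under GloballyOpenPorts. Anything the script lists is a prompt for a manual look at that file or setting, not a verdict that it is malicious; the function names and the `SYSTEM32` path fragment are my assumptions.

```python
import re

# Lines copied from the ComboFix "Files Created" / "Find3M Report" sections above.
FILE_SECTION = r"""
2010-04-19 09:33 . 2010-04-19 09:33 -------- d-----w- C:\Rooter$
2010-03-24 14:43 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-23 13:54 . 2010-03-24 22:22 0 ----a-w- c:\windows\system32\activedsz.sys
2010-03-22 17:24 . 2010-03-24 23:07 753046 --sha-w- c:\windows\system32\adsnty.sys
2010-03-25 13:52 . 2004-08-03 22:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-10 16:10 . 2008-02-01 18:54 -------- d--h--w- c:\documents and settings\Me\Application Data\Apple Computer
2008-01-24 11:11 . 2008-01-24 11:11 76 --sh--r- c:\windows\CT4CET.bin
"""

# Lines copied from the firewall-policy part of the "Reg Loading Points" section above.
FIREWALL_SECTION = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56600:TCP"= 56600:TCP:Pando Media Booster
"56600:UDP"= 56600:UDP:Pando Media Booster
"""

# One ComboFix file line is: <created> . <modified> <size|--------> <attrs> <path>
# The attrs field is eight characters, e.g. "--sha-w-" (s = system, h = hidden).
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(-{8}|\d+) ([-dshawr]{8}) (.+)$"
)
SYSTEM32 = "\\windows\\system32\\"   # assumed marker, matched against the lower-cased path


def parse_file_lines(text):
    """Turn ComboFix file lines into dicts; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": created,
            "modified": modified,
            "is_dir": size.startswith("-"),
            "size": None if size.startswith("-") else int(size),
            "system": "s" in attrs,
            "hidden": "h" in attrs,
            "path": path,
        })
    return entries


def triage_files(text):
    """Return (path, reason) pairs worth a manual look. Heuristics, not verdicts."""
    findings = []
    for e in parse_file_lines(text):
        if e["is_dir"]:
            continue
        path = e["path"].lower()
        if SYSTEM32 not in path:
            continue
        # Ordinary files under system32 do not normally carry both +s and +h; that
        # combination keeps a file out of default Explorer and "dir" listings.
        if e["system"] and e["hidden"]:
            findings.append((e["path"], "system+hidden file in system32"))
        # A driver-named file with no content at all is an oddity worth explaining.
        if e["size"] == 0 and path.endswith(".sys"):
            findings.append((e["path"], "zero-byte .sys file in system32"))
    return findings


def triage_firewall(text):
    """Summarise the standard-profile Windows Firewall policy ComboFix dumped."""
    state = {"firewall_enabled": None, "authorized_apps": [], "open_ports": []}
    current_key = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        m = re.match(r'^"([^"]+)"=\s*(.*)$', line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "EnableFirewall":
            # ComboFix prints the DWORD as e.g. "0 (0x0)"; only the first token matters.
            state["firewall_enabled"] = value.split()[0] != "0"
        elif current_key.endswith("\\authorizedapplications\\list"):
            # Registry paths are escaped with doubled backslashes in the dump.
            state["authorized_apps"].append(name.replace("\\\\", "\\"))
        elif current_key.endswith("\\globallyopenports\\list"):
            state["open_ports"].append(name)
    return state


if __name__ == "__main__":
    for path, reason in triage_files(FILE_SECTION):
        print(f"[file] {reason}: {path}")
    fw = triage_firewall(FIREWALL_SECTION)
    if fw["firewall_enabled"] is False:
        print("[fw] Windows Firewall standard profile is DISABLED (EnableFirewall=0)")
    for port in fw["open_ports"]:
        print(f"[fw] globally open port: {port}")
    for app in fw["authorized_apps"]:
        print(f"[fw] authorized application: {app}")
```

To run it over a complete ComboFix.txt, read the file and pass its whole text to both functions; lines that do not match either format are ignored, so the Rooter and F-Secure output in the same paste does no harm. The point of the attribute rule is that ComboFix already records +s and +h per file, so hidden-file checks can be done from the log without rerunning a rootkit scanner that blue-screens the machine, as GMER did here.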


  • Staff

Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Wow! Everything seems to be back to normal again! Internet's working as fast as it used to, everything loads properly, and all images load at the same time. Thank you very much for all the help! And thanks again to Ltangelic, too! :)

Here are the reports you asked for. With regards to the Security Check one, I'm not sure if this is important or not, but I've replaced AVG with Avira. I've had AVG disabled for some time now and was just waiting to sort this problem out before uninstalling it, so that's why it's still there. I usually have both ZoneAlarm and Avira active, but I turned them off for the scans.

F-Secure

Scanning Report

Thursday, April 22, 2010 18:35:04 - 23:54:30

Computer name: SHANE

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

25 malware found

TrackingCookie.Questionmarket (spyware)

  • System (Disinfected)

TrackingCookie.Adinterax (spyware)

  • System (Disinfected)

TrackingCookie.Research-int (spyware)

  • System (Disinfected)

TrackingCookie.Advertising (spyware)

  • System (Disinfected)

TrackingCookie.Atdmt (spyware)

  • System (Disinfected)

Suspicious:W32/Malware!Gemini (spyware)

  • System (Disinfected)

TrackingCookie.Adtech (spyware)

  • System (Disinfected)

TrackingCookie.Adform (spyware)

  • System (Disinfected)

TrackingCookie.Doubleclick (spyware)

  • System (Disinfected)

TrackingCookie.Revsci (spyware)

  • System (Disinfected)

TrackingCookie.Admeta (spyware)

  • System (Disinfected)

TrackingCookie.Specificclick (spyware)

  • System (Disinfected)

TrackingCookie.Zanox (spyware)

  • System (Disinfected)

TrackingCookie.Adrevolver (spyware)

  • System (Disinfected)

TrackingCookie.Adbrite (spyware)

  • System (Disinfected)

TrackingCookie.Xiti (spyware)

  • System (Disinfected)

TrackingCookie.Webtrends (spyware)

  • System (Disinfected)

TrackingCookie.Mediaplex (spyware)

  • System (Disinfected)

TrackingCookie.Tradedoubler (spyware)

  • System (Disinfected)

TrackingCookie.Statcounter (spyware)

  • System (Disinfected)

TrackingCookie.Emediate (spyware)

  • System (Disinfected)

TrackingCookie.Atwola (spyware)

  • System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

  • System (Disinfected)

Suspicious:W32/Malware!Gemini (virus)

  • C:\NEXON\DFO\DFOLAUNCHER.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

  • C:\DOCUMENTS AND SETTINGS\ME\DESKTOP\ROOTER.EXE (Not cleaned)

Statistics

Scanned:

  • Files: 51450
  • System: 5264
  • Not scanned: 7

Actions:

  • Disinfected: 23
  • Renamed: 0
  • Deleted: 0
  • Not cleaned: 2
  • Submitted: 0

Files not scanned:

  • C:\PAGEFILE.SYS
  • C:\HIBERFIL.SYS
  • C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
  • C:\WINDOWS\SYSTEM32\CONFIG\SAM
  • C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
  • C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
  • C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options

Scanning engines: Scanning options:

  • Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
  • Use advanced heuristics

Security Check

Results of screen317's Security Check version 0.99.3

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

AVG Free 9.0

Avira AntiVir Personal - Free Antivirus

ZoneAlarm

ZoneAlarm Spy Blocker

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 20

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.3

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Adobe Reader 8.1.3

Here are the reports you asked for. With regards to the Security Check one, I'm not sure if this is important or not, but I've replaced AVG with Avira. I've had AVG disabled for some time now and was just waiting to sort this problem out before uninstalling it, so that's why it's still there. I usually have both ZoneAlarm and Avira active, but I turned them off for the scans.
Feel free to uninstall AVG now.

Restart your computer.

Get the latest version of Java and Adobe Reader.

Let me know what issues remain.

-screen317


This topic is now closed to further replies.