Antispyware Soft won't remove!!



Last night I got the Antispyware Soft ....thing. (Sorry I'm not very computer literate when it comes to viruses/spyware/malware.) I've had Antivirus Soft before and I got rid of it using Malwarebytes. But this time it's not working.

So far I have run:

Malwarebytes 1.45, with latest updates, 3 times.

Spyware Doctor, once, but couldn't buy the full product at the end.

Spybot, but my computer froze halfway through.

Every time I run Malwarebytes it finds something, and removes it. But then when I run in normal mode, Antispyware Soft is still there!

I just don't know what else I can do.

Any help would be extremely appreciated.


Hello earlgrey! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install any software or hardware while we work on it.

MalwareBytes' Anti-Malware is designed to operate in normal mode but not in Safe Mode. Therefore we will use the normal mode of operation of the operating system.

Step 1:

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2:

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Step 3:

Please download the following scanning tool: GMER.

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG.
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.

In your next reply, please include these log(s):

* MalwareBytes' Anti-Malware log

* DDS log with Attach.txt

* GMER log


Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3993

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

15/04/2010 7:47:00 PM

mbam-log-2010-04-15 (19-47-00).txt

Scan type: Quick scan

Objects scanned: 122183

Time elapsed: 26 minute(s), 13 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

C:\Documents and Settings\main_user\Local Settings\Application Data\jtmojytql\djpalljtssd.exe (Trojan.FakeAlert.Gen) -> Unloaded process successfully.

C:\Documents and Settings\main_user\Local Settings\Application Data\jtmojytql\djpalljtssd.exe (Trojan.FakeAlert.Gen) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggqootdl (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggqootdl (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\main_user\Local Settings\Application Data\jtmojytql\djpalljtssd.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\main_user\Local Settings\Temporary Internet Files\Content.IE5\MKD8NP3I\80a5ad[1].exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

____

DDS (Ver_09-09-29.01) - NTFSx86

Run by main_user at 20:30:50.12 on 15/04/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.101 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\Program Files\Lexmark 2300 Series\lxcgmon.exe

C:\Program Files\Lexmark 2300 Series\ezprint.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\BellCanada\McciTrayApp.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\Wtablet\TabUserW.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\lxcgcoms.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Documents and Settings\main_user\Desktop\dds.com

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com

mSearch Bar = hxxp://www.google.com

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

mSearchAssistant = hxxp://www.google.com/ie

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: DA Bar: {59c40940-073e-11de-8c30-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

mRun: [iW Controlcenter] c:\progra~1\instan~1\instan~1\IWCTRL.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe

mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe

mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16

mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"

mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [WINDVDPatch] CTHELPER.EXE

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"

mRun: [CTStartup] c:\program files\creative\splash screen\CTEaxSpl.EXE /run

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [bellCanada_McciTrayApp] c:\program files\bellcanada\McciTrayApp.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe

mPolicies-explorer: <NO NAME> =

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165110948911

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\main_u~1\applic~1\mozilla\firefox\profiles\mpbq3u84.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - component: c:\program files\mozilla firefox\components\rpff.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-15 217032]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-29 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-29 29512]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-29 242696]

R1 cdrdrv;cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2006-12-2 61952]

R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2006-12-2 9728]

R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2006-12-2 178688]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-15 112592]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-15 366840]

R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-15 1142224]

S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-8-16 31872]

S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [2001-11-29 1432836]

=============== Created Last 30 ================

2010-04-15 18:51 70,408 a------- c:\windows\system32\drivers\pctplsg.sys

2010-04-15 18:51 7,383 a------- c:\windows\system32\drivers\pctplsg.cat

2010-04-15 18:51 <DIR> --d----- c:\docume~1\main_u~1\applic~1\PC Tools

2010-04-15 18:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools

2010-04-15 12:17 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-04-15 10:31 767,952 a------- c:\windows\BDTSupport.dll

2010-04-15 10:31 149,456 a------- c:\windows\SGDetectionTool.dll

2010-04-15 10:31 882 a------- c:\windows\RegSDImport.xml

2010-04-15 10:31 879 a------- c:\windows\RegISSImport.xml

2010-04-15 10:31 131 a------- c:\windows\IDB.zip

2010-04-15 10:31 1,652,688 a------- c:\windows\PCTBDCore.dll

2010-04-15 10:31 1,152,444 a------- c:\windows\UDB.zip

2010-04-15 10:31 165,840 a------- c:\windows\PCTBDRes.dll

2010-04-15 10:27 233,136 a------- c:\windows\system32\drivers\pctgntdi.sys

2010-04-15 10:27 7,387 a------- c:\windows\system32\drivers\pctgntdi.cat

2010-04-15 10:26 217,032 a------- c:\windows\system32\drivers\PCTCore.sys

2010-04-15 10:26 88,040 a------- c:\windows\system32\drivers\PCTAppEvent.sys

2010-04-15 10:26 7,412 a------- c:\windows\system32\drivers\PCTAppEvent.cat

2010-04-15 10:26 7,383 a------- c:\windows\system32\drivers\pctcore.cat

2010-04-15 10:26 <DIR> --d----- c:\program files\Spyware Doctor

2010-04-15 10:26 <DIR> --d----- c:\program files\common files\PC Tools

2010-03-21 20:29 3,247 a------- c:\windows\system32\wbem\Outlook_01cac956aac1d540.mof

==================== Find3M ====================

2010-04-15 19:51 12,494 a------- c:\windows\system32\tablet.dat

2010-03-30 00:46 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 00:45 20,824 a------- c:\windows\system32\drivers\mbam.sys

2010-03-15 13:15 62,752 a---h--- c:\windows\system32\mlfcache.dat

2010-03-15 11:28 242,696 a------- c:\windows\system32\drivers\avgtdix.sys

2010-03-15 11:28 12,464 a------- c:\windows\system32\avgrsstx.dll

2010-03-15 11:28 216,200 a------- c:\windows\system32\drivers\avgldx86.sys

2010-03-11 08:38 832,512 a------- c:\windows\system32\wininet.dll

2010-03-11 08:38 78,336 a------- c:\windows\system32\ieencode.dll

2010-03-11 08:38 17,408 -------- c:\windows\system32\corpol.dll

2010-03-09 07:09 430,080 a------- c:\windows\system32\vbscript.dll

2010-02-24 08:31 454,016 a------- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 09:19 2,181,376 a------- c:\windows\system32\ntoskrnl.exe

2010-02-16 08:39 2,058,368 a------- c:\windows\system32\ntkrnlpa.exe

2010-02-12 00:47 100,864 a------- c:\windows\system32\6to4svc.dll

2009-09-22 11:35 1,083 a------- c:\program files\INSTALL.LOG

2009-08-30 11:12 16,384 a--sh--- c:\windows\temp\cookies\index.dat

2009-08-30 11:12 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat

2009-08-30 11:12 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 20:33:40.77 ===============

___

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 02/12/2006 3:06:29 AM

System Uptime: 15/04/2010 7:49:44 PM (1 hours ago)

Motherboard: ECS | | P4VXASD2+

Processor: Intel® Pentium® 4 CPU 2.40GHz | FC-478 | 2400/133mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 76 GiB total, 22.318 GiB free.

D: is CDROM ()

E: is CDROM ()

G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:

Description: Multimedia Audio Controller

Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_0A831019&REV_50\3&61AAA01&0&8D

Manufacturer:

Name: Multimedia Audio Controller

PNP Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_0A831019&REV_50\3&61AAA01&0&8D

Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: VIA Rhine II Fast Ethernet Adapter

Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_01021106&REV_74\3&61AAA01&0&90

Manufacturer: VIA Technologies, Inc.

Name: VIA Rhine II Fast Ethernet Adapter

PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_01021106&REV_74\3&61AAA01&0&90

Service: FETND5BV

==== System Restore Points ===================


==== Installed Programs ======================

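The MBAM and DDS logs above show the marks this infection left: a Run value launching a random-named executable under Local Settings\Application Data, avsoft/avsuite registry keys, and the IE proxy set to 127.0.0.1:5555 in the DDS report taken after the MBAM clean-up. The following is an added Python triage script, not code from this thread, from Malwarebytes or from DDS; it parses lines in both log formats and flags those indicators. The sample lines are constructed to match the posted logs, and the `[ggqootdl]` uRun and Dropbox entries are made up to exercise the checks.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample shaped like the MBAM and DDS lines posted in this thread.
# The "[ggqootdl]" uRun line and the Dropbox line are made up to exercise the
# checks; the others mirror entries that appear in the posted logs.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggqootdl (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\main_user\Local Settings\Application Data\jtmojytql\djpalljtssd.exe (Trojan.FakeAlert.Gen) -> Unloaded process successfully.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [ggqootdl] c:\documents and settings\main_user\local settings\application data\jtmojytql\djpalljtssd.exe
uRun: [Dropbox] "c:\documents and settings\main_user\application data\dropbox\dropbox.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
"""

# MBAM result line: <item> (<family>) -> <action>
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> (?P<action>.+)$")
# DDS pseudo-HJT lines: IE proxy setting and Run-key auto-starts (u=user, m=machine, d=default)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<value>\S+)$")
RUN_RE = re.compile(r"^(?P<scope>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# An executable sitting directly under a user's (Local Settings\)Application Data.
USER_DATA_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:local settings\\)?application data"
    r"\\(?P<folder>[^\\]+)\\(?P<exe>[^\\\"]+?\.exe)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    severity: str  # "high": act on it; "review": look at it
    kind: str
    detail: str


def looks_random(name: str) -> bool:
    """Heuristic for dropper names like 'jtmojytql': letters only, 7+ long, few vowels."""
    if len(name) < 7 or not name.isalpha():
        return False
    vowels = sum(c in "aeiouy" for c in name.lower())
    return vowels / len(name) <= 0.25


def _random_path(match) -> bool:
    return looks_random(match["folder"]) or looks_random(match["exe"][:-4])


def check_mbam(line: str) -> Optional[Finding]:
    """Classify one MBAM detection line; every detection is a finding."""
    m = MBAM_RE.match(line)
    if not m:
        return None
    item, family = m["item"], m["family"]
    if "\\currentversion\\run\\" in item.lower():
        return Finding("high", "persistence", f"auto-start value: {item} [{family}]")
    if family.startswith("Rogue."):
        return Finding("high", "rogue-key", f"rogue AV registry key: {item} [{family}]")
    p = USER_DATA_RE.search(item)
    if p and _random_path(p):
        return Finding("high", "dropped-file", f"random-named dropper: {item} [{family}]")
    return Finding("high", "detection", f"{item} [{family}]")


def check_dds(line: str) -> Optional[Finding]:
    """Flag a loopback IE proxy and Run entries that start from user data."""
    m = PROXY_RE.match(line)
    if m:
        if "127.0.0.1" in m["value"] or "localhost" in m["value"].lower():
            return Finding("high", "proxy-hijack",
                           f"IE proxy routed through a local process: {m['value']}")
        return Finding("review", "proxy", f"IE proxy set: {m['value']}")
    m = RUN_RE.match(line)
    if m:
        p = USER_DATA_RE.search(m["cmd"])
        if p:
            return Finding("high" if _random_path(p) else "review", "autostart-userdata",
                           f"{m['scope']}Run [{m['name']}] runs from user data: {m['cmd']}")
    return None


def triage(text: str) -> List[Finding]:
    """Run both checkers over every non-empty line; findings keep log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            f = check_mbam(line) or check_dds(line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:6} {f.kind:18} {f.detail}")
```

The vowel-ratio test is only a heuristic; it separates `jtmojytql` from `dropbox` here, but a legitimate per-user install that trips it still lands at "review", not "high", unless the name looks random.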

Step 1:

Please uninstall the following applications:

Adobe Reader 7.0.5

LimeWire 5.2.13

After we finish our work, please download and install the latest version of Adobe Reader from:

http://www.adobe.com

LimeWire is against our policy.

Step 2:

Please go into the Control Panel, Add/Remove, and for now remove ALL versions of JAVA.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
  • Then look for the following Java folders and if found delete them:
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do not do any fixing on your own or run scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix.
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

In your next reply, please include these log(s):

* JavaRa log

* ComboFix log


JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Fri Apr 16 12:45:20 2010

Found and removed: C:\Program Files\Java\jre1.5.0_09
Found and removed: C:\Documents and Settings\main_user\Application Data\Sun\Java\jre1.6.0_12
Found and removed: C:\Documents and Settings\main_user\Application Data\Sun\Java\jre1.6.0_13
Found and removed: C:\Documents and Settings\main_user\Application Data\Sun\Java\jre1.6.0_14
Found and removed: C:\Documents and Settings\main_user\Application Data\Sun\Java\jre1.6.0_15
Found and removed: C:\Windows\System32\jpicpl32.cpl
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_09\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core1.zip
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core2.zip
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core3.zip

JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Fri Apr 16 12:46:42 2010

------------------------------------
Finished reporting.

____

ComboFix 10-04-15.05 - main_user 16/04/2010 13:59:49.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.106 [GMT -4:00]

Running from: c:\documents and settings\main_user\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\main_user\Recent\Thumbs.db

c:\program files\INSTALL.LOG

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))

.

2010-04-15 23:04 . 2010-04-15 23:04 -------- d-----w- c:\documents and settings\main_user\Local Settings\Application Data\Threat Expert

2010-04-15 22:51 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-04-15 22:51 . 2010-04-15 22:51 -------- d-----w- c:\documents and settings\main_user\Application Data\PC Tools

2010-04-15 22:51 . 2010-04-15 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-04-15 16:17 . 2010-04-15 16:17 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-04-15 14:31 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-04-15 14:31 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll

2010-04-15 14:31 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip

2010-04-15 14:31 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-04-15 14:31 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-04-15 14:31 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip

2010-04-15 14:27 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-04-15 14:26 . 2010-03-10 15:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-04-15 14:26 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-04-15 14:26 . 2010-04-16 18:15 -------- d-----w- c:\program files\Spyware Doctor

2010-04-15 14:26 . 2010-04-15 23:00 -------- d-----w- c:\program files\Common Files\PC Tools

2010-04-15 01:41 . 2010-04-15 01:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-04-15 01:28 . 2010-04-15 23:47 -------- d-----w- c:\documents and settings\main_user\Local Settings\Application Data\jtmojytql

2010-04-07 16:17 . 2010-04-07 16:17 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2010-04-01 16:12 . 2010-04-01 16:12 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe

2010-04-01 16:12 . 2010-04-01 16:12 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe

2010-04-01 16:12 . 2010-04-01 16:12 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll

2010-04-01 16:12 . 2010-04-01 16:12 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll

2010-04-01 16:12 . 2010-04-01 16:12 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe

2010-04-01 16:12 . 2010-04-01 16:12 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll

2010-04-01 16:12 . 2010-04-01 16:12 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll

2010-04-01 16:12 . 2010-04-01 16:12 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll

2010-04-01 16:12 . 2010-04-01 16:12 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll

2010-04-01 16:12 . 2010-04-01 16:12 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe

2010-04-01 16:12 . 2010-04-01 16:12 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll

2010-04-01 16:12 . 2010-04-01 16:12 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll

2010-04-01 16:10 . 2010-04-01 16:10 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-01 16:10 . 2010-04-01 16:10 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-16 18:12 . 2009-04-14 19:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-16 17:49 . 2007-07-14 03:59 12494 ----a-w- c:\windows\system32\tablet.dat

2010-04-16 17:47 . 2008-02-18 01:26 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat

2010-04-16 17:47 . 2008-02-18 01:26 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat

2010-04-16 17:46 . 2008-10-14 04:19 -------- d-----w- c:\documents and settings\main_user\Application Data\uTorrent

2010-04-16 17:20 . 2006-12-03 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-16 17:01 . 2009-11-13 04:39 0 ----a-w- c:\documents and settings\main_user\Local Settings\Application Data\prvlcl.dat

2010-04-16 16:48 . 2009-09-22 15:33 -------- d-----w- c:\program files\BellCanada

2010-04-16 16:12 . 2008-01-25 05:22 -------- d-----w- c:\program files\LimeWire

2010-04-15 13:20 . 2010-03-01 06:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-15 13:20 . 2010-03-01 06:31 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-15 00:36 . 2008-01-20 22:02 -------- d-----w- c:\program files\Lx_cats

2010-04-14 03:24 . 2008-01-25 05:23 -------- d-----w- c:\documents and settings\main_user\Application Data\LimeWire

2010-03-30 04:46 . 2010-03-01 06:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2010-03-01 06:30 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-18 03:42 . 2009-03-26 05:35 -------- d-----w- c:\program files\uTorrent

2010-03-15 17:15 . 2009-10-25 20:48 62752 ---ha-w- c:\windows\system32\mlfcache.dat

2010-03-15 15:28 . 2009-03-29 19:46 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-15 15:28 . 2010-03-15 15:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-15 15:28 . 2009-03-29 19:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-15 15:28 . 2009-03-29 19:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-03-11 00:17 . 2008-06-30 23:22 -------- d-----w- c:\program files\Celtx

2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-01 06:31 . 2010-03-01 06:31 -------- d-----w- c:\documents and settings\main_user\Application Data\Malwarebytes

2010-03-01 06:30 . 2010-03-01 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-26 03:50 . 2008-05-04 15:57 -------- d-----w- c:\documents and settings\main_user\Application Data\Apple Computer

2010-02-25 18:27 . 2006-12-03 02:01 89664 ----a-w- c:\documents and settings\main_user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-25 00:24 . 2010-02-25 00:24 -------- d-----w- c:\program files\MSECache

2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 13:19 . 2004-08-04 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 12:39 . 2004-08-03 22:59 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:47 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:01 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2010-02-02 23:20 . 2010-02-02 23:20 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

2010-01-17 19:01 . 2010-01-17 19:01 290816 ----a-w- c:\documents and settings\main_user\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll

2010-01-17 19:01 . 2010-01-17 19:01 290816 ----a-w- c:\documents and settings\main_user\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll

2010-01-17 19:01 . 2010-01-17 19:01 290816 ----a-w- c:\documents and settings\main_user\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll

2010-01-17 19:01 . 2010-01-17 19:01 290816 ----a-w- c:\documents and settings\main_user\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll

2009-10-05 23:34 . 2009-09-14 18:29 210944 ----a-w- c:\program files\mozilla firefox\components\rpff.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-18 319792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IW Controlcenter"="c:\progra~1\INSTAN~1\INSTAN~1\IWCTRL.EXE" [2002-09-26 751104]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2004-07-09 1249280]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-04-14 45056]

"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]

"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]

"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]

"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]

"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nwiz"="nwiz.exe" [2006-10-22 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2008-12-07 1471488]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-15 15:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\lxcgcoms.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:TCP Port 135

"5000:TCP"= 5000:TCP:TCP Port 5000

"5001:TCP"= 5001:TCP:TCP Port 5001

"5002:TCP"= 5002:TCP:TCP Port 5002

"5003:TCP"= 5003:TCP:TCP Port 5003

"5004:TCP"= 5004:TCP:TCP Port 5004

"5005:TCP"= 5005:TCP:TCP Port 5005

"5006:TCP"= 5006:TCP:TCP Port 5006

"5007:TCP"= 5007:TCP:TCP Port 5007

"5008:TCP"= 5008:TCP:TCP Port 5008

"5009:TCP"= 5009:TCP:TCP Port 5009

"5010:TCP"= 5010:TCP:TCP Port 5010

"5011:TCP"= 5011:TCP:TCP Port 5011

"5012:TCP"= 5012:TCP:TCP Port 5012

"5013:TCP"= 5013:TCP:TCP Port 5013

"5014:TCP"= 5014:TCP:TCP Port 5014

"5015:TCP"= 5015:TCP:TCP Port 5015

"5016:TCP"= 5016:TCP:TCP Port 5016

"5017:TCP"= 5017:TCP:TCP Port 5017

"5018:TCP"= 5018:TCP:TCP Port 5018

"5019:TCP"= 5019:TCP:TCP Port 5019

"5020:TCP"= 5020:TCP:TCP Port 5020

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [02/12/2006 11:50 PM 5248]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/04/2010 10:26 AM 217032]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/03/2009 3:46 PM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [29/03/2009 3:46 PM 242696]

R1 cdrdrv;cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [02/12/2006 11:03 PM 61952]

R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [02/12/2006 11:03 PM 9728]

R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [02/12/2006 11:03 PM 178688]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/03/2010 11:28 AM 308064]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [15/04/2010 10:31 AM 112592]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/04/2010 6:51 PM 366840]

S0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [02/12/2006 11:50 PM 160640]

S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [16/08/2008 8:50 PM 31872]

S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [29/11/2001 4:10 AM 1432836]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

.

Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://www.google.com

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\main_user\Application Data\Mozilla\Firefox\Profiles\mpbq3u84.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\program files\Mozilla Firefox\components\rpff.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISTray - c:\program files\Spyware Doctor\pctsTray.exe

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_09\bin\jusched.exe

AddRemove-DealAssistant - c:\documents and settings\main_user\Application Data\DealAssistant\DAUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-16 14:14

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2???A~??A~????????\???\???????????U?A~??A~\???\???????@xa??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1935655697-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

Completion time: 2010-04-16 14:22:48

ComboFix-quarantined-files.txt 2010-04-16 18:22

Pre-Run: 25,034,256,384 bytes free

Post-Run: 33,597,816,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6A2E47C83BFA6D95BFF4F700E088F4B5


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

DirLook::
c:\documents and settings\main_user\Local Settings\Application Data\jtmojytql

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"="wdmaud.drv"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"=-
"5000:TCP"=-
"5001:TCP"=-
"5002:TCP"=-
"5003:TCP"=-
"5004:TCP"=-
"5005:TCP"=-
"5006:TCP"=-
"5007:TCP"=-
"5008:TCP"=-
"5009:TCP"=-
"5010:TCP"=-
"5011:TCP"=-
"5012:TCP"=-
"5013:TCP"=-
"5014:TCP"=-
"5015:TCP"=-
"5016:TCP"=-
"5017:TCP"=-
"5018:TCP"=-
"5019:TCP"=-
"5020:TCP"=-

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


ComboFix 10-04-15.05 - main_user 16/04/2010 16:11:08.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.234 [GMT -4:00]

Running from: c:\documents and settings\main_user\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\main_user\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))

.

2010-04-15 23:04 . 2010-04-15 23:04 -------- d-----w- c:\documents and settings\main_user\Local Settings\Application Data\Threat Expert

2010-04-15 22:51 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-04-15 22:51 . 2010-04-15 22:51 -------- d-----w- c:\documents and settings\main_user\Application Data\PC Tools

2010-04-15 22:51 . 2010-04-15 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-04-15 16:17 . 2010-04-15 16:17 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-04-15 14:31 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-04-15 14:31 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll

2010-04-15 14:31 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip

2010-04-15 14:31 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-04-15 14:31 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-04-15 14:31 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip

2010-04-15 14:27 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-04-15 14:26 . 2010-03-10 15:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-04-15 14:26 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-04-15 14:26 . 2010-04-16 20:25 -------- d-----w- c:\program files\Spyware Doctor

2010-04-15 14:26 . 2010-04-15 23:00 -------- d-----w- c:\program files\Common Files\PC Tools

2010-04-15 01:41 . 2010-04-15 01:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-04-15 01:28 . 2010-04-15 23:47 -------- d-----w- c:\documents and settings\main_user\Local Settings\Application Data\jtmojytql

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-16 20:31 . 2008-10-14 04:19 -------- d-----w- c:\documents and settings\main_user\Application Data\uTorrent

2010-04-16 20:25 . 2009-04-14 19:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-16 20:24 . 2007-07-14 03:59 12494 ----a-w- c:\windows\system32\tablet.dat

2010-04-16 20:23 . 2008-02-18 01:26 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat

2010-04-16 20:23 . 2008-02-18 01:26 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat

2010-04-16 19:01 . 2009-11-13 04:39 0 ----a-w- c:\documents and settings\main_user\Local Settings\Application Data\prvlcl.dat

2010-04-16 17:20 . 2006-12-03 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-16 16:48 . 2009-09-22 15:33 -------- d-----w- c:\program files\BellCanada

2010-04-16 16:12 . 2008-01-25 05:22 -------- d-----w- c:\program files\LimeWire

2010-04-15 13:20 . 2010-03-01 06:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-15 00:36 . 2008-01-20 22:02 -------- d-----w- c:\program files\Lx_cats

2010-04-14 03:24 . 2008-01-25 05:23 -------- d-----w- c:\documents and settings\main_user\Application Data\LimeWire

2010-03-30 04:46 . 2010-03-01 06:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2010-03-01 06:30 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-18 03:42 . 2009-03-26 05:35 -------- d-----w- c:\program files\uTorrent

2010-03-15 17:15 . 2009-10-25 20:48 62752 ---ha-w- c:\windows\system32\mlfcache.dat

2010-03-15 15:28 . 2009-03-29 19:46 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-15 15:28 . 2010-03-15 15:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-15 15:28 . 2009-03-29 19:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-15 15:28 . 2009-03-29 19:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-03-11 00:17 . 2008-06-30 23:22 -------- d-----w- c:\program files\Celtx

2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-01 06:31 . 2010-03-01 06:31 -------- d-----w- c:\documents and settings\main_user\Application Data\Malwarebytes

2010-03-01 06:30 . 2010-03-01 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-26 03:50 . 2008-05-04 15:57 -------- d-----w- c:\documents and settings\main_user\Application Data\Apple Computer

2010-02-25 18:27 . 2006-12-03 02:01 89664 ----a-w- c:\documents and settings\main_user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-25 00:24 . 2010-02-25 00:24 -------- d-----w- c:\program files\MSECache

2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 13:19 . 2004-08-04 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 12:39 . 2004-08-03 22:59 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:47 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:01 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2009-10-05 23:34 . 2009-09-14 18:29 210944 ----a-w- c:\program files\mozilla firefox\components\rpff.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\main_user\Local Settings\Application Data\jtmojytql ----

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\atapi.sys

[-] 2004-08-04 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-18 319792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IW Controlcenter"="c:\progra~1\INSTAN~1\INSTAN~1\IWCTRL.EXE" [2002-09-26 751104]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2004-07-09 1249280]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-04-14 45056]

"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]

"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]

"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]

"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]

"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nwiz"="nwiz.exe" [2006-10-22 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2008-12-07 1471488]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [bU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-16 113664]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]

TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-4 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-15 15:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\lxcgcoms.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [02/12/2006 11:50 PM 160640]

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [02/12/2006 11:50 PM 5248]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/04/2010 10:26 AM 217032]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/03/2009 3:46 PM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [29/03/2009 3:46 PM 242696]

R1 cdrdrv;cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [02/12/2006 11:03 PM 61952]

R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [02/12/2006 11:03 PM 9728]

R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [02/12/2006 11:03 PM 178688]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/03/2010 11:28 AM 308064]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [15/04/2010 10:31 AM 112592]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/04/2010 6:51 PM 366840]

S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [16/08/2008 8:50 PM 31872]

S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [29/11/2001 4:10 AM 1432836]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

.

Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://www.google.com

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\main_user\Application Data\Mozilla\Firefox\Profiles\mpbq3u84.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\program files\Mozilla Firefox\components\rpff.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-16 16:30

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run??????????st????\?w? ?w???????w???w4???????.??w4???????4???TA?s4???n????'2???A~??A~n???????\???\???????t???U?A~??A~\???\???????0?`?L????C@?\???\??????sn???\??????s\????'2?A??s?'2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x82B77340]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf8799fc3

\Driver\ACPI -> ACPI.sys @ 0xf86c4cb8

\Driver\atapi -> 0x82b77340

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6

ParseProcedure -> ntoskrnl.exe @ 0x8056f26d

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6

ParseProcedure -> ntoskrnl.exe @ 0x8056f26d

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

Warning: possible MBR rootkit infection !

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1935655697-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3612)

c:\windows\system32\WININET.dll

c:\program files\Spyware Doctor\pctgmhk.dll

c:\windows\system32\tabhook.dll

c:\windows\system32\ctagent.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WS2_32.dll

c:\windows\system32\WS2HELP.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\nvsvc32.exe

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\program files\Spyware Doctor\pctsSvc.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\system32\Tablet.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\CTHELPER.EXE

c:\windows\system32\wscntfy.exe

c:\windows\system32\lxcgcoms.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-04-16 16:41:51 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-16 20:41

ComboFix2.txt 2010-04-16 18:22

Pre-Run: 33,639,919,616 bytes free

Post-Run: 33,591,144,448 bytes free

- - End Of File - - 327FC9BEB79F07B55A7D7348CD4830C4


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

Folder::
c:\documents and settings\main_user\Local Settings\Application Data\jtmojytql

FCopy::
c:\windows\ERDNT\cache\atapi.sys | c:\windows\system32\drivers\atapi.sys

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
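The FCopy line in the script restores atapi.sys from the ERDNT cache because ComboFix's Sigcheck section shows the in-use copy in system32\drivers as the one file it could not open, while the dllcache and ERDNT copies both hash to the known-good SP2 build. The following is an added example (not ComboFix, Malwarebytes or BleepingComputer code) of that comparison: hash every copy of a system file, compare each against a reference, and report an unreadable copy as a finding rather than skipping it. The reference MD5 and size are the ones on this page; the file layout the demo builds is constructed in a temporary directory and contains no real driver images.

```python
"""Driver-copy integrity check modelled on ComboFix's Sigcheck section (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Known-good reference taken from the Sigcheck lines on this page: the XP SP2 atapi.sys
# (file version 5.1.2600.2180) hashes to this MD5 and is 95360 bytes.
KNOWN_GOOD_ATAPI_SP2 = ("CDFE4411A69C224BD1D11B2DA92DAC51", 95360)


def file_md5(path):
    """Return (MD5 hex in upper case, size in bytes); raises OSError if unreadable."""
    digest = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest().upper(), size


def check_driver_copies(reference, copies):
    """Compare each labelled copy against reference=(md5, size).

    Returns {label: (status, md5_or_None)} with status "match", "mismatch" or
    "unreadable". An unreadable copy is reported, not skipped: on the page the
    in-use drivers\\atapi.sys was the one file Sigcheck could not open.
    """
    ref_md5, ref_size = reference
    results = {}
    for label, path in copies.items():
        try:
            md5, size = file_md5(path)
        except OSError:
            results[label] = ("unreadable", None)
            continue
        status = "match" if (md5, size) == (ref_md5, ref_size) else "mismatch"
        results[label] = (status, md5)
    return results


def demo():
    """Constructed layout mirroring the paths on the page; not real driver images."""
    root = Path(tempfile.mkdtemp(prefix="sigcheck_demo_"))
    try:
        clean = b"constructed stand-in for a clean atapi.sys image\n" * 64
        # Same size as the clean copy, different bytes: what an in-place patch looks like.
        infected = clean[:-16] + b"PATCHED_PAYLOAD_"
        layout = {
            "dllcache": (root / "system32" / "dllcache" / "atapi.sys", clean),
            "erdnt": (root / "ERDNT" / "cache" / "atapi.sys", clean),
            "drivers": (root / "system32" / "drivers" / "atapi.sys", infected),
        }
        for path, data in layout.values():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        # A directory stands in for a file that is held locked: open() for reading fails.
        locked = root / "locked" / "atapi.sys"
        locked.mkdir(parents=True)
        reference = file_md5(layout["dllcache"][0])
        copies = {lbl: p for lbl, (p, _) in layout.items() if lbl != "dllcache"}
        copies["locked"] = locked
        return check_driver_copies(reference, copies)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, (status, md5) in demo().items():
        print(f"{label:8s} {status:10s} {md5 or '-'}")
```

On a real machine the reference would be KNOWN_GOOD_ATAPI_SP2 (or the dllcache copy after it has been checked against a vendor hash), and the three paths would be the ones ComboFix lists; a "mismatch" or "unreadable" result for the drivers copy while the cached copies agree is exactly the evidence the FCopy line acts on.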


ComboFix 10-04-15.05 - main_user 17/04/2010 12:15:30.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.110 [GMT -4:00]

Running from: c:\documents and settings\main_user\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\main_user\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\main_user\Local Settings\Application Data\jtmojytql

.

--------------- FCopy ---------------

c:\windows\ERDNT\cache\atapi.sys --> c:\windows\system32\drivers\atapi.sys

.

((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))

.

2010-04-15 23:04 . 2010-04-15 23:04 -------- d-----w- c:\documents and settings\main_user\Local Settings\Application Data\Threat Expert

2010-04-15 22:51 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-04-15 22:51 . 2010-04-15 22:51 -------- d-----w- c:\documents and settings\main_user\Application Data\PC Tools

2010-04-15 22:51 . 2010-04-15 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-04-15 16:17 . 2010-04-15 16:17 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-04-15 14:31 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-04-15 14:31 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll

2010-04-15 14:31 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip

2010-04-15 14:31 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-04-15 14:31 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-04-15 14:31 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip

2010-04-15 14:27 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-04-15 14:26 . 2010-03-10 15:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-04-15 14:26 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-04-15 14:26 . 2010-04-17 16:30 -------- d-----w- c:\program files\Spyware Doctor

2010-04-15 14:26 . 2010-04-15 23:00 -------- d-----w- c:\program files\Common Files\PC Tools

2010-04-15 01:41 . 2010-04-15 01:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-17 16:36 . 2008-10-14 04:19 -------- d-----w- c:\documents and settings\main_user\Application Data\uTorrent

2010-04-17 16:30 . 2009-04-14 19:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-17 16:30 . 2007-07-14 03:59 12494 ----a-w- c:\windows\system32\tablet.dat

2010-04-17 16:28 . 2008-02-18 01:26 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat

2010-04-17 16:28 . 2008-02-18 01:26 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat

2010-04-17 16:01 . 2009-11-13 04:39 0 ----a-w- c:\documents and settings\main_user\Local Settings\Application Data\prvlcl.dat

2010-04-16 17:20 . 2006-12-03 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-16 16:48 . 2009-09-22 15:33 -------- d-----w- c:\program files\BellCanada

2010-04-16 16:12 . 2008-01-25 05:22 -------- d-----w- c:\program files\LimeWire

2010-04-15 13:20 . 2010-03-01 06:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-15 00:36 . 2008-01-20 22:02 -------- d-----w- c:\program files\Lx_cats

2010-04-14 03:24 . 2008-01-25 05:23 -------- d-----w- c:\documents and settings\main_user\Application Data\LimeWire

2010-03-30 04:46 . 2010-03-01 06:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2010-03-01 06:30 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-18 03:42 . 2009-03-26 05:35 -------- d-----w- c:\program files\uTorrent

2010-03-15 17:15 . 2009-10-25 20:48 62752 ---ha-w- c:\windows\system32\mlfcache.dat

2010-03-15 15:28 . 2009-03-29 19:46 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-15 15:28 . 2010-03-15 15:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-15 15:28 . 2009-03-29 19:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-15 15:28 . 2009-03-29 19:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-03-11 00:17 . 2008-06-30 23:22 -------- d-----w- c:\program files\Celtx

2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-01 06:31 . 2010-03-01 06:31 -------- d-----w- c:\documents and settings\main_user\Application Data\Malwarebytes

2010-03-01 06:30 . 2010-03-01 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-26 03:50 . 2008-05-04 15:57 -------- d-----w- c:\documents and settings\main_user\Application Data\Apple Computer

2010-02-25 18:27 . 2006-12-03 02:01 89664 ----a-w- c:\documents and settings\main_user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-25 00:24 . 2010-02-25 00:24 -------- d-----w- c:\program files\MSECache

2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 13:19 . 2004-08-04 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 12:39 . 2004-08-03 22:59 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:47 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:01 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2009-10-05 23:34 . 2009-09-14 18:29 210944 ----a-w- c:\program files\mozilla firefox\components\rpff.dll

.

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys

[-] 2004-08-04 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-18 319792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IW Controlcenter"="c:\progra~1\INSTAN~1\INSTAN~1\IWCTRL.EXE" [2002-09-26 751104]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2004-07-09 1249280]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-04-14 45056]

"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]

"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]

"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]

"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]

"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nwiz"="nwiz.exe" [2006-10-22 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2008-12-07 1471488]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [bU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-16 113664]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]

TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-4 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-15 15:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\lxcgcoms.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [02/12/2006 11:50 PM 160640]

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [02/12/2006 11:50 PM 5248]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/04/2010 10:26 AM 217032]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/03/2009 3:46 PM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [29/03/2009 3:46 PM 242696]

R1 cdrdrv;cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [02/12/2006 11:03 PM 61952]

R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [02/12/2006 11:03 PM 9728]

R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [02/12/2006 11:03 PM 178688]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/03/2010 11:28 AM 308064]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [15/04/2010 10:31 AM 112592]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/04/2010 6:51 PM 366840]

S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [16/08/2008 8:50 PM 31872]

S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [29/11/2001 4:10 AM 1432836]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

.

Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://www.google.com

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\main_user\Application Data\Mozilla\Firefox\Profiles\mpbq3u84.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\program files\Mozilla Firefox\components\rpff.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-17 12:35

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run??????????st????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????'2???A~??A~????????\???\???????t???U?A~??A~\???\?????????a?L????C@?\???\??????s????\??????s\????'2?A??s?'2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x82B8AD00]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf8799fc3

\Driver\ACPI -> ACPI.sys @ 0xf86c4cb8

\Driver\atapi -> 0x82b8ad00

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6

ParseProcedure -> ntoskrnl.exe @ 0x8056f26d

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6

ParseProcedure -> ntoskrnl.exe @ 0x8056f26d

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

Warning: possible MBR rootkit infection !

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1935655697-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3072)

c:\windows\system32\WININET.dll

c:\program files\Spyware Doctor\pctgmhk.dll

c:\windows\system32\tabhook.dll

c:\windows\system32\ctagent.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WS2_32.dll

c:\windows\system32\WS2HELP.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\nvsvc32.exe

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\program files\Spyware Doctor\pctsSvc.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\system32\Tablet.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\CTHELPER.EXE

c:\windows\system32\lxcgcoms.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-04-17 12:46:55 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-17 16:46

ComboFix2.txt 2010-04-16 20:41

ComboFix3.txt 2010-04-16 18:22

Pre-Run: 33,570,000,896 bytes free

Post-Run: 33,541,095,424 bytes free

- - End Of File - - 75AB9B6ABED122239F3C552F8A26C2DA


Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.


Oh! Never mind! I found the .txt file. :)

15:52:02:801 2500 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

15:52:02:801 2500 ================================================================================

15:52:02:801 2500 SystemInfo:

15:52:02:811 2500 OS Version: 5.1.2600 ServicePack: 2.0

15:52:02:811 2500 Product type: Workstation

15:52:02:811 2500 ComputerName: TONY-A5

15:52:02:811 2500 UserName: main_user

15:52:02:811 2500 Windows directory: C:\WINDOWS

15:52:02:811 2500 Processor architecture: Intel x86

15:52:02:811 2500 Number of processors: 1

15:52:02:811 2500 Page size: 0x1000

15:52:02:831 2500 Boot type: Normal boot

15:52:02:831 2500 ================================================================================

15:52:02:931 2500 UnloadDriverW: NtUnloadDriver error 2

15:52:02:931 2500 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

15:52:03:973 2500 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

15:52:03:973 2500 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

15:52:03:973 2500 wfopen_ex: Trying to KLMD file open

15:52:03:973 2500 wfopen_ex: File opened ok (Flags 2)

15:52:03:973 2500 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

15:52:03:973 2500 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

15:52:03:973 2500 wfopen_ex: Trying to KLMD file open

15:52:03:973 2500 wfopen_ex: File opened ok (Flags 2)

15:52:03:973 2500 Initialize success

15:52:03:973 2500

15:52:03:973 2500 Scanning Services ...

15:52:04:554 2500 Raw services enum returned 347 services

15:52:04:574 2500

15:52:04:574 2500 Scanning Kernel memory ...

15:52:04:574 2500 Devices to scan: 2

15:52:04:574 2500

15:52:04:574 2500 Driver Name: Disk

15:52:04:574 2500 IRP_MJ_CREATE : F879BC30

15:52:04:574 2500 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE

15:52:04:574 2500 IRP_MJ_CLOSE : F879BC30

15:52:04:574 2500 IRP_MJ_READ : F8795D9B

15:52:04:574 2500 IRP_MJ_WRITE : F8795D9B

15:52:04:574 2500 IRP_MJ_QUERY_INFORMATION : 804FB8EE

15:52:04:574 2500 IRP_MJ_SET_INFORMATION : 804FB8EE

15:52:04:574 2500 IRP_MJ_QUERY_EA : 804FB8EE

15:52:04:574 2500 IRP_MJ_SET_EA : 804FB8EE

15:52:04:584 2500 IRP_MJ_FLUSH_BUFFERS : F8796366

15:52:04:584 2500 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE

15:52:04:584 2500 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE

15:52:04:584 2500 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE

15:52:04:584 2500 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE

15:52:04:584 2500 IRP_MJ_DEVICE_CONTROL : F879644D

15:52:04:584 2500 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8799FC3

15:52:04:584 2500 IRP_MJ_SHUTDOWN : F8796366

15:52:04:584 2500 IRP_MJ_LOCK_CONTROL : 804FB8EE

15:52:04:584 2500 IRP_MJ_CLEANUP : 804FB8EE

15:52:04:584 2500 IRP_MJ_CREATE_MAILSLOT : 804FB8EE

15:52:04:584 2500 IRP_MJ_QUERY_SECURITY : 804FB8EE

15:52:04:584 2500 IRP_MJ_SET_SECURITY : 804FB8EE

15:52:04:584 2500 IRP_MJ_POWER : F8797EF3

15:52:04:584 2500 IRP_MJ_SYSTEM_CONTROL : F879CA24

15:52:04:584 2500 IRP_MJ_DEVICE_CHANGE : 804FB8EE

15:52:04:584 2500 IRP_MJ_QUERY_QUOTA : 804FB8EE

15:52:04:584 2500 IRP_MJ_SET_QUOTA : 804FB8EE

15:52:04:624 2500 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:52:04:624 2500

15:52:04:624 2500 Driver Name: atapi

15:52:04:624 2500 IRP_MJ_CREATE : 82B8AD00

15:52:04:624 2500 IRP_MJ_CREATE_NAMED_PIPE : 82B8AD00

15:52:04:624 2500 IRP_MJ_CLOSE : 82B8AD00

15:52:04:624 2500 IRP_MJ_READ : 82B8AD00

15:52:04:624 2500 IRP_MJ_WRITE : 82B8AD00

15:52:04:624 2500 IRP_MJ_QUERY_INFORMATION : 82B8AD00

15:52:04:624 2500 IRP_MJ_SET_INFORMATION : 82B8AD00

15:52:04:624 2500 IRP_MJ_QUERY_EA : 82B8AD00

15:52:04:624 2500 IRP_MJ_SET_EA : 82B8AD00

15:52:04:624 2500 IRP_MJ_FLUSH_BUFFERS : 82B8AD00

15:52:04:624 2500 IRP_MJ_QUERY_VOLUME_INFORMATION : 82B8AD00

15:52:04:624 2500 IRP_MJ_SET_VOLUME_INFORMATION : 82B8AD00

15:52:04:624 2500 IRP_MJ_DIRECTORY_CONTROL : 82B8AD00

15:52:04:624 2500 IRP_MJ_FILE_SYSTEM_CONTROL : 82B8AD00

15:52:04:624 2500 IRP_MJ_DEVICE_CONTROL : 82B8AD00

15:52:04:624 2500 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82B8AD00

15:52:04:624 2500 IRP_MJ_SHUTDOWN : 82B8AD00

15:52:04:624 2500 IRP_MJ_LOCK_CONTROL : 82B8AD00

15:52:04:624 2500 IRP_MJ_CLEANUP : 82B8AD00

15:52:04:624 2500 IRP_MJ_CREATE_MAILSLOT : 82B8AD00

15:52:04:624 2500 IRP_MJ_QUERY_SECURITY : 82B8AD00

15:52:04:624 2500 IRP_MJ_SET_SECURITY : 82B8AD00

15:52:04:624 2500 IRP_MJ_POWER : 82B8AD00

15:52:04:624 2500 IRP_MJ_SYSTEM_CONTROL : 82B8AD00

15:52:04:624 2500 IRP_MJ_DEVICE_CHANGE : 82B8AD00

15:52:04:624 2500 IRP_MJ_QUERY_QUOTA : 82B8AD00

15:52:04:624 2500 IRP_MJ_SET_QUOTA : 82B8AD00

15:52:04:644 2500 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1

15:52:04:644 2500

15:52:04:644 2500 Completed

15:52:04:644 2500

15:52:04:644 2500 Results:

15:52:04:644 2500 Memory objects infected / cured / cured on reboot: 0 / 0 / 0

15:52:04:644 2500 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

15:52:04:644 2500 File objects infected / cured / cured on reboot: 0 / 0 / 0

15:52:04:644 2500

15:52:04:654 2500 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

15:52:04:654 2500 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

15:52:04:664 2500 KLMD(ARK) unloaded successfully
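The table above is the part of the TDSSKiller log worth reading closely: every IRP_MJ_* handler of the atapi device object points at 82B8AD00, the same address the Stealth MBR detector earlier reported as ">>UNKNOWN<<", while the handlers of Disk resolve into CLASSPNP.SYS and ntoskrnl.exe. The following is an added example (not Kaspersky's code) that automates that reading of the log: parse the dispatch table per driver, resolve each handler address against a module map, and flag a driver whose handlers land outside every known image. The log lines are abridged from the post above; the module ranges are constructed for the example and are not taken from the page.

```python
"""Review IRP dispatch tables from a TDSSKiller-style log (added example)."""
import re

# Constructed image ranges (base, end) for this example. Disk's handlers on the page
# fall in CLASSPNP.SYS (F879xxxx) and ntoskrnl.exe (804Fxxxx); 82B8AD00 falls in neither.
MODULE_MAP = {
    "ntoskrnl.exe": (0x804D7000, 0x806E4000),
    "CLASSPNP.SYS": (0xF8795000, 0xF879E000),
}

# Abridged lines from the TDSSKiller log posted above.
SAMPLE_LOG = """\
15:52:04:574 2500 Driver Name: Disk
15:52:04:574 2500 IRP_MJ_CREATE : F879BC30
15:52:04:574 2500 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
15:52:04:574 2500 IRP_MJ_READ : F8795D9B
15:52:04:574 2500 IRP_MJ_WRITE : F8795D9B
15:52:04:584 2500 IRP_MJ_DEVICE_CONTROL : F879644D
15:52:04:584 2500 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8799FC3
15:52:04:624 2500 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
15:52:04:624 2500 Driver Name: atapi
15:52:04:624 2500 IRP_MJ_CREATE : 82B8AD00
15:52:04:624 2500 IRP_MJ_CREATE_NAMED_PIPE : 82B8AD00
15:52:04:624 2500 IRP_MJ_READ : 82B8AD00
15:52:04:624 2500 IRP_MJ_WRITE : 82B8AD00
15:52:04:624 2500 IRP_MJ_DEVICE_CONTROL : 82B8AD00
15:52:04:624 2500 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82B8AD00
15:52:04:644 2500 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
"""

LINE_RE = re.compile(r"^\d\d:\d\d:\d\d:\d{3}\s+\d+\s+(.*)$")   # "hh:mm:ss:ms pid body"
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")


def parse_irp_tables(log_text):
    """Return {driver_name: {IRP_MJ_name: handler_address}} from the log text."""
    tables, current = {}, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        d = DRIVER_RE.match(body)
        if d:
            current = d.group(1)
            tables[current] = {}
            continue
        i = IRP_RE.match(body)
        if i and current is not None:
            tables[current][i.group(1)] = int(i.group(2), 16)
    return tables


def resolve_module(addr, module_map=MODULE_MAP):
    """Name of the image whose range contains addr, or None if no image does."""
    for name, (lo, hi) in module_map.items():
        if lo <= addr < hi:
            return name
    return None


def assess(tables, module_map=MODULE_MAP):
    """Flag drivers with a handler that resolves to no known module image."""
    findings = {}
    for driver, handlers in tables.items():
        targets = set(handlers.values())
        unresolved = sorted(a for a in targets if resolve_module(a, module_map) is None)
        reasons = []
        if unresolved:
            reasons.append("handler outside every known module image")
        if len(targets) == 1 and len(handlers) > 1:
            # Supporting context only: a single dispatch routine is legal on its own.
            reasons.append("every major function routed to one address")
        findings[driver] = {
            "handlers": len(handlers),
            "distinct_targets": len(targets),
            "unresolved": [f"{a:08X}" for a in unresolved],
            "suspicious": bool(unresolved),
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for driver, f in assess(parse_irp_tables(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{driver:6s} {flag:10s} targets={f['distinct_targets']} "
              f"unresolved={f['unresolved']} {'; '.join(f['reasons'])}")
```

The module map is the part a real run must supply from the same machine (a driver-list dump taken at the time of the scan); the verdict the script reaches for atapi here, one address for every major function and that address inside no loaded image, is the pattern the helper treated as the atapi.sys infection and corrected with the FCopy script.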


ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=155ac8da214ad14a8aab9c96da4140d7

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-04-17 11:40:56

# local_time=2010-04-17 07:40:56 (-0500, Eastern Daylight Time)

# country="Canada"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=1024 16777191 100 0 13089951 13089951 0 0

# compatibility_mode=2560 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=79173

# found=8

# cleaned=8

# scan_time=10391

C:\Documents and Settings\main_user\My Documents\My Music\31 flavours (rare track).wav a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\main_user\My Documents\My Music\Louis Prima - Yes, We have No Bananas.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\main_user\My Documents\My Music\other father song [cd rip].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\main_user\My Documents\My Music\ten thousand paces CD quality.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Program Files\PopCap Games\TipTop Deluxe\CRACK-TipTopDeluxe.exe Win32/Tool.TPE.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{E926DFA9-A30F-4C2B-8FE3-DA724F5344EB}\RP584\A0730828.exe Win32/Adware.OneStep application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{E926DFA9-A30F-4C2B-8FE3-DA724F5344EB}\RP584\A0730829.exe Win32/Adware.OneStep application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{E926DFA9-A30F-4C2B-8FE3-DA724F5344EB}\RP618\A0904960.exe Win32/Tool.TPE.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Delete your copy of ComboFix.

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

  2. During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


ComboFix 10-04-17.07 - main_user 18/04/2010 17:03:39.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.109 [GMT -4:00]

Running from: c:\documents and settings\main_user\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))

.

2010-04-17 20:38 . 2010-04-17 20:38 -------- d-----w- c:\program files\ESET

2010-04-15 23:04 . 2010-04-15 23:04 -------- d-----w- c:\documents and settings\main_user\Local Settings\Application Data\Threat Expert

2010-04-15 22:51 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-04-15 22:51 . 2010-04-15 22:51 -------- d-----w- c:\documents and settings\main_user\Application Data\PC Tools

2010-04-15 22:51 . 2010-04-15 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-04-15 16:17 . 2010-04-15 16:17 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-04-15 14:31 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-04-15 14:31 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll

2010-04-15 14:31 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip

2010-04-15 14:31 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-04-15 14:31 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-04-15 14:31 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip

2010-04-15 14:27 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-04-15 14:26 . 2010-03-10 15:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-04-15 14:26 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-04-15 14:26 . 2010-04-18 21:06 -------- d-----w- c:\program files\Spyware Doctor

2010-04-15 14:26 . 2010-04-15 23:00 -------- d-----w- c:\program files\Common Files\PC Tools

2010-04-15 01:41 . 2010-04-15 01:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-18 20:59 . 2009-04-14 19:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-18 20:59 . 2007-07-14 03:59 12494 ----a-w- c:\windows\system32\tablet.dat

2010-04-18 20:50 . 2008-02-18 01:26 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat

2010-04-18 20:50 . 2008-02-18 01:26 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat

2010-04-18 20:48 . 2008-10-14 04:19 -------- d-----w- c:\documents and settings\main_user\Application Data\uTorrent

2010-04-18 20:02 . 2009-11-13 04:39 0 ----a-w- c:\documents and settings\main_user\Local Settings\Application Data\prvlcl.dat

2010-04-17 17:10 . 2008-01-20 22:02 -------- d-----w- c:\program files\Lx_cats

2010-04-16 17:20 . 2006-12-03 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-16 16:48 . 2009-09-22 15:33 -------- d-----w- c:\program files\BellCanada

2010-04-16 16:12 . 2008-01-25 05:22 -------- d-----w- c:\program files\LimeWire

2010-04-15 13:20 . 2010-03-01 06:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-15 13:20 . 2010-03-01 06:31 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-14 03:24 . 2008-01-25 05:23 -------- d-----w- c:\documents and settings\main_user\Application Data\LimeWire

2010-04-07 16:17 . 2010-04-07 16:17 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2010-04-01 16:12 . 2010-04-01 16:12 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe

2010-04-01 16:12 . 2010-04-01 16:12 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe

2010-04-01 16:12 . 2010-04-01 16:12 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll

2010-04-01 16:12 . 2010-04-01 16:12 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll

2010-04-01 16:12 . 2010-04-01 16:12 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe

2010-04-01 16:12 . 2010-04-01 16:12 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll

2010-04-01 16:12 . 2010-04-01 16:12 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll

2010-04-01 16:12 . 2010-04-01 16:12 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll

2010-04-01 16:12 . 2010-04-01 16:12 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll

2010-04-01 16:12 . 2010-04-01 16:12 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe

2010-04-01 16:12 . 2010-04-01 16:12 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll

2010-04-01 16:12 . 2010-04-01 16:12 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll

2010-04-01 16:10 . 2010-04-01 16:10 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-01 16:10 . 2010-04-01 16:10 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2010-03-30 04:46 . 2010-03-01 06:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2010-03-01 06:30 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-18 03:42 . 2009-03-26 05:35 -------- d-----w- c:\program files\uTorrent

2010-03-15 17:15 . 2009-10-25 20:48 62752 ---ha-w- c:\windows\system32\mlfcache.dat

2010-03-15 15:28 . 2009-03-29 19:46 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-15 15:28 . 2010-03-15 15:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-15 15:28 . 2009-03-29 19:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-15 15:28 . 2009-03-29 19:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-03-11 00:17 . 2008-06-30 23:22 -------- d-----w- c:\program files\Celtx

2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-01 06:31 . 2010-03-01 06:31 -------- d-----w- c:\documents and settings\main_user\Application Data\Malwarebytes

2010-03-01 06:30 . 2010-03-01 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-26 03:50 . 2008-05-04 15:57 -------- d-----w- c:\documents and settings\main_user\Application Data\Apple Computer

2010-02-25 18:27 . 2006-12-03 02:01 89664 ----a-w- c:\documents and settings\main_user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-25 00:24 . 2010-02-25 00:24 -------- d-----w- c:\program files\MSECache

2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 13:19 . 2004-08-04 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 12:39 . 2004-08-03 22:59 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:47 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:01 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2010-02-02 23:20 . 2010-02-02 23:20 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

2009-10-05 23:34 . 2009-09-14 18:29 210944 ----a-w- c:\program files\mozilla firefox\components\rpff.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-04-16_18.15.05 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-04-18 20:59 . 2010-04-18 20:59 16384 c:\windows\Temp\Perflib_Perfdata_578.dat

+ 2004-08-04 12:00 . 2004-08-04 12:00 95360 c:\windows\system32\dllcache\atapi.sys

+ 2004-08-04 12:00 . 2004-08-04 12:00 33280 c:\windows\Help\sstub.dll

+ 2004-08-04 12:00 . 2004-08-04 12:00 34816 c:\windows\Help\sniffpol.dll

+ 2004-08-04 12:00 . 2004-08-04 12:00 279040 c:\windows\Help\tshoot.dll

+ 2004-08-04 12:00 . 2004-08-04 12:00 152576 c:\windows\Help\bnts.dll

+ 2004-08-04 12:00 . 2004-08-04 12:00 3374640 c:\windows\Help\Tours\mmTour\tour.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-18 319792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IW Controlcenter"="c:\progra~1\INSTAN~1\INSTAN~1\IWCTRL.EXE" [2002-09-26 751104]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2004-07-09 1249280]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-04-14 45056]

"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]

"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]

"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]

"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]

"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nwiz"="nwiz.exe" [2006-10-22 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2008-12-07 1471488]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [bU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-16 113664]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]

TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-4 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-15 15:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\lxcgcoms.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [02/12/2006 11:50 PM 5248]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/04/2010 10:26 AM 217032]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/03/2009 3:46 PM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [29/03/2009 3:46 PM 242696]

R1 cdrdrv;cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [02/12/2006 11:03 PM 61952]

R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [02/12/2006 11:03 PM 9728]

R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [02/12/2006 11:03 PM 178688]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/03/2010 11:28 AM 308064]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [15/04/2010 10:31 AM 112592]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/04/2010 6:51 PM 366840]

S0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [02/12/2006 11:50 PM 160640]

S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [16/08/2008 8:50 PM 31872]

S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [29/11/2001 4:10 AM 1432836]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

.

Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mSearch Bar = hxxp://www.google.com

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\main_user\Application Data\Mozilla\Firefox\Profiles\mpbq3u84.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\program files\Mozilla Firefox\components\rpff.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-18 17:16

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run??????????st????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2???A~??A~????????\???\???????t???U?A~??A~\???\????????oa?L????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1935655697-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

Completion time: 2010-04-18 17:25:04

ComboFix-quarantined-files.txt 2010-04-18 21:24

ComboFix2.txt 2010-04-17 16:46

ComboFix3.txt 2010-04-16 20:41

ComboFix4.txt 2010-04-16 18:22

Pre-Run: 33,488,932,864 bytes free

Post-Run: 33,468,370,944 bytes free

- - End Of File - - 3BF9CBD0E1327C70FB462E7E9EBB1DF1


Uninstall it and:

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4011

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

20/04/2010 2:18:57 AM

mbam-log-2010-04-20 (02-18-57).txt

Scan type: Quick scan

Objects scanned: 109091

Time elapsed: 9 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Excellent! :(

Some final steps:

Step 1:

* Go to start > run and copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step 2:

Please manually delete DDS ; GMER ; JavaRa ;

Step 3:

Please locate to:

C:\Program Files\ESET\ESET Online Scanner

and run ESET Online Scanner uninstaller. Follow the instruction to successfully remove it.

Step 4:

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :(
