
Can't Get Rid of Anti-Malware Doctor



I've been researching a bit as well (http://support.microsoft.com/kb/950249/en-us) and (http://support.microsoft.com/kb/307654/).

If I can install the Recovery Console, I could uninstall SP3 from there. But to install the Recovery Console, I usually need the XP disk, which I don't have. But at the bottom of this advice from Microsoft, they outline another method to get the Recovery Console - by using a UNC connection. Would this method work? I don't understand how I could use a UNC connection without an internet connection, though:

To install the Recovery Console, follow these steps:

Insert the Windows XP CD into the CD-ROM drive.

Click Start, and then click Run.

In the Open box, type d:\i386\winnt32.exe /cmdcons, where d is the drive letter for the CD-ROM drive. In the case of Microsoft Windows XP Professional x64 Edition, type d:\amd64\winnt32.exe /cmdcons, where d is the drive letter for the CD-ROM drive.

A Windows Setup Dialog Box appears. The Windows Setup Dialog Box describes the Recovery Console option. To confirm the installation, click Yes.

Restart the computer. The next time that you start your computer, "Microsoft Windows Recovery Console" appears on the startup menu.

Alternatively, you can use a Universal Naming Convention (UNC)-established connection to install the Recovery Console from a network share point.

T

No, it is already installed. If it was able to uninstall, then you could re-download it again.

But for now let me research the issue.

I will be back with you in a bit.



Yes, I can have you create bootable media, but the Service Pack 3 cache has been removed or deleted for some reason.

So there is no hope of uninstalling Service Pack 3. Give me a bit to think it over; I will be back with you in the morning.


You will need another computer to do this.

Download RC.ISO and burn it to a CD as an ISO image. You may need a burning tool like ISO Recorder to do this...be sure to get the version for your operating system.

Once you have burned this as an ISO image, insert the CD into the drive, and then restart the computer. Watch for the prompt to "Press any key to boot from cd" and press the spacebar when you see it. You may have to change the boot priority in BIOS Setup to accomplish this...we'll cross that bridge if we get to it.

When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console...by number (usually 1)

When you are prompted to do so, type the Administrator password. If you have not set an administrator password, leave it blank and just press "Enter".

When you get to the Recovery Console prompt, type cd \ and press "Enter".

Type cd system~1\_resto~1 and press "Enter".

Type dir and press "Enter".

After you press Enter you will see a list of folders (like rp1, rp2). If the list of restore points has more than one page, then press the "Enter" key until you reach the end of the list.

Type cd rp {number of the second to last folder in the list} and press "Enter".

Note: Example: cd rp9 if the last restore point is rp10

Type cd snapshot and press "Enter".

Type copy _registry_machine_system c:\windows\system32\config\system and press "Enter".

Type copy _registry_machine_software c:\windows\system32\config\software and press "Enter".

Type exit and press "Enter".

Your PC will reboot.

=======================

If you get an access denied error when doing the above, then do the following at the recovery console:

Type cd \ and press "Enter".

Type cd windows\system32\config and press "Enter".

Type ren system system.bak and press "Enter".

Type exit and press "Enter".

Your PC will reboot, go back into the Recovery Console and start from the beginning.

==================

Then let's see if that can get you in normally.


Sorry, I didn't see that.

However, when I try to do what is recommended when I get that error, it still doesn't work.

After inputting the last line <ren system system.bak> it comes back and says: "A directory or file with the name system.bak already exists."

Assuming that everything was okay, I continued on, but I again got the "Access is denied" error after rebooting and restarting the console.

T


Okay, I found a way around the last error message I mentioned. I simply renamed the system file system1.bak.

Now, as I have worked my way down through the remaining instructions, I've become hung up somewhere else. I'm at the following for the prompt: C:\system~1\_resto~1\RP766>

RP 766 is the second to last RP on my list, the last one being RP 767.

Now, when I enter "cd snapshot" as directed, this message comes up: "The system cannot find the file or directory specified."

Now what?


That means that there is no restore snapshot in that folder.

You will have to type in this to go one level back: cd .. (you will need to type in 2 periods to go one directory back, just like what is in bold).

Once you type that, try a different folder until you find one that has an intact snapshot folder.

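The restore-point steps above (pick the second-to-last rp folder, and fall back to an older one when it has no snapshot folder) are a small selection rule that is easy to get wrong by hand. The Python below is an added example, not part of this thread or of any tool mentioned in it; it encodes that rule so it can be run from another machine against a mounted XP volume. The _restore{constructed} folder, the rp764 to rp767 numbers and the placeholder hive bytes are all constructed for the demo.

```python
import os
import re
import tempfile

# Restore point folders are named rp<N>; the thread's rule picks by number.
RP_RE = re.compile(r"^rp(\d+)$", re.IGNORECASE)
# The two hive copies the procedure copies back over system32\config.
HIVES = ("_registry_machine_system", "_registry_machine_software")


def list_restore_points(resto_dir):
    """Names of the rp<N> folders under resto_dir, oldest first by number."""
    found = []
    for entry in os.listdir(resto_dir):
        m = RP_RE.match(entry)
        if m and os.path.isdir(os.path.join(resto_dir, entry)):
            found.append((int(m.group(1)), entry))
    return [name for _, name in sorted(found)]


def snapshot_is_intact(rp_dir):
    """True when rp_dir has a snapshot folder holding both hive copies."""
    snap = os.path.join(rp_dir, "snapshot")
    if not os.path.isdir(snap):
        return False
    return all(os.path.isfile(os.path.join(snap, h)) for h in HIVES)


def pick_restore_point(resto_dir):
    """Apply the thread's rule: skip the newest rp folder (it may hold the
    broken state), then walk back from the second-to-last one until a
    folder with an intact snapshot turns up. Returns its name, or None."""
    rps = list_restore_points(resto_dir)
    for name in reversed(rps[:-1]):
        if snapshot_is_intact(os.path.join(resto_dir, name)):
            return name
    return None


def build_sample_tree(base):
    """Constructed stand-in for C:\\System Volume Information\\_restore{GUID}:
    rp766 has no snapshot folder (the situation hit in the thread),
    rp767 is the newest, rp764 and rp765 are intact."""
    resto = os.path.join(base, "_restore{constructed}")
    for num, intact in ((764, True), (765, True), (766, False), (767, True)):
        rp = os.path.join(resto, f"rp{num}")
        os.makedirs(rp)
        if intact:
            snap = os.path.join(rp, "snapshot")
            os.makedirs(snap)
            for hive in HIVES:
                with open(os.path.join(snap, hive), "wb") as fh:
                    fh.write(b"regf")  # placeholder bytes, not a real hive
    return resto


def demo():
    """Build the sample tree in a temp dir and run the selection on it."""
    with tempfile.TemporaryDirectory() as tmp:
        resto = build_sample_tree(tmp)
        return list_restore_points(resto), pick_restore_point(resto)


if __name__ == "__main__":
    points, chosen = demo()
    print("restore points:", points)
    print("would copy hives from:", chosen)
```

On the sample tree the rule skips rp767, finds rp766 without a snapshot, and settles on rp765, which is exactly the "go back one directory and try another folder" advice above. Pointed at a real _restore{GUID} folder on a mounted volume, pick_restore_point only reads; the copy over system32\config is still a deliberate manual step.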

Okay, progress.

When I get to this line <Type copy _registry_machine_software c:\windows\system32\config\software and press "Enter"> and hit enter, it asks me if I want to overwrite software (Yes, No, All):

Yes or All?



Okay, I took a chance and entered Yes, exit, and then rebooted, but I still got an error screen in the process of rebooting Windows.

Now what?



I went through your steps, but it didn't work. I still get the blue screen error upon start up.

Try to do this: boot into Safe Mode and go to Start, Run, then msconfig.

Choose diagnostic startup.

Hit OK to save the changes, then reboot and see if it boots into normal Windows.


OK, since it didn't do anything, make sure to switch it to normal startup through msconfig, then hit OK to save the changes.

Please delete your version of Combofix and re-download it from one of these locations:

Link 1

Link 2

Please then go here: http://support.microsoft.com/kb/310994 and manually download the setup disks for the Recovery Console. Choose the one for XP SP2; it won't matter about the service pack difference.

Once that is done, transfer that to the infected computer, then drag and drop it into ComboFix.

Once the Windows Recovery Console has finished installing, ComboFix will open a prompt stating that it was installed and asking if you would like to proceed with scanning your computer. At this point hit Yes.

Then please post the log from this run.


Hi,

Thanks for your message, and thanks for all your help this past week.

I just want to be clear about your instructions. My infected computer doesn't have a floppy drive, so are you telling me to download the setup disk file <WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe> and transfer that with my flash drive to my infected computer, and put that into the newly downloaded version of ComboFix? So, you're not actually asking me to make setup floppy disks, right?

T



Below is the log. I tried to start it normally after rebooting when combofix finished, but I still get the blue screen error.

I remembered after running the scan that I was supposed to first disable AVG. But when I looked at the log below, it says "On-access scanning disabled". So, perhaps it was already disabled. If I need to manually disable AVG and run it again, please let me know.

T

----------------

ComboFix 10-05-27.03 - Administrator 05/28/2010 10:27:17.2.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.804 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\zh9qide.log

.

((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))

.

2010-05-26 15:39 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\69062482.sys

2010-05-26 15:39 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\69062481.sys

2010-05-26 15:39 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\6906248.sys

2010-05-26 13:15 . 2010-05-27 11:55 -------- d-----w- c:\windows\LastGood.Tmp

2010-05-22 01:11 . 2008-04-13 19:20 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys

2010-05-22 01:11 . 2008-04-13 19:20 182656 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-05-21 21:34 . 2006-07-14 19:15 237637 ----a-w- c:\windows\system32\wsimd.dll

2010-05-21 21:34 . 2006-07-14 19:15 245831 ----a-w- c:\windows\system32\wsfwDS.dll

2010-05-21 21:34 . 2006-07-14 19:04 53248 ----a-w- c:\windows\system32\dsaNac.dll

2010-05-21 21:34 . 2006-07-14 19:04 1253432 ----a-w- c:\windows\system32\dsa.dll

2010-05-21 21:34 . 2006-06-02 16:52 54432 ----a-w- c:\windows\system32\wsimd.sys

2010-05-21 21:34 . 2006-06-02 16:52 54432 ----a-w- c:\windows\system32\drivers\wsimd.sys

2010-05-21 21:33 . 2006-06-13 15:27 507424 ----a-w- c:\windows\system32\ar5211.sys

2010-05-21 20:41 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe

2010-05-21 20:41 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-05-20 16:14 . 2010-05-21 21:34 -------- d-----w- C:\temp

2010-05-19 19:58 . 2010-05-19 19:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo

2010-05-19 16:48 . 2009-11-10 14:26 767952 ----a-w- c:\windows\BDTSupport.dll

2010-05-19 16:48 . 2009-11-10 14:28 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-05-19 16:48 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip

2010-05-19 16:48 . 2009-11-10 14:28 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-05-19 16:48 . 2009-11-10 14:28 1640400 ----a-w- c:\windows\PCTBDCore.dll

2010-05-19 16:48 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip

2010-05-19 16:47 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-05-19 16:47 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-05-19 16:47 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-05-19 16:47 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-05-19 16:46 . 2010-05-19 16:49 -------- d-----w- c:\program files\Common Files\PC Tools

2010-05-19 16:46 . 2010-05-19 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-05-19 16:46 . 2010-05-19 16:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2010-05-19 16:46 . 2010-05-19 16:52 -------- d-----w- c:\program files\Spyware Doctor

2010-05-19 16:45 . 2010-05-19 16:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\TrojanHunter

2010-05-19 15:30 . 2010-05-19 16:49 -------- d-----w- c:\program files\TrojanHunter 5.3

2010-05-19 03:18 . 2010-05-19 07:00 -------- d-----w- c:\windows\system32\MpEngineStore

2010-05-19 03:14 . 2010-05-19 11:01 -------- d-----w- C:\82a5d4438523fbde003de8

2010-05-19 02:51 . 2010-05-19 02:51 -------- d-----w- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-25 14:41 . 2010-01-28 03:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2010-05-21 21:50 . 2008-02-09 00:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-21 21:39 . 2006-08-17 22:12 -------- d-----w- c:\program files\Atheros

2010-05-21 21:33 . 2003-09-03 17:42 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-20 12:58 . 2010-03-13 01:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Dropbox

2010-05-19 19:59 . 2009-10-01 20:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-19 03:10 . 2004-07-16 18:54 90112 ----a-w- c:\windows\DUMP815d.tmp

2010-05-09 19:55 . 2005-10-29 15:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2010-05-09 13:57 . 2009-10-25 14:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2010-04-29 19:39 . 2009-10-01 20:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-10-01 20:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-20 14:45 . 2010-03-20 14:45 8704 ----a-w- c:\windows\system32\SpOrder.dll

2010-03-10 06:15 . 2003-09-03 17:04 420352 ----a-w- c:\windows\system32\vbscript.dll

2009-08-20 08:15 . 2009-08-20 08:15 135630545 ----a-w- c:\program files\openofficeorg1.cab

2009-08-20 08:13 . 2009-08-20 08:13 9815040 ----a-w- c:\program files\openofficeorg31.msi

2009-08-19 08:31 . 2009-08-19 08:31 336 ----a-w- c:\program files\setup.ini

2008-03-22 13:23 . 2008-03-22 13:24 774144 -c--a-w- c:\program files\RngInterstitial.dll

2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe

2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-04-02 23:50 809864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-08 133104]

"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2007-09-07 43008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TDxVGAUTIL"="c:\windows\system32\TDxVGAUTIL.EXE" [2007-08-01 237568]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-03 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-03 618496]

"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-07-07 135168]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"SoundMan"="SOUNDMAN.EXE" [2003-03-27 53248]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2003-08-21 81920]

"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2009-10-01 2179]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]

"AGRSMMSG"="AGRSMMSG.exe" [2003-07-25 88363]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"ACU"="c:\program files\Atheros\ACU.exe" [2006-08-10 344187]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2007-11-10 557568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-25 16:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk

backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TOAST.net Accelerator.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TOAST.net Accelerator.lnk

backup=c:\windows\pss\TOAST.net Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/19/2010 12:47 PM 207280]

R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [9/3/2003 2:44 PM 190465]

R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [9/3/2003 2:44 PM 5817]

S0 vrvbqg;vrvbqg; [x]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/1/2008 4:43 PM 335240]

S1 gyrcynpk;gyrcynpk;\??\c:\windows\system32\drivers\gyrcynpk.sys --> c:\windows\system32\drivers\gyrcynpk.sys [?]

S1 zrhkbeuop1;zrhkbeuop1;c:\windows\system32\drivers\zrhkbeuop1.sys --> c:\windows\system32\drivers\zrhkbeuop1.sys [?]

S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/1/2008 4:43 PM 297752]

S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [5/19/2010 12:48 PM 112592]

S2 MSIU-f36decbb;MSIU-f36decbb;c:\windows\system32\-f36decbb.exe --> c:\windows\system32\-f36decbb.exe [?]

S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\adm851x.sys [9/28/2007 11:28 AM 27135]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [3/21/2010 11:13 PM 16512]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/19/2010 12:46 PM 365280]

S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\windows\System32\Drivers\sunkfilt6.sys --> c:\windows\System32\Drivers\sunkfilt6.sys [?]

S3 SunkFilt62;Alcor Micro Corp - 6362;c:\windows\system32\drivers\sunkfilt62.sys [7/23/2004 4:55 PM 46536]

S3 TdxMrMINI;TdxMrMINI;c:\windows\system32\drivers\TdxMrMini.sys [9/28/2007 11:28 AM 249600]

S3 TdxVGAMINI;TdxVGAMINI;c:\windows\system32\drivers\TdxVgaMini.sys [9/28/2007 11:28 AM 252160]

S3 TdxVGAUSB;TARGUS USB2.0 VGA DOCK DEVICE(USB);c:\windows\system32\drivers\TdxVGAUSB.SYS [9/28/2007 11:28 AM 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

vvdsvc REG_MULTI_SZ vvdsvc

.

Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-753973301-2746587474-1836351941-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 18:03]

2009-07-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-04-02 23:50]

2009-10-08 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.nytimes.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: {{74FD513B-2A58-4A42-9151-7551BFB6FCD7} - {E9C7A4B7-B0EF-4F32-9F82-45DBED19BA1A} - c:\progra~1\SCHOLA~1\SAEXPL~1.DLL

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPInfotl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint_03000F10.dll

FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-28 10:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(252)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(312)

c:\windows\system32\WININET.dll

.

Completion time: 2010-05-28 10:49:44

ComboFix-quarantined-files.txt 2010-05-28 14:49

ComboFix2.txt 2010-05-22 03:58

ComboFix3.txt 2010-05-21 21:13

Pre-Run: 14,848,176,128 bytes free

Post-Run: 14,801,162,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 134947A7E11361775048DFF64111965F


Yes please disable the AVG shield before proceeding.

Ok please do the following:

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

TDL::
C:\WINDOWS\System32\DRIVERS\kbdclass.sys

Driver::
vrvbqg
gyrcynpk
zrhkbeuop1
MSIU-f36decbb

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"vvdsvc"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot (in case it asks to reboot), please post the following report/log in your next reply:

  • Combofix.txt

=============

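The four names under Driver:: and the svchost value under Registry:: in the CFScript above can be picked out of the posted ComboFix log mechanically, which is useful when a log has dozens of service lines. The Python below is an added example, not part of this thread or of ComboFix itself; it parses the R*/S* service lines and the svchost key dump (the lines from the earlier log, copied here as a constructed sample), and flags a service when its binary is missing and its display name is nothing more than its service name repeated. Reading the trailing [x] as "no image path" and [?] as "image path present but file not found", and the baseline list of Windows XP svchost group names, are assumptions of this example.

```python
import re

# Constructed sample: service/driver and svchost lines copied from the
# ComboFix log posted earlier in this thread, used as offline input.
SAMPLE_LOG = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/19/2010 12:47 PM 207280]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [9/3/2003 2:44 PM 190465]
S0 vrvbqg;vrvbqg; [x]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/1/2008 4:43 PM 335240]
S1 gyrcynpk;gyrcynpk;\??\c:\windows\system32\drivers\gyrcynpk.sys --> c:\windows\system32\drivers\gyrcynpk.sys [?]
S1 zrhkbeuop1;zrhkbeuop1;c:\windows\system32\drivers\zrhkbeuop1.sys --> c:\windows\system32\drivers\zrhkbeuop1.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/1/2008 4:43 PM 297752]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [5/19/2010 12:48 PM 112592]
S2 MSIU-f36decbb;MSIU-f36decbb;c:\windows\system32\-f36decbb.exe --> c:\windows\system32\-f36decbb.exe [?]
S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\windows\System32\Drivers\sunkfilt6.sys --> c:\windows\System32\Drivers\sunkfilt6.sys [?]
S3 TdxMrMINI;TdxMrMINI;c:\windows\system32\drivers\TdxMrMini.sys [9/28/2007 11:28 AM 249600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

vvdsvc REG_MULTI_SZ vvdsvc

.
"""

# Service line: start type (R0..S3), service name, display name, image path + size/date or marker.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
SVCHOST_KEY = r"[hkey_local_machine\software\microsoft\windows nt\currentversion\svchost]"
SVCHOST_ENTRY_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s*(?P<members>.*)$")

# Assumed baseline of svchost group names that ship with Windows XP; a group
# outside this set is worth a look, not automatically malicious.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss",
                        "dcomlaunch", "imgsvc", "httpfilter", "termsvcs"}


def parse_services(log_text):
    """One dict per R*/S* driver-or-service line in the log."""
    services = []
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        services.append({
            "start": m.group("start"),
            "name": m.group("name"),
            "display": m.group("display"),
            # Assumption: [x] = no image path at all, [?] = path given but file absent.
            "image_missing": rest.endswith("[x]") or rest.endswith("[?]"),
        })
    return services


def parse_svchost_groups(log_text):
    """Map svchost group name -> member service names from the svchost key dump."""
    groups = {}
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # any registry key header starts/ends a section
            in_section = line.lower() == SVCHOST_KEY
            continue
        if not in_section or not line or line == ".":
            continue
        m = SVCHOST_ENTRY_RE.match(line)
        if m:
            groups[m.group("group")] = m.group("members").split()
    return groups


def suspicious_services(log_text):
    """Services whose binary is gone AND whose display name is just the
    service name repeated (no vendor or product description at all)."""
    return [s["name"] for s in parse_services(log_text)
            if s["image_missing"] and s["display"] == s["name"]]


def suspicious_svchost_groups(log_text):
    """svchost groups not in the assumed Windows XP baseline."""
    return sorted(g for g in parse_svchost_groups(log_text)
                  if g.lower() not in KNOWN_SVCHOST_GROUPS)


if __name__ == "__main__":
    print("services to review:", suspicious_services(SAMPLE_LOG))
    print("svchost groups to review:", suspicious_svchost_groups(SAMPLE_LOG))
```

On the sample this returns vrvbqg, gyrcynpk, zrhkbeuop1 and MSIU-f36decbb, and the vvdsvc group, the same set the CFScript above removes. SunkFilt6 is also missing its file but keeps a vendor display name, so it stays unflagged, which matches the helper leaving it alone; the heuristic is a triage aid for reading the log, not a verdict.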

ComboFix 10-05-27.03 - Administrator 05/28/2010 14:54:44.3.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.803 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MSIU-F36DECBB

-------\Service_gyrcynpk

-------\Service_MSIU-f36decbb

-------\Service_vrvbqg

-------\Service_zrhkbeuop1

((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))

.

2010-05-26 15:39 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\69062482.sys

2010-05-26 15:39 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\69062481.sys

2010-05-26 15:39 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\6906248.sys

2010-05-26 13:15 . 2010-05-27 11:55 -------- d-----w- c:\windows\LastGood.Tmp

2010-05-22 01:11 . 2008-04-13 19:20 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys

2010-05-22 01:11 . 2008-04-13 19:20 182656 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-05-21 21:34 . 2006-07-14 19:15 237637 ----a-w- c:\windows\system32\wsimd.dll

2010-05-21 21:34 . 2006-07-14 19:15 245831 ----a-w- c:\windows\system32\wsfwDS.dll

2010-05-21 21:34 . 2006-07-14 19:04 53248 ----a-w- c:\windows\system32\dsaNac.dll

2010-05-21 21:34 . 2006-07-14 19:04 1253432 ----a-w- c:\windows\system32\dsa.dll

2010-05-21 21:34 . 2006-06-02 16:52 54432 ----a-w- c:\windows\system32\wsimd.sys

2010-05-21 21:34 . 2006-06-02 16:52 54432 ----a-w- c:\windows\system32\drivers\wsimd.sys

2010-05-21 21:33 . 2006-06-13 15:27 507424 ----a-w- c:\windows\system32\ar5211.sys

2010-05-21 20:41 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe

2010-05-21 20:41 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-05-20 16:14 . 2010-05-21 21:34 -------- d-----w- C:\temp

2010-05-19 19:58 . 2010-05-19 19:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo

2010-05-19 16:48 . 2009-11-10 14:26 767952 ----a-w- c:\windows\BDTSupport.dll

2010-05-19 16:48 . 2009-11-10 14:28 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-05-19 16:48 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip

2010-05-19 16:48 . 2009-11-10 14:28 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-05-19 16:48 . 2009-11-10 14:28 1640400 ----a-w- c:\windows\PCTBDCore.dll

2010-05-19 16:48 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip

2010-05-19 16:47 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-05-19 16:47 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-05-19 16:47 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-05-19 16:47 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-05-19 16:46 . 2010-05-19 16:49 -------- d-----w- c:\program files\Common Files\PC Tools

2010-05-19 16:46 . 2010-05-19 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-05-19 16:46 . 2010-05-19 16:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2010-05-19 16:46 . 2010-05-19 16:52 -------- d-----w- c:\program files\Spyware Doctor

2010-05-19 16:45 . 2010-05-19 16:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\TrojanHunter

2010-05-19 15:30 . 2010-05-19 16:49 -------- d-----w- c:\program files\TrojanHunter 5.3

2010-05-19 03:18 . 2010-05-19 07:00 -------- d-----w- c:\windows\system32\MpEngineStore

2010-05-19 03:14 . 2010-05-19 11:01 -------- d-----w- C:\82a5d4438523fbde003de8

2010-05-19 02:51 . 2010-05-19 02:51 -------- d-----w- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-25 14:41 . 2010-01-28 03:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2010-05-21 21:50 . 2008-02-09 00:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-21 21:39 . 2006-08-17 22:12 -------- d-----w- c:\program files\Atheros

2010-05-21 21:33 . 2003-09-03 17:42 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-20 12:58 . 2010-03-13 01:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Dropbox

2010-05-19 19:59 . 2009-10-01 20:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-19 03:10 . 2004-07-16 18:54 90112 ----a-w- c:\windows\DUMP815d.tmp

2010-05-09 19:55 . 2005-10-29 15:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2010-05-09 13:57 . 2009-10-25 14:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2010-04-29 19:39 . 2009-10-01 20:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-10-01 20:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-20 14:45 . 2010-03-20 14:45 8704 ----a-w- c:\windows\system32\SpOrder.dll

2010-03-10 06:15 . 2003-09-03 17:04 420352 ----a-w- c:\windows\system32\vbscript.dll

2009-08-20 08:15 . 2009-08-20 08:15 135630545 ----a-w- c:\program files\openofficeorg1.cab

2009-08-20 08:13 . 2009-08-20 08:13 9815040 ----a-w- c:\program files\openofficeorg31.msi

2009-08-19 08:31 . 2009-08-19 08:31 336 ----a-w- c:\program files\setup.ini

2008-03-22 13:23 . 2008-03-22 13:24 774144 -c--a-w- c:\program files\RngInterstitial.dll

2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe

2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-04-02 23:50 809864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-08 133104]

"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2007-09-07 43008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TDxVGAUTIL"="c:\windows\system32\TDxVGAUTIL.EXE" [2007-08-01 237568]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-03 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-03 618496]

"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-07-07 135168]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"SoundMan"="SOUNDMAN.EXE" [2003-03-27 53248]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2003-08-21 81920]

"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2009-10-01 2179]

"AGRSMMSG"="AGRSMMSG.exe" [2003-07-25 88363]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"ACU"="c:\program files\Atheros\ACU.exe" [2006-08-10 344187]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2007-11-10 557568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-25 16:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk

backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TOAST.net Accelerator.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TOAST.net Accelerator.lnk

backup=c:\windows\pss\TOAST.net Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

2010-03-19 19:59 2046816 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/19/2010 12:47 PM 207280]

R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [9/3/2003 2:44 PM 190465]

R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [9/3/2003 2:44 PM 5817]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/1/2008 4:43 PM 335240]

S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/1/2008 4:43 PM 297752]

S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [5/19/2010 12:48 PM 112592]

S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\adm851x.sys [9/28/2007 11:28 AM 27135]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [3/21/2010 11:13 PM 16512]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/19/2010 12:46 PM 365280]

S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\windows\System32\Drivers\sunkfilt6.sys --> c:\windows\System32\Drivers\sunkfilt6.sys [?]

S3 SunkFilt62;Alcor Micro Corp - 6362;c:\windows\system32\drivers\sunkfilt62.sys [7/23/2004 4:55 PM 46536]

S3 TdxMrMINI;TdxMrMINI;c:\windows\system32\drivers\TdxMrMini.sys [9/28/2007 11:28 AM 249600]

S3 TdxVGAMINI;TdxVGAMINI;c:\windows\system32\drivers\TdxVgaMini.sys [9/28/2007 11:28 AM 252160]

S3 TdxVGAUSB;TARGUS USB2.0 VGA DOCK DEVICE(USB);c:\windows\system32\drivers\TdxVGAUSB.SYS [9/28/2007 11:28 AM 33280]

.

Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-753973301-2746587474-1836351941-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 18:03]

2009-07-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-04-02 23:50]

2009-10-08 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.nytimes.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: {{74FD513B-2A58-4A42-9151-7551BFB6FCD7} - {E9C7A4B7-B0EF-4F32-9F82-45DBED19BA1A} - c:\progra~1\SCHOLA~1\SAEXPL~1.DLL

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bs18700o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPInfotl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint_03000F10.dll

FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-28 15:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(260)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(320)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1152)

c:\windows\system32\WININET.dll

c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2010-05-28 15:51:00 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-28 19:50

ComboFix2.txt 2010-05-28 14:49

ComboFix3.txt 2010-05-22 03:58

ComboFix4.txt 2010-05-21 21:13

Pre-Run: 14,817,034,240 bytes free

Post-Run: 14,774,038,528 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - C01E5A6596A2B14479217C380BF688C3

This topic is now closed to further replies.