Help Please!!!


Hey, I'm new to this forum and it is the first time that I've used MBAM. I did the full system scan and after a couple of hours on my PC, it was done, but it gave me 80 infected files which are now in quarantine. I need some help determining which files are legitimate and which ones are actually malware. All help would be greatly appreciated! :D

mbam_log_2010_08_13__19_38_16_.txt

Hi,

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Hi,

Please do not attach your logs as it is harder for me to read them that way. Post them instead:

ComboFix 10-08-18.04 - Owner 08/19/2010 22:00:00.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.406 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Rogers Online Protection Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

FW: Rogers Online Protection Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Owner\LOCALS~1\Temp\IadHide5.dll

c:\documents and settings\All Users\Application Data\shs_setup_4059-354328.exe

c:\documents and settings\Owner\Local Settings\Temp\IadHide5.dll

c:\windows\settings.reg

c:\windows\system32\Data

c:\windows\system32\system

.

((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))

.

2010-08-19 20:48 . 2010-08-19 20:59 -------- d-----w- c:\documents and settings\Owner\Application Data\yoclient

2010-08-17 17:15 . 2010-08-17 17:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Publish Providers

2010-08-17 17:13 . 2010-08-17 17:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Sony

2010-08-17 16:41 . 2010-08-17 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony

2010-08-17 02:13 . 2010-08-17 02:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Toribash

2010-08-13 17:03 . 2010-08-13 17:03 -------- d-----w- c:\documents and settings\Owner\Application Data\NewSoft

2010-08-11 00:36 . 2010-08-11 00:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-08-11 00:36 . 2010-08-11 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-07 02:06 . 2010-08-07 02:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\DivX

2010-07-27 16:01 . 2010-07-27 16:01 -------- d-----w- c:\documents and settings\Owner\Application Data\.minecraft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-20 02:20 . 2010-06-18 18:39 -------- d-----w- c:\documents and settings\Owner\Application Data\.oit

2010-08-20 02:11 . 2010-08-19 02:55 165432 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-08-19 21:43 . 2010-08-12 18:37 215016 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-08-19 21:11 . 2010-08-12 18:37 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-08-18 15:48 . 2010-01-03 18:03 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc

2010-08-18 02:40 . 2010-06-24 22:02 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent

2010-08-17 16:41 . 2009-09-02 23:33 -------- d-----w- c:\program files\Sony

2010-08-14 21:02 . 2010-08-14 21:02 -------- d-----w- c:\program files\Trend Micro

2010-08-12 18:37 . 2010-08-12 18:37 138056 ----a-w- c:\documents and settings\Owner\Application Data\PnkBstrK.sys

2010-08-12 18:36 . 2010-08-12 18:36 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

2010-08-12 18:36 . 2010-08-12 18:36 2427248 ----a-w- c:\windows\system32\pbsvc_heroes.exe

2010-08-12 18:20 . 2010-08-12 18:20 -------- d-----w- c:\program files\EA Games

2010-08-11 00:36 . 2010-08-11 00:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-10 19:35 . 2010-05-25 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-08-10 17:40 . 2010-08-10 17:28 -------- d-----w- c:\program files\mp3DirectCut

2010-08-10 17:29 . 2010-06-16 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Screentime

2010-08-06 18:55 . 2010-08-06 18:55 -------- d-----w- c:\program files\ffdshow

2010-08-06 18:50 . 2010-08-06 18:50 -------- d-----w- c:\program files\TVersity Codec Pack

2010-08-06 18:50 . 2010-08-06 18:50 -------- d-----w- c:\program files\TVersity

2010-08-06 11:35 . 2010-05-13 01:50 -------- d-----w- c:\program files\Steam

2010-08-06 11:32 . 2010-06-24 22:03 -------- d-----w- c:\program files\uTorrent

2010-07-30 15:49 . 2009-08-30 21:03 -------- d-----w- c:\program files\Rogers

2010-07-30 15:13 . 2009-12-07 00:55 -------- d-----w- c:\program files\Rogers Online Protection

2010-07-28 03:29 . 2010-07-28 03:29 -------- d-----w- c:\program files\Common Files\Java

2010-07-28 03:27 . 2009-08-27 02:31 -------- d-----w- c:\program files\Java

2010-07-26 02:52 . 2010-07-26 02:52 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-21 19:15 . 2009-10-29 23:47 -------- d-----w- c:\program files\iTunes

2010-07-21 19:12 . 2010-07-21 19:12 -------- d-----w- c:\program files\iPod

2010-07-21 19:12 . 2009-08-17 13:32 -------- d-----w- c:\program files\Common Files\Apple

2010-07-17 09:00 . 2010-04-21 10:54 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-16 18:38 . 2009-08-16 19:26 73552 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-16 16:07 . 2010-07-16 16:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Epic

2010-07-16 16:07 . 2010-07-16 16:06 -------- d-----w- c:\program files\Epic

2010-07-16 15:09 . 2009-12-07 00:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Rogers Online Protection

2010-07-16 15:07 . 2009-12-07 01:13 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys

2010-07-16 15:07 . 2009-12-07 01:13 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys

2010-07-16 15:07 . 2010-07-16 15:07 -------- d-----w- c:\program files\Raxco

2010-07-16 15:07 . 2010-07-16 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco

2010-07-16 15:04 . 2009-12-07 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Rogers Online Protection

2010-07-16 15:04 . 2009-08-15 21:11 -------- d-----w- c:\program files\InstallShield Installation Information

2010-07-16 14:58 . 2010-07-16 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint

2010-07-14 20:32 . 2010-07-03 17:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus

2010-07-13 13:44 . 2010-06-18 18:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Epson

2010-07-13 12:03 . 2010-07-13 11:58 -------- d-----w- c:\program files\Common Files\EPSON

2010-07-13 11:58 . 2010-07-13 11:58 -------- d-----w- c:\program files\EpsonNet

2010-07-13 11:52 . 2010-06-18 18:30 -------- d-----w- c:\program files\Epson Software

2010-07-13 11:27 . 2010-05-25 13:36 -------- d-----w- c:\program files\Microsoft Mouse Mischief

2010-07-13 00:40 . 2009-12-04 01:52 58292 ---ha-w- c:\windows\system32\mlfcache.dat

2010-07-11 13:50 . 2010-07-11 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes

2010-07-11 13:46 . 2010-07-11 13:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Sibelius Software

2010-07-11 13:38 . 2010-04-24 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-07-11 13:38 . 2009-11-29 14:30 -------- d-----w- c:\program files\DivX

2010-07-07 23:00 . 2010-07-07 22:56 -------- d-----w- c:\program files\Graboid

2010-07-05 16:44 . 2010-07-05 16:43 -------- d-----w- c:\program files\QuickTime

2010-07-05 16:43 . 2009-08-17 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-07-05 16:42 . 2010-07-05 16:42 -------- d-----w- c:\program files\Apple Software Update

2010-07-05 16:37 . 2009-08-21 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Skyline

2010-07-05 16:07 . 2010-06-04 23:21 -------- d-----w- c:\documents and settings\Owner\Application Data\BitZipper

2010-07-03 17:24 . 2010-07-03 17:24 -------- d-----w- c:\program files\Vuze

2010-07-03 17:20 . 2010-06-14 20:26 -------- d-----w- c:\program files\Frets on Fire

2010-06-30 12:31 . 2009-08-20 16:16 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-29 21:23 . 2010-06-29 20:47 -------- d-----w- c:\program files\Valve

2010-06-29 19:59 . 2009-09-24 02:14 -------- d-----w- c:\program files\SystemRequirementsLab

2010-06-29 19:58 . 2009-09-24 02:13 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab

2010-06-24 12:22 . 2004-08-04 00:56 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-03 23:17 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2004-08-03 23:14 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-20 20:54 . 2010-08-19 20:54 32 ----a-r- c:\documents and settings\All Users\hash.dat

2010-06-17 14:03 . 2004-08-04 00:56 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 07:41 . 2004-08-04 00:56 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-16 39408]

"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2009-08-17 36864]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-26 135664]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

"PMSpeed"="c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE" [2008-12-09 55120]

"ltcmScheduler"="c:\program files\LTCM Client\ltcmScheduler.exe" [2009-08-05 105664]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SMSERIAL"="sm56hlpr.exe" [2005-06-06 544768]

"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]

"P17Helper"="P17.dll" [2005-05-03 64512]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]

"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]

"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]

"CallControl 4.5"="c:\program files\FaxTalk Communicator\FTCtrl32.exe" [2004-03-23 123904]

"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 94208]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 94208]

"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-08-03 529968]

"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-08-03 244520]

"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2010-06-03 2736128]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]

"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-06-05 843776]

"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2008-05-24 26448]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-08-05 1596096]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"RogersServicepointAgent.exe"="c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" [2010-05-26 4314352]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2009-8-16 196608]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-16 671744]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Microsoft Corporation\\Tinker\\Tinker.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Valve\\hl.exe"=

"c:\\Program Files\\Valve\\hlds.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=

"c:\\Program Files\\NewSoft\\Presto! PageManager 8 for EP\\LicenseCheck.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Rogers Online Protection\\Rogers Servicepoint Agent\\ServicepointService.exe"=

"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8370:TCP"= 8370:TCP:League of Legends Launcher

"8370:UDP"= 8370:UDP:League of Legends Launcher

"8372:TCP"= 8372:TCP:League of Legends Launcher

"8372:UDP"= 8372:UDP:League of Legends Launcher

"6969:TCP"= 6969:TCP:League of Legends Launcher

"6969:UDP"= 6969:UDP:League of Legends Launcher

R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/16/2010 11:09 AM 25608]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/16/2009 10:36 PM 3712]

R2 Radialpoint Security Services;Rogers Online Protection;c:\program files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe [5/31/2010 1:46 PM 166944]

R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Rogers Online Protection\Rogers Online Protection\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [7/16/2010 11:09 AM 5832712]

R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [6/3/2010 3:46 PM 139264]

R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [6/3/2010 3:46 PM 163840]

R2 ServicepointService;ServicepointService;c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\ServicepointService.exe [7/30/2010 11:13 AM 689392]

R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Rogers Online Protection\Rogers Online Protection\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [7/16/2010 11:09 AM 122376]

R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Rogers Online Protection\Rogers Online Protection\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [7/16/2010 11:09 AM 30216]

R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Rogers Online Protection\Rogers Online Protection\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [7/16/2010 11:09 AM 25736]

S2 gupdate1ca1ee4f000432a;Google Update Service (gupdate1ca1ee4f000432a);c:\program files\Google\Update\GoogleUpdate.exe [8/16/2009 10:46 PM 133104]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 pbfilter;pbfilter;c:\documents and settings\Owner\My Documents\Downloads\PeerBlock_r181__Win32_Release\pbfilter.sys [9/28/2009 2:02 AM 14424]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 7F057304

*NewlyCreated* - 8D96FD75

*Deregistered* - 7f057304

*Deregistered* - 8d96fd75

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan sysagent

.

Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-17 02:46]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-17 02:46]

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-1993962763-725345543-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-02 17:38]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-1993962763-725345543-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-02 17:38]

2010-08-20 c:\windows\Tasks\User_Feed_Synchronization-{CE5D59C6-3BFE-474B-A1F9-4CA99F8DBED3}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.gmail.com

uDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\amyr41v6.default\

FF - prefs.js: browser.search.selectedEngine - Ask.com

FF - prefs.js: browser.startup.homepage - hxxp://ca.yahoo.com/

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\amyr41v6.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\amyr41v6.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\nprpspa.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-ares - c:\program files\Ares\Ares.exe

HKLM-Run-NWEReboot - (no file)

HKLM-Run-nwiz - nwiz.exe

AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

AddRemove-RSH Home Networking Wizard - c:\program files\Rogers\HomeNetworking\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-19 22:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\Owner\LOCALS~1\Temp\lucene-f9b5889647e446f5e474651506cf5dfa-commit.lock 0 bytes

scan completed successfully

hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-1993962763-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{10A749E4-A9EF-86F9-4B88-18B6FE3D0646}*]

"haldkmegclfjppga"=hex:6a,61,68,67,62,69,61,62,6c,67,6c,62,6d,6b,70,6d,6c,6d,

63,69,00,f2

"gaeendhdcnbaic"=hex:61,63,65,6e,66,61,63,61,68,65,69,64,65,6f,6e,63,63,6e,63,

66,66,6c,6e,6d,6c,65,66,68,6a,61,69,68,62,6a,62,66,6f,61,6f,67,64,6d,63,66,\

[HKEY_USERS\S-1-5-21-2052111302-1993962763-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{58104CD9-78FD-CC33-2D5B-5F5560C491A1}*]

"iajdlolnlecigoleip"=hex:6a,61,64,67,66,62,6c,6b,68,66,69,6c,62,6c,61,64,6c,6d,

69,65,00,f2

"hapabpiacfmcfcld"=hex:6a,61,64,67,66,62,6c,6b,68,66,69,6c,62,6c,61,64,6c,6d,

69,65,00,f2

"gaiagcpcjbilgc"=hex:61,63,6e,67,65,6d,66,70,67,65,67,66,6b,66,69,6e,69,67,6b,

69,65,6b,6d,69,6e,67,6c,70,65,6d,61,6f,62,65,67,65,67,65,65,6c,64,64,66,63,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2640)

c:\windows\system32\WININET.dll

c:\docume~1\Owner\LOCALS~1\Temp\IadHide5.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Rogers Online Protection\Rogers Online Protection\Fws.exe

c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTsvcCDA.exe

c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\TVersity\Media Server\MediaServer.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\system32\WgaTray.exe

c:\windows\sm56hlpr.exe

c:\windows\system32\Rundll32.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2010-08-19 22:33:12 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-20 02:33

Pre-Run: 10,222,350,336 bytes free

Post-Run: 14,887,546,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 244503266A45ED939D26C2860F57EB62

Hi,

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Start Malwarebytes' Anti-Malware

  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates have been downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


I ran the TFC and it rebooted automatically. That went fine with about 1,000mb deleted. After the reboot I ran MBAM and performed a quick scan that resulted in the following log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4458

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/21/2010 4:16:43 PM

mbam-log-2010-08-21 (16-16-43).txt

Scan type: Quick scan

Objects scanned: 148982

Time elapsed: 13 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I will go ahead and try the ESET online scanner and get back to you soon. Thanks for all the help so far :]


The ESET online scanner found nothing. There was no log, 0 files found. I however ran a new full scan with MBAM and these showed up. Any tips on this log?

---------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4478

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/25/2010 10:10:11 PM

mbam-log-2010-08-25 (22-10-11).txt

Scan type: Full scan (C:\|G:\|)

Objects scanned: 342656

Time elapsed: 3 hour(s), 15 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{n68d6a48-d0w7-21v7-p82n-34c3cpk25hx1} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hkcu (Trojan.Backdoor) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Trojan.Backdoor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hklm (Trojan.Backdoor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Trojan.Backdoor) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\WindowsUpdate\server.exe (Generic.Bot.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000d53 (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000da1 (Spyware.Dybalom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\CCryp122.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-2052111302-1993962763-725345543-1003\Dc14.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\XxX.xXx (Malware.Trace) -> Delete on reboot.

------------------------------------------------------------

Thanks for the help :)


Hi,

Please delete your copy of ComboFix.exe from the desktop.

Then download the latest version of ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
