
not sure if attachments made it for previous post



This started last night. I first noticed a decline in performance, then a second later, saw a black cmd prompt window just for an instant, knew I'd been had. I tried to run A-squared first, it wouldn't run, tried to run MBAM next, it wouldn't run. I did not have virus protection at the time. I uninstalled mbam, reinstalled it from the downloaded installer I still had, and it installed, but at the "update and start mbam" final step, nothing happened. Uninstalled mbam, used Yahoo to search your site, clicked on the link, and got a browser error stating it couldn't access your site, ditto Symantec, McAfee, but all other sites I checked, eBay, local radio station, local sports team sites, loaded fine. Got on second machine, downloaded your installer, and checked your forums, found a post stating I should rename the mbam executable. Reinstalled mbam on infected machine using flash drive, and renamed the executable, which got mbam working. Scanned and removed 4 trojans. Tried to update mbam, wouldn't update. Restarted infected machine in safe mode with networking, this got mbam updated. Restarted in normal mode, ran full system scan, found 1 more infected item, I'm sorry I can't remember what that one was. Restarted infected machine, and ran another full system scan which said computer was clean. Started Firefox 3.6, went to Yahoo and clicked on the link to your site, this time I got redirected to a site with your company's name at the top, but it was selling something called malware remover. Got on 2nd machine, went to your forums, found a post talking about Avira antivirus. Downloaded it, and installed it on the infected machine with flash drive. Avira found 7 more infected items and quarantined them. I then deleted them from the quarantine area. Rebooted, still have browser redirect issues, and still have performance issues. I have followed the prescribed steps, and have included the logs your help post requires. While running gmer, I couldn't get the ark.txt file to save.
Had to restart in safe mode to get the scan to run to the end, and save the file. Not sure if that matters. Thank you very much in advance for your time, hope you can figure out where it's hiding because I can't.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Mike at 12:17:26.79 on Mon 08/30/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2596 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5577

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\trendnet tew-421pc_tew-423pi\WlanCU.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: aol.com\free

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236794227859

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\l32ynets.default\

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - plugin: c:\documents and settings\mike\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\mike\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-3-11 11264]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-30 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-30 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-30 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-30 60936]

R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2002-10-2 13532]

S3 ALSysIO;ALSysIO;\??\c:\docume~1\mike\locals~1\temp\alsysio.sys --> c:\docume~1\mike\locals~1\temp\ALSysIO.sys [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-3-13 1684736]

=============== Created Last 30 ================

2010-08-30 17:01:58 20 ----a-w- c:\documents and settings\mike\defogger_reenable

2010-08-30 11:37:10 0 d-----w- c:\windows\system32\NtmsData

2010-08-30 11:36:51 0 d-----w- c:\docume~1\mike\applic~1\Avira

2010-08-30 11:27:08 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-30 11:27:08 0 d-----w- c:\program files\Avira

2010-08-30 11:27:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-08-30 09:19:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-30 09:19:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-30 09:19:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-27 19:18:14 0 d-----w- C:\PerfLogs

2010-07-31 21:10:24 0 d-----w- c:\docume~1\mike\applic~1\Vuwy

==================== Find3M ====================

2010-08-24 05:12:33 218808 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-08-24 03:51:10 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-07-17 10:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-17 01:09:12 87608 ----a-w- c:\docume~1\mike\applic~1\inst.exe

2010-07-17 01:09:12 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2010-07-17 01:09:12 47360 ----a-w- c:\docume~1\mike\applic~1\pcouffin.sys

2010-07-09 19:04:40 41872 ----a-w- c:\windows\system32\xfcodec.dll

============= FINISH: 12:18:36.43 ===============

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4511

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

8/31/2010 12:03:00 AM

mbam-log-2010-08-31 (00-03-00).txt

Scan type: Full scan (C:\|)

Objects scanned: 201600

Time elapsed: 24 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\Q9wSK93.sys (Trojan.Downloader) -> Quarantined and deleted successfully.


Now that we have both posts here, let's do a rootkit scan.

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"


Here is the log from Rootkit Unhooker. Thanks very much for your help, Elise.

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xB620E000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10276864 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 196.21 )

0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6361088 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 196.21 )

0xA9965000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 6115328 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2150400 bytes

0x804D7000 RAW 2150400 bytes

0x804D7000 WMIxWDM 2150400 bytes

0xBF800000 Win32k 1847296 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xB7E35000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xA1EE7000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xAF686000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xA1FF2000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xA1ADB000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)

0x9F742000 C:\WINDOWS\system32\DRIVERS\rtl8185.sys 307200 bytes (Realtek Semiconductor Corporation , Realtek RTL8185 NDIS5.1 miniport driver)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xA0B81000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xB28DC000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xB7F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xA1BCD000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xB7E08000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0x93BD6000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xA1F57000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xB61D2000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xA1FCA000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xB7F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xA1FA4000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0x93C01000 C:\WINDOWS\system32\drivers\PnkBstrK.sys 147456 bytes

0xA9941000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xB618B000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xB5780000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xB61AF000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 143360 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )

0xA1F82000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xA1EC5000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 139264 bytes (Avira GmbH, Avira Driver for Security Enhancement)

0x806E4000 ACPI_HAL 134400 bytes

0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xB7EEB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xB7F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xB7DEE000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xB7F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xB7EC2000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xB5769000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xA1C9A000 C:\WINDOWS\system32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)

0xA1CB0000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)

0xA17F6000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xB5808000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xB61FA000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xA204B000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xB7ED9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xB7F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xB5758000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xA2EAA000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xB722D000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xB8268000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)

0xAD42A000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xB721D000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xB4F66000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xAD41A000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xB80A8000 qoxswm.sys 57344 bytes

0xB80F8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xB720D000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xB80D8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xB4F56000 C:\WINDOWS\System32\Drivers\pcouffin.sys 49152 bytes (VSO Software, low level access layer for CD/DVD/BD devices)

0xB71ED000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xA2EDA000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xB723D000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xB80C8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xB71FD000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xB80B8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xADE81000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xB8108000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0xB49C4000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xB80E8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xA26BA000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)

0xB8228000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)

0xB71DD000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xA2EFA000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xA19A3000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xA2EEA000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xA2FFA000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xA2FEA000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)

0xB83C0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xA3012000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)

0xB8328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xB83F0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xB83F8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xA2FF2000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)

0xB83B8000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)

0xA300A000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xA302A000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)

0xB8450000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 20480 bytes (GEAR Software Inc., CD DVD Filter)

0xA3002000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xB83A0000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xB8458000 C:\WINDOWS\system32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)

0xB83C8000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xB8460000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xA296D000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xA28BC000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xB6BEB000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xB84CC000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xA5979000 C:\WINDOWS\system32\drivers\PfModNT.sys 16384 bytes (Creative Technology Ltd., PCI/ISA Device Info. Service)

0xB7DBA000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)

0xA1A17000 C:\WINDOWS\System32\Drivers\SjyPkt.sys 16384 bytes (Windows ® 2000 DDK provider, Sample NDIS 5.0 Protocol Driver)

0xB84B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xA9F4A000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xA28C4000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)

0xB7DB6000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xB7DAA000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xA2DB8000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xB864C000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)

0xB8644000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xB85AE000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)

0xB8642000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xB85A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xB8646000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xB865E000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)

0xB8648000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xB8626000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xB85B2000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xB85AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xB8752000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xB8762000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xA2763000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

!!!!!!!!!!!Hidden driver: 0x8ACD3AF1 ?_empty_? 1295 bytes

!!!!!!!!!!!Hidden driver: 0x8AD97760 ?_empty_? 0 bytes

==============================================

>Stealth

==============================================

0xB7F0B000 WARNING: suspicious driver modification [atapi.sys::0x8ACD3AF1]

0xB80B8000 WARNING: Virus alike driver modification [isapnp.sys], 40960 bytes

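As an added triage example (not code from this thread or from any of the tools it mentions), the following Python script flags the kinds of indicators visible in the DDS and Rootkit Unhooker logs above: a browser proxy pointing at 127.0.0.1, a service loading its driver from a temp directory, hidden driver objects, driver-modification warnings, and kernel modules with no vendor information, and it links a hidden driver object to the warning that references the same address. The embedded sample lines are constructed in the style of the posted logs; the rule names and severities are my own, not the tools'.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "critical", "high" or "low" (assumed scale, not from the tools)
    rule: str
    detail: str


# Constructed sample lines in the style of the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections posted in this thread.
DDS_SAMPLE = r"""
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-3-11 11264]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\mike\locals~1\temp\alsysio.sys --> c:\docume~1\mike\locals~1\temp\ALSysIO.sys [?]
"""

# Constructed sample lines in the style of the Rootkit Unhooker report.
RKU_SAMPLE = r"""
0xB7F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB80A8000 qoxswm.sys 57344 bytes
!!!!!!!!!!!Hidden driver: 0x8ACD3AF1 ?_empty_? 1295 bytes
0xB7F0B000 WARNING: suspicious driver modification [atapi.sys::0x8ACD3AF1]
0xB80B8000 WARNING: Virus alike driver modification [isapnp.sys], 40960 bytes
"""

# A browser proxy on a loopback address means a local process sits between the
# browser and the network, which is what produces redirects and blocked vendor sites.
_LOOPBACK = re.compile(r"(127\.\d+\.\d+\.\d+|localhost|\[?::1\]?)", re.IGNORECASE)
_PROXY = re.compile(r"Internet Settings,ProxyServer\s*=\s*(.+)$")
# DDS service/driver line: "<R|S><n> name;display name;path [date size]"
_SERVICE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+)$")
# Legitimate drivers do not normally live in temp or per-user application data.
_VOLATILE_DIR = re.compile(r"\\(temp|application data|applic~1)\\", re.IGNORECASE)

# Rootkit Unhooker report lines.
_HIDDEN = re.compile(r"^!+Hidden driver:\s+(0x[0-9A-Fa-f]+)\s+(\S+)\s+(\d+) bytes")
_MODIFIED = re.compile(r"WARNING:\s+(.*?driver modification)\s+\[([^\]]+)\]")
# Module line with a size but no trailing "(vendor, description)" block.
_NO_VENDOR = re.compile(r"^0x[0-9A-Fa-f]+\s+(\S+)\s+(\d+)\s+bytes\s*$")


def triage_dds(text: str) -> List[Finding]:
    """Flag a loopback proxy and services whose driver lives in a volatile directory."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        m = _PROXY.search(line)
        if m and _LOOPBACK.search(m.group(1)):
            findings.append(Finding("high", "loopback-proxy",
                                    f"browser proxied through {m.group(1).strip()}"))
            continue
        m = _SERVICE.match(line)
        if m and _VOLATILE_DIR.search(m.group(2)):
            path = m.group(2).split(" [")[0]
            findings.append(Finding("high", "driver-in-volatile-dir",
                                    f"{m.group(1)} loads from {path}"))
    return findings


def triage_rku(text: str) -> List[Finding]:
    """Flag hidden driver objects, modified drivers and modules without vendor info."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        m = _HIDDEN.match(line)
        if m:
            findings.append(Finding("critical", "hidden-driver",
                                    f"unlinked driver object at {m.group(1)} ({m.group(3)} bytes)"))
            continue
        m = _MODIFIED.search(line)
        if m:
            findings.append(Finding("critical", "driver-modification",
                                    f"{m.group(2)}: {m.group(1)}"))
            continue
        m = _NO_VENDOR.match(line)
        if m:
            findings.append(Finding("low", "no-vendor-info",
                                    f"{m.group(1)} ({m.group(2)} bytes) has no vendor/description"))
    return findings


def linked_addresses(findings: List[Finding]) -> List[str]:
    """Addresses that appear both as a hidden driver object and inside a modification warning."""
    addr = re.compile(r"0x[0-9A-Fa-f]+")
    hidden = {a.lower() for f in findings if f.rule == "hidden-driver" for a in addr.findall(f.detail)}
    modified = {a.lower() for f in findings if f.rule == "driver-modification" for a in addr.findall(f.detail)}
    return sorted(hidden & modified)


if __name__ == "__main__":
    rku = triage_rku(RKU_SAMPLE)
    for f in triage_dds(DDS_SAMPLE) + rku:
        print(f"[{f.severity:8}] {f.rule}: {f.detail}")
    print("hidden object referenced by a modification warning:", linked_addresses(rku))
```

The script is a reading aid for logs already collected, not a replacement for the scan tools; a loopback proxy entry is worth checking even when no scanner reports a hit, because it explains the redirect symptom on its own.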

Hi, unfortunately you have a nasty rootkit infection. Before starting to clean it, please consider the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Thank you elise, I would like to continue trying to clean this machine, as I have approx 2 months till I can afford Windows 7, and I don't want to nuke my hard drive twice. I don't do any banking on this computer, or anything else that is worrying, it's mostly my movie, gaming, and websurfing computer. I will take steps to ensure that no sensitive information crosses its hard drive till I can format. However, once downloading ComboFix, and double-clicking its icon, it wouldn't run. Can you help me to get it to run? Thanks again for all your hard work.


O.K. Sorry for multiple posts, I got ComboFix to update and scan, and here is the subsequent log. Thanks for your time.

ComboFix 10-09-01.02 - Mike 09/01/2010 13:55:03.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2673 [GMT -5:00]

Running from: c:\documents and settings\Mike\Desktop\random.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Mike\Application Data\inst.exe

Infected copy of c:\windows\system32\drivers\isapnp.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

.

((((((((((((((((((((((((( Files Created from 2010-08-01 to 2010-09-01 )))))))))))))))))))))))))))))))

.

2010-09-01 18:00 . 2010-09-01 18:00 -------- d-----w- C:\random

2010-08-30 15:21 . 2010-08-30 15:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Avira

2010-08-30 11:37 . 2010-09-01 17:21 -------- d-----w- c:\windows\system32\NtmsData

2010-08-30 11:36 . 2010-08-30 11:36 -------- d-----w- c:\documents and settings\Mike\Application Data\Avira

2010-08-30 11:27 . 2010-08-30 11:27 -------- d-----w- c:\program files\Avira

2010-08-30 11:27 . 2010-08-30 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-08-30 11:27 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-08-30 11:27 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-30 11:27 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-08-30 11:27 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-08-30 09:19 . 2010-08-30 09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-30 09:19 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-30 09:19 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-27 19:18 . 2010-08-27 19:18 -------- d-----w- C:\PerfLogs

2010-08-15 15:57 . 2010-08-15 15:57 503808 ----a-w- c:\documents and settings\Heather\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f0a1297-n\msvcp71.dll

2010-08-15 15:57 . 2010-08-15 15:57 499712 ----a-w- c:\documents and settings\Heather\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f0a1297-n\jmc.dll

2010-08-15 15:57 . 2010-08-15 15:57 348160 ----a-w- c:\documents and settings\Heather\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f0a1297-n\msvcr71.dll

2010-08-15 15:57 . 2010-08-15 15:57 61440 ----a-w- c:\documents and settings\Heather\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-618aedaf-n\decora-sse.dll

2010-08-15 15:57 . 2010-08-15 15:57 12800 ----a-w- c:\documents and settings\Heather\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-618aedaf-n\decora-d3d.dll

2010-08-09 08:12 . 2010-08-09 08:12 503808 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-72ca71a6-n\msvcp71.dll

2010-08-09 08:12 . 2010-08-09 08:12 499712 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-72ca71a6-n\jmc.dll

2010-08-09 08:12 . 2010-08-09 08:12 348160 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-72ca71a6-n\msvcr71.dll

2010-08-09 08:12 . 2010-08-09 08:12 61440 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2cb6b2a1-n\decora-sse.dll

2010-08-09 08:12 . 2010-08-09 08:12 12800 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2cb6b2a1-n\decora-d3d.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-01 04:37 . 2010-03-15 19:57 218808 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-09-01 02:49 . 2010-03-15 19:57 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-08-27 01:35 . 2009-03-16 00:25 -------- d-----w- c:\documents and settings\Mike\Application Data\Xfire

2010-08-16 16:47 . 2010-07-31 21:10 -------- d-----w- c:\documents and settings\Mike\Application Data\Vuwy

2010-08-16 16:07 . 2010-01-18 16:48 -------- d-----w- c:\documents and settings\Mike\Application Data\Icze

2010-08-13 18:19 . 2009-03-31 03:52 -------- d-----w- c:\program files\Common Files\Java

2010-08-13 18:19 . 2009-03-31 03:52 -------- d-----w- c:\program files\Java

2010-08-08 00:06 . 2009-03-11 17:46 69328 ----a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-02 01:12 . 2009-07-08 00:55 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-31 01:52 . 2009-03-16 00:25 -------- d-----w- c:\program files\Xfire

2010-07-28 00:04 . 2010-07-28 00:04 -------- d-----w- c:\program files\Total Seminars

2010-07-17 10:00 . 2010-05-12 22:11 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-17 01:09 . 2009-03-24 23:37 -------- d-----w- c:\documents and settings\Mike\Application Data\Vso

2010-07-17 01:09 . 2009-03-24 23:37 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2010-07-17 01:09 . 2009-03-24 23:37 47360 ----a-w- c:\documents and settings\Mike\Application Data\pcouffin.sys

2010-07-17 01:09 . 2009-03-24 23:37 47360 ----a-w- c:\documents and settings\Mike\Application Data\pcouffin.sys

2010-07-17 01:09 . 2010-07-17 01:09 -------- d-----w- c:\program files\DVDFab 7

2010-07-12 21:17 . 2010-07-12 21:17 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes

2010-07-12 21:17 . 2010-07-12 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-10 00:30 . 2010-05-22 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-07-10 00:30 . 2010-05-22 05:12 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-07-10 00:30 . 2010-07-10 00:30 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-07-10 00:30 . 2010-07-10 00:30 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe

2010-07-10 00:30 . 2009-05-31 19:57 -------- d-----w- c:\program files\DivX

2010-07-10 00:30 . 2010-07-10 00:30 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe

2010-07-10 00:29 . 2010-05-22 05:12 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-07-10 00:29 . 2010-05-22 05:12 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll

2010-06-23 17:17 . 2010-06-23 17:17 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-06-06 22:48 . 2010-06-06 22:48 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe

2010-06-06 22:48 . 2010-06-06 22:48 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

2010-06-06 22:48 . 2010-06-06 22:48 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe

2010-06-06 22:48 . 2010-06-06 22:48 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe

2010-06-06 22:48 . 2010-06-06 22:48 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 2048000]

"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"RTHDCPL"="RTHDCPL.EXE" [2009-10-06 18750976]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Wireless Configuration Utility HW.15.lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-1-30 577536]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\amberite2\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Xfire\\Xfire.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=

"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=

"c:\\Program Files\\Activision\\Prototype\\prototypef.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Game.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/30/2010 6:27 AM 135336]

S3 ALSysIO;ALSysIO;\??\c:\docume~1\Mike\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Mike\LOCALS~1\Temp\ALSysIO.sys [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/13/2010 9:28 PM 1684736]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/30/2009 6:54 PM 721904]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5577

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: aol.com\free

FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\l32ynets.default\

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - plugin: c:\documents and settings\Mike\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\Mike\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-01 13:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-57989841-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43225AB6-018F-DB11-47A5-9FF8D87B6815}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iabhaagmgaocoopbem"=hex:64,61,61,66,6e,6a,6d,6b,00,e0

"iafibhfpipllcefnkg"=hex:69,61,68,67,69,68,61,63,68,64,6d,66,66,6b,6d,6e,70,64,

00,00

"haljkopcngchgnbb"=hex:69,61,68,67,69,68,61,63,68,64,6d,66,66,6b,6d,6e,70,64,

00,00

[HKEY_USERS\S-1-5-21-1177238915-57989841-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"??"=hex:8c,7c,58,03,8d,d1,85,34,ec,eb,30,fd,78,b9,45,31,2d,42,62,3b,a8,4c,32,

6c,fe,6c,79,05,65,c2,10,1a,0e,93,a2,82,60,0e,9f,77,1f,72,3f,be,c2,97,0f,7f,\

"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1177238915-57989841-682003330-1003\Software\SecuROM\License information*]

"datasecu"=hex:23,68,f8,e8,87,fb,09,c8,2b,b1,ab,20,55,f4,2b,72,09,96,82,f2,cd,

db,81,2d,34,ea,c6,4b,1b,ce,6b,db,e4,0f,c9,5d,ea,08,b6,40,8b,eb,0e,c0,9c,3b,\

"rkeysecu"=hex:07,31,41,1d,55,73,33,56,b7,67,4a,76,64,77,18,5a

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-09-01 14:00:51

ComboFix-quarantined-files.txt 2010-09-01 19:00

Pre-Run: 111,343,632,384 bytes free

Post-Run: 122,519,003,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CB30A172125389D21BE024EA35D8D70F


Well done, that did the trick. ;)

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

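As an added example (not ComboFix, GMER or Malwarebytes code), the script below reads log lines like the ones posted in this thread and flags the items the helper acted on: the proxy forced to a loopback address (which is what produced the browser redirects), the GMER hidden-driver and driver-modification warnings, and services created or loaded from a Temp folder; when it finds a loopback proxy it emits the same DDS:: CFScript block shown above. The sample lines are constructed from this thread's logs; the function and pattern names are this example's own.

```python
"""Triage helper for ComboFix / GMER style log text.

Added example, not part of ComboFix, GMER or the forum post. It does not
clean anything; it only points out the lines a helper would look at first.
"""
import re

# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
!!!!!!!!!!!Hidden driver: 0x8ACD3AF1 ?_empty_? 1295 bytes
0xB7F0B000 WARNING: suspicious driver modification [atapi.sys::0x8ACD3AF1]
0xB80B8000 WARNING: Virus alike driver modification [isapnp.sys], 40960 bytes
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Mike\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Mike\LOCALS~1\Temp\ALSysIO.sys [?]
*NewlyCreated* - SJYPKT
"""

# GMER: driver object that is not linked into the normal driver list.
HIDDEN_DRIVER = re.compile(r"Hidden driver:\s*(0x[0-9A-Fa-f]+)")
# GMER: a system driver whose code/dispatch table was patched in memory.
DRIVER_MOD = re.compile(r"WARNING:\s*(.+?driver modification)\s*\[([^\]]+)\]")
# ComboFix "Supplementary Scan": per-user (u) or machine (m) IE proxy settings.
PROXY = re.compile(r"^(u|m)?Internet Settings,Proxy(Server|Override)\s*=\s*(.*)$")
# ComboFix: service/driver that appeared between the two ComboFix runs.
NEW_SVC = re.compile(r"^\*NewlyCreated\*\s*-\s*(\S+)")
# ComboFix service line: "<start> <name>;<display>;<image path> ..."
SERVICE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
TEMP_PATH = re.compile(r"\\(temp|locals~1\\temp)\\", re.I)


def is_loopback(proxy_value):
    """True if any host in a ProxyServer value (host:port or proto=host:port;...)
    is a loopback address, i.e. a proxy running on the machine itself."""
    for part in proxy_value.split(";"):
        host = part.split("=")[-1].split(":")[0].strip().lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def triage(text):
    """Return a list of (severity, description, original line) findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HIDDEN_DRIVER.search(line)
        if m:
            findings.append(("high", "hidden kernel driver at %s" % m.group(1), line))
            continue
        m = DRIVER_MOD.search(line)
        if m:
            findings.append(("high", "%s of %s" % (m.group(1), m.group(2)), line))
            continue
        m = PROXY.match(line)
        if m:
            if m.group(2) == "Server" and is_loopback(m.group(3)):
                findings.append(("high", "browser proxy forced to loopback", line))
            continue
        m = NEW_SVC.match(line)
        if m:
            findings.append(("review", "service created during this run: %s" % m.group(1), line))
            continue
        m = SERVICE.match(line)
        if m and TEMP_PATH.search(m.group(4)):
            # Loading a driver from a Temp folder is unusual but can be legitimate,
            # so this is a "look at it" item, not a verdict.
            findings.append(("review", "service %s loads from a Temp folder" % m.group(2), line))
    return findings


def build_cfscript(text):
    """Return the DDS:: block (ProxyOverride/ProxyServer lines to be removed)
    in the shape used in this thread, or "" when no loopback proxy is present."""
    proxy_lines = [l.strip() for l in text.splitlines() if PROXY.match(l.strip())]
    forced = any(PROXY.match(l).group(2) == "Server" and is_loopback(PROXY.match(l).group(3))
                 for l in proxy_lines)
    if not forced:
        return ""
    return "DDS::\n" + "\n".join(proxy_lines) + "\n"


if __name__ == "__main__":
    for severity, what, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (severity.upper(), what, line))
    print(build_cfscript(SAMPLE_LOG), end="")
```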

Here is the log from ComboFix after I dragged and dropped the CFScript.txt file into it.

ComboFix 10-09-01.02 - Mike 09/01/2010 15:24:39.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2664 [GMT -5:00]

Running from: c:\documents and settings\Mike\Desktop\random.exe

Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2010-08-01 to 2010-09-01 )))))))))))))))))))))))))))))))

.

2010-09-01 18:00 . 2010-09-01 18:00 -------- d-----w- C:\random

2010-08-30 15:21 . 2010-08-30 15:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Avira

2010-08-30 11:37 . 2010-09-01 17:21 -------- d-----w- c:\windows\system32\NtmsData

2010-08-30 11:36 . 2010-08-30 11:36 -------- d-----w- c:\documents and settings\Mike\Application Data\Avira

2010-08-30 11:27 . 2010-08-30 11:27 -------- d-----w- c:\program files\Avira

2010-08-30 11:27 . 2010-08-30 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-08-30 11:27 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-08-30 11:27 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-30 11:27 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-08-30 11:27 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-08-30 09:19 . 2010-08-30 09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-30 09:19 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-30 09:19 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-27 19:18 . 2010-08-27 19:18 -------- d-----w- C:\PerfLogs

2010-08-15 15:57 . 2010-08-15 15:57 503808 ----a-w- c:\documents and settings\Heather\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f0a1297-n\msvcp71.dll

2010-08-15 15:57 . 2010-08-15 15:57 499712 ----a-w- c:\documents and settings\Heather\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f0a1297-n\jmc.dll

2010-08-15 15:57 . 2010-08-15 15:57 348160 ----a-w- c:\documents and settings\Heather\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f0a1297-n\msvcr71.dll

2010-08-15 15:57 . 2010-08-15 15:57 61440 ----a-w- c:\documents and settings\Heather\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-618aedaf-n\decora-sse.dll

2010-08-15 15:57 . 2010-08-15 15:57 12800 ----a-w- c:\documents and settings\Heather\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-618aedaf-n\decora-d3d.dll

2010-08-09 08:12 . 2010-08-09 08:12 503808 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-72ca71a6-n\msvcp71.dll

2010-08-09 08:12 . 2010-08-09 08:12 499712 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-72ca71a6-n\jmc.dll

2010-08-09 08:12 . 2010-08-09 08:12 348160 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-72ca71a6-n\msvcr71.dll

2010-08-09 08:12 . 2010-08-09 08:12 61440 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2cb6b2a1-n\decora-sse.dll

2010-08-09 08:12 . 2010-08-09 08:12 12800 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2cb6b2a1-n\decora-d3d.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-01 04:37 . 2010-03-15 19:57 218808 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-09-01 02:49 . 2010-03-15 19:57 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-08-27 01:35 . 2009-03-16 00:25 -------- d-----w- c:\documents and settings\Mike\Application Data\Xfire

2010-08-16 16:47 . 2010-07-31 21:10 -------- d-----w- c:\documents and settings\Mike\Application Data\Vuwy

2010-08-16 16:07 . 2010-01-18 16:48 -------- d-----w- c:\documents and settings\Mike\Application Data\Icze

2010-08-13 18:19 . 2009-03-31 03:52 -------- d-----w- c:\program files\Common Files\Java

2010-08-13 18:19 . 2009-03-31 03:52 -------- d-----w- c:\program files\Java

2010-08-08 00:06 . 2009-03-11 17:46 69328 ----a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-02 01:12 . 2009-07-08 00:55 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-31 01:52 . 2009-03-16 00:25 -------- d-----w- c:\program files\Xfire

2010-07-28 00:04 . 2010-07-28 00:04 -------- d-----w- c:\program files\Total Seminars

2010-07-17 10:00 . 2010-05-12 22:11 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-17 01:09 . 2009-03-24 23:37 -------- d-----w- c:\documents and settings\Mike\Application Data\Vso

2010-07-17 01:09 . 2009-03-24 23:37 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2010-07-17 01:09 . 2009-03-24 23:37 47360 ----a-w- c:\documents and settings\Mike\Application Data\pcouffin.sys

2010-07-17 01:09 . 2009-03-24 23:37 47360 ----a-w- c:\documents and settings\Mike\Application Data\pcouffin.sys

2010-07-17 01:09 . 2010-07-17 01:09 -------- d-----w- c:\program files\DVDFab 7

2010-07-12 21:17 . 2010-07-12 21:17 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes

2010-07-12 21:17 . 2010-07-12 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-10 00:30 . 2010-05-22 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-07-10 00:30 . 2010-05-22 05:12 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-07-10 00:30 . 2010-07-10 00:30 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-07-10 00:30 . 2010-07-10 00:30 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe

2010-07-10 00:30 . 2009-05-31 19:57 -------- d-----w- c:\program files\DivX

2010-07-10 00:30 . 2010-07-10 00:30 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe

2010-07-10 00:29 . 2010-05-22 05:12 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-07-10 00:29 . 2010-05-22 05:12 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll

2010-06-23 17:17 . 2010-06-23 17:17 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-06-06 22:48 . 2010-06-06 22:48 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe

2010-06-06 22:48 . 2010-06-06 22:48 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

2010-06-06 22:48 . 2010-06-06 22:48 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe

2010-06-06 22:48 . 2010-06-06 22:48 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe

2010-06-06 22:48 . 2010-06-06 22:48 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-09-01_18.58.41 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-09-01 19:12 . 2010-09-01 19:12 16384 c:\windows\Temp\Perflib_Perfdata_18c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 2048000]

"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"RTHDCPL"="RTHDCPL.EXE" [2009-10-06 18750976]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Wireless Configuration Utility HW.15.lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-1-30 577536]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\amberite2\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Xfire\\Xfire.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=

"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=

"c:\\Program Files\\Activision\\Prototype\\prototypef.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Game.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/30/2010 6:27 AM 135336]

R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 10:57 AM 13532]

S3 ALSysIO;ALSysIO;\??\c:\docume~1\Mike\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Mike\LOCALS~1\Temp\ALSysIO.sys [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/13/2010 9:28 PM 1684736]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/30/2009 6:54 PM 721904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SJYPKT

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: aol.com\free

FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\l32ynets.default\

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - plugin: c:\documents and settings\Mike\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\Mike\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-01 15:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-57989841-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43225AB6-018F-DB11-47A5-9FF8D87B6815}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iabhaagmgaocoopbem"=hex:64,61,61,66,6e,6a,6d,6b,00,e0

"iafibhfpipllcefnkg"=hex:69,61,68,67,69,68,61,63,68,64,6d,66,66,6b,6d,6e,70,64,

00,00

"haljkopcngchgnbb"=hex:69,61,68,67,69,68,61,63,68,64,6d,66,66,6b,6d,6e,70,64,

00,00

[HKEY_USERS\S-1-5-21-1177238915-57989841-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"??"=hex:8c,7c,58,03,8d,d1,85,34,ec,eb,30,fd,78,b9,45,31,2d,42,62,3b,a8,4c,32,

6c,fe,6c,79,05,65,c2,10,1a,0e,93,a2,82,60,0e,9f,77,1f,72,3f,be,c2,97,0f,7f,\

"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1177238915-57989841-682003330-1003\Software\SecuROM\License information*]

"datasecu"=hex:23,68,f8,e8,87,fb,09,c8,2b,b1,ab,20,55,f4,2b,72,09,96,82,f2,cd,

db,81,2d,34,ea,c6,4b,1b,ce,6b,db,e4,0f,c9,5d,ea,08,b6,40,8b,eb,0e,c0,9c,3b,\

"rkeysecu"=hex:07,31,41,1d,55,73,33,56,b7,67,4a,76,64,77,18,5a

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3332)

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-01 15:28:12

ComboFix-quarantined-files.txt 2010-09-01 20:28

ComboFix2.txt 2010-09-01 19:00

Pre-Run: 122,521,464,832 bytes free

Post-Run: 122,507,788,288 bytes free

- - End Of File - - A0EF5C6AABBA17246020DC32C5DE8E95


Hi Elise! The previously infected machine is running great! No browser redirects, performance seems to have gone back to normal operating parameters. However I'm still not going to trust the computer with any kind of sensitive data, or transfer any files from it to my laptop, at least not until I can reformat the hard drive with Windows 7. I updated mbam and ran it with no infection detected, I also updated and ran avira, and it came back with two detections that it has listed as TR/Rootkit.Gen3. I will include its log here as well, not sure if it will help.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4530

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

9/2/2010 9:33:40 AM

mbam-log-2010-09-02 (09-33-40).txt

Scan type: Full scan (C:\|)

Objects scanned: 198980

Time elapsed: 17 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Avira AntiVir Personal

Report file date: Thursday, September 02, 2010 09:44

Scanning for 2772724 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : MIKEANDHEATHERS

Version information:

BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00

AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 18:37:38

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 18:57:04

LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 00:33:04

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 01:27:49

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 23:37:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 22:37:42

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 17:29:03

VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 11:29:54

VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 11:30:18

VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 11:31:09

VBASE008.VDF : 7.10.9.166 2048 Bytes 7/23/2010 11:31:10

VBASE009.VDF : 7.10.9.167 2048 Bytes 7/23/2010 11:31:10

VBASE010.VDF : 7.10.9.168 2048 Bytes 7/23/2010 11:31:10

VBASE011.VDF : 7.10.9.169 2048 Bytes 7/23/2010 11:31:10

VBASE012.VDF : 7.10.9.170 2048 Bytes 7/23/2010 11:31:10

VBASE013.VDF : 7.10.9.198 157696 Bytes 7/26/2010 11:31:12

VBASE014.VDF : 7.10.9.255 997888 Bytes 7/29/2010 11:31:23

VBASE015.VDF : 7.10.10.28 139264 Bytes 8/2/2010 11:31:24

VBASE016.VDF : 7.10.10.52 127488 Bytes 8/3/2010 11:31:26

VBASE017.VDF : 7.10.10.84 137728 Bytes 8/6/2010 11:31:27

VBASE018.VDF : 7.10.10.107 176640 Bytes 8/9/2010 11:31:29

VBASE019.VDF : 7.10.10.130 132608 Bytes 8/10/2010 11:31:31

VBASE020.VDF : 7.10.10.158 131072 Bytes 8/12/2010 11:31:32

VBASE021.VDF : 7.10.10.190 136704 Bytes 8/16/2010 11:31:34

VBASE022.VDF : 7.10.10.217 118272 Bytes 8/19/2010 11:31:35

VBASE023.VDF : 7.10.10.246 130048 Bytes 8/23/2010 11:31:36

VBASE024.VDF : 7.10.11.11 144896 Bytes 8/25/2010 11:31:38

VBASE025.VDF : 7.10.11.33 135168 Bytes 8/27/2010 11:31:40

VBASE026.VDF : 7.10.11.52 148992 Bytes 8/31/2010 05:04:26

VBASE027.VDF : 7.10.11.53 2048 Bytes 8/31/2010 05:04:26

VBASE028.VDF : 7.10.11.54 2048 Bytes 8/31/2010 05:04:26

VBASE029.VDF : 7.10.11.55 2048 Bytes 8/31/2010 05:04:26

VBASE030.VDF : 7.10.11.56 2048 Bytes 8/31/2010 05:04:27

VBASE031.VDF : 7.10.11.72 111616 Bytes 9/2/2010 14:43:29

Engineversion : 8.2.4.46

AEVDF.DLL : 8.1.2.1 106868 Bytes 8/30/2010 11:32:17

AESCRIPT.DLL : 8.1.3.44 1364346 Bytes 8/30/2010 11:32:17

AESCN.DLL : 8.1.6.1 127347 Bytes 8/30/2010 11:32:12

AESBX.DLL : 8.1.3.1 254324 Bytes 8/30/2010 11:32:18

AERDL.DLL : 8.1.8.2 614772 Bytes 8/30/2010 11:32:12

AEPACK.DLL : 8.2.3.5 471412 Bytes 8/30/2010 11:32:08

AEOFFICE.DLL : 8.1.1.8 201081 Bytes 8/30/2010 11:32:05

AEHEUR.DLL : 8.1.2.19 2867574 Bytes 8/30/2010 11:32:04

AEHELP.DLL : 8.1.13.3 242038 Bytes 8/30/2010 11:31:51

AEGEN.DLL : 8.1.3.20 397684 Bytes 8/30/2010 11:31:49

AEEMU.DLL : 8.1.2.0 393588 Bytes 8/30/2010 11:31:47

AECORE.DLL : 8.1.16.2 192887 Bytes 8/30/2010 11:31:46

AEBB.DLL : 8.1.1.0 53618 Bytes 8/30/2010 11:31:45

AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 18:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 18:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 22:47:40

AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 18:35:46

AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 18:39:51

AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 18:22:13

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 15:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 18:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 21:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 20:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 19:10:20

RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 20:14:29

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Thursday, September 02, 2010 09:44

Starting search for hidden objects.

HKEY_USERS\S-1-5-21-1177238915-57989841-682003330-1003\Software\Microsoft\MediaPlayer\Preferences\backgroundscancompletedate

[NOTE] The registry entry is invisible.

HKEY_USERS\S-1-5-21-1177238915-57989841-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43225AB6-018F-DB11-47A5-9FF8D87B6815}\iabhaagmgaocoopbem

[NOTE] The registry entry is invisible.

HKEY_USERS\S-1-5-21-1177238915-57989841-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43225AB6-018F-DB11-47A5-9FF8D87B6815}\iafibhfpipllcefnkg

[NOTE] The registry entry is invisible.

HKEY_USERS\S-1-5-21-1177238915-57989841-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43225AB6-018F-DB11-47A5-9FF8D87B6815}\haljkopcngchgnbb

[NOTE] The registry entry is invisible.

HKEY_USERS\S-1-5-21-1177238915-57989841-682003330-1003\Software\SecuROM\License information\datasecu

[NOTE] The registry entry is invisible.

HKEY_USERS\S-1-5-21-1177238915-57989841-682003330-1003\Software\SecuROM\License information\rkeysecu

[NOTE] The registry entry is invisible.

c:\windows\explorer.exe

c:\WINDOWS\explorer.exe

[NOTE] The process is not visible.

c:\windows\explorer.exe

The scan of running processes will be started

Scan process 'rsmsink.exe' - '28' Module(s) have been scanned

Scan process 'msdtc.exe' - '40' Module(s) have been scanned

Scan process 'dllhost.exe' - '61' Module(s) have been scanned

Scan process 'dllhost.exe' - '45' Module(s) have been scanned

Scan process 'vssvc.exe' - '48' Module(s) have been scanned

Scan process 'avscan.exe' - '67' Module(s) have been scanned

Scan process 'ctfmon.exe' - '25' Module(s) have been scanned

Scan process 'avcenter.exe' - '66' Module(s) have been scanned

Scan process 'plugin-container.exe' - '60' Module(s) have been scanned

Scan process 'firefox.exe' - '109' Module(s) have been scanned

Scan process 'wmplayer.exe' - '92' Module(s) have been scanned

Scan process 'DTProShellHlp.exe' - '23' Module(s) have been scanned

Scan process 'explorer.exe' - '123' Module(s) have been scanned

Scan process 'WlanCU.exe' - '46' Module(s) have been scanned

Scan process 'iPodService.exe' - '29' Module(s) have been scanned

Scan process 'avgnt.exe' - '51' Module(s) have been scanned

Scan process 'jusched.exe' - '20' Module(s) have been scanned

Scan process 'DivXUpdate.exe' - '57' Module(s) have been scanned

Scan process 'RUNDLL32.EXE' - '29' Module(s) have been scanned

Scan process 'RTHDCPL.EXE' - '36' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '52' Module(s) have been scanned

Scan process 'HPWuSchd2.exe' - '19' Module(s) have been scanned

Scan process 'PDVDServ.exe' - '25' Module(s) have been scanned

Scan process 'wscntfy.exe' - '18' Module(s) have been scanned

Scan process 'alg.exe' - '33' Module(s) have been scanned

Scan process 'avshadow.exe' - '26' Module(s) have been scanned

Scan process 'MsPMSPSv.exe' - '14' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'PnkBstrB.exe' - '26' Module(s) have been scanned

Scan process 'PnkBstrA.exe' - '24' Module(s) have been scanned

Scan process 'HPZipm12.exe' - '18' Module(s) have been scanned

Scan process 'jqs.exe' - '33' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '32' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '25' Module(s) have been scanned

Scan process 'avguard.exe' - '56' Module(s) have been scanned

Scan process 'sched.exe' - '46' Module(s) have been scanned

Scan process 'spoolsv.exe' - '64' Module(s) have been scanned

Scan process 'svchost.exe' - '48' Module(s) have been scanned

Scan process 'svchost.exe' - '32' Module(s) have been scanned

Scan process 'svchost.exe' - '168' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'svchost.exe' - '52' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '37' Module(s) have been scanned

Scan process 'lsass.exe' - '58' Module(s) have been scanned

Scan process 'services.exe' - '27' Module(s) have been scanned

Scan process 'winlogon.exe' - '72' Module(s) have been scanned

Scan process 'csrss.exe' - '14' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '2269' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir

[DETECTION] Is the TR/Rootkit.Gen3 Trojan

C:\System Volume Information\_restore{ADE6B800-1B74-4546-B478-1993FBA26FAE}\RP413\A0578764.sys

[DETECTION] Is the TR/Rootkit.Gen3 Trojan

Beginning disinfection:

C:\System Volume Information\_restore{ADE6B800-1B74-4546-B478-1993FBA26FAE}\RP413\A0578764.sys

[DETECTION] Is the TR/Rootkit.Gen3 Trojan

[NOTE] The file was moved to the quarantine directory under the name '4fb51a4d.qua'.

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir

[DETECTION] Is the TR/Rootkit.Gen3 Trojan

[NOTE] The file was moved to the quarantine directory under the name '5776342d.qua'.

End of the scan: Thursday, September 02, 2010 10:11

Used time: 24:55 Minute(s)

The scan has been done completely.

7087 Scanned directories

282055 Files were scanned

2 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

2 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

282053 Files not concerned

1849 Archives were scanned

0 Warnings

2 Notes

341131 Objects were scanned with rootkit scan

8 Hidden objects were found


Hi, that's looking great. ;)

Look at the file paths of Avira's detections: one is in System Restore, the other in Combofix quarantine. In other words, both are harmless and will be removed anyway if you follow the steps below to uninstall Combofix.

You are right to be careful with sensitive data on this computer until you reformat, but it is really clean now; however, better safe than sorry. :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS and RKU.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file

  2. Keep Windows (and your other Microsoft software) up to date!
     I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
     Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  4. Stay up to date!
     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

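The triage point in the reply above (a hit inside a System Restore snapshot or a removal tool's quarantine folder is an inert leftover copy, not an active infection) as an added example; this is not code from the thread, from Avira, or from Malwarebytes. It is a small Python parser that pairs each file path in an Avira report with the `[DETECTION]` line that follows it and labels the hit by where it lives. The first two paths in the constructed sample are the ones quoted in the thread; the third path is a made-up placeholder, included only so the "live" branch is exercised. The location rules, the label names and the function names are all assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the Avira report quoted in this thread. The
# first two paths are copied from the thread; the third is a made-up placeholder
# (not a real detection) so that the "live" branch is exercised too. The trailing
# "Beginning disinfection:" block repeats a path, as the real report does.
SAMPLE_AVIRA_LOG = r"""
Begin scan in 'C:\'
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir
[DETECTION] Is the TR/Rootkit.Gen3 Trojan
C:\System Volume Information\_restore{ADE6B800-1B74-4546-B478-1993FBA26FAE}\RP413\A0578764.sys
[DETECTION] Is the TR/Rootkit.Gen3 Trojan
C:\WINDOWS\system32\drivers\PLACEHOLDER_example.sys
[DETECTION] Is the TR/Rootkit.Gen3 Trojan
Beginning disinfection:
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir
[DETECTION] Is the TR/Rootkit.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '5776342d.qua'.
"""

# A report line that starts with a drive letter is a file path.
_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# "[DETECTION] Is the <name>" -> capture <name>.
_DETECTION_RE = re.compile(r"^\[DETECTION\]\s+(?:Is the\s+)?(.+?)\s*$")

# Locations whose contents never run on their own: a hit there is a leftover copy.
# Matching is done on the lower-cased path because Windows paths are case-insensitive.
# (Assumed rule set for this example; extend it for other tools' quarantine folders.)
INERT_LOCATIONS = (
    ("\\system volume information\\_restore", "restore_point"),
    ("\\qoobox\\quarantine\\", "combofix_quarantine"),
)


def classify_path(path: str) -> str:
    """Label a detected file by where it sits; anything unrecognised counts as live."""
    lowered = path.lower()
    for marker, label in INERT_LOCATIONS:
        if marker in lowered:
            return label
    return "live"


def parse_detections(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (path, detection name, category) for each distinct detection in the report.

    The disinfection section of an Avira report repeats the paths already listed
    in the scan section, so each (path, name) pair is reported only once.
    """
    results: List[Tuple[str, str, str]] = []
    seen = set()
    pending_path = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if _PATH_RE.match(line):
            pending_path = line
            continue
        match = _DETECTION_RE.match(line)
        if match and pending_path is not None:
            key = (pending_path.lower(), match.group(1))
            if key not in seen:
                seen.add(key)
                results.append((pending_path, match.group(1), classify_path(pending_path)))
            pending_path = None
    return results


def summarize(log_text: str) -> Dict[str, int]:
    """Count detections per category so the live ones stand out from the leftovers."""
    counts = {"live": 0, "restore_point": 0, "combofix_quarantine": 0}
    for _, _, category in parse_detections(log_text):
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for path, name, category in parse_detections(SAMPLE_AVIRA_LOG):
        print(f"{category:20} {name:25} {path}")
    print(summarize(SAMPLE_AVIRA_LOG))
```

Only the placeholder path comes out as "live"; the two paths from the thread are labelled as restore-point and Combofix-quarantine leftovers, which is exactly why they disappear once Combofix is uninstalled and the restore points are cleared. The rule set is deliberately narrow: a path that matches nothing is treated as live and left for a person to look at.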

Woot! Thanks Elise, your help was absolutely invaluable. I have learned the lesson of going without anti-virus software, and not keeping programs like divx, adobe, and mbam updated regularly. I would like to thank you for all your hard work, and I will be donating something as soon as funds become available. Thanks to all the great people at Malwarebytes, without whom, I would be totally screwed right now. ;) Also to anyone else who is experiencing issues like mine, update those virus definitions, update that malware scanner, and scan twice a week. I'm out.


This topic is now closed to further replies.