Please help! Antivirus 2010 wreaking havoc on my pc


My neighbor got the newest Antivirus 2010 virus on his computer and called me to try and fix it. I've been working on it for a couple of days and haven't gotten very far. Originally, I got a red screen and it said something to the effect of "my computer has malfunctioned" and that it needs spyware to be removed before moving forward. The PC was running Windows Security Essentials, but it would not open after the virus infected the computer. AVG was on the computer, so I tried using it. It originally opened and said it found 903 viruses after the scan. It fixed 901, but then had to restart. The problem continued after restart.

I tried on YouTube to find some videos that would help, but all of the Antivirus 2010 videos were different from the virus I had. They told me to stop the application. The applications were different from the ones shown in the videos. When I would try to end them in Task Manager, an error would come up saying something like "The system is shutting down. Please save all work in progress and log off. Initiated by NT Authority\System". It would shut down in 60 seconds. I also noticed that new processes were appearing faster than I could end them. Some of the processes that I suspect are avgcsrvs.exe, avgemc.exe, svchost.exe, avgrsx.exe, avgwdsvc.exe.

The virus allows me to download software, but not to run it. The exceptions are CCleaner, ComboFix, TDSSKiller and Avenger. None of these have worked totally, but the red screen no longer pops up. Also, I am now able to use Google and Yahoo when on the internet. The virus did not allow this before. I am still unable to stop the processes or use antivirus programs or Malwarebytes.

UPDATE: I was told to try Defogger, DDS and GMER. Defogger did not open. I will attach my DDS logs to this email. I left the GMER scan running when I went to bed last night. When I got up this morning, the computer was trying over and over again to boot up. It gets as far as the loading XP screen and then goes black and starts again. I can get to the advanced options menu to choose Safe Mode, etc. When I try to open in Safe Mode, the computer restarts. This is as far as I can get now. Any help would be much appreciated.

Here is my combofix log:

ComboFix 10-09-24.03 - Compaq_Administrator 09/24/2010 18:49:44.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1498 [GMT -5:00]

Running from: F:\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll

c:\documents and settings\All Users\Application Data\FL0821pU.exe

c:\documents and settings\All Users\Application Data\NUBMfm15E.exe

c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\NUBMfm15E.exe

c:\documents and settings\Compaq_Administrator\Local Settings\Temp\IadHide5.dll

c:\documents and settings\Compaq_Administrator\NUBMfm15E.com

c:\documents and settings\NetworkService\Local Settings\Application Data\NUBMfm15E.exe

c:\program files\HP\HP Software Update\HPWuSchd2 .exe

c:\program files\HP\HP Software Update\HPWuSchd2.exe

c:\windows\Fonts\NUBMfm15E.com

c:\windows\system32\config\systemprofile\NUBMfm15E.com

c:\windows\Tasks\At265.job

c:\windows\Tasks\At268.job

c:\windows\Tasks\At270.job

c:\windows\Tasks\At276.job

c:\windows\Tasks\At279.job

c:\windows\Tasks\At285.job

.

((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))

.

2010-09-24 22:22 . 2010-09-24 22:22 -------- d-----w- c:\program files\Mlalwarebytes' Anti-Malware

2010-09-24 22:15 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-24 22:15 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-24 20:44 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-09-23 17:18 . 2010-09-23 17:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-23 16:43 . 2010-09-23 16:43 -------- d-----w- c:\program files\Trend Micro

2010-09-23 14:03 . 2010-09-23 14:03 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\PCHealth

2010-09-23 13:51 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-09-23 13:51 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-09-23 13:51 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-09-23 13:51 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

2010-09-23 13:51 . 2001-08-17 19:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-09-23 13:51 . 2001-08-17 19:02 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys

2010-09-23 01:35 . 2010-09-22 20:17 94724 ----a-w- c:\windows\system32\NUBMfm15E.com

2010-09-23 01:28 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-09-23 01:28 . 2010-09-23 01:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-09-23 01:25 . 2010-09-23 01:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Sunbelt Software

2010-09-23 01:25 . 2010-09-23 01:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}

2010-09-23 01:24 . 2010-09-23 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-09-23 01:24 . 2010-09-23 01:24 -------- d-----w- c:\program files\Lavasoft

2010-09-23 00:22 . 2010-09-23 00:22 -------- d-----w- c:\documents and settings\Compaq_Administrator\Logs

2010-09-22 23:42 . 2010-09-24 22:11 -------- d-----w- c:\program files\aMalwarebytes' Anti-Malware

2010-09-22 23:29 . 2010-09-23 00:41 -------- d-----w- c:\program files\sys5

2010-09-22 23:28 . 2010-09-23 00:41 -------- d-----w- c:\program files\sys4

2010-09-22 23:28 . 2010-09-24 21:22 -------- d-----w- c:\program files\Microsoft

2010-09-22 23:13 . 2010-09-22 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-09-22 20:04 . 2010-09-22 20:04 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-09-22 19:09 . 2010-09-22 19:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM

2010-09-22 19:08 . 2010-09-22 19:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-09-22 11:09 . 2010-09-23 14:06 0 ----a-w- c:\windows\Wsaxageqewipe.bin

2010-09-22 11:09 . 2010-09-23 01:08 120 ----a-w- c:\windows\Dqufini.dat

2010-09-22 11:08 . 2004-08-04 03:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys

2010-09-22 11:08 . 2004-08-04 03:59 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys

2010-09-22 11:07 . 2004-08-04 04:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys

2010-09-22 11:07 . 2004-08-04 04:00 8192 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys

2010-09-22 11:07 . 2004-08-04 04:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-09-22 11:07 . 2004-08-04 04:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

2010-09-22 00:51 . 2010-09-23 00:52 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-14 23:22 . 2010-09-14 23:22 -------- d-----w- c:\windows\system32\wbem\mof

2010-09-14 23:20 . 2010-09-14 23:20 -------- d-----w- C:\found.000

2010-09-03 23:47 . 2010-09-03 23:51 19521 ----a-w- c:\windows\hpqins13.dat

1601-01-01 00:00 . 1601-01-01 00:00 -------- d-----w- c:\windows\LastGood.Tmp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-24 23:44 . 2010-09-22 20:19 112 ----a-w- c:\documents and settings\All Users\Application Data\Ahu00A5K.dat

2010-09-24 22:15 . 2009-11-03 16:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-24 21:06 . 2009-11-03 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-09-23 16:30 . 2010-09-23 13:55 42496 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Microsoft\Windows\shellSrv.exe

2010-09-23 16:19 . 2010-03-02 23:26 -------- d-----w- c:\program files\CCleaner

2010-09-23 14:07 . 2010-08-22 20:29 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-09-23 01:55 . 2010-09-22 23:29 142848 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Microsoft\Windows\shell.exe

2010-09-23 00:40 . 2006-08-26 03:37 -------- d-----w- c:\program files\Rhapsody

2010-09-23 00:39 . 2006-08-26 03:51 -------- d-----w- c:\program files\Quicken

2010-09-23 00:39 . 2006-08-26 04:01 -------- d-----w- c:\program files\PC-Doctor 5 for Windows

2010-09-23 00:20 . 2006-08-26 03:36 -------- d-----w- c:\program files\music_now

2010-09-23 00:20 . 2006-08-26 03:49 -------- d-----w- c:\program files\Microsoft Works

2010-09-23 00:00 . 2006-08-26 03:03 -------- d-----w- c:\program files\GemMaster

2010-09-22 23:59 . 2006-08-26 03:03 -------- d-----w- c:\program files\EnglishOtto

2010-09-22 23:59 . 2006-08-26 03:43 -------- d-----w- c:\program files\DISC

2010-09-22 23:59 . 2006-08-26 03:38 -------- d-----w- c:\program files\Common Files\SureThing Shared

2010-09-22 23:59 . 2006-08-26 03:32 -------- d-----w- c:\program files\Common Files\Sonic Shared

2010-09-22 23:58 . 2006-08-26 03:46 -------- d---a-w- c:\program files\Common Files\LightScribe

2010-08-24 08:01 . 2010-08-24 08:01 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2010-08-22 21:11 . 2010-08-22 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-08-22 20:01 . 2010-08-22 20:01 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\IObit

2010-08-22 20:01 . 2010-08-22 20:01 -------- d-----w- c:\program files\IObit

2010-08-12 12:16 . 2010-09-23 01:25 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe

2010-07-15 14:04 . 2009-11-03 16:34 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-15 14:04 . 2010-07-15 14:04 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-15 14:03 . 2009-11-03 16:34 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

.

c:\program files\AVG\AVG9\avgtray .exe

c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe

c:\program files\Common Files\Real\Update_OB\realsched .exe

c:\program files\Internet Explorer\svchost .exe

c:\program files\Microsoft Security Essentials\msseces .exe

c:\windows\ehome\ehtray .exe

c:\windows\SMINST\RECGUARD .exe

c:\windows\system32\rundll32 .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-10-16 18:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"ftutil2"="ftutil2.dll" [2004-06-07 106496]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]

"nwiz"="nwiz.exe" [2006-05-09 1519616]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" [N/A]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-8-25 36903]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-15 14:04 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

c:\program files\Messenger\msmsgs.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost]

c:\documents and settings\Compaq_Administrator\Application Data\Microsoft\svchost.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/22/2010 8:28 PM 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/3/2009 11:34 AM 216400]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/3/2009 11:34 AM 243024]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 9:03 AM 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 9:04 AM 308136]

R3 mvb35316;mvb35316;c:\windows\system32\drivers\mvb35316.sys [8/10/2004 6:00 AM 12800]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-09-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 01:28]

2010-09-23 c:\windows\Tasks\At49.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At50.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At51.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At52.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At53.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At54.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At55.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At56.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At57.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At58.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At59.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At60.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At61.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At62.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At63.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At64.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At65.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At66.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-24 c:\windows\Tasks\At67.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At68.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At69.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At70.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At71.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-23 c:\windows\Tasks\At72.job

- c:\windows\system32\NUBMfm15E.com [2010-09-23 20:17]

2010-09-22 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]

.

.

------- Supplementary Scan -------

.

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop

uInternet Settings,ProxyServer = http=127.0.0.1:50370

Trusted Zone: trymedia.com

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-24 18:56

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]

"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HDAudBus]

"ImagePath"="system32\DRIVERS\HDAudBus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]

"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]

"ServiceDll"=" %SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidUsb]

"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpqcxs08]

"ServiceDll"="c:\program files\HP\Digital Imaging\bin\hpqcxs08.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpqddsvc]

"ServiceDll"="c:\program files\HP\Digital Imaging\bin\hpqddsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZid412]

"ImagePath"="system32\DRIVERS\HPZid412.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZipr12]

"ImagePath"="system32\DRIVERS\HPZipr12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZius12]

"ImagePath"="system32\DRIVERS\HPZius12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSXHWBS2]

"ImagePath"="system32\DRIVERS\HSXHWBS2.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSX_DP]

"ImagePath"="system32\DRIVERS\HSX_DP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]

"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]

"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]

"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverT]

"ImagePath"="\"c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]

"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]

"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntcAzAudAddService]

"ImagePath"="system32\drivers\RtkHDAud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]

"ImagePath"="system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\intelppm]

"ImagePath"="system32\DRIVERS\intelppm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]

"ImagePath"="system32\DRIVERS\Ip6Fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]

"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]

"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]

"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]

"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]

"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]

"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]

"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbdhid]

"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]

"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver]

"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]

"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Lavasoft Ad-Aware Service]

"ImagePath"="\"c:\program files\Lavasoft\Ad-Aware\AAWService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Lbd]

"ImagePath"="system32\DRIVERS\Lbd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LightScribeService]

"ImagePath"="\"c:\program files\Common Files\LightScribe\LSSrvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]

"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McrdSvc]

"ImagePath"="c:\windows\ehome\mcrdsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mdmxsdk]

"ImagePath"="system32\DRIVERS\mdmxsdk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]

"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MHN]

"ServiceDll"="%SystemRoot%\System32\mhn.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MHNDRV]

"ImagePath"="system32\DRIVERS\mhndrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]

"ImagePath"="c:\windows\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]

"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid]

"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MpFilter]

"ImagePath"="system32\DRIVERS\MpFilter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]

"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]

"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]

"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]

"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MsMpSvc]

"ImagePath"="\"c:\program files\Microsoft Security Essentials\MsMpEng.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]

"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]

"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]

"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mvb35316]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]

"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]

"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]

"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Net Driver HPZ12]

"ServiceDll"="c:\windows\system32\HPZinw12.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]

"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]

"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]

"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]

"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]

"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIC1394]

"ImagePath"="system32\DRIVERS\nic1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]

"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]

"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nv]

"ImagePath"="system32\DRIVERS\nv4_mini.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NVENETFD]

"ImagePath"="system32\DRIVERS\NVENETFD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nvnetbus]

"ImagePath"="system32\DRIVERS\nvnetbus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NVSvc]

"ImagePath"="%SystemRoot%\system32\nvsvc32.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]

"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]

"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ohci1394]

"ImagePath"="system32\DRIVERS\ohci1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\P3]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]

"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]

"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]

"ImagePath"="system32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]

"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pml Driver HPZ12]

"ServiceDll"="c:\windows\system32\HPZipm12.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]

"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Processor]

"ImagePath"="system32\DRIVERS\processr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]

"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]

"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20]

"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]

"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]

"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]

"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]

"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]

"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]

"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]

"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]

"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]

"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]

"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]

"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]

"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]

"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]

"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]

"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]

"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rtl8139]

"ImagePath"="system32\DRIVERS\RTL8139.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]

"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]

"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]

"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]

"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]

"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]

"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]

"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]

"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]

"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]

"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]

"ServiceDll"="%SystemRoot%\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]

"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]

"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]

"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]

"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]

"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]

"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{8DA84759-6C62-4695-9DB6-4789D64FAF43}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]

"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]

"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]

"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]

"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]

"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]

"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]

"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]

"ImagePath"="c:\windows\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]

"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]

"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]

"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]

"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usb]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp]

"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]

"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]

"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbohci]

"ImagePath"="system32\DRIVERS\usbohci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint]

"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan]

"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbstor]

"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci]

"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]

"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]

"ImagePath"="system32\DRIVERS\viaide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]

"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]

"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]

"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]

"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]

"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winachsx]

"ImagePath"="system32\DRIVERS\HSX_CNXT.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]

"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]

"ServiceDll"="c:\windows\system32\mspmsnsv.dll"

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]

"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]

"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc]

"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]

"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]

"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc]

"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]

"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]

"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{892900FC-9814-4488-99C0-81491C1EE93D}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{AA7A78B9-BFEE-4F42-B323-FFED67AA600C}]

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1512)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\RTHDCPL.EXE

c:\windows\arservice.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\system32\nvsvc32.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\dllhost.exe

c:\windows\eHome\ehmsas.exe

.

**************************************************************************

.

Completion time: 2010-09-24 19:02:25 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-25 00:02

ComboFix2.txt 2010-09-24 22:09

ComboFix3.txt 2010-09-24 21:32

Pre-Run: 95,140,368,384 bytes free

Post-Run: 95,132,585,984 bytes free

- - End Of File - - 6FD261BE0CAA25DB5B667F818627814E

Please help me. I am not sure what to try next. Thanks in advance!

DDS.zip

I used the xp pro disk you mentioned and reformatted the hard drive. The internet would not work, but I found out that the problem was that the virus erased my ethernet drivers. I found them on the HP site and got the internet up. Once I got the internet up, I downloaded malwarebytes and it found something like 27 problems. I also downloaded avira antivirus and ran it. It found 79 viruses. After removing the viruses, I downloaded all windows updates. After restarting my computer, malwarebytes and Avira found viruses again. I continued to run full scans and now I may be clean. I am not totally sure as I have been fighting this thing for three days. Can you help me to ensure that my computer is clean?

While I thought my pc was clean, I soon found out that it is still infected. Luckily, Avira and Avast are catching the virus as it periodically attempts to run.

I ran combofix again and made sure to turn off the antivirus programs first. Here is my log:

ComboFix 10-09-25.07 - ll 09/26/2010 12:25:00.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1442 [GMT -5:00]

Running from: D:\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Internet Explorer\complete.dat

c:\program files\Internet Explorer\dmlconf.dat

c:\windows\system32\Cache

.

((((((((((((((((((((((((( Files Created from 2010-08-26 to 2010-09-26 )))))))))))))))))))))))))))))))

.

2010-09-26 04:33 . 2010-09-26 04:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-09-26 03:43 . 2010-09-26 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-09-26 03:40 . 2010-09-26 03:40 -------- d-----w- c:\program files\CCleaner

2010-09-26 03:37 . 2010-09-26 03:37 -------- d-----w- c:\windows\LastGood

2010-09-26 00:29 . 2010-09-26 00:29 -------- d-----w- c:\windows\system32\scripting

2010-09-26 00:29 . 2010-09-26 00:29 -------- d-----w- c:\windows\l2schemas

2010-09-26 00:29 . 2010-09-26 00:29 -------- d-----w- c:\windows\system32\bits

2010-09-25 23:29 . 2010-09-25 23:29 -------- d-sh--w- c:\documents and settings\ll\IECompatCache

2010-09-25 23:29 . 2010-09-25 23:29 -------- d-sh--w- c:\documents and settings\ll\PrivacIE

2010-09-25 23:29 . 2010-09-25 23:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-09-25 23:26 . 2010-09-25 23:26 -------- d-sh--w- c:\documents and settings\ll\IETldCache

2010-09-25 22:41 . 2010-09-26 03:38 -------- d-----w- c:\windows\system32\NtmsData

2010-09-25 22:40 . 2010-09-25 22:40 -------- d-----w- c:\documents and settings\ll\Application Data\Avira

2010-09-25 22:37 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-09-25 22:37 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-09-25 22:37 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-09-25 22:37 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-09-25 22:37 . 2010-09-25 22:37 -------- d-----w- c:\program files\Avira

2010-09-25 22:37 . 2010-09-25 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-09-25 22:34 . 2010-09-25 22:34 -------- d-----w- c:\windows\ie8updates

2010-09-25 22:33 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-09-25 22:33 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-09-25 22:33 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-09-25 22:33 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-09-25 22:33 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-09-25 22:33 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-09-25 22:33 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-09-25 22:33 . 2010-09-25 22:33 -------- dc-h--w- c:\windows\ie8

2010-09-25 22:23 . 2010-09-25 22:23 -------- d-----w- c:\program files\MSXML 6.0

2010-09-25 22:18 . 2009-01-07 23:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe

2010-09-25 22:18 . 2010-09-25 22:18 -------- d-----w- c:\program files\MSXML 4.0

2010-09-25 22:17 . 2010-09-25 22:36 -------- d--h--w- c:\windows\$hf_mig$

2010-09-25 22:15 . 2008-04-14 00:12 7680 ----a-w- c:\windows\system32\spdwnwxp.exe

2010-09-25 22:03 . 2009-09-11 14:18 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll

2010-09-25 22:02 . 2010-05-02 05:22 1851264 -c----w- c:\windows\system32\dllcache\win32k.sys

2010-09-25 22:01 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-09-25 22:01 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys

2010-09-25 22:01 . 2010-03-05 18:45 456704 -c----w- c:\windows\system32\dllcache\smtpsvc.dll

2010-09-25 22:01 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys

2010-09-25 22:01 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-09-25 21:59 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2010-09-25 21:57 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2010-09-25 21:57 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-09-25 21:57 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2010-09-25 21:45 . 2009-12-24 06:59 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll

2010-09-25 21:45 . 2010-01-13 14:01 86016 -c----w- c:\windows\system32\dllcache\cabview.dll

2010-09-25 21:44 . 2010-09-25 21:45 -------- d-----w- c:\program files\sys5

2010-09-25 21:44 . 2010-09-25 21:45 -------- d-----w- c:\program files\sys4

2010-09-25 21:43 . 2010-09-25 21:43 -------- d-sh--w- c:\documents and settings\ll\UserData

2010-09-25 21:42 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-09-25 21:41 . 2006-03-03 20:30 101888 ----a-w- c:\windows\system32\drivers\nvtcp.sys

2010-09-25 21:41 . 2006-02-22 21:59 176128 ----a-w- c:\windows\system32\nvunrm.exe

2010-09-25 21:37 . 2010-09-25 21:37 -------- d-----w- C:\softpaq

2010-09-25 21:37 . 2010-09-25 21:37 -------- d-----w- c:\program files\CONEXANT

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-26 04:29 . 2010-09-26 04:28 -------- d-----w- c:\program files\Google

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-08-10 2349776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/25/2010 11:28 PM 165584]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/25/2010 5:37 PM 135336]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/25/2010 11:28 PM 17744]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/25/2010 11:28 PM 136176]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AAVMKER4

*NewlyCreated* - ASWFSBLK

*NewlyCreated* - ASWMON2

*NewlyCreated* - ASWRDR

*NewlyCreated* - ASWSP

*NewlyCreated* - ASWTDI

*NewlyCreated* - AVAST!_ANTIVIRUS

*NewlyCreated* - AVAST!_MAIL_SCANNER

*NewlyCreated* - AVAST!_WEB_SCANNER

*NewlyCreated* - GUPDATE

.

Contents of the 'Scheduled Tasks' folder

2010-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-26 04:28]

2010-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-26 04:28]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:50370

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-26 12:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-09-26 12:29:21

ComboFix-quarantined-files.txt 2010-09-26 17:29

Pre-Run: 103,029,407,744 bytes free

Post-Run: 103,158,853,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 37C450A46B28BAA94AD6B9E5397828D9

I suggest you do this:

Download HijackThis .

  • Save HijackThis.exe to your desktop.
  • Doubleclick on the HijackThis.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

I will try this. Since my last post, my internet quit working again. When I try to use the thumb drive to load programs, I get a message saying autorun is not working from Avira. When I try and access the drive from windows explorer, no files show up. I have run full scans from avira, avast and malwarebytes. None of them are catching anything anymore. What do you recommend? Am I going to have to reinstall windows again?

Looks like you're running 2 anti-virus programs.

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

Please do not delete anything unless instructed to.

1. Click Start > Settings > Control Panel.

2. Next, open Add/Remove Programs and remove either:

avira

avast

Reboot

Your log shows a proxy server. We need to remove that.

Check some settings on your system:

  1. Enter your Control Panel and double-click on Network Connections
  2. Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL, or AOL Connection.
  3. Left click on Properties
  4. Double-Click on the Internet Protocol (TCP/IP) item
  5. Select the radio dial that says Obtain DNS Servers Automatically
  6. Press OK twice to get out of the properties screen

Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

IPCONFIG /release

IPCONFIG /renew

Type Exit

Restart the computer.
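The proxy the helper is referring to is the line `uInternet Settings,ProxyServer = http=127.0.0.1:50370` in the ComboFix log posted above. A browser proxy pointing at the machine itself is a common rogue-antivirus trick: the malware listens on a local port and every HTTP request is steered through it, and once the malware process is gone the browser keeps sending traffic to a port nobody answers, which matches the later "cannot connect to the internet using HTTP, HTTPS, or FTP" symptom. The DNS and `ipconfig` steps above do not touch that setting; it lives under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (`ProxyServer` / `ProxyEnable`) and is cleared from Internet Options > Connections > LAN settings. As an added example, not from the thread, ComboFix or Gmer, the Python script below triages a constructed excerpt in the same format and flags loopback proxies; the `u`/`m` prefix mapping to HKCU/HKLM is ComboFix's convention, and `SAMPLE_LOG` is constructed.

```python
"""Triage a ComboFix-style log for a browser proxy that points back at the
local machine.

Added example: not part of the thread, ComboFix or Gmer. SAMPLE_LOG is a
constructed excerpt in the shape of the "Supplementary Scan" section above.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample, same shape as ComboFix's "Supplementary Scan" output.
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uInternet Settings,ProxyOverride = <local>
.
"""

# ComboFix prefixes per-user (HKCU) entries with 'u' and per-machine (HKLM)
# entries with 'm'; the setting itself is the ProxyServer value under
# Software\Microsoft\Windows\CurrentVersion\Internet Settings.
PROXY_LINE = re.compile(
    r"^(?P<scope>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>\S.*?)\s*$"
)
SCOPE_NAMES = {"u": "HKEY_CURRENT_USER", "m": "HKEY_LOCAL_MACHINE"}


def parse_proxy_value(value: str) -> Dict[str, str]:
    """Split a WinINet ProxyServer value into {scheme: host:port}.

    The value is either a single 'host:port' used for every protocol
    (returned under the key '*') or a ';'-separated list such as
    'http=1.2.3.4:80;https=1.2.3.4:443'.
    """
    entries: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if sep:
            entries[scheme.strip().lower()] = hostport.strip()
        else:
            entries["*"] = part
    return entries


def is_loopback_proxy(hostport: str) -> bool:
    """True when the proxy host is the machine itself (127/8, [::1], localhost)."""
    host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
    host = host.strip("[]")  # bracketed IPv6 literal such as [::1]:8080
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not an IP literal
        return False


def find_proxy_hijack(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per proxy entry in the log, flagging loopback targets."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue
        for scheme, hostport in parse_proxy_value(m.group("value")).items():
            findings.append({
                "scope": SCOPE_NAMES[m.group("scope")],
                "scheme": scheme,
                "hostport": hostport,
                "loopback": is_loopback_proxy(hostport),
            })
    return findings


def explain(findings: List[Dict[str, object]]) -> List[str]:
    """Human-readable triage lines. A loopback proxy on a machine with no
    local proxy software means the browser is being steered through (or,
    after cleanup, into) a port on this machine."""
    out = []
    for f in findings:
        verdict = "SUSPICIOUS: loopback proxy" if f["loopback"] else "review: external proxy"
        out.append(f"{f['scope']} {f['scheme']} -> {f['hostport']}  [{verdict}]")
    return out


if __name__ == "__main__":
    for line in explain(find_proxy_hijack(SAMPLE_LOG)):
        print(line)
```

Run it against a saved ComboFix.txt by reading the file into `find_proxy_hijack`; an external proxy is only a "review" item because corporate networks set one legitimately, while a loopback proxy on a home PC with no local proxy software is the pattern worth clearing before testing the connection again.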

I followed your directions, but my computer will still not get on the internet. I ran network diagnostics for windows xp. It says "Windows cannot connect to the internet using HTTP, HTTPS, or FTP. This is probably caused by firewall settings on this computer. Check the firewall settings for the HTTP port (80), HTTPS port (443) and FTP port (21). You might need to contact your internet service provider (ISP) or manufacturer of your firewall software."

What should I do next? Thanks so much for your help!

The warning I am getting from Avira with the thumbdrive is "Guard: Autorun blocked. Type: Autorun blocked. Access to the file 'D:\autorun.inf' was blocked for your security. Additional information on this is available in help."

Don't know if this information will help. I am just trying to figure out a way to get Hijackthis.exe on my computer.

Did you do this?

Your log shows a proxy server. We need to remove that.

Check some settings on your system:

  1. Enter your Control Panel and double-click on Network Connections
  2. Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL, or AOL Connection.
  3. Left click on Properties
  4. Double-Click on the Internet Protocol (TCP/IP) item
  5. Select the radio dial that says Obtain DNS Servers Automatically
  6. Press OK twice to get out of the properties screen

Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

IPCONFIG /release

IPCONFIG /renew

Type Exit

Restart the computer.

I did do that. Still couldn't get on the internet after I restarted.

Quoting LDTate (Sep 27 2010, 06:31 AM, post 319177):

Did you do this?

Your log shows a proxy server. We need to remove that.

Check some settings on your system:

  1. Enter your Control Panel and double-click on Network Connections
  2. Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL, or AOL Connection.
  3. Left click on Properties
  4. Double-Click on the Internet Protocol (TCP/IP) item
  5. Select the radio dial that says Obtain DNS Servers Automatically
  6. Press OK twice to get out of the properties screen

Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

IPCONFIG /release

IPCONFIG /renew

Type Exit

Restart the computer.

I am having trouble logging on to bleepingcomputer. I am on my phone now. I got the hijackthis file, but can't post it because of not being able to log in. Not sure what the problem is. I was logging on fine until today. Tried like 15 times and no luck. Sm still on vis phone, though. Is there any way I can give you specific info about the log this way?

Let's see if we can get the PC back on the internet. This file will fit on a floppy or thumb drive.

Get a copy of winsockxpfix.exe and copy it to the infected computer.

You just run it and things should work OK after it reboots your system.

http://www.snapfiles.com/get/winsockxpfix.html

I've attached my hijackthis file. I had to reload windows again and was able to get it. I'm sure the virus will be back. I reloaded avast and malwarebytes and did the updates. Scans are currently running and so far nothing has been found, but I don't think it's gone. I am able to get on the internet now, but it will probably only be temporary.

I am having trouble logging on to bleepingcomputer. I am on my phone now. I got the hijackthis file, but can't post it because of not being able to log in. Not sure what the problem is. I was logging on fine until today. Tried like 15 times and no luck. Sm still on vis phone, though. Is there any way I can give you specific info about the log this way?

hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:17:17 AM, on 9/27/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\rundll32.exe

F:\sp26805.exe

c:\softpaq\sp26805\Install.exe

C:\WINDOWS\system32\mmc.exe

\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

--

End of file - 1052 bytes

Can't say I've ever seen a HJT log that only showed O9's

Did you try the winsockxpfix.exe?

I did not try winsockxpfix.exe. This virus was nasty. I found out that the virus has infected my jump drive and I was reinfecting every time I brought programs and ethernet drivers over to the xp computer. To fix it, I reinstalled xp pro, disconnected my pc from the internet. I downloaded avast, malwarebytes and the drivers directly from the websites they came from. I burned them to a dvd. I used the dvd instead of the jump drive. I then installed the programs and drivers and ran the antivirus and malwarebytes before updating via the internet. It found nothing. Then I connected the internet and immediately downloaded updates to avast and malwarebytes. I ran both programs again and nothing was found. I believe it is fixed.

Now I am concerned about the laptop I was using to move programs over with the jump drive. It has a windows 7 64 bit operating system and mcafee antivirus. I ran mcafee scans periodically on the jump drive when I was working on the xp machine. My mcafee had current virus definitions and it never found anything on the jump drive or my laptop. The same goes with malwarebytes. Nothing was found. Do you think the laptop is clean? Is there a way to tell? If not, I am considering reinstalling windows 7 on it. Also, I have a legitimate copy of Microsoft Office Ultimate, but no discs. If I reinstall windows 7, do you know where I can download a legit copy of Office Ultimate and use my key? Thanks for all of your help!

That's why it's never a good idea to have autorun active.

Download this file

http://download.bleepingcomputer.com/sUBs/...Disinfector.exe

For all of your USB or external drives:

Open the drive.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Look for the file autorun.inf and delete it if found.

Also look for a Folder that's named resycled, make sure of the spelling and delete the folder if found. DO NOT delete the Recycler folder.

Now run the Flash_Disinfector.exe.

Be sure to insert any flash drives or USB devices that you use.

Do this for every USB / external drive.

I have a legitimate copy of Microsoft Office Ultimate, but no discs. If I reinstall windows 7, do you know where I can download a legit copy of Office Ultimate and use my key? Thanks for all of your help!

Your best bet would be talking to MS.

This is a free service and toll-free call.

1-866-PCSAFETY

or

1-866-727-2338

It is available 24 hours a day for the U.S. and Canada.

For support outside the United States and Canada, please contact your Microsoft Help and Support worldwide. Go to this page and choose your region from the box in the upper right corner: http://support.microsoft.com/?pr=SecurityHome
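The reinfection path in this thread (a jump drive carrying an autorun.inf that Avira blocked, with the payload tucked into a folder named to look like the Recycler folder) can be checked by hand before any cleanup tool is run, and checking it from a machine with AutoRun turned off is exactly the point the helper makes above. As an added example that is not part of the thread or of Flash_Disinfector, the Python below parses an autorun.inf and reports what Windows AutoRun would launch from it. The sample file is constructed to mirror the pattern (the `resycled` folder name comes from the post above; `setup.exe` and the other values are placeholders), and the `action=` check reflects the known trick of copying Explorer's own "Open folder to view files" prompt so the malicious AutoPlay choice looks like the normal one.

```python
"""Inspect an autorun.inf from a removable drive and report what Windows
AutoRun would launch from it.

Added example: not part of the thread or of Flash_Disinfector. The sample
below is constructed to mirror the pattern the thread describes (a launch
target hidden in a folder named 'resycled'); no real malware is reproduced.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the keys AutoRun honours on Windows XP, padded with a
# junk line of the kind malicious files use to confuse naive scanners.
SAMPLE_AUTORUN_INF = """\
junk text before any section header, ignored by AutoRun and by this parser
[AutoRun]
open=resycled\\setup.exe
shellexecute=resycled\\setup.exe
shell\\open\\command=resycled\\setup.exe
shell\\open=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
label=Removable Disk
"""

# Constructed benign sample: a vendor CD that only sets an icon and a label.
BENIGN_AUTORUN_INF = """\
[autorun]
icon=setup.exe,0
label=Vendor Driver CD
"""

# Keys whose value AutoRun hands to the shell on insert or double-click.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
# Folder names that mimic (or are) Windows system folders; launching a
# binary from one is the trick the thread's 'resycled' folder relies on.
SYSTEM_LOOKALIKE_DIRS = {"resycled", "recycler", "recycled", "system volume information"}
EXPLORER_PROMPT = "open folder to view files"


@dataclass
class AutorunReport:
    keys: Dict[str, str] = field(default_factory=dict)
    launch_targets: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

    @property
    def should_quarantine(self) -> bool:
        return bool(self.launch_targets)


def parse_autorun_section(text: str) -> Dict[str, str]:
    """Collect key=value pairs from the [autorun] section, case-insensitively.

    Tolerates junk lines, ';' comments and text outside the section. The
    last duplicate key wins, mirroring INI semantics.
    """
    keys: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        keys[key.strip().lower()] = value.strip()
    return keys


def inspect_autorun_inf(text: str) -> AutorunReport:
    """Parse the file and explain, in defender terms, what it would do."""
    report = AutorunReport(keys=parse_autorun_section(text))
    for key, value in report.keys.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            if value not in report.launch_targets:
                report.launch_targets.append(value)
    for target in report.launch_targets:
        report.findings.append(f"AutoRun would execute: {target}")
        first_dir = re.split(r"[\\/]", target)[0].lower()
        if first_dir in SYSTEM_LOOKALIKE_DIRS:
            report.findings.append(
                f"launch target is inside a system-lookalike folder: {first_dir}"
            )
    if EXPLORER_PROMPT in report.keys.get("action", "").lower():
        report.findings.append(
            "action= text mimics Explorer's own AutoPlay entry, so the malicious "
            "choice looks like the normal 'open folder' option"
        )
    return report


if __name__ == "__main__":
    for inf in (SAMPLE_AUTORUN_INF, BENIGN_AUTORUN_INF):
        r = inspect_autorun_inf(inf)
        print("quarantine" if r.should_quarantine else "benign", r.findings)
```

Read the drive's autorun.inf with the hidden and system attributes shown (the Folder Options steps above) and pass its text to `inspect_autorun_inf`; an icon or label alone is what a legitimate vendor disc sets, while any `open`, `shellexecute` or `shell\...\command` target is a reason to quarantine the file and the folder it points into rather than open the drive.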

I'm in windows 7 on this computer. I found the device manager, but the format is different than above. Can you walk me through this in windows 7? Thanks!

I searched for the files using the search engine. I did find an .inf file called autorun. I'm thinking this is the one you want me to delete. I did not find a folder named resycled.

This topic is now closed to further replies.