Difficulty Removing Malware


Here are the symptoms, or anything that I've noticed behaving strangely since I first noticed I had the infection:

(Internet-related errors have occurred in both Firefox and Chrome.)

Search Redirects

Longer page load times

Occasionally improperly loaded web pages

I'm pretty sure I'm having strangely high Packet In/Out

Broken Plugins are very common (Always Flash or Unknown)

The start menu sometimes locks on the screen in the foreground covering part of the screen

Antimalware software damaged on use (i.e. mbam.exe installs, then about 8 seconds into the scan it just goes away and I can no longer run mbam.exe; the same thing occurs with HijackThis and the Windows Malware Removal Tool)

(Another weird thing is strange behavior with MS Word: after saving, WINWORD.EXE has an error and I have to open a new window to continue.)

What I expected would be affected, but wasn't:

Once a video starts streaming, it doesn't go slowly; it continues at a normal rate

Once connected to a server for a multiplayer game, I experience normal interaction with the game online

I use Windows XP Professional (5.1, SP3, Build 2600)

If anyone could take the time to help me through this it would be greatly appreciated.

Thanks for helping me out.

I downloaded the GMER rootkit scanner, but it stops working whenever I click the Scan button, even in Safe Mode.

Here is the DDS:

DDS (Ver_10-12-12.02) - NTFSx86

Run by Kevin.Jonathan at 11:04:36.48 on Thu 12/23/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2642 [GMT -5:00]

============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe

C:\Program Files\Cyberlink\Shared files\brs.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Documents and Settings\Kevin.Jonathan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Kevin.Jonathan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Kevin.Jonathan\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Media Access Startup: {25b8d58c-b0cb-46b0-ba64-05b3804e4e86} - c:\program files\media access startup\1.3.0.790\HPIEAddOn.dll

BHO: NP Helper Class: {35b8d58c-b0cb-46b0-ba64-05b3804e4e86} - c:\program files\internet saving optimizer\3.4.0.4340\NPIEAddOn.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: System Search Dispatcher: {cdbfb47b-58a8-4111-bf95-06178dce326d} - c:\program files\system search dispatcher\1.2.0.750\ssd.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\kevin.jonathan\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [<NO NAME>] c:\documents and settings\kevin.jonathan\my documents\downloads\US accs - EU US - 80's.exe

uRun: [steam] "c:\program files\steam\Steam.exe" -silent

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [Lexmark 2200 Series] "c:\program files\lexmark 2200 series\lxbvbmgr.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [RemoteControl10] "c:\program files\cyberlink\powerdvd10\PDVD10Serv.exe"

mRun: [bDRegion] c:\program files\cyberlink\shared files\brs.exe

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallati...t;ver=10.0.1170

dRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {B8A48F42-30E1-48f8-AE87-7BD7C75DB8AA} - hxxp://www.srtest.com/srl_bin/sysreqlab_test.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin~1.jon\applic~1\mozilla\firefox\profiles\bzajtrc3.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\kevin.jonathan\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/03/20 21:28:15];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-3-13 87536]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-16 24652]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-9-11 36864]

R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2009-7-29 17792]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-1 135664]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 rootrepeal;rootrepeal;c:\windows\system32\drivers\rootrepeal.sys [2010-12-19 34816]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-4-6 23064]

=============== Created Last 30 ================

2010-12-19 19:50:24 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys

2010-12-17 22:21:52 -------- d--h--w- c:\windows\PIF

2010-12-15 20:33:31 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-15 20:32:49 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2010-12-07 03:59:37 -------- d-----w- c:\docume~1\kevin~1.jon\applic~1\Malwarebytes

2010-12-07 03:59:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-12-07 03:59:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-01 01:57:32 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files

2010-12-01 01:56:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10

2010-12-01 00:48:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

2010-11-29 12:18:32 -------- d-----w- c:\program files\iPod

==================== Find3M ====================

2010-11-22 22:54:50 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin

2010-11-22 22:54:50 1 ----a-w- c:\windows\system32\nvdrssel.bin

2010-11-22 22:49:16 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

2010-10-31 23:10:57 1244446540 ---ha-w- c:\program files\VSX3_Pro_TBYB.exe.part

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-09-28 20:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST3250410AS rev.3.AAF -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xB826D119]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; CMP EAX, [0xb8270858]; JNZ 0x1f; MOV EBX, [EBP+0xc]; CALL 0xfffffffffffffd3b; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B2CBAB8]

3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B06E470]

\Driver\Disk[0x8B0F7C20] -> IRP_MJ_CREATE -> 0xB826D119

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

user & kernel MBR OK

============= FINISH: 11:05:10.28 ===============

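The DDS log above already contains the indicators an analyst would circle first: a process whose image path is an object-manager path under \\.\globalroot rather than a file on disk, a bare process name DDS could not resolve, an unnamed HKCU Run value pointing at an .exe in Downloads, and a GMER disk-stack trace whose IRP_MJ_CREATE dispatch lands in code marked UNKNOWN. The script below is an added example, not a tool from this thread or from the DDS author: it runs those checks over a handful of lines copied from the log. The heuristics and the two-level confidence scale are the example's own assumptions; a hit is a lead to verify, not a verdict.

```python
r"""Triage of a DDS log: pull out the indicators an analyst would circle by hand.
Constructed example, not a tool from this thread or from the DDS author. The
heuristics and the two-level confidence scale are this example's assumptions;
a hit is a lead to verify, not a verdict."""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
============== Running Processes ===============
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>] c:\documents and settings\kevin.jonathan\my documents\downloads\US accs - EU US - 80's.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallati...t;ver=10.0.1170
=================== ROOTKIT ====================
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xB826D119]<<
\Driver\Disk[0x8B0F7C20] -> IRP_MJ_CREATE -> 0xB826D119
user & kernel MBR OK
"""


@dataclass
class Finding:
    section: str
    line: str
    reason: str
    confidence: str  # "high" or "low" (assumed two-level scale)


SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# DDS notation: uRun = HKCU, mRun = HKLM, dRun = HKU\.DEFAULT
AUTORUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-F]+)\]<<", re.I)
IRP_RE = re.compile(r"^(\\Driver\\\S+)\[0x[0-9A-F]+\] -> (IRP_MJ_\w+) -> 0x([0-9A-F]+)$", re.I)


def check_process(section, line):
    """Running Processes: where was each image actually loaded from?"""
    low = line.strip('"').lower()
    if "\\globalroot\\" in low or low.startswith("\\\\.\\"):
        return [Finding(section, line, "image path is an object-manager path under "
                        "\\\\.\\globalroot, not a file on disk (the pattern associated "
                        "with TDSS/TDL3 hidden processes)", "high")]
    if "\\" not in low:
        return [Finding(section, line, "no image path: DDS could not resolve where "
                        "this process was loaded from", "low")]
    return []


def check_autorun(section, line):
    """Pseudo HJT Report: Run/RunOnce values that start things at logon."""
    m = AUTORUN_RE.match(line)
    if not m:
        return []
    name, low = m.group("name").strip(), m.group("cmd").lower()
    out = []
    if name in ("", "<NO NAME>"):
        out.append(Finding(section, line, "autorun value has no name", "high"))
    if re.search(r"\\(downloads|temp|temporary internet files)\\", low):
        out.append(Finding(section, line, "autorun target lives in a download or "
                           "temp directory", "high"))
    if re.search(r"\bcmd(?:\.exe)?\b.*\bstart\b\s+https?://", low):
        out.append(Finding(section, line, "logon entry opens a URL via cmd /c start "
                           "(vendor uninstall surveys do this too; verify the domain)", "low"))
    return out


def check_rootkit(section, line, unknown):
    """ROOTKIT: GMER's disk-stack trace. An UNKNOWN frame is code no loaded module
    owns; an IRP dispatch pointing at that address means the disk driver is hooked."""
    out = []
    for addr in UNKNOWN_RE.findall(line):
        unknown.add(int(addr, 16))
        out.append(Finding(section, line, f"disk I/O call chain reaches code at 0x{addr} "
                           "that belongs to no loaded module", "high"))
    m = IRP_RE.match(line)
    if m and int(m.group(3), 16) in unknown:
        out.append(Finding(section, line, f"{m.group(1)} {m.group(2)} dispatch points at "
                           "that unknown code: disk driver hooked", "high"))
    return out


def triage(text):
    findings, section, unknown = [], None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Running Processes":
            findings += check_process(section, line)
        elif section == "Pseudo HJT Report":
            findings += check_autorun(section, line)
        elif section == "ROOTKIT":
            findings += check_rootkit(section, line, unknown)
    return findings


def high_confidence(findings):
    return [f for f in findings if f.confidence == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.confidence:4}] {f.section}: {f.reason}\n        {f.line}")
```

Run it on the full log by reading the file into `triage()`; the "low" findings (a bare `svchost.exe`, the AVG uninstall URL) are there to be looked at, not acted on, which is why the example keeps them separate from the high-confidence hits.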

Phonetic:

Please download Rootkit Unhooker and save it on your desktop.

  • Disable your security programs
  • Double click RKUnhookerLE.exe to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note: you may get the following warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

Please include the following in your next post:

  • RootkitUnhooker log

When I scanned under your instructions, the stealth code scan was fine, but then the file scan couldn't get a list of files and directories, and cancelling that to move on to code hooks resulted in the RkU executable closing and breaking like the other programs. So the only report I could manage to get was the stealth code report:

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #4

==============================================

>Stealth

==============================================

WARNING: File locked for read access [C:\WINDOWS\system32\drivers\vbmaa924.sys]

WARNING: Virus alike driver modification [rdpdr.sys]

0xB824C53A Unknown page with executable code, 2758 bytes

0xB824928E Unknown page with executable code, 3442 bytes

0xB8353D68 Unknown thread object [ ETHREAD 0x8ACD32C8 ] TID: 140, 600 bytes

0xB8353D68 Unknown thread object [ ETHREAD 0x8AD241F8 ] TID: 144, 600 bytes

0xB8353D68 Unknown thread object [ ETHREAD 0x8B07D2A0 ] TID: 148, 600 bytes

0xB8353D68 Unknown thread object [ ETHREAD 0x8AC51DA8 ] TID: 152, 600 bytes

0xB824DCCA Unknown thread object [ ETHREAD 0x8B0B0DA8 ] TID: 172, 600 bytes

0xB824DCCA Unknown thread object [ ETHREAD 0x8B1B5DA8 ] TID: 176, 600 bytes

0xB824DCCA Unknown thread object [ ETHREAD 0x8B1D61D0 ] TID: 180, 600 bytes

0xB824DCCA Unknown thread object [ ETHREAD 0x8B068DA8 ] TID: 184, 600 bytes

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

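The stealth report above is short but carries everything the next step needs: a driver file RkU cannot open for reading (vbmaa924.sys), which is exactly the file the Recovery Console instructions further down disable and delete. As an added example (not part of this thread and not RkU's own code), here is a parser for that section that extracts the locked file, the patched driver, the orphan code pages and hidden threads, groups the threads by start address, and derives the Recovery Console `Disable`/`Delete` lines. It assumes the service name equals the driver's file basename; that held here, but it has to be confirmed under HKLM\SYSTEM\CurrentControlSet\Services before typing it.

```python
r"""Pull the actionable items out of a Rootkit Unhooker (RkU) stealth report.
Constructed example, not a tool from this thread or from RkU. Assumption: the
service to disable is named after the driver file's basename (vbmaa924.sys ->
vbmaa924); it held here, but confirm under HKLM\SYSTEM\CurrentControlSet\Services."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: lines copied from the RkU report posted above (trimmed).
SAMPLE_RKU = r"""
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\vbmaa924.sys]
WARNING: Virus alike driver modification [rdpdr.sys]
0xB824C53A Unknown page with executable code, 2758 bytes
0xB824928E Unknown page with executable code, 3442 bytes
0xB8353D68 Unknown thread object [ ETHREAD 0x8ACD32C8 ] TID: 140, 600 bytes
0xB8353D68 Unknown thread object [ ETHREAD 0x8AD241F8 ] TID: 144, 600 bytes
0xB824DCCA Unknown thread object [ ETHREAD 0x8B0B0DA8 ] TID: 172, 600 bytes
0xB824DCCA Unknown thread object [ ETHREAD 0x8B1B5DA8 ] TID: 176, 600 bytes
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
"""

LOCKED_RE = re.compile(r"^WARNING: File locked for read access \[(.+)\]$")
MODIFIED_RE = re.compile(r"^WARNING: Virus alike driver modification \[(.+)\]$")
PAGE_RE = re.compile(r"^0x([0-9A-F]+) Unknown page with executable code, (\d+) bytes$", re.I)
THREAD_RE = re.compile(r"^0x([0-9A-F]+) Unknown thread object \[ ETHREAD 0x([0-9A-F]+) \] TID: (\d+),", re.I)


@dataclass
class RkuReport:
    locked_files: list = field(default_factory=list)      # driver files RkU could not open
    modified_drivers: list = field(default_factory=list)  # drivers whose image was patched
    unknown_pages: list = field(default_factory=list)     # (start, size) of orphan code
    unknown_threads: list = field(default_factory=list)   # (start, ethread, tid)
    rootkit_flag: bool = False


def parse_rku(text):
    rep = RkuReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCKED_RE.match(line)
        if m:
            rep.locked_files.append(m.group(1))
            continue
        m = MODIFIED_RE.match(line)
        if m:
            rep.modified_drivers.append(m.group(1))
            continue
        m = PAGE_RE.match(line)
        if m:
            rep.unknown_pages.append((int(m.group(1), 16), int(m.group(2))))
            continue
        m = THREAD_RE.match(line)
        if m:
            rep.unknown_threads.append((int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))))
            continue
        if "POSSIBLE ROOTKIT ACTIVITY DETECTED" in line:
            rep.rootkit_flag = True
    return rep


def thread_clusters(rep):
    """Group hidden threads by start address: several threads sharing one start
    address are one piece of unknown code running a worker pool, not several."""
    clusters = defaultdict(list)
    for start, _ethread, tid in rep.unknown_threads:
        clusters[start].append(tid)
    return dict(clusters)


def code_region(rep):
    """Span of kernel addresses covered by the orphan pages and thread starts.
    Check it against the loaded-driver list to see whether any real module owns it."""
    starts = [s for s, _ in rep.unknown_pages] + [s for s, _, _ in rep.unknown_threads]
    ends = [s + n for s, n in rep.unknown_pages]
    return (min(starts), max(starts + ends)) if starts else None


def service_name(path):
    """Assumed: service name == driver file basename without .sys (true for vbmaa924 here)."""
    base = path.rsplit("\\", 1)[-1]
    return base[:-4] if base.lower().endswith(".sys") else base


def recovery_console_commands(rep):
    """The two Recovery Console lines the helper typed, derived for every locked driver."""
    cmds = []
    for path in rep.locked_files:
        cmds += [f"Disable {service_name(path)}", f"Delete {path}"]
    return cmds


if __name__ == "__main__":
    report = parse_rku(SAMPLE_RKU)
    print("hidden thread clusters:", {hex(a): t for a, t in thread_clusters(report).items()})
    lo, hi = code_region(report)
    print(f"unknown code region: {lo:#x}-{hi:#x}")
    print("\n".join(recovery_console_commands(report)))
```

The region returned by `code_region()` is only useful next to a driver list, which is the scan that crashed here; that is why the helper falls back to the one fact the report does give, the locked file name.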

Phonetic:

Do you have your Windows XP installation CD/DVD? Please do this next:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop

  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.

Please include the following in your next post:

  • Let me know if you have your Windows XP installation media
  • TDSSKiller log

Phonetic:

We need to use your OS CD to boot into the Recovery Console. Please review the instructions carefully and ask any questions you have before you start:

Print out these instructions to use while in the Recovery Console:

  1. Restart your computer with the disk in the CDROM drive.
  2. If you are prompted to press a key to start the computer from CDROM, do so quickly. Otherwise it may try to boot from the hard drive.
  3. After a few minutes, you'll see a prompt to press the R key to start the Recovery Console.
  4. When Recovery Console starts, it will prompt you to enter a number corresponding to the Windows XP installation that you need to repair. In most cases, you'll enter "1" (which will be the only choice). ( If you press ENTER without typing a number, Recovery Console will quit and restart your computer.)
  5. Enter your Administrator password. If you don't enter the correct password, you cannot continue. (If you did not set a password, just hit enter)
  6. At the C:\Windows prompt, type the following entries, one at a time, and press Enter after each line (refer to the copy under the commands for the location of the spaces, which are very important):
    Disable vbmaa924
    Delete C:\WINDOWS\system32\drivers\vbmaa924.sys
    exit
    Disable<space>vbmaa924
    Delete<space>C:\WINDOWS\system32\drivers\vbmaa924.sys
    exit
  7. Your computer should reboot back into the normal mode

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • Confirm that you were able to complete the work in the Recovery Console
  • ComboFix log

Data loss is always a possibility when dealing with malware, so I'd recommend backing up your data. That procedure isn't particularly risky though, I'm just removing a bad service and file that was placed by the malware. With this particular infection it works better when done outside of Windows from the Recovery Console.

I was able to do everything you instructed me to, and my PC already seems to be working faster. I haven't had issues yet.

I wasn't sure if you wanted the log pasted or attached so I'll do both:

ComboFix.txt

ComboFix 10-12-28.01 - Kevin.Jonathan 12/28/2010 22:05:35.1.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2963 [GMT -5:00]

Running from: c:\documents and settings\Kevin.Jonathan\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\.wtav

c:\documents and settings\Kevin.Jonathan\Local Settings\Application Data\DoubleD

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\_tm526.tmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\bg.jpg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\CurrentVersion.xml

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Data\ProductInfo.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\ExtractZipFile.zip

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\icon.ico

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\tdf.dat

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Cache\248d6576afce4ee94af42d7350131106.gif

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Cache\24a70fb875fab686b6b3c217612bc07c.gif

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Cache\2afcf6f3f2e19cc42d7f72f3b18b26ef.gif

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Cache\50bffa6936b3e661971a58e3c8bdf4cb.gif

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Cache\default1.dat

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Cache\loading.dat

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Cache\loading.gif

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Cursor.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_DailyVideo.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Game.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Glitter.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Logo.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Option.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Recipe.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Ringtone.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Screensaver.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Search.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Smiley.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Smiley_Config.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Smiley_TellAFriend.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Wallpaper.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\Module_Web.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\pixel.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\ProductInfo.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\profile.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\SearchEngineList.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\tbcore.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\ToolbarLayout.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\UpdateCentre.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\UpdateCentreBk.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\URLDynamic.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Data\URLStatic.mx

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\About.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Component_ComboBox.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Cursor.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Cursor.png

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_DailyVideo.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Game.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Glitter.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Glitter.png

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Logo.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Option.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Recipe.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Ringtone.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Screensaver.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Search.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Smiley.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Smiley.png

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Wallpaper.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\Module_Web.mg

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnDefault.png

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnDisplay.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnDisplay.png

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnDisplay18.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnDisplay20.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnGlitters.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnGlitters.png

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnGlitters18.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnGlitters20.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnOption.png

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnSmiley.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnSmiley.png

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnSmiley18.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnSmiley20.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnTellFd.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnTellFd.png

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnTellFd18.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnTellFd20.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnWink.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnWink.png

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnWink18.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Icons\TBBtnWink20.bmp

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Skins\myskin1.skf

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Skins\myskin2.skf

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Skins\myskin3.skf

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Skins\myskin4.skf

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Skins\TellafriendSkin.skf

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Skins\TellafriendSkin_s.skf

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\TDF\Skins\ToastSkin.skf

c:\documents and settings\Kevin.Jonathan\Local Settings\Temporary Internet Files\stb06759.tmp

c:\program files\Media Access Startup

c:\program files\Media Access Startup\1.3.0.790\Data\config.md

c:\program files\Media Access Startup\1.3.0.790\FF\chrome.manifest

c:\program files\Media Access Startup\1.3.0.790\FF\chrome\content\HPAddOn.js

c:\program files\Media Access Startup\1.3.0.790\FF\chrome\content\HPAddOn.xul

c:\program files\Media Access Startup\1.3.0.790\FF\chrome\HPAddOn.jar

c:\program files\Media Access Startup\1.3.0.790\FF\components\HPFFAddOn.dll

c:\program files\Media Access Startup\1.3.0.790\FF\components\HPFFAddOn.xpt

c:\program files\Media Access Startup\1.3.0.790\FF\components\HPFFHelperComponent.js

c:\program files\Media Access Startup\1.3.0.790\FF\install.rdf

c:\program files\Media Access Startup\1.3.0.790\HPCommon.dll

c:\program files\Media Access Startup\1.3.0.790\MAHelper.exe

c:\program files\Media Access Startup\1.3.0.790\unins000.dat

c:\program files\Media Access Startup\1.3.0.790\unins000.exe

c:\windows\assembly\GAC\__AssemblyInfo__.ini

c:\windows\system32\drivers\vbmaa924.sys

c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll

Infected copy of c:\windows\system32\DRIVERS\rdpdr.sys was found and disinfected

Restored copy from - The cat found it :lol:

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_vbmaa924

((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-29 )))))))))))))))))))))))))))))))

.

2010-12-27 21:07 . 2010-12-27 21:07 -------- d-----w- c:\program files\iPod

2010-12-27 05:58 . 2010-12-27 05:58 5812224 ---ha-w- c:\documents and settings\Kevin.Jonathan\ntuser.tmp

2010-12-24 16:34 . 2010-12-24 16:34 6656 ----a-w- c:\windows\system32\A926F98A.exe

2010-12-19 19:50 . 2010-12-19 19:50 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys

2010-12-17 22:21 . 2010-12-17 22:21 -------- d--h--w- c:\windows\PIF

2010-12-16 11:46 . 2010-12-16 11:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2010-12-15 20:33 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-15 20:32 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2010-12-12 13:48 . 2010-12-12 13:48 -------- d-----w- c:\program files\Common Files\Skype

2010-12-07 03:59 . 2010-12-07 03:59 -------- d-----w- c:\documents and settings\Kevin.Jonathan\Application Data\Malwarebytes

2010-12-07 03:59 . 2010-12-07 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-12-07 03:59 . 2010-12-17 22:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-01 01:57 . 2010-12-01 01:57 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2010-12-01 01:56 . 2010-12-13 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2010-12-01 00:48 . 2010-12-01 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-29 03:00 . 2008-08-15 13:54 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys

2010-11-18 18:12 . 2008-08-15 13:56 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-31 23:10 . 2010-10-31 23:00 1244446540 ---ha-w- c:\program files\VSX3_Pro_TBYB.exe.part

2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-15 39408]

"Google Update"="c:\documents and settings\Kevin.Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-05 133104]

"Steam"="c:\program files\Steam\Steam.exe" [2010-11-16 1242448]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"Lexmark 2200 Series"="c:\program files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 57344]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]

"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-03-13 75048]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http:" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

2008-08-14 11:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-11-16 22:36 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9806-to-3.1.1.9835-enUS-downloader.exe"=

"c:\\Program Files\\Xfire\\Xfire.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Heroes of Newerth\\hon.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Heroes of Newerth Test Client\\hon.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Steam\\steamapps\\death_by_ch0colate\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Kevin.Jonathan\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"43594:TCP"= 43594:TCP:*:Disabled:RSCA

"6112:TCP"= 6112:TCP:Blizz D-Loader

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"3784:TCP"= 3784:TCP:Ventrilo 3784

"5800:TCP"= 5800:TCP:*:Disabled:VNC

"5900:TCP"= 5900:TCP:*:Disabled:VNC2

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"1038:TCP"= 1038:TCP:*:Disabled:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:*:Disabled:Akamai NetSession Interface

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 135664]

R3 A926F98A;A926F98A;c:\windows\system32\A926F98A.exe [2010-12-24 6656]

R3 Normandy;Normandy SR2; [x]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-06-29 3110016]

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-04-06 23064]

S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/03/20 21:28];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-03-13 16:58 87536]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2007-11-01 36864]

S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [2008-12-10 17792]

.

Contents of the 'Scheduled Tasks' folder

2010-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-12-29 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-15 02:20]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 01:44]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 01:44]

2010-12-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1604221776-839522115-1003Core.job

- c:\documents and settings\Kevin.Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-05 02:55]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1604221776-839522115-1003UA.job

- c:\documents and settings\Kevin.Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-05 02:55]

2010-12-29 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-12-28 c:\windows\Tasks\User_Feed_Synchronization-{AD20F425-9355-48E2-86F2-781443E33FFF}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

LSP: mswsock.dll

DPF: {B8A48F42-30E1-48f8-AE87-7BD7C75DB8AA} - hxxp://www.srtest.com/srl_bin/sysreqlab_test.cab

FF - ProfilePath - c:\documents and settings\Kevin.Jonathan\Application Data\Mozilla\Firefox\Profiles\bzajtrc3.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe

MSConfigStartUp-CTSyncU - c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

MSConfigStartUp-FaxCenterServer - c:\program files\Lexmark Fax Solutions\fm3032.exe

MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe

AddRemove-{16B6279B-9FF5-41fb-8BF9-404324F5DD1F}}_is1 - c:\program files\Media Access Startup\1.3.0.790\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-28 22:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.HDAudBus]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\


Phonetic:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
c:\windows\system32\A926F98A.exe
Driver::
A926F98A

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • ComboFix log
  • MBAM log

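The CFScript above targets one specific log entry: a service whose name and image file are the same random 8-hex-character string in system32, alongside Security Center override values set to 1. As an added example (not the helper's tool and not ComboFix code), this Python script runs that triage over lines copied from the log posted in this thread and emits the same File::/Driver:: block; the "8 hex characters in system32" heuristic and the line-format regex are the example author's assumptions.

```python
import re

# Constructed sample: lines copied verbatim from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 135664]
R3 A926F98A;A926F98A;c:\windows\system32\A926F98A.exe [2010-12-24 6656]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-06-29 3110016]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2007-11-01 36864]
"""

# ComboFix service line (assumed layout): "<R|S><n> <name>;<display>;<image> [<date> <size>]"
SERVICE_RE = re.compile(
    r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[(?P<date>\S+)\s+(?P<size>\d+)\]$"
)
# Heuristic (assumption): a bare 8-hex-digit file name such as A926F98A looks machine-generated.
HEX8_RE = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)
# Security Center override values; non-zero silences the AV/firewall/antispyware alerts.
OVERRIDE_RE = re.compile(r'^"(?P<key>\w+Override)"=dword:(?P<val>[0-9a-f]{8})$', re.IGNORECASE)


def find_suspicious_services(log_text):
    """Return (service name, image path) for services whose image is an 8-hex-named
    .exe/.sys directly in system32 and whose service name equals that file stem."""
    hits = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        image = m.group("image")
        folder, _, filename = image.rpartition("\\")
        stem, _, ext = filename.rpartition(".")
        if (folder.lower().endswith("\\system32")
                and ext.lower() in ("exe", "sys")
                and HEX8_RE.match(stem)
                and m.group("name").lower() == stem.lower()):
            hits.append((m.group("name"), image))
    return hits


def find_security_center_overrides(log_text):
    """Return the override keys whose value is non-zero."""
    keys = []
    for line in log_text.splitlines():
        m = OVERRIDE_RE.match(line.strip())
        if m and int(m.group("val"), 16) != 0:
            keys.append(m.group("key"))
    return keys


def build_cfscript(services):
    """Emit a File::/Driver:: CFScript body in the same shape the helper posted."""
    files = "\n".join(image for _, image in services)
    drivers = "\n".join(name for name, _ in services)
    return f"File::\n{files}\nDriver::\n{drivers}\n"


if __name__ == "__main__":
    found = find_suspicious_services(SAMPLE_LOG)
    print("Security Center overrides set:", find_security_center_overrides(SAMPLE_LOG))
    print(build_cfscript(found))
```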

Everything went well.

ComboFix Log

ComboFix 10-12-28.02 - Kevin.Jonathan 12/29/2010 1:13.2.4 - x86

Running from: c:\documents and settings\Kevin.Jonathan\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Kevin.Jonathan\Desktop\CFScript.txt

* Created a new restore point

FILE ::

"c:\windows\system32\A926F98A.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\A926F98A.exe

c:\windows\system32\config\oioiomui

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_A926F98A

-------\Service_A926F98A

((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-29 )))))))))))))))))))))))))))))))

.

2010-12-27 21:07 . 2010-12-27 21:07 -------- d-----w- c:\program files\iPod

2010-12-27 05:58 . 2010-12-27 05:58 5812224 ---ha-w- c:\documents and settings\Kevin.Jonathan\ntuser.tmp

2010-12-19 19:50 . 2010-12-19 19:50 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys

2010-12-17 22:21 . 2010-12-17 22:21 -------- d--h--w- c:\windows\PIF

2010-12-16 11:46 . 2010-12-16 11:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2010-12-15 20:33 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-15 20:32 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2010-12-12 13:48 . 2010-12-12 13:48 -------- d-----w- c:\program files\Common Files\Skype

2010-12-07 03:59 . 2010-12-07 03:59 -------- d-----w- c:\documents and settings\Kevin.Jonathan\Application Data\Malwarebytes

2010-12-07 03:59 . 2010-12-07 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-12-07 03:59 . 2010-12-17 22:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-01 01:57 . 2010-12-01 01:57 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2010-12-01 01:56 . 2010-12-13 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2010-12-01 00:48 . 2010-12-01 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-29 03:00 . 2008-08-15 13:54 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys

2010-11-18 18:12 . 2008-08-15 13:56 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-31 23:10 . 2010-10-31 23:00 1244446540 ---ha-w- c:\program files\VSX3_Pro_TBYB.exe.part

2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-12-29_03.15.13 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-12-29 06:19 . 2010-12-29 06:19 16384 c:\windows\Temp\Perflib_Perfdata_75c.dat

+ 2010-12-29 06:19 . 2010-12-29 06:19 16384 c:\windows\Temp\Perflib_Perfdata_6cc.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-15 39408]

"Google Update"="c:\documents and settings\Kevin.Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-05 133104]

"Steam"="c:\program files\Steam\Steam.exe" [2010-11-16 1242448]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"Lexmark 2200 Series"="c:\program files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 57344]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]

"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-03-13 75048]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http:" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

2008-08-14 11:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-11-16 22:36 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9806-to-3.1.1.9835-enUS-downloader.exe"=

"c:\\Program Files\\Xfire\\Xfire.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Heroes of Newerth\\hon.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Heroes of Newerth Test Client\\hon.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Steam\\steamapps\\death_by_ch0colate\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Kevin.Jonathan\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"43594:TCP"= 43594:TCP:*:Disabled:RSCA

"6112:TCP"= 6112:TCP:Blizz D-Loader

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"3784:TCP"= 3784:TCP:Ventrilo 3784

"5800:TCP"= 5800:TCP:*:Disabled:VNC

"5900:TCP"= 5900:TCP:*:Disabled:VNC2

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"1038:TCP"= 1038:TCP:*:Disabled:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:*:Disabled:Akamai NetSession Interface

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 135664]

R3 Normandy;Normandy SR2; [x]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-06-29 3110016]

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-04-06 23064]

S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/03/20 21:28];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-03-13 16:58 87536]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2007-11-01 36864]

S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [2008-12-10 17792]

.

Contents of the 'Scheduled Tasks' folder

2010-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-12-29 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-15 02:20]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 01:44]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 01:44]

2010-12-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1604221776-839522115-1003Core.job

- c:\documents and settings\Kevin.Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-05 02:55]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1604221776-839522115-1003UA.job

- c:\documents and settings\Kevin.Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-05 02:55]

2010-12-29 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-12-28 c:\windows\Tasks\User_Feed_Synchronization-{AD20F425-9355-48E2-86F2-781443E33FFF}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

LSP: mswsock.dll

DPF: {B8A48F42-30E1-48f8-AE87-7BD7C75DB8AA} - hxxp://www.srtest.com/srl_bin/sysreqlab_test.cab

FF - ProfilePath - c:\documents and settings\Kevin.Jonathan\Application Data\Mozilla\Firefox\Profiles\bzajtrc3.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-29 01:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.HDAudBus]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\


Phonetic:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

  • Go to this page.
  • Scroll down to where it says "Java Platform, Standard Edition."
  • Click the "Download JRE" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.

Please run ESET Online Scanner

  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt into your next reply.

Please include the following in your next post:

  • ESET log
  • How is the computer running?


My computer is doing a lot better. Speed seems to be back to normal and I haven't encountered any Google redirects, but I haven't used Google that much recently.

Here is the ESET Log

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=7515f4b7330a37428137f65545282055

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-12-30 03:04:02

# local_time=2010-12-30 10:04:02 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=crash

# scanned=135389

# found=120

# cleaned=0

# scan_time=3341

C:\Documents and Settings\Kevin.Jonathan\My Documents\LimeWire\Saved\welcome home instrumental (instrumental version).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I

C:\Program Files\Sarm Software\WebCamera\WebCam.exe probably a variant of Win32/Genetik trojan (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Program Files\Media Access Startup\1.3.0.790\MAHelper.exe.vir probably a variant of Win32/Adware.DoubleD.AD application (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Program Files\Media Access Startup\1.3.0.790\FF\components\HPFFAddOn.dll.vir a variant of Win32/Adware.DoubleD.AE application (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\rdpdr.sys.vir a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll.vir probably a variant of Win32/Kryptik.YQ trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP751\A0189942.dll a variant of Win32/Adware.DoubleD.AE application (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP751\A0191185.dll probably a variant of Win32/Kryptik.YQ trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP752\A0192207.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP754\A0192333.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP755\A0193333.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP756\A0193391.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP756\A0194391.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP756\A0194416.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP756\A0194440.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP756\A0194466.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP756\A0195466.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP757\A0195498.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP757\A0195525.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP757\A0195652.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP757\A0195689.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP757\A0195734.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP757\A0195752.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP757\A0195766.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP758\A0195879.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP758\A0195901.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP758\A0196901.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP758\A0196907.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP758\A0197907.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP759\A0198907.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP759\A0198927.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP760\A0198997.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP760\A0199997.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP761\A0200019.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP762\A0200041.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP763\A0200062.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP764\A0200088.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP764\A0201088.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP764\A0201116.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP764\A0202116.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP764\A0202156.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP764\A0202192.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP765\A0204192.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP765\A0204231.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP765\A0205231.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP765\A0206231.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP765\A0207231.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP767\A0207572.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP767\A0207594.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP768\A0208594.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP770\A0209594.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP770\A0210594.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP770\A0210612.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP770\A0211612.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP770\A0212612.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP770\A0213612.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP770\A0214612.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP770\A0215610.dll probably a variant of Win32/Kryptik.YQ trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP770\A0215612.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP771\A0216612.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP771\A0217612.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP771\A0218612.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP772\A0218712.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP772\A0218739.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP772\A0219739.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP772\A0220739.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP773\A0220751.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP773\A0221751.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP774\A0222751.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP777\A0223749.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP777\A0224749.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP778\A0224759.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP778\A0225759.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP778\A0226759.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP778\A0227759.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP779\A0228759.dll probably a variant of Win32/Kryptik.YQ trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP779\A0228761.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP779\A0229759.dll probably a variant of Win32/Kryptik.YQ trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP779\A0229761.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP779\A0230761.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP779\A0231761.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP779\A0232761.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP781\A0232773.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP781\A0233773.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP781\A0234773.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP782\A0235773.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP782\A0236773.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP784\A0236785.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP785\A0237785.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP785\A0238785.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP786\A0239785.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP786\A0240785.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP786\A0240795.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP786\A0241795.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP786\A0242793.dll probably a variant of Win32/Kryptik.YQ trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP786\A0242795.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP786\A0242808.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP786\A0243808.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP787\A0244808.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP787\A0245808.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP787\A0246808.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP787\A0247808.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP788\A0247819.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP788\A0248819.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP788\A0249819.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP788\A0250819.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP788\A0251819.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP788\A0252819.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP789\A0252830.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP790\A0253830.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP792\A0254830.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP792\A0255830.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP792\A0256830.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP792\A0257830.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP792\A0257842.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP793\A0258870.dll a variant of Win32/Adware.DoubleD.AE application (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP793\A0258872.exe probably a variant of Win32/Adware.DoubleD.AD application (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{94B6D795-FDE1-42BC-A0CC-A4C1A51C9523}\RP793\A0258875.dll probably a variant of Win32/Kryptik.YQ trojan (unable to clean) 00000000000000000000000000000000 I

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KXMZ01QR\uninstall[1] Win32/Adware.Antivirus2010 application (unable to clean) 00000000000000000000000000000000 I

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SHI7W9AB\script_card[1] Win32/Adware.Antivirus2010 application (unable to clean) 00000000000000000000000000000000 I

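A quick triage of a log like the one above, added here as an example (it is not part of the thread and not an ESET tool): it splits the findings by where the flagged file lives, since detections inside System Restore snapshots and inside ComboFix's Qoobox quarantine are inert copies, and only the live files need action. The sample log embedded in the block is constructed in the posted log's format with placeholder paths, zeroed hashes and a zeroed restore-point GUID.

```python
"""Triage an ESET Online Scanner log by where each flagged file lives.

ESET lists every file it flags, including copies inside System Restore
snapshots and a removal tool's quarantine. Those copies are inert until
something restores them, so the real question is which detections sit on
files that can still be opened or executed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One detection line: <path> <detection text> (<action>) <32-hex hash> <flag>
# Windows paths never contain '/', while ESET names always do (Win32/...),
# which lets the lazy path group stop in the right place even when the file
# name contains spaces or parentheses.
_RECORD = re.compile(
    r"^(?P<path>.*?\S) "
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9_.]+/[^()]*?) "
    r"\((?P<action>[^()]*)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S)$"
)
_HEADER = re.compile(r"^#\s*(?P<key>\w+)=(?P<value>.*)$")


@dataclass(frozen=True)
class Detection:
    path: str
    detection: str   # e.g. "a variant of Win32/Rootkit.Agent.NSF trojan"
    action: str      # e.g. "unable to clean"
    location: str    # see classify_location()

    @property
    def family(self) -> str:
        """The platform/family token, e.g. 'Win32/Rootkit.Agent.NSF'."""
        return next(tok for tok in self.detection.split() if "/" in tok)


def classify_location(path: str) -> str:
    """Bucket a flagged path by how much it matters right now."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point"   # System Restore snapshot; inert unless restored
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # already neutralised by ComboFix
    if "\\temporary internet files\\" in p:
        return "browser cache"   # dropped by the browser; goes with the cache
    return "live"                # anything else can still be opened or run


def parse_eset_log(text: str) -> tuple[dict[str, str], list[Detection]]:
    header: dict[str, str] = {}
    records: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (h := _HEADER.match(line)):
            header[h["key"]] = h["value"].strip('"')
        elif (m := _RECORD.match(line)):
            records.append(Detection(m["path"], m["detection"], m["action"],
                                     classify_location(m["path"])))
    return header, records


def triage(text: str) -> dict:
    header, records = parse_eset_log(text)
    found = int(header.get("found", -1))
    return {
        "scanned": int(header.get("scanned", 0)),
        "found": found,
        "cleaned": int(header.get("cleaned", 0)),
        # False means the parser missed lines and the summary is untrustworthy.
        "all_records_parsed": found == len(records),
        "by_location": dict(Counter(r.location for r in records)),
        "by_family": dict(Counter(r.family for r in records)),
        "live_files": [r.path for r in records if r.location == "live"],
    }


# Constructed sample in the posted log's format (placeholder paths, zeroed
# hashes and a zeroed restore-point GUID); not the thread's real log.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# remove_checked=false
# scanned=135389
# found=6
# cleaned=0
C:\Documents and Settings\User\My Documents\LimeWire\Saved\track (instrumental version).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Example Vendor\WebCamera\WebCam.exe probably a variant of Win32/Genetik trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\rdpdr.sys.vir a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP751\A0189942.dll a variant of Win32/Adware.DoubleD.AE application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP752\A0192207.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\uninstall[1] Win32/Adware.Antivirus2010 application (unable to clean) 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"scanned={summary['scanned']} found={summary['found']} "
          f"cleaned={summary['cleaned']} parsed_ok={summary['all_records_parsed']}")
    for loc, n in sorted(summary["by_location"].items()):
        print(f"  {loc:14} {n}")
    print("live files needing action:")
    for path in summary["live_files"]:
        print("  " + path)
```

On the real 120-line log the same split shows the bulk of the hits in restore points and quarantine, which is why the helper's follow-up only deals with the two live files.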

Phonetic:

Go to Start > Run and copy/paste the contents of the codebox below into the Run box and click OK:

cmd /c del /a/f/q "C:\Documents and Settings\Kevin.Jonathan\My Documents\LimeWire\Saved\welcome home instrumental (instrumental version).mp3"

A DOS window may briefly open and close again, this is normal.

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.

Go to My Computer -> Tools -> Folder Options -> View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)

Please go to one of the below sites to scan the following files:

virscan.org

Virus Total

Click on Browse, and upload the following file for analysis:

C:\Program Files\Sarm Software\WebCamera\WebCam.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

Please include the following in your next post:

  • File analysis results


File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

MD5: 1d50f1c4832c0ac7068750636ac7a293

Date first seen: 2010-06-08 04:54:31 (UTC)

Date last seen: 2010-06-08 05:01:17 (UTC)

Detection ratio: 2/41


Phonetic:

Everything is looking good. I have another update and some very important cleanup for you to take care of now:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall


Delete the following tools along with any other logs you saved from our work:

  • DDS
  • GMER
  • Rootkit Unhooker
  • TDSSKiller
  • ESET Online Scanner (can be removed via add/remove programs)

Install an anti-virus program. I don't see any anti-virus software running on your computer. Choose one (but no more) reputable AV program. If you need help choosing one, this site has good information. Avast, Avira and Microsoft all offer free AV products.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please visit this General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!


Ok, I've done all that.

I just have one question: How can I delete the executable files that were corrupted by the virus, i.e. the programs in my downloads folder that you had me try that wouldn't work? The regular delete function gives the error: Cannot delete (program): Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use.


Run this for me, please:

Please save this file to your desktop.

  • Click on Start > Run, and copy-paste the following command (the bolded text) into the open run box, then click OK.

    "%userprofile%\desktop\win32kdiag.exe" -f -r


  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  • Please open it with notepad and post the contents here.


Sorry for my little hiatus there.

Running from: C:\Documents and Settings\Kevin.Jonathan\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Kevin.Jonathan\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini

Attempting to restore permissions of : C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

Finished!

