vundo.h can only boot safemode can't update. help!


Hi! I'm new here and unfortunately need help. I stupidly installed a program that prompted I needed to update my Divx codecs. Shortly after, Spybot caught it trying to change my system with C:\resycled\boot.com. When I denied the change I got the blue screen of death. I googled the problem and ended up installing and running Malwarebytes' Anti-Malware, which cleaned 8 instances of Trojan.Vundo.H. It still didn't help. I found that it also infected my other drives with a "resycled" sub-directory on each, which I deleted and was replaced by "RECYCLER" subdirectories on each that are locked (these definitely weren't on these drives before). I still can only boot in safe mode. I am posting the hijackthis.log and uninstall_list.txt hoping that someone can please help me! I'm really concerned.

(UPDATE: Aw man, I also infected my laptop by copying the logfiles onto a CD from the infected desktop to post here. This really sucks! I ran Malwarebytes on my laptop and, since it can access the internet, did the updates first. Hopefully that will help.)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:41:23 PM, on 1/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\1Trojan Problems\HiJackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Java


  • Root Admin

Hello and Welcome to Malwarebytes.org

Please read and follow the instructions provided here: Pre- HJT Post Instructions

When ready please post your logs here: Malware Removal - HijackThis Logs

Someone will be happy to assist you further with cleaning your system.

During this scan and cleanup process you should not install any other software unless requested to do so.


Hi Advanced! I can't perform PandaActive or ESOT as the infected computer only runs in safemode and is not connected to the internet. I already posted the HiJackThis logs above and I'll now attempt to recreate the mbam-log manually.


mbam-log

Malwarebytes' Anti-Malware 1.31

Database version 1456

Windows 5.1.2600 Service Pack 3

1/2/2009 7:57:31 PM

mbam-log-2009-01-02 (19-57-31).txt

Scan type: Full Scan (C;\| E:\|F:\|G:\|H:\|)

Objects scanned: 151726

Time elapsed: 48 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

REMEMBER: I could not download the latest definitions for mbam, so the version that I used only had the definitions available at the release date.


  • Root Admin

Please run this Antivirus scanner and see if it can correct enough to get you back into Normal mode.

No, you cannot edit posts due to some users messing things up for others.

Download to the desktop: Dr.Web CureIt

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
    check.gif
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

I originally could not find where to set up the multiple drive scan, so I scanned C:\ and it deleted A:\resycled boot.com and Trojan.StartPage.1505 and moved VirtumondeBeGone (archive that contained infected objects). When I went to obtain the DrWeb log file the system froze, so I had to reboot again in safe mode. I then found where to do the multiple drive scans and ran DrWeb again. The 2nd time it scanned C:\ it found and moved a:\ autorun.inf "Corrupted - probably Win32.HLLW.Autorunner" and found no viruses on my E:\ F:\ G:\ and H:\ drives. I had the CD with the virus software programs in the D:\ drive and the DrWeb log recorded this:

virtumondeBeGone.exe\data005;D:\VirtumondeBeGone.exe;Tool.Prockill;;

VirtumondeBeGone.exe;D:\;Archive contains infected objects;;

So, I tried to reboot in normal mode and Spybot again caught the virus trying to install C:\resycled\boot.com and moments later got the blue screen of death again.

Does this mean that my boot sector is infected; and if so, how does one cure that?

If you need me to send another HiJackThis log I'll manually transcribe on another post.


  • Root Admin

Please run the following.

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

Then open My Computer and select each drive one at a time and open it to the top/root of the drive.

Look for a file named autorun.inf and delete it on each drive if you have more than one drive.

Then locate the folder named resycled from each drive and if found delete it.

Then empty the Recycle Bin on your desktop by right clicking over it and choose Empty Recycle Bin

Then run the following

  • Download and install CCleaner
  • Double-click on the downloaded file "ccsetup215.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and click on the Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts


Then run this

Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the restart run Hijackthis Scan and save log

Post back both the NEW MBAM and HJT logs.

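The autorun.inf check the instructions above describe, as an added example that is not from this thread or from Malwarebytes: a small Python script that looks for autorun.inf in each drive root, parses its [autorun] section and reports which program the file would launch. The sample autorun.inf content, its resycled\boot.com target and the function names are constructed for illustration (the thread only mentions the file's path, not its contents); it uses the Python standard library only.

```python
"""Find autorun.inf files in drive roots and report what each one would launch.

Added example for this thread, not a tool the forum recommends.  An
autorun.inf in the root of a fixed hard disk is unusual in itself, so every
launch target it names is worth a look before the file is deleted.
"""
import os
import string
import tempfile
from pathlib import Path

# [autorun] keys that make Windows AutoRun/AutoPlay execute a program.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")

# Constructed sample modelled on the behaviour described in the thread:
# a hidden 'resycled' folder holding boot.com on every drive.
SAMPLE_AUTORUN = """[autorun]
open=resycled\\boot.com
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open=Open
shell\\open\\command=resycled\\boot.com
shell\\explore\\command=resycled\\boot.com
"""


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased.

    Hand-rolled rather than configparser because real autorun.inf files often
    carry junk lines, duplicate keys or bytes outside the INI grammar."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Return (key, program) pairs for every key that would run something."""
    return [(k, entries[k]) for k in LAUNCH_KEYS if k in entries]


def scan_roots(roots):
    """Check each root for autorun.inf and list its launch targets.

    Returns a list of (root, key, target) tuples; roots without the file are
    skipped.  The file is read as latin-1 with errors ignored because malware
    frequently pads it with non-text bytes."""
    findings = []
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if not inf.is_file():
            continue
        text = inf.read_text(encoding="latin-1", errors="ignore")
        for key, target in launch_targets(parse_autorun(text)):
            findings.append((str(root), key, target))
    return findings


def windows_drive_roots():
    """Roots of all mounted drive letters (empty on non-Windows hosts)."""
    return [Path(f"{letter}:\\") for letter in string.ascii_uppercase
            if os.path.exists(f"{letter}:\\")]


def demo():
    """Run the scan against a temporary folder standing in for a drive root."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "autorun.inf").write_text(SAMPLE_AUTORUN, encoding="latin-1")
        return scan_roots([tmp])


if __name__ == "__main__":
    # Scan the real drive roots on Windows; fall back to the constructed sample.
    for root, key, target in scan_roots(windows_drive_roots()) or demo():
        print(f"{root}: autorun.inf {key} -> {target}")
```

Run it from an account that can read every drive root with hidden and system files visible; each reported line tells you which folder and program the drive would have launched on the next AutoPlay, which is the folder to inspect (and quarantine, if samples are wanted) before the file itself is deleted as the instructions say.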

Still no good! I ran CCleaner as directed and Malwarebytes' Anti-Malware again. Still cannot boot normally. Spybot catches command c:\resycled\boot.com, or something like that, and the BSOD follows shortly. Here is a manual transcription of the mbam log file and hijackthis.log, since if I copy into this machine it will become infected also.

Malwarebytes' Anti-Malware 1.31

Database version 1456

Windows 5.1.2600 Service Pack 3

1/4/2009 9:53:53 AM

mbam-log-2009-01-04 (09-53-53).txt

Scan type: Full Scan (A:\|C;\|D:\|E:\|F:\|G:\|H:\|)

Objects scanned: 151535

Time elapsed: 48 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I'll post the Hijackthis log on a separate post.


Here's a partial copy of the HiJackThis.log I ran after I rebooted again in safemode (up to all the "O2" items). I'll complete the rest in my next post.

Logfile of Trend Micro HiJackThis v2.0.2

Scan saved at 8:34:56PM, on 1/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss\exe

C:\WINDOWS\System32\winlogon.exe

C:\WINDOWS\System32\services.exe

C:\WINDOWS\System32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\1Trojan Problems\HiKackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard, ShellNext=

http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} -

C:\Program Files\Real\RealPlayer\rpbrowswerrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NacFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program

Files\AVG\AVG8\avgssie.dll

O2 - BHO:Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search &

Destroy\SDHelper.dll

02 - BHO: Jave Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre6\bin\ssv.dll

02 - BHO: Jave Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Program

Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDectectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program

Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {EAD9E7C9-E10D-4839-91D0-795040FB998F} - C:\WINDOWS\system32\fccabcBu.dll (file missing)


Here's the remainder of the log.

04 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core\Static\CLIStart.exe

04 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

04 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

04 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot

04 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

04 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe

04 - HKLM\..\Run: [Ai Nap] "C:\Profgram Files\ASUS\Ai Suite\AiNap\AiNap.exe

04 - HKLM\..\Run: [TKBellEXe] "C:\Program FIles\Common Files\Real\Update_OB\realsched.exe" -osboot

04 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON

Stylus C66 Series"" /O6 "USB001" /M "Stylus C66"

04 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jrel.6.0_07\bin\jusched.exe

04 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

04 - HKLM\..\Run: [Quicktime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

04 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe

04 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader\ 8.0\Reader\Reader_sl.exe"

04 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\systerm32\dumprep 0 -k

04 - HKLM\..\RunOnce: [spybotDeleteingA7724] \ command /c del "c:\resycled\boot.com"

04 - HKLM\..\RunOnce: [spybotDeleteingC5176] \ cmd /c del "c:\resycled\boot.com"

04 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C;\Program Files\Malwarebytes' Anit-Malware\mbamgui.exe /install

/silent

04 - HKLM\..\RunOnce: [spybotDeleteingB9117] \ command /c del "c:\resycled\boot.com"

04 - HKLM\..\RunOnce: [spybotDeleteingD772] \ cmd /c del "c:\resycled\boot.com"

04 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

04 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

09 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search &

Destroy\SDHelper.dll

09 - Extra 'Tools" meniutem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

09 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

09 - Extra 'Tools" meniutem: @xpsp3res.dll, -2001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe

09 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

09 - Extra 'Tools" meniutem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe

018 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FDBBE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

020 - AppInit_DLLS: avgrsstx.dll

023 - Service: a-squared Free Service (a2free) - Emsi Software Gmbh - C:\Program Files\a-squared Free\a2service.exe

023 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

023 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device

023 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:|WINDOWS\System32\Ati2evxx.exe

023 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

023 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Tecgnologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

023 - Service: AVG8 WatchDog (avg8wd) - AVG Tecgnologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

023 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A. Corporation -

C:\WINDOWS\system32\bgsvcgen.exe

023 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

023 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive

Software\DiskeeperLite\DKService.exe

023 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

023 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program

Files\Java\jre6\bin\jqs.exe

--

End of files - 6256 bytes


  • Root Admin

Please download a new copy of Dr Web and run it in SAFE MODE if you can and have it cleanup.

Then restart and see if it will boot into NORMAL mode and stay running, if it will then run this.

Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and run HJT Scan and Save log, then post back NEW MBAM and HJT logs.


  • Root Admin

When the computer starts you should see a Start Menu for Safe Mode, one of those choices though is for a LAST KNOWN GOOD

Please try that choice and see if it will go into Windows normal. If it does then reboot again and see if it will go directly into Windows.

If you don't see the menu, tap the F8 key while it's booting and it should come up.


  • Root Admin

Please try to run this...

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I also need for you to download this program, OTListIt2.exe, to your desktop.

  • Close all applications and windows so that you have nothing open and are at your Desktop
  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.
  • Place a checkmark in the "Scan All Users" checkbox (Leave the 'Use Whitelist' checked and the 'File Age:' at 30 days)
  • Click the Run Scan button
  • NOTE: Please be patient and let the scan run without using the computer
  • When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)
  • In Notepad, click Edit, Select all, then Edit, Copy
  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log, or right click and paste.
  • Submit your reply and close the Notepad window with OTList.txt
  • Also OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window
  • In Notepad, click Edit, Select all, then Edit, Copy
  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log, or right click and paste.
  • NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in Notepad from your desktop.


Please allow me time to analyze your post. If you don't see a reply from me after 48 hours, feel free to PM me.


Here are the log files:

OTListIt.Txt

OTListIt logfile created on: 1/7/2009 6:53:15 PM - Run

OTListIt2 by OldTimer - Version 1.0.3.0 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): C:\pagefile.sys 2560 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 59.63 Gb Total Space | 47.44 Gb Free Space | 79.55% Space Free | Partition Type: NTFS

Drive D: | 0.47 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive E: | 78.13 Gb Total Space | 40.28 Gb Free Space | 51.55% Space Free | Partition Type: NTFS

Drive F: | 95.13 Gb Total Space | 46.93 Gb Free Space | 49.33% Space Free | Partition Type: NTFS

Drive G: | 111.51 Gb Total Space | 30.01 Gb Free Space | 26.92% Space Free | Partition Type: FAT32

Drive H: | 16.45 Gb Total Space | 11.47 Gb Free Space | 69.70% Space Free | Partition Type: FAT32

I: Drive not present or media not loaded

Computer Name: LAMBCHOP

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: SafeMode

Scan Mode: All users

Output = Standard

File Age = 30 Days

Company Name Whitelist: On

========== Processes (SafeList) ==========

[2008/07/07 07:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

[2009/01/07 18:47:03 | 00,419,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe

========== (O23) Win32 Services (SafeList) ==========

[2008/01/07 17:56:32 | 00,366,712 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe -- (a2free [Auto | Stopped])

[2008/07/07 07:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])

[2008/09/05 21:26:28 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Stopped])

[2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])

[2007/06/26 20:49:20 | 00,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Stopped])

[2007/06/29 21:05:00 | 00,520,192 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])

[2008/08/30 08:34:23 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Stopped])

[2008/08/30 08:34:22 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Stopped])

[2008/06/22 13:29:26 | 00,118,784 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\system32\bgsvcgen.exe -- (bgsvcgen [Auto | Stopped])

[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Stopped])

[2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

[2002/10/16 21:56:00 | 00,176,128 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\DiskeeperLite\DKService.exe -- (Diskeeper [Auto | Stopped])

[2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])

[2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [unknown | Stopped])

[2008/04/14 04:42:24 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN [Auto | Stopped])

[2008/09/08 22:02:00 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])

[2008/12/20 15:23:33 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Stopped])

[2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])

[2008/04/14 04:42:24 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC [Auto | Stopped])

[2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Stopped])

[2008/04/14 04:42:24 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC [Auto | Stopped])

========== Driver Services (SafeList) ==========

[2006/06/15 03:02:22 | 00,142,464 | R--- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\adidts.sys -- (ADIDTSFiltService [On_Demand | Stopped])

[2006/05/02 04:12:06 | 00,229,376 | R--- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService [On_Demand | Stopped])

[2006/04/26 17:42:40 | 00,093,824 | R--- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (AEAudio [On_Demand | Stopped])

[2002/04/17 20:27:02 | 00,011,264 | ---- | M] (VOB Computersysteme GmbH) -- C:\WINDOWS\system32\drivers\asapi.sys -- (Asapi [system | Running])

[2005/12/21 21:22:18 | 00,005,685 | R--- | M] () -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO [system | Stopped])

[2007/06/26 20:58:16 | 02,303,488 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Stopped])

[2008/08/30 08:34:21 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86 [system | Stopped])

[2008/07/05 21:59:52 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86 [system | Stopped])

[2008/07/05 21:59:57 | 00,076,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX [Auto | Stopped])

[2008/06/22 13:29:26 | 00,033,408 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\system32\drivers\CDRBSDRV.SYS -- (cdrbsdrv [system | Running])

[2001/10/18 02:07:30 | 00,009,278 | ---- | M] (B.H.A Co.,Ltd.) -- C:\WINDOWS\system32\drivers\cdrbsvsd.sys -- (cdrbsvsd [system | Running])

[2003/10/28 14:17:52 | 00,005,273 | ---- | M] (Arrowkey) -- C:\Program Files\321Studios\Shared\CDRPDACC.SYS -- (CDRPDACC [Auto | Stopped])

[2007/01/25 11:12:22 | 00,302,336 | ---- | M] (Midiman/M-Audio) -- C:\WINDOWS\system32\drivers\delta.sys -- (DELTA [On_Demand | Stopped])

[2005/05/03 10:34:02 | 00,027,392 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys -- (ElbyCDFL [On_Demand | Running])

[2007/08/07 14:48:33 | 00,025,160 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO [system | Stopped])

[2007/02/15 19:56:49 | 00,011,984 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay [On_Demand | Running])

[2000/05/15 07:24:50 | 00,017,923 | R--- | M] (emagic Soft- und Hardware GmbH, Germany) -- C:\WINDOWS\system32\drivers\EMGICUSB.sys -- (EmgicUsb [Auto | Stopped])

[2008/04/17 12:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])

[2004/10/27 15:21:36 | 00,138,240 | ---- | M] (Windows

Edited by AdvancedSetup
Removed quoting

  • Root Admin

Please see if you can copy over ComboFix to the infected computer and run it from Safe Mode or not.

how-to-use-combofix

If you can't get ComboFix to run then do you have access to a CD burner from another computer, either at home, a friend, at work?

If so please try to run this Avira tool for cleanup.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Avira AntiVir Rescue System
    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:
    • repair a damaged system,
    • rescue data,
    • scan the system for virus infections.
    Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.


AMAZING!!!!! I am back online in NORMAL MODE!!! I ran ComboFix as directed and it found some rootkit activity:

RootKit Activity

c:\WINDOWS\system32\drivers\msqpdxjewpkkya.sys

c:\WINDOWS\system32\msqpdxbuhhlxrr.dll

It prompted me to reboot which I did and it continued the process in NORMAL MODE and created the following log.

ComboFix 09-01-08.05 - Me 2009-01-09 17:03:37.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2562 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

A:\resycled

c:\documents and settings\Me\Start Menu\Programs\videosoft

c:\documents and settings\Me\Start Menu\Programs\videosoft\Uninstall.lnk

c:\program files\videosoft

c:\program files\videosoft\Uninstall.exe

c:\windows\system32\Cache

c:\windows\system32\drivers\msqpdxjewpkkya.sys

c:\windows\system32\msqpdxbuhhlxrr.dll

c:\windows\system32\msvcsv60.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_MSQPDXSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))

.

2009-01-04 08:49 . 2009-01-04 08:49 <DIR> d-------- c:\program files\CCleaner

2009-01-03 11:15 . 2009-01-03 11:25 <DIR> d-------- c:\documents and settings\Administrator\DoctorWeb

2009-01-02 14:29 . 2009-01-02 14:29 <DIR> d-------- c:\program files\ERUNT

2009-01-02 14:26 . 2009-01-07 19:54 <DIR> d-------- C:\1Trojan Problems

2009-01-02 13:55 . 2009-01-02 13:55 <DIR> d-------- C:\VundoFix Backups

2009-01-02 13:29 . 2009-01-02 14:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\BitTorrent

2009-01-02 11:48 . 2009-01-02 11:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-02 11:48 . 2009-01-02 11:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-02 11:48 . 2009-01-02 11:48 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-01-02 11:48 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-02 11:48 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-01 09:22 . 2009-01-01 09:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Steinberg

2008-12-30 23:24 . 2008-12-30 23:25 743,621 --a------ c:\windows\system32\RPUpdates.zip

2008-12-30 23:24 . 2008-12-30 23:25 45 --a------ c:\windows\system32\RPVersion.ini

2008-12-30 22:28 . 2008-12-30 22:28 <DIR> d-------- c:\documents and settings\Me\Application Data\Thinstall

2008-12-21 19:49 . 2008-12-31 17:46 <DIR> d-------- c:\documents and settings\Me\Application Data\BitTorrent

2008-12-21 19:48 . 2008-12-21 19:49 <DIR> d-------- c:\program files\BitTorrent

2008-12-20 15:23 . 2008-12-20 15:23 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-10 09:12 . 2008-12-15 22:07 16 --a------ c:\windows\system32\w3data.vss

2008-12-10 09:12 . 2008-12-15 22:07 16 --a------ c:\windows\msocreg32.dat

2008-12-10 09:03 . 2008-12-10 09:03 <DIR> d-------- c:\program files\IK Multimedia

2008-12-10 07:10 . 2008-12-10 07:10 <DIR> d-------- c:\program files\AudioVero

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-09 22:07 --------- d-----w c:\program files\DNA

2009-01-09 22:07 --------- d-----w c:\documents and settings\Me\Application Data\DNA

2009-01-08 01:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-31 19:56 --------- d-----w c:\program files\Finale 2008

2008-12-20 20:23 --------- d-----w c:\program files\Java

2008-12-10 14:03 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-08 08:56 --------- d-----w c:\program files\Kjaerhus Audio

2008-12-08 02:20 --------- d-----w c:\program files\Studio Buddy

2008-12-07 08:34 --------- d-----w c:\program files\Reference Assemblies

2008-12-07 08:34 --------- d-----w c:\program files\MSBuild

2008-12-06 17:02 --------- d-----w c:\program files\Nomad Factory

2008-12-06 17:00 --------- d-----w c:\program files\Brainworx Music

2008-12-06 14:44 --------- d-----w c:\program files\Common Files\Adobe

2008-11-29 13:17 --------- d-----w c:\program files\M-Audio

2008-11-29 07:53 --------- d-----w c:\documents and settings\Me\Application Data\InstallShield

2008-11-28 03:40 --------- d-----w c:\program files\URS Plugins

2008-11-26 13:25 --------- d-----w c:\program files\ETF5.x

2008-11-26 13:24 73,216 ----a-w c:\windows\ST6UNST.EXE

2008-11-26 13:24 249,856 ------w c:\windows\Setup1.exe

2008-11-23 06:46 --------- d-----w c:\program files\PSPaudioware.com

2008-11-23 03:24 --------- d-----w c:\program files\Pinguin

2008-11-18 13:18 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-02-24 16:30 2,197 ----a-w c:\program files\uninstal.log

2008-02-24 16:13 81,920 ----a-w c:\documents and settings\Me\Application Data\ezpinst.exe

2008-02-24 16:13 47,360 ----a-w c:\documents and settings\Me\Application Data\pcouffin.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 212992]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-21 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-18 843776]

"JMB36X Configure"="c:\windows\System32\JMRaidTool.exe" [2006-06-02 385024]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AsusServiceProvider"="c:\program files\ASUS\AASP\1.00.01\aaCenter.exe" [2006-06-30 582144]

"Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-07-10 1093632]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-17 185896]

"EPSON Stylus C66 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE" [2004-01-13 99840]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-08 289576]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDIDL~1\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= ffdshow.ax

"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

--a------ 2005-05-19 08:47 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-09-08 22:02 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Avg7Alrt"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\totalcmd\\TOTALCMD.EXE"=

"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2008-01-30 11264]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-28 97928]

R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-05 875288]

R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 231704]

R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-28 76040]

S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2008-01-27 16896]

S4 EmgicUsb;emagic USB kernel driver;c:\windows\system32\drivers\EMGICUSB.sys [2008-03-16 17923]

.

Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

- - - - ORPHANS REMOVED - - - -

BHO-{EAD9E7C9-E10D-4839-91D0-795040FB998F} - c:\windows\system32\fccabcBu.dll

MSConfigStartUp-3074a134 - c:\windows\system32\udlmglnx.dll

MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe

MSConfigStartUp-BM334792a8 - c:\windows\system32\ynhonkaq.dll

MSConfigStartUp-CloneDVDElbyDelay - c:\program files\Elaborate Bytes\CloneDVD\ElbyCheck.exe

MSConfigStartUp-Tons Up - c:\docume~1\Me\APPLIC~1\CAMPFL~1\bitsphone.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.metacrawler.com/

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ubnjzt8z.default\

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-09 17:07:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\a-squared Free\a2service.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\bgsvcgen.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Executive Software\DiskeeperLite\DKService.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\wdfmgr.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

c:\program files\Real\RealPlayer\realplay.exe

c:\program files\AVG\AVG8\avgrsx.exe

.

**************************************************************************

.

Completion time: 2009-01-09 17:10:30 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-09 22:10:27

Pre-Run: 50,876,219,392 bytes free

Post-Run: 50,788,950,016 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,3,4,5

202

THIS IS SIMPLY GREAT!!!! THANKS SO MUCH ADVANCEDSETUP. I checked my other drives and even the locked C:\RECYLCED sub-directories that were created are now gone. I've got to ask: is there some way that I can show my appreciation for what you did for me? I'm not loaded by any means, but if you've got a PayPal account I'd be more than willing to give you a little something to show my gratitude. You saved me from a nightmare. This desktop is my DAW and, although I backed up my audio files to DVDs a few weeks ago, it would have taken me hours and hours to reformat the hard drives and reinstall and tweak the numerous associated audio programs. Man, you are simply a lifesaver! Thank you so so much!


  • Root Admin

Your thank-you and sincere appreciation are thanks enough. Thank you for the kind words.

We're not done yet though as we still need to review your system and see what else might be going on.

Please follow the tasks below so that we can finish cleaning up your system.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab, then click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT: do a system scan and save a logfile.

Then run this scanner as well.

Please download the following scanning tool: GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double-click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. As soon as it's done and the COPY button is available, click on the COPY button.
  • DO NOT click on the SCAN button.
  • This will place the scan in your clipboard. Paste that into Notepad or into your next reply post, please.
  • Click OK and quit the GMER program.

Then post back the NEW MBAM and HJT logs in that order, please.

Please note that I may be out of Town tonight but will try to get back with you this weekend.


WOW, you're right! Even before I read your reply I updated and ran MBAM (the same way as you indicated) and it found 7 infected files. Here are the three log files as you directed.

Malwarebytes' Anti-Malware 1.32

Database version: 1638

Windows 5.1.2600 Service Pack 3

1/10/2009 10:04:14 AM

mbam-log-2009-01-10 (10-04-14).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|H:\|)

Objects scanned: 155913

Time elapsed: 40 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{eec73ea5-1367-49d1-93f4-ca1d8c22e9f9} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{eec73ea5-1367-49d1-93f4-ca1d8c22e9f9} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\Program Files\videosoft\Uninstall.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\msqpdxbuhhlxrr.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E5F95557-5702-452F-8E29-91862E8677B8}\RP266\A0056514.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E5F95557-5702-452F-8E29-91862E8677B8}\RP266\A0056527.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

H:\C Drive\Program Files\videosoft\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:08:43 AM, on 1/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe

C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

C:\Program Files\DNA\btdna.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\1Trojan Problems\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {c59de4cb-4e20-4682-89e6-da5c0e2c2fb7} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {EAD9E7C9-E10D-4839-91D0-795040FB998F} - (no file)

O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe

O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [soundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: iifcBqpq - C:\WINDOWS\

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--

End of file - 7692 bytes

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-10 10:11:33

Windows 5.1.2600 Service Pack 3

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.14 ----
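The HijackThis and ComboFix logs in the post above carry the standard residue of a Vundo/TDSS cleanup: two BHO CLSIDs pointing at "(no file)", a Winlogon Notify entry (iifcBqpq) whose DLL is gone so only C:\WINDOWS\ remains, generated-looking DLL names such as ynhonkaq.dll and msqpdxjewpkkya.sys, a populated AppInit_DLLs value, and a service with "Unknown owner". The script below is an added example, not part of this thread and not code from Malwarebytes, HijackThis or ComboFix; it applies those checks to HijackThis log lines. The sample lines are copied from the logs above except for one O4 line, which is constructed to show how the ynhonkaq.dll orphan would have appeared before ComboFix removed it. The random-name heuristic is an assumption of this example and can flag legitimate vendor abbreviations, so it only ever marks items for review.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input for this example: lines copied from the HijackThis
# logs posted in this thread, plus one O4 line built to match the Vundo orphan
# "BM334792a8 - c:\windows\system32\ynhonkaq.dll" that ComboFix removed.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {c59de4cb-4e20-4682-89e6-da5c0e2c2fb7} - (no file)
O2 - BHO: (no name) - {EAD9E7C9-E10D-4839-91D0-795040FB998F} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM334792a8] Rundll32.exe "C:\WINDOWS\system32\ynhonkaq.dll",s
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: iifcBqpq - C:\WINDOWS\
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag (O2, O4, O20, O23)
    severity: str  # "fix": dead registration, safe to remove; "review": needs a human
    reason: str
    line: str


_HJT_LINE = re.compile(r"^(?P<sec>[ROF]\d+) - (?P<body>.*)$")
_WIN_PATH = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe|sys)', re.I)


def basename(path: str) -> str:
    """Last component of a Windows path; empty when the path ends in a backslash."""
    return path.strip().replace("/", "\\").split("\\")[-1]


def looks_random(filename: str) -> bool:
    """Heuristic (an assumption of this example) for generated names such as
    ynhonkaq.dll or msqpdxjewpkkya.sys: a letters-only stem of 8+ characters that
    is vowel-poor (25 % or less) or contains a run of four consonants. Vendor
    abbreviations can trip it, hence it only ever contributes severity "review"."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", filename).lower()
    if not re.fullmatch(r"[a-z]{8,}", stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) <= 0.25 or re.search(r"[^aeiou]{4}", stem) is not None


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis log line, or return None when nothing stands out."""
    m = _HJT_LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    # O2: CLSID still registered after the DLL was deleted. Dead, but an attacker
    # dropping a DLL at the old path would be loaded by IE again.
    if sec == "O2" and body.endswith("(no file)"):
        return Finding(sec, "fix", "BHO registered but its DLL is missing (orphaned by cleanup)", line)

    # O20 Winlogon Notify packages load into winlogon.exe as SYSTEM at logon;
    # a bare directory instead of a DLL name is the classic Vundo residue.
    if sec == "O20" and body.startswith("Winlogon Notify:"):
        name = basename(body.split(" - ", 1)[1])
        if not name.lower().endswith(".dll"):
            return Finding(sec, "fix", "Winlogon Notify entry without a DLL filename", line)
        if looks_random(name):
            return Finding(sec, "review", "Winlogon Notify DLL with a generated-looking name", line)
        return None

    # O20 AppInit_DLLs is injected into every process that loads user32.dll.
    if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return Finding(sec, "review", "AppInit_DLLs is populated; confirm the vendor of each DLL", line)

    # O4 autostart whose binary lives under %SystemRoot% with a generated-looking name.
    if sec == "O4":
        for path in _WIN_PATH.findall(body):
            if "\\windows\\" in path.lower() and looks_random(basename(path)):
                return Finding(sec, "review", "autostart under %SystemRoot% with a generated-looking filename", line)
        return None

    # O23 service binary carrying no company name in its version resource.
    if sec == "O23" and " - Unknown owner - " in body:
        return Finding(sec, "review", "service with no company information; verify the binary", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log, keeping only the hits."""
    return [f for f in (triage_line(raw) for raw in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    counts = {"fix": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT)
    for f in hits:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line.strip()}")
    print(summarize(hits))
```

Run it as-is to triage the constructed sample, or pass the text of a saved hijackthis.log to triage(). "fix" items are dead registrations that HijackThis can remove safely; "review" items need the binary's publisher and signature checked before anything is deleted, because the name heuristic cannot tell a packed vendor abbreviation from a Vundo drop.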


  • Root Admin

Okay, well, you did a Full scan, which was not required. Please check for updates again with MBAM, but this time just do a Quick Scan and make sure you tell it to fix anything it finds.

Then RESTART the computer and AFTER the restart please run HJT Scan and Save log and post back both new logs.

Thanks.


Okay, I ran MBAM with the latest updates, did a Quick Scan and it found nothing. I then rebooted and ran HiJackThis. Here are the two log files, as requested.

Malwarebytes' Anti-Malware 1.32

Database version: 1638

Windows 5.1.2600 Service Pack 3

1/10/2009 10:01:45 PM

mbam-log-2009-01-10 (22-01-45).txt

Scan type: Quick Scan

Objects scanned: 51839

Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:05:56 PM, on 1/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe

C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\1Trojan Problems\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {c59de4cb-4e20-4682-89e6-da5c0e2c2fb7} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {EAD9E7C9-E10D-4839-91D0-795040FB998F} - (no file)

O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe

O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [soundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: iifcBqpq - C:\WINDOWS\

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--

End of file - 7677 bytes
