
Hi,

I was infected with some malware/viruses. I've tried to remove it, but I believe there's something ugly inside my PC.

Here's the scan log from before I removed the files:

*********** Malwarebytes' Anti-Malware 1.51.1.1800 ***********

www.malwarebytes.org

Database version: 7698

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

12/09/2011 17:17:54

mbam-log-2011-09-12 (17-17-54).txt

Scan type: Quick scan

Objects scanned: 198155

Time elapsed: 11 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel System Core (Spyware.Passwords.XGen) -> Value: Intel System Core -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig (Windows.Tool.Disabled) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\igfxpx32.exe (Spyware.Passwords.XGen) -> Delete on reboot.

c:\documents and settings\Cesilia\local settings\Temp\tmp01.exe (Worm.Kolab) -> Quarantined and deleted successfully.

c:\documents and settings\Cesilia\local settings\Temp\tmp70.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Cesilia\local settings\Temp\tmp73.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Cesilia\local settings\temporary internet files\Content.IE5\1GVRTKT9\e1[2].zip (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Cesilia\local settings\temporary internet files\Content.IE5\4TI789MN\p1[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Cesilia\local settings\temporary internet files\Content.IE5\W3DZ26RH\j1[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Cesilia\local settings\Temp\tmp2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

This is what's inside my quarantine:

worm.kolab (in my document and settings)

trojan.agent (in my document and settings)

spyware.passwords.xgen (c:\windows\system32\igfxpx32.exe)

spyware.passwords.xgen (hklm\software\microsoft\currentversion\run\intel system core)

PUM.disabled.securitycenter (hklm\software\microsoft\security center\firewalldisablenotify|1|0)

PUM.disabled.securitycenter (hklm\software\microsoft\security center\antivirusdisablenotify|1|0)

windows.tool.disabled (hklm\software\policies\microsoft\windows NT\systemrestore\disableconfig|1|0)

And here's the log after I removed them:

*********** Malwarebytes' Anti-Malware 1.51.1.1800 ***********

www.malwarebytes.org

Database version: 7698

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

12/09/2011 18:34:05

mbam-log-2011-09-12 (18-34-05).txt

Scan type: Quick scan

Objects scanned: 198381

Time elapsed: 16 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*********** Here's the DDS: ***********

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.2180

Run by Cesilia at 20:47:32 on 2011-09-12

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.625 [GMT 7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\MySQL\bin\mysqld-nt.exe

C:\Program Files\Modem AC2726 UI\bin\MonServiceUDisk.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Modem AC2726 UI\bin\App.exe

C:\Program Files\Mozilla Firefox\firefox.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [<NO NAME>]

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: bmnet.dll

TCP: Interfaces\{736C0486-4AE5-4C25-A934-65CCC3E4B0F8} : NameServer = 10.17.3.244 10.17.3.252

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\cesilia\application data\mozilla\firefox\profiles\3i1bz6da.default\

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-9-11 11608]

R1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2011-9-12 21112]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-9-11 136360]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-9-11 66616]

R2 UDisk Monitor;UDisk Monitor;c:\program files\modem ac2726 ui\bin\MonServiceUDisk.exe [2011-5-21 266240]

R3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2011-5-21 104704]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2008-11-20 113152]

S3 rt2870;TP-LINK Wireless Adapter;c:\windows\system32\drivers\rt2870.sys [2011-7-25 829792]

S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [2008-8-20 197504]

S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [2008-8-20 148992]

S3 wirelessusbser;Wireless USB Device for Legacy Serial Communication;c:\windows\system32\drivers\3GDatausbser.sys [2011-5-27 102656]

S4 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashserv.exe" --> c:\program files\alwil software\avast4\ashServ.exe [?]

.

=============== Created Last 30 ================

.

2011-09-12 12:35:28 -------- d-----w- c:\windows\pss

2011-09-12 12:00:47 388096 ----a-r- c:\documents and settings\cesilia\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-09-12 12:00:46 -------- d-----w- c:\program files\Trend Micro

2011-09-12 10:24:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-09-12 09:57:30 -------- d-----w- c:\documents and settings\cesilia\application data\Malwarebytes

2011-09-12 09:57:25 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-12 09:57:25 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-09-12 09:57:22 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-12 09:57:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-12 09:53:41 172032 ----a-w- c:\windows\system32\igfxres.dll

2011-09-12 09:51:52 -------- d-----w- c:\windows\system32\Atheros_L2

2011-09-12 09:51:17 176128 ----a-w- c:\windows\system32\igfxrsky.lrc

2011-09-12 09:51:17 172032 ----a-w- c:\windows\system32\igfxrslv.lrc

2011-09-12 09:51:17 147456 ----a-w- c:\windows\system32\igfxCoIn_v4885.dll

2011-09-12 09:50:51 30720 ----a-w- c:\windows\system32\drivers\l251x86.sys

2011-09-12 08:46:45 -------- d-----w- C:\Intel

2011-09-12 08:46:11 -------- d-----w- c:\program files\Atheros Communications Inc

2011-09-12 08:33:48 -------- d-----w- c:\program files\HWiNFO32

2011-09-11 10:29:21 -------- d-----w- c:\windows\system32\NtmsData

2011-09-11 10:22:28 -------- d-----w- c:\documents and settings\cesilia\application data\Avira

2011-09-11 10:21:56 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-09-11 10:21:23 -------- d-----w- c:\program files\Avira

2011-09-11 10:21:23 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-09-09 06:29:34 -------- d-----w- c:\documents and settings\cesilia\local settings\application data\Mozilla

2011-09-09 05:45:03 13906488 ----a-w- C:\Firefox Setup 6.0.2.exe

2011-08-26 08:48:04 201260 ----a-w- C:\Firefox Setup 6.0.exe

.

==================== Find3M ====================

.

2011-08-26 05:42:07 333312 ----a-w- c:\documents and settings\cesilia\bm.exe

2011-07-25 08:20:57 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe

2009-07-01 17:59:52 2166784 ----a-w- c:\program files\common files\CReport21.dll

2009-07-01 17:59:38 1044480 ----a-w- c:\program files\common files\cSPT21.dll

2009-07-01 03:01:20 480904 ----a-w- c:\program files\common files\capicom.dll

2009-07-01 03:01:20 40960 ----a-w- c:\program files\common files\SSubTmr6.dll

2009-07-01 03:01:20 32768 ----a-w- c:\program files\common files\CBuilder21.dll

2009-07-01 03:01:20 24576 ----a-w- c:\program files\common files\CheckNPWP.dll

2009-07-01 03:01:20 159744 ----a-w- c:\program files\common files\cNewMenu6.dll

2005-01-21 03:42:48 1835120 ----a-w- c:\program files\common files\arpro2.dll

.

============= FINISH: 20:47:43.81 ===============

But I did not clear them properly. How do I completely remove them?

I can't get into Safe Mode (every time the Safe Mode scripts are about to finish, my PC automatically restarts again).

I can't activate my AntiVir Guard (there's no activate button) and I can't scan files using AntiVir.

Many thanks!

attach.zip

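The first post above quotes a Malwarebytes' Anti-Malware 1.x log whose lines carry three different kinds of finding: an autostart value under HKLM\...\CurrentVersion\Run, Security Center and System Restore settings that were switched off (the "Bad: (1) Good: (0)" data items), and files that MBAM could only mark "Delete on reboot" rather than quarantine. The script below is an added example, not part of the post and not Malwarebytes code; it parses that log format into records and turns them into the checklist a responder would run after the reboot. The sample log is a constructed subset of the entries quoted above; the line format is inferred from those entries and the section names come from the same log.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x scan log.

Added example, not part of the forum post above and not Malwarebytes code. It
parses the detection lines of an MBAM 1.x text log into records and sorts them
into what a responder re-checks after a cleanup: autostart entries, tampering
with Security Center and System Restore (the PUM.* / Windows.Tool.* data items,
whose "Bad: (x) Good: (y)" pair gives the expected value), and files MBAM could
only schedule for "Delete on reboot", which were still on disk at scan time.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: a subset of the entries quoted in the first post above.
SAMPLE_LOG = r"""
Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel System Core (Spyware.Passwords.XGen) -> Value: Intel System Core -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig (Windows.Tool.Disabled) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\igfxpx32.exe (Spyware.Passwords.XGen) -> Delete on reboot.
c:\documents and settings\Cesilia\local settings\Temp\tmp01.exe (Worm.Kolab) -> Quarantined and deleted successfully.
c:\documents and settings\Cesilia\local settings\Temp\tmp2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Line shapes inferred from the quoted log (assumption: MBAM 1.x text format).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)$")


@dataclass
class Detection:
    section: str   # "Files", "Registry Values", "Registry Data Items", ...
    path: str      # file path or registry path
    family: str    # MBAM detection name, e.g. "Spyware.Passwords.XGen"
    action: str    # last "->" segment: what MBAM did
    detail: str    # middle segment(s): "Value: X" or "Bad: (1) Good: (0)", else ""


@dataclass
class Triage:
    autoruns: list = field(default_factory=list)        # (key, value name)
    tampering: list = field(default_factory=list)       # (registry path, expected value)
    pending_reboot: list = field(default_factory=list)  # files still present at scan time
    removed: list = field(default_factory=list)         # files already quarantined
    families: Counter = field(default_factory=Counter)


def parse_mbam_log(text):
    """Return one Detection per detection line, tagged with its section."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if not m or section is None:
            continue  # blank lines, counters, "(No malicious items detected)"
        parts = [p.strip() for p in m.group("rest").split(" -> ")]
        found.append(Detection(section, m.group("path"), m.group("family"),
                               parts[-1], " -> ".join(parts[:-1])))
    return found


def triage(detections):
    """Sort detections into the things worth re-verifying after reboot."""
    t = Triage()
    for d in detections:
        t.families[d.family] += 1
        if d.section == "Registry Values" and "\\currentversion\\run" in d.path.lower():
            key, _, name = d.path.rpartition("\\")
            t.autoruns.append((key, d.detail.removeprefix("Value: ") or name))
        elif d.section == "Registry Data Items":
            m = BADGOOD_RE.match(d.detail)
            t.tampering.append((d.path, m.group("good") if m else "?"))
        elif d.section == "Files":
            if d.action.lower().startswith("delete on reboot"):
                t.pending_reboot.append(d.path)
            else:
                t.removed.append(d.path)
    return t


def report(text):
    """Human-readable checklist for a post-cleanup rescan."""
    t = triage(parse_mbam_log(text))
    out = ["families: " + ", ".join(f"{k} x{v}" for k, v in t.families.most_common())]
    out += [f"autorun to confirm gone: {key} -> {name}" for key, name in t.autoruns]
    out += [f"restore setting {path} = {good}" for path, good in t.tampering]
    out += [f"verify deleted after reboot: {p}" for p in t.pending_reboot]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The "Delete on reboot" distinction is the one that matters for the question asked in the post: the second MBAM scan came back clean, but c:\WINDOWS\system32\igfxpx32.exe was only scheduled for deletion in the first scan, so a clean second quick scan before a reboot does not by itself prove the file is gone.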

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7707

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

13/09/2011 10:33:59

mbam-log-2011-09-13 (10-33-59).txt

Scan type: Quick scan

Objects scanned: 198269

Time elapsed: 11 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

********************************************** Combofix Log *********************************************************************

ComboFix 11-09-12.05 - Cesilia 13/09/2011 10:49:52.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.400 [GMT 7:00]

Running from: c:\documents and settings\Cesilia\My Documents\Downloads\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\cwsandbox\cwsandbox.exe

c:\documents and settings\Cesilia\bm.exe

c:\documents and settings\Cesilia\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Cesilia\Local Settings\Application Data\ApplicationHistory\MJAcct.exe.f87b3513.ini

c:\documents and settings\Cesilia\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini

c:\documents and settings\Cesilia\userdiff.sav

c:\windows\system32\CLib212007.dll

c:\windows\system32\comct332.ocx

c:\windows\system32\userdiff.sav

c:\windows\system32\winlogon.bak

.

.

((((((((((((((((((((((((( Files Created from 2011-08-13 to 2011-09-13 )))))))))))))))))))))))))))))))

.

.

2011-09-12 12:00 . 2011-09-12 12:00 388096 ----a-r- c:\documents and settings\Cesilia\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-09-12 12:00 . 2011-09-12 12:00 -------- d-----w- c:\program files\Trend Micro

2011-09-12 09:57 . 2011-09-12 09:57 -------- d-----w- c:\documents and settings\Cesilia\Application Data\Malwarebytes

2011-09-12 09:57 . 2011-09-12 09:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-09-12 09:57 . 2011-09-13 03:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-12 09:57 . 2011-08-31 10:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-12 09:53 . 2007-10-30 00:39 172032 ----a-w- c:\windows\system32\igfxres.dll

2011-09-12 09:51 . 2011-09-12 09:51 -------- d-----w- c:\windows\system32\Atheros_L2

2011-09-12 09:51 . 2007-10-30 01:08 147456 ----a-w- c:\windows\system32\igfxCoIn_v4885.dll

2011-09-12 09:51 . 2007-10-30 00:43 176128 ----a-w- c:\windows\system32\igfxrsky.lrc

2011-09-12 09:51 . 2007-10-30 00:43 172032 ----a-w- c:\windows\system32\igfxrslv.lrc

2011-09-12 09:50 . 2007-10-17 13:12 30720 ----a-w- c:\windows\system32\drivers\l251x86.sys

2011-09-12 08:46 . 2011-09-12 08:46 -------- d-----w- C:\Intel

2011-09-12 08:46 . 2011-09-12 08:46 -------- d-----w- c:\program files\Atheros Communications Inc

2011-09-12 08:33 . 2011-09-12 08:33 -------- d-----w- c:\program files\HWiNFO32

2011-09-11 10:29 . 2011-09-12 03:38 -------- d-----w- c:\windows\system32\NtmsData

2011-09-11 10:22 . 2011-09-11 10:22 -------- d-----w- c:\documents and settings\Cesilia\Application Data\Avira

2011-09-11 10:21 . 2011-07-21 05:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-09-11 10:21 . 2011-07-21 05:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-09-11 10:21 . 2009-05-11 04:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-09-11 10:21 . 2009-05-11 04:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-09-11 10:21 . 2011-09-11 10:21 -------- d-----w- c:\program files\Avira

2011-09-11 10:21 . 2011-09-11 10:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-09-09 06:29 . 2011-09-09 06:29 -------- d-----w- c:\documents and settings\Cesilia\Local Settings\Application Data\Mozilla

2011-09-09 05:45 . 2011-09-09 05:47 13906488 ----a-w- C:\Firefox Setup 6.0.2.exe

2011-08-26 08:48 . 2011-08-26 08:48 201260 ----a-w- C:\Firefox Setup 6.0.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-25 08:20 . 2011-07-25 08:11 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe

2009-07-01 17:59 . 2009-07-01 17:59 2166784 ----a-w- c:\program files\Common Files\CReport21.dll

2009-07-01 17:59 . 2009-07-01 17:59 1044480 ----a-w- c:\program files\Common Files\cSPT21.dll

2009-07-01 03:01 . 2009-07-01 03:01 480904 ----a-w- c:\program files\Common Files\capicom.dll

2009-07-01 03:01 . 2009-07-01 03:01 40960 ----a-w- c:\program files\Common Files\SSubTmr6.dll

2009-07-01 03:01 . 2009-07-01 03:01 32768 ----a-w- c:\program files\Common Files\CBuilder21.dll

2009-07-01 03:01 . 2009-07-01 03:01 24576 ----a-w- c:\program files\Common Files\CheckNPWP.dll

2009-07-01 03:01 . 2009-07-01 03:01 159744 ----a-w- c:\program files\Common Files\cNewMenu6.dll

2005-01-21 03:42 . 2005-01-21 03:42 1835120 ----a-w- c:\program files\Common Files\arpro2.dll

2011-09-03 06:01 . 2011-09-12 10:24 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2010-01-08 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]

"SkyTel"="SkyTel.EXE" [2007-04-04 1822720]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-08 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-08 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-08 137752]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TP-LINK Wireless Utility.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TP-LINK Wireless Utility.lnk

backup=c:\windows\pss\TP-LINK Wireless Utility.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]

2008-12-01 07:23 33280 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HaierDcService]

2010-01-15 03:24 96768 ----a-w- c:\program files\Haier Dialer\Driver\HaierDcService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TRUUpdater]

2009-08-13 12:59 562456 ----a-w- c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatcherHelper]

2009-08-14 04:45 62744 ----a-w- c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=

"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=

.

R1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [12/09/2011 15:33 21112]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/09/2011 17:21 136360]

R3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [21/05/2011 14:29 104704]

S2 UDisk Monitor;UDisk Monitor;c:\program files\Modem AC2726 UI\bin\MonServiceUDisk.exe [21/05/2011 14:29 266240]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [20/11/2008 22:07 113152]

S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [20/08/2008 13:35 197504]

S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [20/08/2008 13:36 148992]

S3 wirelessusbser;Wireless USB Device for Legacy Serial Communication;c:\windows\system32\drivers\3GDatausbser.sys [27/05/2011 12:57 102656]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

LSP: bmnet.dll

TCP: Interfaces\{736C0486-4AE5-4C25-A934-65CCC3E4B0F8}: NameServer = 10.17.3.244 10.17.3.252

FF - ProfilePath - c:\documents and settings\Cesilia\Application Data\Mozilla\Firefox\Profiles\3i1bz6da.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-13 10:54

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\"c:\mysql\bin\mysqld-nt\" --defaults-file=\"c:\mysql\my.ini\" MySQL"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(500)

c:\windows\system32\igfxdev.dll

.

- - - - - - - > 'lsass.exe'(556)

c:\windows\system32\bmnet.dll

.

Completion time: 2011-09-13 10:58:58

ComboFix-quarantined-files.txt 2011-09-13 03:58

.

Pre-Run: 28,327,149,568 bytes free

Post-Run: 29,612,408,832 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 81CE328BF52D84FAB8D1754D2C78687F

************************************************ new DDS log ************************************************

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.2180

Run by Cesilia at 11:01:50 on 2011-09-13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.536 [GMT 7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Modem AC2726 UI\bin\App.exe

C:\Program Files\Mozilla Firefox\firefox.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: bmnet.dll

TCP: Interfaces\{736C0486-4AE5-4C25-A934-65CCC3E4B0F8} : NameServer = 10.17.3.244 10.17.3.252

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\cesilia\application data\mozilla\firefox\profiles\3i1bz6da.default\

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-9-11 11608]

R1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2011-9-12 21112]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-9-11 136360]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-9-11 66616]

R3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2011-5-21 104704]

S2 UDisk Monitor;UDisk Monitor;c:\program files\modem ac2726 ui\bin\MonServiceUDisk.exe [2011-5-21 266240]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2008-11-20 113152]

S3 rt2870;TP-LINK Wireless Adapter;c:\windows\system32\drivers\rt2870.sys [2011-7-25 829792]

S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [2008-8-20 197504]

S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [2008-8-20 148992]

S3 wirelessusbser;Wireless USB Device for Legacy Serial Communication;c:\windows\system32\drivers\3GDatausbser.sys [2011-5-27 102656]

S4 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashserv.exe" --> c:\program files\alwil software\avast4\ashServ.exe [?]

.

=============== Created Last 30 ================

.

2011-09-13 03:49:03 -------- d-sha-r- C:\cmdcons

2011-09-13 03:34:57 98816 ----a-w- c:\windows\sed.exe

2011-09-13 03:34:57 518144 ----a-w- c:\windows\SWREG.exe

2011-09-13 03:34:57 256000 ----a-w- c:\windows\PEV.exe

2011-09-13 03:34:57 208896 ----a-w- c:\windows\MBR.exe

2011-09-12 12:35:28 -------- d-----w- c:\windows\pss

2011-09-12 12:00:47 388096 ----a-r- c:\documents and settings\cesilia\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-09-12 12:00:46 -------- d-----w- c:\program files\Trend Micro

2011-09-12 10:24:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-09-12 09:57:30 -------- d-----w- c:\documents and settings\cesilia\application data\Malwarebytes

2011-09-12 09:57:25 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-09-12 09:57:22 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-12 09:57:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-12 09:53:41 172032 ----a-w- c:\windows\system32\igfxres.dll

2011-09-12 09:51:52 -------- d-----w- c:\windows\system32\Atheros_L2

2011-09-12 09:51:17 176128 ----a-w- c:\windows\system32\igfxrsky.lrc

2011-09-12 09:51:17 172032 ----a-w- c:\windows\system32\igfxrslv.lrc

2011-09-12 09:51:17 147456 ----a-w- c:\windows\system32\igfxCoIn_v4885.dll

2011-09-12 09:50:51 30720 ----a-w- c:\windows\system32\drivers\l251x86.sys

2011-09-12 08:46:45 -------- d-----w- C:\Intel

2011-09-12 08:46:11 -------- d-----w- c:\program files\Atheros Communications Inc

2011-09-12 08:33:48 -------- d-----w- c:\program files\HWiNFO32

2011-09-11 10:29:21 -------- d-----w- c:\windows\system32\NtmsData

2011-09-11 10:22:28 -------- d-----w- c:\documents and settings\cesilia\application data\Avira

2011-09-11 10:21:56 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-09-11 10:21:23 -------- d-----w- c:\program files\Avira

2011-09-11 10:21:23 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-09-09 06:29:34 -------- d-----w- c:\documents and settings\cesilia\local settings\application data\Mozilla

2011-09-09 05:45:03 13906488 ----a-w- C:\Firefox Setup 6.0.2.exe

2011-08-26 08:48:04 201260 ----a-w- C:\Firefox Setup 6.0.exe

.

==================== Find3M ====================

.

2011-07-25 08:20:57 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe

2009-07-01 17:59:52 2166784 ----a-w- c:\program files\common files\CReport21.dll

2009-07-01 17:59:38 1044480 ----a-w- c:\program files\common files\cSPT21.dll

2009-07-01 03:01:20 480904 ----a-w- c:\program files\common files\capicom.dll

2009-07-01 03:01:20 40960 ----a-w- c:\program files\common files\SSubTmr6.dll

2009-07-01 03:01:20 32768 ----a-w- c:\program files\common files\CBuilder21.dll

2009-07-01 03:01:20 24576 ----a-w- c:\program files\common files\CheckNPWP.dll

2009-07-01 03:01:20 159744 ----a-w- c:\program files\common files\cNewMenu6.dll

2005-01-21 03:42:48 1835120 ----a-w- c:\program files\common files\arpro2.dll

.

============= FINISH: 11:02:02.50 ===============


  • Staff

Hi,

I believe this may fix your issue:

Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 2, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.

Let me know if the update was successful.

(In addition, it will overwrite many system files with more current versions, which I believe will fix your issues.)

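The reply above rests on one observable fact in the ComboFix log posted earlier: its Sigcheck section lists two copies of winlogon.exe, the live one in system32 at build 5.1.2600.2180 (the SP2 build the log's "Service Pack 2" banner names) and a 5.1.2600.5512 (SP3) copy already downloaded under SoftwareDistribution. The script below is an added example, not ComboFix code and not from the thread; it parses that Sigcheck format and reads each entry against the installed service pack, so the "which system files are behind" question can be answered from the log rather than by eye. The sample text is copied from the quoted log; the line format is inferred from those two lines, and the build-to-service-pack table contains only the two values the log itself shows.

```python
"""Read ComboFix's "Sigcheck" lines against the installed service pack.

Added example; this is not ComboFix code and not part of the thread. ComboFix
prints one line per system binary it could not verify: a flag in brackets, the
file date, MD5, size, the PE version in brackets and the path. Read together
with the "Windows 5.1.2600 Service Pack 2" banner from the same log, those
lines show which copies of a file exist, which build each belongs to, and
whether the live copy in system32 is behind a copy staged by Windows Update.
"""
import re
from dataclasses import dataclass

# Constructed sample: the banner and the two Sigcheck lines from the ComboFix
# log quoted earlier in the thread, nothing else.
SAMPLE = r"""
Windows 5.1.2600 Service Pack 2 NTFS
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
[-] 2010-01-08 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
"""

# Windows XP file builds per service pack. Both values appear in the log
# itself (2180 on the running SP2 system, 5512 in the downloaded SP3 copy);
# other service packs are deliberately not guessed here.
SP_BUILD = {2: 2180, 3: 5512}

BANNER_RE = re.compile(r"^Windows (?P<ver>\d+\.\d+\.\d+) Service Pack (?P<sp>\d+)")
SIGCHECK_RE = re.compile(  # line shape inferred from the two quoted lines
    r"^\[(?P<flag>[^\]]*)\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32})"
    r" \. (?P<size>\d+) \. \. \[(?P<version>[\d.]+)\] \. \. (?P<path>.+)$"
)


@dataclass(frozen=True)
class SigEntry:
    flag: str
    date: str
    md5: str
    size: int
    version: tuple  # (major, minor, build, revision); revision carries the SP level
    path: str

    @property
    def name(self) -> str:
        return self.path.replace("\\", "/").rsplit("/", 1)[-1].lower()

    @property
    def is_live(self) -> bool:
        """True for the copy Windows actually runs from (system32)."""
        return "\\system32\\" in self.path.lower()


def parse_sigcheck(text):
    """Return (service_pack, [SigEntry, ...]) from a ComboFix log."""
    sp, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = BANNER_RE.match(line)
        if m:
            sp = int(m.group("sp"))
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            version = tuple(int(x) for x in m.group("version").split("."))
            entries.append(SigEntry(m.group("flag"), m.group("date"), m.group("md5").upper(),
                                    int(m.group("size")), version, m.group("path")))
    return sp, entries


def classify(entry, sp):
    """Place one file's build against the service pack the log says is installed."""
    expected = SP_BUILD.get(sp)
    if expected is None or len(entry.version) < 4:
        return "unknown"
    rev = entry.version[3]
    if rev == expected:
        return "installed-sp"
    return "newer-than-installed" if rev > expected else "older-than-installed"


def live_vs_staged(entries):
    """For each basename, pair the live system32 copy with the newest other copy."""
    out = {}
    for name in list(dict.fromkeys(e.name for e in entries)):
        same = [e for e in entries if e.name == name]
        live = next((e for e in same if e.is_live), None)
        others = sorted((e for e in same if not e.is_live), key=lambda e: e.version)
        out[name] = (live, others[-1] if others else None)
    return out


def report(text):
    sp, entries = parse_sigcheck(text)
    lines = [f"installed service pack: {sp} (expected file build {SP_BUILD.get(sp)})"]
    for e in entries:
        ver = ".".join(map(str, e.version))
        lines.append(f"{classify(e, sp):>21}  {ver}  {e.date}  {e.md5}  {e.path}")
    for name, (live, staged) in live_vs_staged(entries).items():
        if live and staged and staged.version > live.version:
            lines.append(f"{name}: live copy is build {live.version[3]}, build "
                         f"{staged.version[3]} is staged at {staged.path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

On the quoted log this reports the system32 winlogon.exe as matching the installed SP2 build and the SoftwareDistribution copy as newer, which is exactly the state "install the pending service pack" is meant to resolve; it does not judge the 2010-01-08 file date or the MD5, since the log gives no reference values for those, and ComboFix's own note that unsigned files are not necessarily malware still applies.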

  • 4 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
