trilox Posted October 10, 2011 ID:483943 Share Posted October 10, 2011 Virus started by creating popup asking for permission for fake task manager. It is now deleting my anti virus. I was unable to remove it with malwarebytes as it removed it. AVG found something called katusha.a which it removed. I think the virus is still infecting other files and copying itself. I ran combofix and it found a rootkit virus. There is this weird problem where my firewall is blocking every program and I have to manually disable it. I think my windows firewall is also infected. Websites are also attempting to be redirected to add sites but my AdPlus is blocking it. Here is my combofix log. Could you tell me if I ave anymore viruses? ComboFix 11-10-09.01 - Michael 09/10/2011 18:01:13.1.2 - x86Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.2046.939 [GMT -7:00]Running from: c:\users\Michael\Downloads\ComboFix.exe..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\users\Marshal\AppData\Roaming\inst.exec:\users\Michael\AppData\Roaming\Adobe\plugsc:\users\Michael\AppData\Roaming\Adobe\shedc:\users\Michael\AppData\Roaming\inst.exec:\windows\$NtUninstallKB48982$\1457554540c:\windows\$NtUninstallKB48982$\2554124437\@c:\windows\$NtUninstallKB48982$\2554124437\click.tlbc:\windows\$NtUninstallKB48982$\2554124437\L\qnbwvotoc:\windows\$NtUninstallKB48982$\2554124437\loader.tlbc:\windows\$NtUninstallKB48982$\2554124437\U\@00000001c:\windows\$NtUninstallKB48982$\2554124437\U\@000000c0c:\windows\$NtUninstallKB48982$\2554124437\U\@000000cbc:\windows\$NtUninstallKB48982$\2554124437\U\@000000cfc:\windows\$NtUninstallKB48982$\2554124437\U\@80000000c:\windows\$NtUninstallKB48982$\2554124437\U\@800000c0c:\windows\$NtUninstallKB48982$\2554124437\U\@800000cbc:\windows\$NtUninstallKB48982$\2554124437\U\@800000cfc:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}c:\windows\assembly\GAC_MSIL\desktop.inic:\windows\system32\ c:\windows\system32\a6874e7.dllc:\windows\system32\AutoRun.infc:\windows\system32\comct332.ocxc:\windows\system32\servicec:\windows\system32\service\02062009_TIS17_SfFniAU.logc:\windows\system32\service\05052009_TIS17_SfFniAU.logc:\windows\system32\service\09022009_TIS17_SfFniAU.logc:\windows\system32\service\20032009_TIS17_SfFniAU.logc:\windows\system32\service\27032009_TIS17_SfFniAU.logc:\windows\system32\service\28032009_TIS17_SfFniAU.logc:\windows\system32\service\31032009_TIS17_SfFniAU.logc:\windows\system32\zip32.dllc:\windows\$NtUninstallKB48982$ . . . . Failed to deletec:\windows\system32\drivers\ . . . . Failed to delete..((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))..-------\Service_983cd895..((((((((((((((((((((((((( Files Created from 2011-09-10 to 2011-10-10 )))))))))))))))))))))))))))))))..2011-10-10 01:16 . 2011-10-10 01:16 -------- d-----w- c:\users\Marshal\AppData\Local\temp2011-10-10 01:16 . 2011-10-10 01:20 -------- d-----w- c:\users\Michael\AppData\Local\temp2011-10-10 00:31 . 2011-10-10 00:31 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys2011-10-10 00:24 . 2011-08-18 22:25 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys2011-10-10 00:24 . 2011-10-10 00:24 -------- d-----w- c:\program files\Lavasoft2011-10-10 00:22 . 2010-11-30 18:43 439632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F5AB1E39-E4BB-4AEC-AFCE-812023F8AD80}\gapaengine.dll2011-10-10 00:21 . 2011-10-10 00:21 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EFA63CAF-0863-4A58-AE5A-645A79E5D7F5}\offreg.dll2011-10-10 00:21 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EFA63CAF-0863-4A58-AE5A-645A79E5D7F5}\mpengine.dll2011-10-10 00:19 . 2011-10-10 00:19 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2011-10-10 00:19 . 2011-10-10 00:19 -------- d-----w- C:\Malwarebytes' Anti-Malware2011-10-10 00:17 . 2011-10-10 00:17 -------- d-----w- c:\program files\Microsoft Security Client2011-10-10 00:07 . 2011-10-10 00:13 -------- d-----w- C:\TDSSKiller_Quarantine2011-10-09 20:14 . 2011-10-09 20:14 -------- d-sh--w- c:\users\Michael\AppData\Local\983cd8952011-09-29 06:49 . 2011-09-29 07:12 -------- d-----w- c:\users\Michael\AppData\Roaming\WinFF2011-09-29 06:49 . 2011-09-29 06:49 -------- d-----w- c:\program files\WinFF2011-09-29 06:31 . 2011-09-29 06:31 -------- d-----w- c:\users\Michael\AppData\Roaming\DVDVideoSoft2011-09-29 06:31 . 2011-09-29 06:40 -------- d-----w- c:\program files\Common Files\DVDVideoSoft2011-09-29 05:36 . 2011-09-29 06:45 -------- d-----w- c:\users\Michael\dwhelper...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2011-09-01 00:00 . 2010-10-31 01:56 22216 ----a-w- c:\windows\system32\drivers\mbam.sys2011-10-01 00:33 . 2011-06-03 07:24 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]2011-02-18 05:12 94208 ----a-w- c:\users\Michael\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]2011-02-18 05:12 94208 ----a-w- c:\users\Michael\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]2011-02-18 05:12 94208 ----a-w- c:\users\Michael\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-31 4670704]"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]"Steam"="c:\program files\Steam\Steam.exe" [2011-08-02 1242448]"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-07-29 19558024].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2010-08-10 421888]"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2009-09-28 55072]"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o&inst=NzctNTY5OTM0MDUwLUtWMys3LUJBKzEtWEwrMS1UMS1VQ0FMTCsxLUJBUjhHKzEtVUNBTEwyKzItVEI4KzItRkwrOC1GOE0xMUMrMS1VUEcrMjAxMS1DSUExMCsyLUZMMTArMS1DSVArMg∏=90&ver=10.0.1204" [?].c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk - c:\users\Michael\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680].c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-12-27 813584]Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856].[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"mixer4"=wdmaud.drv.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]@="Service".[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]@="Service".[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"DisableMonitoring"=dword:00000001.[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001.[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001.R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]R1 MpKsl2804583b;MpKsl2804583b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EFA63CAF-0863-4A58-AE5A-645A79E5D7F5}\MpKsl2804583b.sys [x]R1 MpKsl7304dec9;MpKsl7304dec9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0ECD3C7-DD64-4A83-B287-B2D9D8659EFE}\MpKsl7304dec9.sys [x]R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-08-18 7390560]R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-10-10 2151640]R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]R3 GarenaPEngine;GarenaPEngine;c:\users\Michael\AppData\Local\Temp\WYGBC70.tmp [x]R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-08-18 15232]R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 22992]S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-03-16 32592]S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-08-18 64512]S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-01-07 248656]S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-04-05 297168]S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2006-11-02 22016]S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-28 134480]S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 24144]S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-02-10 28624]S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [2009-06-17 40720]S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [2009-06-17 10384]S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-03-10 68200]S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2007-12-27 47360]..[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvcAkamai REG_MULTI_SZ Akamai.Contents of the 'Scheduled Tasks' folder.2011-10-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3894330282-596885355-3085526799-1000Core.job- c:\users\Marshal\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 03:32].2011-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3894330282-596885355-3085526799-1000UA.job- c:\users\Marshal\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 03:32]..------- Supplementary Scan -------.uStart Page = hxxp://www.ask.com?o=15179&l=dismStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktopuInternet Settings,ProxyOverride = local;*.localIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000TCP: Interfaces\{DC57F269-7A8A-46DB-985E-FD1F3937297C}: NameServer = 192.168.1.254,199.185.220.254FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\me2c3ie5.default\.- - - - ORPHANS REMOVED - - - -.WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exeAddRemove-IP Changer 2.0 - c:\program files\Plustech Inc.\IP Changer 2.0\Uninst.isuAddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exeAddRemove-Build Your Own Net Dream - c:\users\Michael\Desktop\Uninst.exeAddRemove-{50897E53-4A8B-4C0C-81C0-DCFA6893C753} - c:\users\Michael\AppData\Local\{BB2A91A2-3FC7-4F93-99C6-92BC5BCBBED0}\Hide The IP 2009.exe...**************************************************************************.catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2011-10-09 18:21Windows 6.0.6000 NTFS.scanning hidden processes ... .scanning hidden autostart entries ... .scanning hidden files ... .scan completed successfullyhidden files: 0.**************************************************************************.[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\GarenaPEngine]"ImagePath"="\??\c:\users\Michael\AppData\Local\Temp\WYGBC70.tmp".--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'Explorer.exe'(3836)c:\users\Michael\AppData\Roaming\Dropbox\bin\DropboxExt.14.dllc:\program files\QuikCAT\MiPro\QCShExt.dllc:\program files\WinSCP\DragExt.dll.------------------------ Other Running Processes ------------------------.c:\progra~1\AVG\AVG10\avgrsx.exec:\windows\system32\WUDFHost.exec:\windows\system32\conime.exec:\windows\system32\wbem\unsecapp.exe.**************************************************************************.Completion time: 2011-10-09 18:28:53 - machine was rebootedComboFix-quarantined-files.txt 2011-10-10 01:28.Pre-Run: 37,138,763,776 bytes freePost-Run: 38,134,878,208 bytes free.- - End Of File - - 53235E2EB2176C0D7E677415147EDC4A Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:483944 Share Posted October 10, 2011 Also my antivirus programs that I am trying to install are being disabled as they are scanning by the virus. Link to post Share on other sites More sharing options...
Staff screen317 Posted October 10, 2011 Staff ID:483946 Share Posted October 10, 2011 Hi and welcome to Malwarebytes.Please update MBAM, run a Quick Scan, and post its log.Next, download DDS by sUBs and save it to your Desktop.Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.Do not put any logs in code tags. Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:483947 Share Posted October 10, 2011 I am getting a directory is invalid error for any programs that I'm now downloading. Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:483949 Share Posted October 10, 2011 nvm I fixed it. somehow temp folder in windows got deleted Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:483952 Share Posted October 10, 2011 DDS.DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 7.0.6000.16609 BrowserJavaVersion: 1.6.0_22Run by Michael at 18:55:01 on 2011-10-09Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.2046.885 [GMT -7:00]..============== Running Processes ===============.C:\PROGRA~1\AVG\AVG10\avgrsx.exeC:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k rpcssC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\SLsvc.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Windows\System32\svchost.exe -k AkamaiC:\Program Files\AVG\AVG10\avgwdsvc.exeC:\Windows\system32\svchost.exe -k hpdevmgmtC:\Windows\System32\svchost.exe -k HPZ12C:\Windows\System32\svchost.exe -k HPZ12C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Windows\system32\svchost.exe -k imgsvcC:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\system32\SearchIndexer.exeC:\Windows\system32\WUDFHost.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\system32\taskeng.exeC:\Windows\Explorer.EXEC:\hp\support\hpsysdrv.exeC:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exeC:\Windows\RtHDVCpl.exeC:\Program Files\HP\HP Software Update\hpwuSchd2.exeC:\Program Files\Zune\ZuneLauncher.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\DivX\DivX Update\DivXUpdate.exeC:\Program Files\Microsoft Security Client\msseces.exeC:\Windows\system32\wbem\unsecapp.exeC:\Program Files\Windows Sidebar\sidebar.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\ehome\ehtray.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Logitech\SetPoint\SetPoint.exeC:\Program Files\Microsoft Office\Office12\ONENOTEM.EXEC:\Windows\ehome\ehmsas.exeC:\hp\kbd\kbd.exeC:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXEC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\iPod\bin\iPodService.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\wuauclt.exeC:\Windows\system32\taskeng.exeC:\Windows\servicing\TrustedInstaller.exeC:\Program Files\Mozilla Firefox\plugin-container.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exeC:\Windows\system32\conime.exeC:\Windows\system32\wbem\wmiprvse.exe.============== Pseudo HJT Report ===============.uStart Page = hxxp://www.ask.com?o=15179&l=dismStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktopuInternet Settings,ProxyOverride = local;*.localBHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dllBHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dllBHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dllBHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dllBHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dllBHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dllBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dllTB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dllTB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dllTB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dllEB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dlluRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRunuRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHideuRun: [ehTray.exe] c:\windows\ehome\ehTray.exeuRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenteruRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quietuRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorunuRun: [steam] "c:\program files\steam\Steam.exe" -silentuRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimizedmRun: [hpsysdrv] c:\hp\support\hpsysdrv.exemRun: [KBD] c:\hp\kbd\KbdStub.EXEmRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"mRun: [RtHDVCpl] RtHDVCpl.exemRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exemRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exemRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottimemRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscriptmRun: [sunJavaUpdateReg] "c:\windows\system32\jureg.exe" -deletemRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXEmRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOWmRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exemRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscriptmRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkeymRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o"&"inst=NzctNTY5OTM0MDUwLUtWMys3LUJBKzEtWEwrMS1UMS1VQ0FMTCsxLUJBUjhHKzEtVUNBTEwyKzItVEI4KzItRkwrOC1GOE0xMUMrMS1VUEcrMjAxMS1DSUExMCsyLUZMMTArMS1DSVArMg"&"prod=90"&"ver=10.0.1204StartupFolder: c:\users\michael\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\michael\appdata\roaming\dropbox\bin\Dropbox.exeStartupFolder: c:\users\michael\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXEStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exeStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exeStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exeIE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dllIE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLLIE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dllDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cabTCP: Interfaces\{DC57F269-7A8A-46DB-985E-FD1F3937297C} : NameServer = 192.168.1.254,199.185.220.254Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll.================= FIREFOX ===================.FF - ProfilePath - c:\users\michael\appdata\roaming\mozilla\firefox\profiles\me2c3ie5.default\FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dllFF - plugin: c:\program files\divx\divx plus web player\npdivx32.dllFF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dllFF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dllFF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dllFF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dllFF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dllFF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dllFF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dllFF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dllFF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dllFF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dllFF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dllFF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dllFF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin8.dllFF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dllFF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dllFF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dllFF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dllFF - plugin: c:\users\michael\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll.============= SERVICES / DRIVERS ===============.R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-10-9 64512]R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-11-2 22016]R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-5-27 134480]R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 28624]R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2009-6-17 40720]R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2009-6-17 10384]R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-2-25 68200]S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvscpapisvr.exe --> c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [?]S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504].=============== Created Last 30 ================.2011-10-10 01:28:55 -------- d-----w- c:\users\michael\appdata\local\temp2011-10-10 01:20:17 -------- d-sh--w- C:\$RECYCLE.BIN2011-10-10 00:47:34 256000 ----a-w- c:\windows\PEV.exe2011-10-10 00:47:34 208896 ----a-w- c:\windows\MBR.exe2011-10-10 00:47:33 98816 ----a-w- c:\windows\sed.exe2011-10-10 00:47:33 518144 ----a-w- c:\windows\SWREG.exe2011-10-10 00:46:52 -------- d-----w- C:\ComboFix2011-10-10 00:31:19 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys2011-10-10 00:24:48 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys2011-10-10 00:24:29 -------- d-----w- c:\program files\Lavasoft2011-10-10 00:22:49 439632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f5ab1e39-e4bb-4aec-afce-812023f8ad80}\gapaengine.dll2011-10-10 00:21:49 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{efa63caf-0863-4a58-ae5a-645a79e5d7f5}\offreg.dll2011-10-10 00:21:28 7269712 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{efa63caf-0863-4a58-ae5a-645a79e5d7f5}\mpengine.dll2011-10-10 00:19:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2011-10-10 00:19:21 -------- d-----w- C:\Malwarebytes' Anti-Malware2011-10-10 00:17:06 -------- d-----w- c:\program files\Microsoft Security Client2011-10-10 00:07:42 -------- d-----w- C:\TDSSKiller_Quarantine2011-10-09 20:14:22 -------- d-sh--w- c:\users\michael\appdata\local\983cd8952011-09-29 06:49:58 -------- d-----w- c:\users\michael\appdata\roaming\WinFF2011-09-29 06:49:56 -------- d-----w- c:\program files\WinFF2011-09-29 06:31:51 -------- d-----w- c:\users\michael\appdata\roaming\DVDVideoSoft2011-09-29 06:31:35 -------- d-----w- c:\users\michael\appdata\roaming\DVDVideoSoftIEHelpers2011-09-29 06:31:15 -------- d-----w- c:\program files\common files\DVDVideoSoft2011-09-29 05:36:59 -------- d-----w- c:\users\michael\dwhelper.==================== Find3M ====================.2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys.============= FINISH: 18:56:21.04 =============== Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:483957 Share Posted October 10, 2011 MBAMMalwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 7911Windows 6.0.6000Internet Explorer 7.0.6000.1660909/10/2011 7:04:51 PMmbam-log-2011-10-09 (19-04-51).txtScan type: Quick scanObjects scanned: 216948Time elapsed: 7 minute(s), 27 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:483961 Share Posted October 10, 2011 AVG is still detecting win32.Katusha.A from other programs like my Ad-aware. Link to post Share on other sites More sharing options...
Staff screen317 Posted October 10, 2011 Staff ID:483965 Share Posted October 10, 2011 Hi,Unfortunately that is a variant of a file infector.These are particularly malicious, in that they infect all of your legitimate programs.The problem is... the virus is very buggy, so it does not do a good job of infecting your files, so any attempt to disinfect and possibly save your files would be futile, in that, due to the buggy virus, we cannot properly disinfect your files.What I highly recommend now is a reformat and a reinstallation of Windows XP.Please let me know if you are prepared to do so.You may backup and save all files except programs (meaning pictures and documents are okay), because if you backup any applications, they will transfer to your clean system, and you will be reinfected.So, with that said, do you have your Windows XP CD? Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:484061 Share Posted October 10, 2011 Im on vista but im not sure if i can find the reformat cd I made. There is an option in one of the menus on startup to make a backup and to reformat. Is it safe to use that? Link to post Share on other sites More sharing options...
Staff screen317 Posted October 10, 2011 Staff ID:484065 Share Posted October 10, 2011 Yes that is probably your recovery partition and should be safe to use. Keep in mind that you will need to reinstall all of your programs. Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:484073 Share Posted October 10, 2011 Is it possible for the partition to get infected? Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:484075 Share Posted October 10, 2011 because I tried throwing a MBAM folder into my d drive which is where the reformat files are and when i tried to run it the virus infected it. Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:484092 Share Posted October 10, 2011 Are music/video files safe to back up? This only infects executables right? Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:484113 Share Posted October 10, 2011 Ok I reformatted. There is the one .exe from what I said above that remained on the D drive. 0000.exe. I cant delete it because I don't have privileges. Know how I can delete it? Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:484125 Share Posted October 10, 2011 nvm i went on hidden admin and deleted it. So now that I cleaned everything my computer is safe again right? Link to post Share on other sites More sharing options...
trilox Posted October 10, 2011 Author ID:484154 Share Posted October 10, 2011 bump. still need some confirmation if my computer is safe again. havent found a sign of the virus so far. Link to post Share on other sites More sharing options...
Staff screen317 Posted October 12, 2011 Staff ID:484903 Share Posted October 12, 2011 Hi,My apologies for the delay.What exactly is your D: drive? Link to post Share on other sites More sharing options...
Staff screen317 Posted October 14, 2011 Staff ID:485881 Share Posted October 14, 2011 Are you still with us? This topic will be closed in a few days if we do not hear back from you. Link to post Share on other sites More sharing options...
Staff screen317 Posted October 31, 2011 Staff ID:490535 Share Posted October 31, 2011 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts