
Re-Infected?



I just got un-infected not too long ago and I was doing anti-virus/malware/spyware scans almost daily. Today my antivirus scan came up with over 24 rootkits or backdoor programs. Here is my HJT log and the Avira log from its scan. Where did they all come from? How do I keep them from coming back? Do I need to do a fresh install? I've got SpywareGuard, SpywareBlaster, Spybot Search and Destroy and Malwarebytes all on my machine.

Logfile of HijackThis v1.99.1

Scan saved at 12:43:11 PM, on 18/01/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\ehome\RMSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\ALCWZRD.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\ATI Multimedia\main\ATISched.EXE

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe

C:\Killer Stuff\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE

O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O14 - IERESET.INF: START_PAGE_URL=http:\\www.mdg.ca

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.1.99.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Avira AntiVir Personal

Report file date: January 18, 2009 12:00

Scanning for 1223757 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: DAM_LAYCOCKS

Version information:

BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00

AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26

AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40

LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19

LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36

ANTIVIR1.VDF : 7.1.1.113 2817536 Bytes 1/14/2009 14:07:50

ANTIVIR2.VDF : 7.1.1.114 2048 Bytes 1/14/2009 14:07:51

ANTIVIR3.VDF : 7.1.1.136 292352 Bytes 1/18/2009 15:07:46

Engineversion : 8.2.0.57

AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 16:05:56

AESCRIPT.DLL : 8.1.1.26 340347 Bytes 1/17/2009 14:08:06

AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 21:06:41

AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 19:58:38

AEPACK.DLL : 8.1.3.5 393588 Bytes 1/17/2009 14:08:04

AEOFFICE.DLL : 8.1.0.33 196987 Bytes 1/17/2009 14:08:03

AEHEUR.DLL : 8.1.0.84 1540471 Bytes 1/17/2009 14:08:01

AEHELP.DLL : 8.1.2.0 119159 Bytes 1/17/2009 14:07:57

AEGEN.DLL : 8.1.1.10 323957 Bytes 1/17/2009 14:07:56

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 16:05:56

AECORE.DLL : 8.1.5.2 172405 Bytes 1/17/2009 14:07:54

AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56

AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05

AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01

AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 18:02:15

AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40

AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49

SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40

NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07

RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:

Jobname..........................: Local Hard Disks

Configuration file...............: C:\Program Files\Avira\AntiVir PersonalEdition Classic\alldiscs.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:, D:,

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: January 18, 2009 12:00

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'dwwin.exe' - '1' Module(s) have been scanned

Scan process 'sgbhp.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'sgmain.exe' - '1' Module(s) have been scanned

Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned

Scan process 'VeohClient.exe' - '1' Module(s) have been scanned

Scan process 'atidtct.exe' - '1' Module(s) have been scanned

Scan process 'AtiSched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'ehmsas.exe' - '1' Module(s) have been scanned

Scan process 'ALCWZRD.EXE' - '1' Module(s) have been scanned

Scan process 'ehtray.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned

Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'dllhost.exe' - '1' Module(s) have been scanned

Scan process 'McrdSvc.exe' - '1' Module(s) have been scanned

Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'RMSvc.exe' - '1' Module(s) have been scanned

Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned

Scan process 'ehSched.exe' - '1' Module(s) have been scanned

Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'aawservice.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

50 processes with 50 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '65' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000001.sys

[DETECTION] Contains recognition pattern of the RKIT/TDss.G.22 root kit

[NOTE] The file was moved to '49a36929.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000002.dll

[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.JW back-door program

[NOTE] The file was moved to '49a36940.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000003.dll

[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.adb back-door program

[NOTE] The file was moved to '49a3694d.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000004.dll

[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.acs back-door program

[NOTE] The file was moved to '49a36955.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000005.dll

[DETECTION] Is the TR/TDss.AT.518 Trojan

[NOTE] The file was moved to '49a36965.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000027.exe

[DETECTION] Is the TR/Click.VB.cqq Trojan

[NOTE] The file was moved to '49a3696a.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000029.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a3696b.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000030.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a3696e.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000031.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a36971.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000032.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a36976.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000033.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a36978.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000034.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a3697c.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000035.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a3697e.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000036.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a36980.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000037.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a36982.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000038.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a36984.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000039.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a36986.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000040.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a36988.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000041.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a36989.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000042.dll

[DETECTION] Is the TR/Dldr.Small.ahmz Trojan

[NOTE] The file was moved to '49a3698b.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000043.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a3698d.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000044.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a3698f.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000045.dll

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '49a36992.qua'!

C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP1\A0000170.dll

[DETECTION] Is the TR/Agent.ALPG Trojan

[NOTE] The file was moved to '49a36997.qua'!

Begin scan in 'D:\'

End of the scan: January 18, 2009 12:57

Used time: 57:45 Minute(s)

The scan has been done completely.

10275 Scanning directories

303277 Files were scanned

24 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

24 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

303251 Files not concerned

7917 Archives were scanned

2 Warnings

24 Notes

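To answer the "where did they all come from" question from the Avira report itself, here is an added triage script (not from this thread or from Avira): it parses the three-line path / [DETECTION] / [NOTE] records and groups the hits by whether they sit inside a System Restore point (System Volume Information\_restore{...}\RPn) or on the live file system. The sample report is a constructed excerpt that reuses four records from the log above plus one made-up live-file-system record with a placeholder path, so the location split is visible.

```python
"""Triage an Avira AntiVir scan report: where do the hits live and what are they?

Added example, not part of the thread. A record in the report is three lines:
a file path, a [DETECTION] line, and a [NOTE] line with the action taken.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# A file inside a System Restore point: ...\System Volume Information\_restore{GUID}\RPn\...
# Group 1 is the restore-point number (RP0, RP1, ...).
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE)
# Class prefix of an Avira detection name: RKIT/... (rootkit), BDS/... (backdoor), TR/... (trojan)
FAMILY_RE = re.compile(r"\b([A-Z]{2,6})/[A-Za-z]")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Detection:
    path: str
    description: str              # text after [DETECTION]
    action: str                   # text after [NOTE], e.g. "The file was moved to '...qua'!"
    restore_point: Optional[str]  # "RP0" etc., or None for a file on the live file system

    @property
    def family(self) -> str:
        m = FAMILY_RE.search(self.description)
        return m.group(1) if m else "OTHER"


def parse_report(text: str) -> list:
    """Collect path / [DETECTION] / [NOTE] records; other lines only close an open record."""
    found = []
    path = desc = None

    def flush(action: str) -> None:
        nonlocal path, desc
        if path and desc:
            m = RESTORE_RE.search(path)
            found.append(Detection(path, desc, action, m.group(1) if m else None))
        path = desc = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[DETECTION]"):
            desc = line[len("[DETECTION]"):].strip()
        elif line.startswith("[NOTE]"):
            flush(line[len("[NOTE]"):].strip())
        elif line.startswith("["):          # [WARNING] / [INFO]: not a hit
            flush("no action recorded")
        elif PATH_RE.match(line):
            flush("no action recorded")     # a detection without a [NOTE] still counts
            path = line
    flush("no action recorded")
    return found


def summarize(detections) -> dict:
    """Counts a helper wants at a glance: location, class, and how many were quarantined."""
    return {
        "total": len(detections),
        "by_location": dict(Counter(d.restore_point or "live file system" for d in detections)),
        "by_family": dict(Counter(d.family for d in detections)),
        "quarantined": sum(1 for d in detections if "moved to" in d.action),
    }


def all_in_restore_points(detections) -> bool:
    """True when every hit is an archived copy inside System Restore and none is on the live system."""
    return bool(detections) and all(d.restore_point for d in detections)


# Constructed excerpt: four records copied from the report above plus one made-up
# live-file-system record (placeholder path) so the location split is visible.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000001.sys
[DETECTION] Contains recognition pattern of the RKIT/TDss.G.22 root kit
[NOTE] The file was moved to '49a36929.qua'!
C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000002.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.JW back-door program
[NOTE] The file was moved to '49a36940.qua'!
C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP0\A0000029.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49a3696b.qua'!
C:\System Volume Information\_restore{598DEA7A-C02E-4233-B8BA-68938A05F1FE}\RP1\A0000170.dll
[DETECTION] Is the TR/Agent.ALPG Trojan
[NOTE] The file was moved to '49a36997.qua'!
C:\Documents and Settings\PLACEHOLDER_USER\Local Settings\Temp\placeholder.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '00000000.qua'!
Begin scan in 'D:\'
"""

if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    for d in hits:
        print(f"{d.restore_point or 'LIVE':5} {d.family:5} {d.description}")
    print(summarize(hits))
    print("only restore-point copies:", all_in_restore_points(hits))
```

Run against the full report in the post, every record lands in RP0 or RP1, which is what a helper looks for before deciding whether the live system is still carrying anything.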

Hi there

We need to disable your TeaTimer as it may interfere with the fixes that we need to make.

1) Run Spybot-S&D

2) Go to the Mode menu, and make sure "Advanced Mode" is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck "Resident TeaTimer" and OK any prompts

5) Restart your computer.

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As.

* Save it to your Desktop.

* Double-click ResetTeaTimer.zip

* Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.

After all of the fixes are complete it is very important that you enable TeaTimer again; I will let you know when it is safe to do so.

A Tutorial for Tea Timer can be found here -> http://russelltexas.com/malware/teatimer.htm

===========================================

I notice that you mention you have Malwarebytes Antimalware (MBAM) installed

I want you to run a scan for me.

First I want you to update MBAM so we have the latest definitions onboard

Please open Malwarebytes Antimalware

Now click on the update tab

Next - Click on the Check for updates button

  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete, so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

===========================================

Please scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure that you install the recovery console

Also ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

===========================================

Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and add this to your next post as an attachment.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please post back with all 3 logs


OK, did as you said. The only problem was with GMER: when run it seemed to scan right away, and when prompted to scan again after unchecking the appropriate boxes, it did nothing. No log was created that I could find. Here are the other two logs.

Malwarebytes' Anti-Malware 1.33

Database version: 1666

Windows 5.1.2600 Service Pack 2

18/01/2009 4:20:08 PM

mbam-log-2009-01-18 (16-20-08).txt

Scan type: Quick Scan

Objects scanned: 62378

Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix 09-01-18.01 - Laycocks 2009-01-18 16:24:12.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1503.951 [GMT -5:00]

Running from: c:\documents and settings\Laycocks\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))

.

2009-01-18 11:17 . 2009-01-18 13:07 <DIR> d-------- c:\program files\World of Warcraft Trial

2009-01-18 11:17 . 2009-01-18 11:17 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment

2009-01-17 19:00 . 2009-01-17 19:18 <DIR> d-------- c:\windows\system32\CatRoot_bak

2009-01-17 00:28 . 2009-01-17 00:28 <DIR> d-------- c:\program files\Avira

2009-01-17 00:28 . 2009-01-17 00:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-01-16 23:58 . 2009-01-18 13:06 <DIR> d-------- c:\program files\SpywareGuard

2009-01-16 23:57 . 2009-01-17 11:07 <DIR> d-------- c:\program files\SpywareBlaster

2009-01-16 23:57 . 2009-01-18 13:06 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-16 23:25 . 2009-01-17 22:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-16 23:22 . 2009-01-16 23:22 410,984 --a------ c:\windows\system32\deploytk.dll

2009-01-16 23:22 . 2009-01-16 23:22 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-01-11 01:05 . 2009-01-11 01:05 <DIR> d-------- c:\documents and settings\Laycocks\Application Data\Malwarebytes

2009-01-09 21:57 . 2009-01-17 22:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-09 21:34 . 2009-01-17 11:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-09 21:34 . 2009-01-09 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-09 21:34 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-09 21:34 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-07 17:19 . 2009-01-18 12:42 <DIR> d-------- C:\Killer Stuff

2009-01-06 22:41 . 2009-01-06 22:41 <DIR> d-------- c:\documents and settings\Laycocks\Application Data\F-Secure

2009-01-06 22:30 . 2009-01-06 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\F-Secure

2008-12-21 10:46 . 2008-12-26 02:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\fssg

2008-12-20 19:46 . 2008-12-20 19:46 <DIR> d-------- C:\fsaua.data

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-17 22:51 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-01-17 17:02 14,154 ----a-w c:\documents and settings\Laycocks\Application Data\wklnhst.dat

2009-01-17 04:22 --------- d-----w c:\program files\Java

2009-01-07 01:48 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-07 01:48 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2008-12-29 06:08 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF

2008-12-29 06:08 10,740 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT

2008-12-21 00:42 --------- d-----w c:\program files\SopCast

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2008-11-28 05:16 --------- d-----w c:\program files\QuickTime

2008-11-27 17:39 --------- d-----w c:\program files\iTunes

2008-11-27 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-11-27 17:35 --------- d-----w c:\program files\iPod

2008-11-27 17:35 --------- d-----w c:\program files\Common Files\Apple

2008-11-27 17:21 --------- d-----w c:\program files\Safari

2008-11-24 03:09 --------- d-----w c:\documents and settings\All Users\Application Data\ATI MMC

2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll

2008-05-21 22:31 133,160 -c--a-w c:\documents and settings\Laycocks\Application Data\GDIPFONTCACHEV1.DAT

2006-09-19 05:24 81,920 -c--a-w c:\documents and settings\Laycocks\Application Data\ezpinst.exe

2006-09-19 05:24 47,360 -c--a-w c:\documents and settings\Laycocks\Application Data\pcouffin.sys

2006-09-13 05:18 774,144 -c--a-w c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [2005-05-04 36864]

"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-05-04 53248]

"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-09-26 3660848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2004-08-10 77891]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"SoundMan"="SOUNDMAN.EXE" [2004-07-01 c:\windows\SOUNDMAN.EXE]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]

"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 c:\windows\ALCWZRD.EXE]

c:\documents and settings\Laycocks\Start Menu\Programs\Startup\

SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.UYVY"= c:\windows\system32\msyuv.dll

"VIDC.YUY2"= ATIVYUY.DLL

"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-03-30 173824]

R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-03-30 29184]

R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-03-30 9088]

S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys --> c:\program files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys [?]

S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-01-12 87824]

S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-01-12 85696]

S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSfilter.sys --> c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSfilter.sys [?]

S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSrec.sys --> c:\program files\COGECO Security Services\Anti-Virus\Win2K\FSrec.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{019f7bfa-dd09-11dd-a766-00132057a270}]

\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2acb4399-dc4c-11dd-a75e-00132057a270}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mgae.com/keylauncher/?code=3654267062666774

.

Contents of the 'Scheduled Tasks' folder

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-18 c:\windows\Tasks\uhbjlxmv.job

- c:\windows\system32\rundll32.exe [2004-08-10 07:00]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-ATI Launchpad - (no file)

HKLM-Run-F-Secure Manager - c:\program files\COGECO Security Services\Common\FSM32.EXE

HKLM-Run-F-Secure TNB - c:\program files\COGECO Security Services\FSGUI\TNBUtil.exe

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

FF - ProfilePath - c:\documents and settings\Laycocks\Application Data\Mozilla\Firefox\Profiles\igth902o.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\documents and settings\Laycocks\Application Data\Mozilla\plugins\npPxPlay.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-18 16:26:41

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-262542382-820493166-2832226997-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

Completion time: 2009-01-18 16:30:18

ComboFix-quarantined-files.txt 2009-01-18 21:29:01

Pre-Run: 49,291,890,688 bytes free

Post-Run: 49,283,387,392 bytes free

163 --- E O F --- 2009-01-18 06:05:39


Hi there

Let's re-try GMER...

Delete the version you already have on your computer.

Download GMER Rootkit Scanner from here or here.

You must rename it before saving it. Save it to your desktop.

Save it under the name of ARK

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of GMER.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area type in "Gmer.txt", or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and add this to your next post as an attachment.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Ok, it took some fooling around with, but I think I got it going. Here is the log (hopefully).

GMER 1.0.14.14536 - http://www.gmer.net

Autostart scan 2009-01-19 15:02:40

Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>

igfxcui@DLLName = igfxsrvc.dll

WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>

aawservice@ = "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"

AntiVirScheduler@ = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"

AntiVirService@ = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"

Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"

Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"

ehRecvr@ = C:\WINDOWS\eHome\ehRecvr.exe

ehSched@ = C:\WINDOWS\eHome\ehSched.exe

gusvc@ = "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"

JavaQuickStarterService@ = "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"

McrdSvc@ = C:\WINDOWS\ehome\McrdSvc.exe

Pml Driver HPZ12@ = C:\WINDOWS\system32\HPZipm12.exe

RMSvc@ = C:\WINDOWS\ehome\RMSvc.exe

ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys

UMWdf@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>

@USRpdAC:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA = C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE

@IgfxTrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe

@HPHUPD08C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe = C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

@HP Software UpdateC:\Program Files\HP\HP Software Update\HPWuSchd2.exe = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

@HotKeysCmdsC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe

@High Definition Audio Property Page ShortcutHDAudPropShortcut.exe = HDAudPropShortcut.exe

@ehTrayC:\WINDOWS\ehome\ehtray.exe = C:\WINDOWS\ehome\ehtray.exe

@AlcWzrdALCWZRD.EXE = ALCWZRD.EXE

@AppleSyncNotifierC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"

@QuickTime Task"C:\Program Files\QuickTime\QTTask.exe" -atboottime = "C:\Program Files\QuickTime\QTTask.exe" -atboottime

@SunJavaUpdateSched"C:\Program Files\Java\jre6\bin\jusched.exe" = "C:\Program Files\Java\jre6\bin\jusched.exe"

@avgnt"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>

@ATI SchedulerC:\Program Files\ATI Multimedia\main\ATISched.EXE = C:\Program Files\ATI Multimedia\main\ATISched.EXE

@ATI DeviceDetectC:\Program Files\ATI Multimedia\main\ATIDtct.EXE = C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

@Veoh"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide = "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@UPnPMonitor = C:\WINDOWS\system32\upnpui.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>

@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/

@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll

@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll

@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =

@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll

@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll

@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll

@{BB7DF450-F119-11CD-8465-00AA00425D90} /*Microsoft Access Custom Icon Handler*/C:\Program Files\msaccrt\Access 97\soa800.dll /*file not found*/ = C:\Program Files\msaccrt\Access 97\soa800.dll /*file not found*/

@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll = C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll

@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll

@{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Universal Plug and Play Devices*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll

@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll

@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll = C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>

Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll

WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>

Library@{54F51408-DD44-4a12-82EF-519AD2A80DE9} = C:\Program Files\ATI Multimedia\mlibrary\MLShell.dll

MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll

WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>

@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll

@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre6\bin\ssv.dll = C:\Program Files\Java\jre6\bin\ssv.dll

@{DBC80044-A445-435b-BC74-9C25C1C588A9}C:\Program Files\Java\jre6\bin\jp2ssv.dll = C:\Program Files\Java\jre6\bin\jp2ssv.dll

@{E7E6F031-17CE-4C07-BC86-EABFE594F69C}C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll = C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>

@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157

@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home

@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>

@Start Pageabout:blank = about:blank

@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>

cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL

dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll

its@CLSID = C:\WINDOWS\system32\itss.dll

mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll

ms-its@CLSID = C:\WINDOWS\system32\itss.dll

ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll

tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll

C:\Documents and Settings\Laycocks\Start Menu\Programs\Startup = SpywareGuard.lnk

---- EOF - GMER 1.0.14 ----


Sorry, I fiddled around with GMER more and was able to get it to work properly. Here is the proper log you were asking for (I hope).

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-19 15:16:10

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT BAFC7AB4 ZwCreateThread

SSDT BAFC7AA0 ZwOpenProcess

SSDT BAFC7AA5 ZwOpenThread

SSDT BAFC7AAF ZwTerminateProcess

SSDT BAFC7AAA ZwWriteVirtualMemory

---- EOF - GMER 1.0.14 ----


Hi there

From what I see your system is clear. What was initially found with Antivir was in System Restore and has now been deleted by Antivir. Just a remnant in Task Scheduler to clear out...

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@echo off
rem Delete the leftover scheduled task and any old tool backup folders,
rem logging anything that could not be removed to %temp%\log.txt.
if exist "%temp%\log.txt" del "%temp%\log.txt"
for %%g in (
"c:\windows\Tasks\uhbjlxmv.job"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" (
start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
rem nircmd pauses 7 seconds so the message can be read before the window closes
nircmd wait 7000
rem remove the batch file itself
del %0

Save this as fix.bat. Choose "Save as type - All Files".

It should look like this: bat_icon.gif

Double click on fix.bat & allow it to run

Post back to tell me what it says.

How are things running? Any problems to report?

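Reading the ComboFix log by eye is how the helper spotted the leftover uhbjlxmv.job task. As an added example that is not part of this thread and is not ComboFix's or GMER's code, the Python below applies the same three checks to log text in that format: Security Center monitoring/notification values set to 1, AutoRun commands registered for removable drives under mountpoints2, and scheduled tasks whose name looks random or whose target is a script/DLL host such as rundll32.exe. The sample log is constructed from the entries posted above; the vowel-ratio heuristic and the list of script hosts are my own choices, not ComboFix rules.

```python
"""Triage a ComboFix-style log for persistence remnants (added example, not tool code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modeled on the log posted in this thread (not a live capture).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{019f7bfa-dd09-11dd-a766-00132057a270}]
\Shell\AutoRun\command - E:\setupSNK.exe
Contents of the 'Scheduled Tasks' folder
2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-01-18 c:\windows\Tasks\uhbjlxmv.job
- c:\windows\system32\rundll32.exe [2004-08-10 07:00]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.I)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(.+\\Tasks\\([^\\]+)\.job)$", re.I)
TARGET_RE = re.compile(r"^-\s+(.+?)\s+\[")

# Hosts that run arbitrary DLLs/scripts; a task pointing at one of these instead of a
# product binary deserves a second look (my choice of list, not a ComboFix rule).
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Security Center values that, when set to 1, silence or disable its monitoring.
SECURITY_CENTER_FLAGS = {"DisableMonitoring", "AntiVirusDisableNotify",
                         "FirewallDisableNotify", "UpdatesDisableNotify"}


def looks_random(name: str) -> bool:
    """Heuristic: an all-letter name of 6+ chars with under 25% vowels (e.g. 'uhbjlxmv')."""
    if len(name) < 6 or not name.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in name.lower())
    return vowels / len(name) < 0.25


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding dict per suspicious entry, in log order."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    pending_task: Optional[Tuple[str, str]] = None  # (job path, task base name)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group(1).lower()
        elif (m := DWORD_RE.match(line)) and "security center" in current_key:
            name, value = m.group(1), int(m.group(2), 16)
            if name in SECURITY_CENTER_FLAGS and value == 1:
                findings.append({"type": "security_center_tamper",
                                 "where": current_key, "detail": f"{name}=1"})
        elif (m := AUTORUN_RE.match(line)) and "mountpoints2" in current_key:
            findings.append({"type": "drive_autorun",
                             "where": current_key, "detail": m.group(1)})
        elif (m := TASK_RE.match(line)):
            pending_task = (m.group(1), m.group(2))
        elif (m := TARGET_RE.match(line)) and pending_task:
            job_path, base = pending_task
            target = m.group(1)
            reasons = []
            if looks_random(base):
                reasons.append("random-looking task name")
            if target.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
                reasons.append("target is a script/DLL host, not a product binary")
            if reasons:
                findings.append({"type": "suspicious_task", "where": job_path,
                                 "detail": f"{target} ({'; '.join(reasons)})"})
            pending_task = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['type']}] {f['where']}\n    {f['detail']}")
```

Run against the sample, it reports the two Security Center values, the E:\ AutoRun command, and uhbjlxmv.job, while AppleSoftwareUpdate.job passes. The task heuristic is deliberately two-sided: a readable name pointing at a product binary is left alone, and a finding is only a prompt to look, not a verdict.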

Copied, saved and ran as you said and it came back with a reply of Deleted Successfully.

As for how are things running, quite well. I have not found anything with subsequent scans.

Thanks for your help, I guess I got a bit nervous after just getting my system clean to find 24 Trojans and such.


Only too glad to help

Let's tidy up after ourselves.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware, let's help you stay that way!

Update Windows on a regular basis - If you do not have automatic updates enabled, then

Visit Microsoft's Update Page and update your computer from there

Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.

Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of, then don't be afraid to ask for advice. For more information on firewalls, read this article here.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialise and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing

Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.

Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser

Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.

Computer Maintenance

Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware

Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy and Ad-Aware 2007 Free by Lavasoft can help you keep clear. These products are scan-on-demand and do not have active background scanning. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM). Please note that this product can also be run as free without a licence, but the background protection will not be active.

Secure your router

Change your router's default username and password; do not leave it at the factory preset, as doing so makes it easy for unauthorised access.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein

-> How to prevent Malware - By miekiemoes

-> I'm not pulling your leg, honest - By Sandi Hardmeier

Good luck and happy safe surfing

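The Internet zone settings walked through above are stored as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, one value per URL action, where 0 = Enable, 1 = Prompt and 3 = Disable. As an added example that is not part of this thread, the Python below audits a .reg export of that key against the recommended values and emits a corrected .reg file that applies them. The action-ID mapping (1001, 1004, 1201, 1800, 1804, 1607) follows Microsoft's documentation of the Internet Explorer zone registry entries (KB182569); the "weak" export is constructed for illustration and is not taken from the poster's machine.

```python
"""Audit an exported IE Internet-zone key against the thread's recommended settings.

Added example, not from the thread. Assumes the URL-action value names documented
by Microsoft for HKCU\...\Internet Settings\Zones\3 (KB182569): 0=Enable, 1=Prompt, 3=Disable.
"""
import re
from typing import Dict, List, Tuple

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Recommended levels from the post above, keyed by IE URL-action ID.
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

INTERNET_ZONE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Constructed .reg export of a weakened Internet zone (illustration only).
WEAK_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key_path_lower: {value_name: int}} for the DWORD values in a .reg export."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif (m := DWORD_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_internet_zone(export_text: str) -> List[str]:
    """List each recommended action whose exported level differs from (or lacks) the target."""
    zone = parse_reg_export(export_text).get(INTERNET_ZONE.lower(), {})
    deviations: List[str] = []
    for action_id, (label, wanted) in RECOMMENDED.items():
        actual = zone.get(action_id)
        if actual is None:
            deviations.append(f"{action_id} {label}: not present in export (recommended {LEVEL_NAME[wanted]})")
        elif actual != wanted:
            deviations.append(f"{action_id} {label}: {LEVEL_NAME.get(actual, actual)} (recommended {LEVEL_NAME[wanted]})")
    return deviations


def hardened_reg() -> str:
    """Emit a .reg file that sets the recommended levels (the registry form of the UI steps)."""
    lines = ["REGEDIT4", "", f"[{INTERNET_ZONE}]"]
    for action_id, (label, wanted) in RECOMMENDED.items():
        lines.append(f"; {label} -> {LEVEL_NAME[wanted]}")
        lines.append(f'"{action_id}"=dword:{wanted:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for d in audit_internet_zone(WEAK_EXPORT):
        print("DEVIATION:", d)
    print(hardened_reg())
```

Against the constructed export the audit flags five of the six actions (only 1800 already sits at Prompt), and auditing the generated file reports nothing. Export the live key with regedit before comparing, and keep in mind that the zone template (Medium, Medium-High) supplies defaults for values that are absent from an export.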
