Audio Ads Virus


27 replies to this topic

#1 Yatrix

Posted 02 December 2009 - 12:57 PM

Hi all, I think I've caught some sort of virus or malware which plays audio advertisements, beeps, and conversations invisibly in the background of my computer. After running the task manager, I've found out that the problem comes from iexplore.exe, which randomly appears in the processes list and takes upwards of 50k of memory. Ending this process ends the audio. Now, I never use Internet Explorer, so it's clear that this is being caused by some sort of malicious software.

I've tried scanning with multiple antiviruses (AVG, Housecall, F-prot, Symantec) but none of them have been able to locate the problem. Here is my HijackThis log. Thank you very much for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:38 PM, on 12/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: 172.16.4.101 SCICIDCWEB01
O1 - Hosts: 172.16.4.102 SCICIDCWEB02
O1 - Hosts: 172.16.4.61 SCICIDCLG01
O1 - Hosts: 172.16.4.62 SCICIDCLG02
O1 - Hosts: 172.16.16.121 SCICIDCAPP01
O1 - Hosts: 172.16.16.141 SCICIDCINT01
O1 - Hosts: 172.16.20.181 SCICIDCDBW01
O1 - Hosts: 172.16.20.182 SCICIDCDBT01
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: UB - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Yat\Start Menu\Programs\UB\UB.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UB - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Yat\Start Menu\Programs\UB\UB.lnk (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1226988741206
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Yat\Desktop\VPN\INSTAL~1.EXE (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 15189 bytes

Edit: Moved topic from XP to the more appropriate forum. ~ Animal
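Added example (not code from this thread, from BleepingComputer, or from the HijackThis/DDS tools): a small Python triage script that reads lines in the format of the logs posted in this thread and flags the patterns a malware-removal helper looks for, namely executables started from a temp directory, a core Windows binary name such as svchost.exe running outside the system directory, one Run value name pointing at different executables, and Hosts entries that map a site to loopback. The rule names, the assumption that %SystemRoot% is C:\WINDOWS, and the sample lines (copied from the logs in this thread) are this example's own.

```python
import re
from dataclasses import dataclass

# Core Windows binary names that should only run from the system directory, and where
# that directory is (assumption: %SystemRoot% is C:\WINDOWS, as in this thread's logs).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")      # temp locations any user can write to
LOOPBACK = {"127.0.0.1", "0.0.0.0"}

# HijackThis "O4 - HKLM\..\Run: [name] cmd" and DDS "uRun:/mRun:/dRun: [name] cmd"
AUTORUN_RE = re.compile(r"^(?:O4 - [^:]+:|[umd]Run:)\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# HijackThis "O1 - Hosts: ip name" and DDS "Hosts: ip name"
HOSTS_RE = re.compile(r"^(?:O1 - )?Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
# Executable at the start of a command: optionally quoted drive path, else a bare token
PATH_RE = re.compile(r'^"?(?P<path>[a-z]:\\.*?\.exe)"?', re.IGNORECASE)
TOKEN_RE = re.compile(r"^(?P<path>\S+\.exe)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line: str


def normalize(path):
    # Lower-case and collapse doubled backslashes (DDS printed C:\WINDOWS\TEMP\\puoi.tmp).
    return re.sub(r"\\+", r"\\", path.strip().lower())


def extract_exe(cmd):
    """Return the executable a Run entry or process line launches, or None."""
    cmd = cmd.strip()
    for rx in (PATH_RE, TOKEN_RE):
        m = rx.match(cmd)
        if m:
            return m.group("path")
    return None


def check_executable(exe, line):
    """Rules that look only at where an executable lives and what it is called."""
    p = normalize(exe)
    directory, _, base = p.rpartition("\\")
    out = []
    if any(marker in p for marker in TEMP_MARKERS):
        out.append(Finding("temp-dir-executable", line))
    if base in SYSTEM_BINARIES and directory and directory not in SYSTEM_DIRS:
        out.append(Finding("system-binary-outside-system-dir", line))
    return out


def analyze(log_text):
    """Walk a HijackThis or DDS log and return the entries worth a closer look."""
    findings = []
    targets = {}   # autorun value name -> set of executables it launches
    for raw in log_text.splitlines():
        line = raw.strip()
        m = AUTORUN_RE.match(line)
        if m:
            exe = extract_exe(m.group("cmd"))
            if exe:
                findings += check_executable(exe, line)
                targets.setdefault(m.group("name").lower(), set()).add(normalize(exe))
            continue
        m = HOSTS_RE.match(line)
        if m:
            # A loopback entry for anything but localhost blocks that site. Immunisation
            # tools write such entries too, so this is a review item, not a verdict.
            if m.group("ip") in LOOPBACK and m.group("host").lower() != "localhost":
                findings.append(Finding("hosts-loopback-redirect", line))
            continue
        if re.match(r"^[a-z]:\\", line, re.IGNORECASE):   # "Running processes" entry
            exe = extract_exe(line)
            if exe:
                findings += check_executable(exe, line)
    # One Run value name registered in two hives with different targets is the
    # pattern in this thread's DDS log (RegistryMonitor1 under mRun and dRun).
    for name, exes in targets.items():
        if len(exes) > 1:
            findings.append(Finding("autorun-name-multiple-targets",
                                    f"[{name}] -> " + " | ".join(sorted(exes))))
    return findings


# Constructed sample: a few lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\\puoi.tmp\svchost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
mRun: [RegistryMonitor1] c:\windows\system32\qtplugin.exe
dRun: [RegistryMonitor1] "c:\windows\temp\puoi.tmp\svchost.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
O1 - Hosts: 172.16.4.101 SCICIDCWEB01
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule:35} {f.line}")
```

Run it against a full pasted log (`analyze(open("hijackthis.log").read())`) to get the short list to research first; everything it does not flag still needs the usual eyes-on review.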


#2 Elise

Posted 16 December 2009 - 06:44 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks, and again sorry for the delay.

Regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."



#3 Yatrix

Posted 21 December 2009 - 04:07 AM

Hi, here are the logs you requested. I am still getting the problem where iexplore.exe will randomly open and play audio, and my AVG Anti-virus keeps catching a problem coming from svchost.exe.

DDS LOG:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Yat at 19:23:40.18 on Sun 12/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2062 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\TEMP\\puoi.tmp\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Yat\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Six Engine] "c:\program files\asus\six engine\SixEngine.exe" -r
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Linksys Wireless Manager] "c:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [RegistryMonitor1] c:\windows\system32\qtplugin.exe
dRun: [RegistryMonitor1] "c:\windows\temp\puoi.tmp\svchost.exe"
StartupFolder: c:\docume~1\yat\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1226988741206
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 172.16.4.101 SCICIDCWEB01
Hosts: 172.16.4.102 SCICIDCWEB02
Hosts: 172.16.4.61 SCICIDCLG01
Hosts: 172.16.4.62 SCICIDCLG02

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\yat\applic~1\mozilla\firefox\profiles\90pov9cb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - component: c:\documents and settings\yat\application data\mozilla\firefox\profiles\90pov9cb.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\yat\application data\mozilla\firefox\profiles\90pov9cb.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-6-23 150568]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-30 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-30 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-30 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-30 285392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-10 54752]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-11-27 33792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-30 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081207.005\naveng.sys [2008-12-8 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081207.005\navex15.sys [2008-12-8 876112]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-9-9 709248]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2008-4-14 14336]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-12-20 20:40:12 489984 ----a-w- c:\windows\system32\qtplugin.exe
2009-12-13 06:49:19 0 d-----w- c:\docume~1\yat\applic~1\My Games
2009-12-12 02:58:45 0 d-----w- c:\program files\Firaxis Games
2009-12-01 20:03:53 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-01 20:03:43 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-01 20:03:43 0 d-----w- c:\docume~1\yat\applic~1\SUPERAntiSpyware.com
2009-12-01 19:26:36 0 d-----w- c:\program files\Prevx
2009-12-01 19:26:33 202 ----a-w- c:\windows\wininit.ini
2009-12-01 19:26:33 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-12-01 02:43:19 0 d--h--w- C:\$AVG
2009-12-01 02:42:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-01 02:42:58 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-01 02:42:53 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-01 02:42:36 0 d-----w- c:\windows\system32\drivers\Avg
2009-12-01 02:42:29 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-12-01 02:41:55 0 d-----w- c:\program files\AVG
2009-12-01 02:41:51 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-01 01:40:31 0 d-----w- c:\docume~1\yat\applic~1\QuickScan
2009-12-01 01:32:18 0 d-----w- c:\program files\Trend Micro
2009-11-30 23:59:30 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2009-11-30 23:39:38 0 d-----w- c:\windows\pss
2009-11-30 22:48:16 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-30 22:48:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-30 18:17:13 0 d-----w- c:\docume~1\yat\applic~1\FRISK Software
2009-11-30 18:13:08 0 d-----w- c:\docume~1\alluse~1\applic~1\FRISK Software
2009-11-25 19:19:34 0 d-----w- c:\program files\UB
2009-11-25 19:19:34 0 d-----w- c:\docume~1\yat\applic~1\UB
2009-11-25 19:19:32 0 d-----w- c:\program files\_uninstallation_info
2009-11-24 16:03:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SP

==================== Find3M ====================

2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 03:53:47 189184 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-28 03:49:01 138064 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2006-06-24 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 19:25:35.25 ===============


Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/17/2008 9:54:03 PM
System Uptime: 12/20/2009 3:29:00 PM (4 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5Q
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | LGA 775 | 2400/266mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 28.635 GiB free.
D: is CDROM (UDF)
E: is CDROM ()
F: is CDROM ()
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP325: 9/21/2009 9:10:12 PM - System Checkpoint
RP326: 9/22/2009 10:10:12 PM - System Checkpoint
RP327: 9/23/2009 11:48:26 PM - System Checkpoint
RP328: 9/24/2009 11:50:09 PM - System Checkpoint
RP329: 9/26/2009 1:02:09 AM - System Checkpoint
RP330: 9/27/2009 1:50:09 AM - System Checkpoint
RP331: 9/28/2009 2:29:11 AM - System Checkpoint
RP332: 9/29/2009 3:02:09 AM - System Checkpoint
RP333: 9/30/2009 3:02:35 AM - System Checkpoint
RP334: 10/1/2009 4:02:35 AM - System Checkpoint
RP335: 10/2/2009 5:02:35 AM - System Checkpoint
RP336: 10/3/2009 6:02:35 AM - System Checkpoint
RP337: 10/4/2009 7:02:35 AM - System Checkpoint
RP338: 10/5/2009 7:50:35 AM - System Checkpoint
RP339: 10/6/2009 8:02:35 AM - System Checkpoint
RP340: 10/7/2009 9:02:49 AM - System Checkpoint
RP341: 10/8/2009 9:51:55 AM - System Checkpoint
RP342: 10/9/2009 11:02:50 AM - System Checkpoint
RP343: 10/10/2009 12:02:59 PM - System Checkpoint
RP344: 10/11/2009 2:00:26 PM - System Checkpoint
RP345: 10/12/2009 2:51:55 PM - System Checkpoint
RP346: 10/13/2009 4:02:50 PM - System Checkpoint
RP347: 10/14/2009 4:08:45 PM - System Checkpoint
RP348: 10/15/2009 5:08:45 PM - System Checkpoint
RP349: 10/16/2009 5:44:03 PM - System Checkpoint
RP350: 10/17/2009 6:42:57 PM - System Checkpoint
RP351: 10/18/2009 6:44:11 PM - System Checkpoint
RP352: 10/19/2009 7:42:57 PM - System Checkpoint
RP353: 10/20/2009 8:44:02 PM - System Checkpoint
RP354: 10/21/2009 9:42:57 PM - System Checkpoint
RP355: 10/22/2009 9:43:08 PM - System Checkpoint
RP356: 10/23/2009 10:43:08 PM - System Checkpoint
RP357: 10/24/2009 11:43:08 PM - System Checkpoint
RP358: 10/25/2009 10:08:55 PM - Removed The Witcher
RP359: 10/26/2009 10:32:12 PM - System Checkpoint
RP360: 10/27/2009 11:17:46 PM - Installed Call of Duty® - World at War™ 1.6 Patch
RP361: 10/28/2009 11:41:13 PM - System Checkpoint
RP362: 10/30/2009 12:00:29 AM - System Checkpoint
RP363: 10/31/2009 1:00:27 AM - System Checkpoint
RP364: 11/1/2009 1:48:27 AM - System Checkpoint
RP365: 11/2/2009 2:24:57 AM - System Checkpoint
RP366: 11/3/2009 3:59:09 AM - System Checkpoint
RP367: 11/4/2009 4:48:27 AM - System Checkpoint
RP368: 11/5/2009 6:00:27 AM - System Checkpoint
RP369: 11/8/2009 8:17:30 PM - System Checkpoint
RP370: 11/9/2009 8:49:59 PM - System Checkpoint
RP371: 11/10/2009 6:04:59 PM - Installed DirectX
RP372: 11/10/2009 6:31:07 PM - Installed Windows XP KB954708.
RP373: 11/10/2009 6:31:48 PM - Installed DirectX
RP374: 11/11/2009 6:44:30 PM - System Checkpoint
RP375: 11/12/2009 7:33:59 PM - System Checkpoint
RP376: 11/13/2009 8:33:58 PM - System Checkpoint
RP377: 11/15/2009 6:58:48 AM - System Checkpoint
RP378: 11/16/2009 7:20:34 AM - System Checkpoint
RP379: 11/17/2009 7:30:58 AM - System Checkpoint
RP380: 11/18/2009 8:26:10 AM - System Checkpoint
RP381: 11/19/2009 9:32:34 AM - System Checkpoint
RP382: 11/20/2009 10:40:45 AM - System Checkpoint
RP383: 11/21/2009 12:03:37 PM - System Checkpoint
RP384: 11/22/2009 1:17:10 PM - System Checkpoint
RP385: 11/23/2009 1:57:18 PM - System Checkpoint
RP386: 11/24/2009 3:09:18 PM - System Checkpoint
RP387: 11/25/2009 5:12:41 PM - System Checkpoint
RP388: 11/26/2009 6:00:13 PM - System Checkpoint
RP389: 11/27/2009 6:12:12 PM - System Checkpoint
RP390: 11/28/2009 7:00:13 PM - System Checkpoint
RP391: 11/30/2009 2:25:43 AM - System Checkpoint
RP392: 11/30/2009 1:13:05 PM - Installed F-PROT Antivirus for Windows
RP393: 11/30/2009 9:41:51 PM - Installed AVG Free 9.0
RP394: 12/1/2009 9:18:33 AM - Avg8 Update
RP395: 12/1/2009 9:25:19 AM - Removed F-PROT Antivirus for Windows
RP396: 12/1/2009 1:18:52 PM - Avg8 Update
RP397: 12/1/2009 3:03:42 PM - Installed SUPERAntiSpyware Free Edition
RP398: 12/2/2009 3:51:57 PM - System Checkpoint
RP399: 12/3/2009 3:53:51 PM - System Checkpoint
RP400: 12/4/2009 4:41:49 PM - System Checkpoint
RP401: 12/5/2009 4:49:33 PM - System Checkpoint
RP402: 12/6/2009 5:50:20 PM - System Checkpoint
RP403: 12/7/2009 5:55:00 PM - System Checkpoint
RP404: 12/9/2009 1:10:18 AM - System Checkpoint
RP405: 12/10/2009 1:26:41 AM - System Checkpoint
RP406: 12/11/2009 2:26:39 AM - System Checkpoint
RP407: 12/11/2009 9:58:51 PM - Installed Sid Meier's Civilization 4
RP408: 12/12/2009 8:37:56 AM - Avg8 Update
RP409: 12/12/2009 8:38:55 AM - Avg8 Update
RP410: 12/12/2009 3:28:27 PM - Configured Sid Meier's Civilization 4
RP411: 12/13/2009 4:29:55 PM - System Checkpoint
RP412: 12/14/2009 5:11:58 PM - System Checkpoint
RP413: 12/15/2009 5:37:29 PM - System Checkpoint
RP414: 12/16/2009 5:43:48 PM - System Checkpoint
RP415: 12/19/2009 8:43:33 PM - System Checkpoint

==== Hosts File Hijack ======================

Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 172.16.4.101 SCICIDCWEB01
Hosts: 172.16.4.102 SCICIDCWEB02
Hosts: 172.16.4.61 SCICIDCLG01
Hosts: 172.16.4.62 SCICIDCLG02
Hosts: 172.16.16.121 SCICIDCAPP01
Hosts: 172.16.16.141 SCICIDCINT01
Hosts: 172.16.20.181 SCICIDCDBW01
Hosts: 172.16.20.182 SCICIDCDBT01

==== Installed Programs ======================

µTorrent
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Acrobat 8 Professional - English, Français, Deutsch
Adobe Audition 3.0
Adobe Flash Player 10 Plugin
Apple Mobile Device Support
Apple Software Update
Armadillo Run Version 1.0.1
ASIO4ALL
Assassin's Creed
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
Audacity 1.2.6
AVG Free 9.0
Battlefield 2142
Bonjour
Call of Duty® - World at War™
Call of Duty® - World at War™ 1.1 Patch
Call of Duty® - World at War™ 1.2 Patch
Call of Duty® - World at War™ 1.3 Patch
Call of Duty® - World at War™ 1.4 Patch
Call of Duty® - World at War™ 1.5 Patch
Call of Duty® - World at War™ 1.6 Patch
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.6 Patch
Call of Duty® 4 - Modern Warfare™ 1.7 Patch
Call of Duty: Modern Warfare 2
Call of Duty: Modern Warfare 2 - Multiplayer
Counter-Strike: Source
Crysis WARHEAD®
Crysis®
DEVIL MAY CRY 4
Edirol HQ Orchestral v1.01
EPU-6 Engine
Eternal Silence
Fallout 3
Far Cry 2
FEAR
FL Studio 8
Foxit Reader
Grand Theft Auto IV
Hamachi 1.0.3.0
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
IL Download Manager
InterActual Player
iTunes
Java™ 6 Update 10
Junk Mail filter update
LAME v3.98.2 for Audacity
Left 4 Dead 2 Demo
Left 4 Dead v1.0.0.5
LimeWire 4.18.8
Linksys Wireless-G PCI Adapter
Linksys Wireless Manager
LiveUpdate 3.1 (Symantec Corporation)
MagicDisc 2.7.105
Malwarebytes' Anti-Malware
Maple 12
marvell 61xx
Mass Effect
Medieval II Total War
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft IntelliPoint 6.2
Microsoft IntelliType Pro 6.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 3.0 Runtime
Microsoft Xbox 360 Accessories 1.1
Mirror's Edge™
Mozilla Firefox (3.5.5)
Mozilla Thunderbird (2.0.0.23)
MSVCRT
MSXML 6.0 Parser (KB925673)
NVIDIA Drivers
NVIDIA PhysX v8.10.17
PLT Scheme v4.1.3
PoiZone
PokerStars
Project64 1.6
PunkBuster Services
Pure Networks Platform
QuickTime
Realtek High Definition Audio Driver
reFX Nexus 1.0.0
reFX Nexus 1.0.9
reFX Vanguard VSTi v1.6.1
Rockstar Games Social Club
SampleTank 2.5
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Segoe UI
Sid Meier's Civilization 4
Sins of a Solar Empire
Sonik Synth 2
Sony Media Manager 2.0
Sony Vegas 6.0
Spybot - Search & Destroy
Steam
Steinberg Hypersonic 2
SUPERAntiSpyware Free Edition
Symantec AntiVirus
Syncrosoft's License Control
SyncroSoft Emu (Remove only)
The Orange Box
The Sims™ 3
Tom Clancy's Rainbow Six Vegas
Toxic Biohazard
UB
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb958619)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Vim 7.2 (self-installing)
VLC media player 0.9.6
Warcraft III: All Products
WebFldrs XP
Windows Communication Foundation
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Presentation Foundation
Windows Search 4.0
Windows Workflow Foundation
WinRAR archiver
World in Conflict
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

12/20/2009 3:31:44 PM, error: Dhcp [1002] - The IP address lease 192.168.76.103 for the Network Card with network address 00259C099CCB has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
12/20/2009 3:30:04 PM, error: Dhcp [1002] - The IP address lease 192.168.0.15 for the Network Card with network address 00259C099CCB has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
12/16/2009 1:28:29 PM, error: Dhcp [1002] - The IP address lease 192.168.76.115 for the Network Card with network address 00259C099CCB has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
12/16/2009 1:26:57 PM, error: Dhcp [1002] - The IP address lease 192.168.0.12 for the Network Card with network address 00259C099CCB has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
12/14/2009 6:47:08 PM, error: Dhcp [1002] - The IP address lease 192.168.0.13 for the Network Card with network address 00259C099CCB has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
12/14/2009 5:34:59 PM, error: Dhcp [1002] - The IP address lease 192.168.76.175 for the Network Card with network address 00259C099CCB has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
12/14/2009 5:33:53 PM, error: Service Control Manager [7023] - The SPService service terminated with the following error: The specified module could not be found.
12/14/2009 5:33:53 PM, error: Service Control Manager [7000] - The Cisco Systems, Inc. Installer service service failed to start due to the following error: The system cannot find the path specified.
12/14/2009 5:32:49 PM, error: Dhcp [1002] - The IP address lease 192.168.0.13 for the Network Card with network address 00259C099CCB has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
12/14/2009 11:53:02 AM, error: Dhcp [1002] - The IP address lease 192.168.76.215 for the Network Card with network address 00259C099CCB has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
12/14/2009 1:13:54 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/14/2009 1:12:20 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
12/14/2009 1:08:06 PM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{8D596513-0E07-4DCB-8CEF-26BB647816AF} because another computer on the network has the same name. The server could not start.
12/13/2009 6:29:37 PM, error: Dhcp [1002] - The IP address lease 192.168.0.14 for the Network Card with network address 00259C099CCB has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 51,149 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:57 AM

Posted 21 December 2009 - 04:16 AM

Hello Yatrix,

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to give "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Symantec.


Please download HostsXpert 4.2
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."



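The DDS log above lists the poster's entries under "Hosts File Hijack", and the HostsXpert step in the reply replaces the whole file and then makes it read-only. As an added example (not code from the thread, from DDS or from HostsXpert), here is a Python checker that parses hosts-file syntax, flags entries that redirect security-help or vendor sites (the `127.0.0.1 www.spywareinfo.com` pattern, which cuts a victim off from help and updates), keeps the private-network names that the "custom Hosts file" note refers to, and rebuilds a clean file the way "Restore MS Hosts File" does. The sample file, the watch list of domains and the verdict names are my assumptions, constructed to mirror the entries shown in the log.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed sample modelled on the entries the DDS log flagged above; it is not the
# poster's real file. The corporate-looking SCICIDC* names end up as custom entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.spywareinfo.com
172.16.4.101    SCICIDCWEB01
172.16.4.102    SCICIDCWEB02
172.16.4.61     SCICIDCLG01
172.16.4.62     SCICIDCLG02
"""

# Constructed watch list (an assumption, not from the page): security-help sites and
# vendor domains. Mapping one of these to loopback or to an attacker-chosen address
# blocks help and updates, which is what DDS reports as a "Hosts File Hijack".
SECURITY_DOMAINS = {
    "spywareinfo.com", "bleepingcomputer.com", "microsoft.com",
    "windowsupdate.com", "avg.com", "symantec.com",
}


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    names: Tuple[str, ...]
    verdict: str


def parse_hosts(text: str) -> list:
    """Parse hosts-file syntax: '<address> <name> [<name>...]'; '#' starts a comment."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue                       # malformed: an address with no names
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                       # first token is not an IP literal
        entries.append((line_no, addr, tuple(parts[1:])))
    return entries


def _is_watched(name: str) -> bool:
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def classify(addr, names: Tuple[str, ...]) -> str:
    """Verdict for one entry; the order matters because loopback also counts as private."""
    if tuple(n.lower() for n in names) == ("localhost",) and addr.is_loopback:
        return "default"                   # the one line a stock Windows hosts file carries
    if any(_is_watched(n) for n in names):
        return "hijack"                    # a watched site redirected anywhere at all
    if addr.is_loopback or addr.is_unspecified:
        return "blackhole"                 # name made unreachable; ad-block lists do this, so review
    if addr.is_private:
        return "custom-private"            # LAN/corporate name, like the SCICIDC* entries
    return "review"                        # public address: a legitimate pin or a redirect


def audit_hosts(text: str) -> List[HostsEntry]:
    return [HostsEntry(n, str(a), names, classify(a, names))
            for n, a, names in parse_hosts(text)]


def restored_hosts(text: str, keep_custom: bool = True) -> str:
    """Rebuild the file as the 'Restore MS Hosts File' step does: only the default
    localhost line survives, plus custom private-network entries if keep_custom is set."""
    kept = ["127.0.0.1\tlocalhost"]
    for e in audit_hosts(text):
        if keep_custom and e.verdict == "custom-private":
            kept.append(f"{e.address}\t{' '.join(e.names)}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for e in audit_hosts(SAMPLE_HOSTS):
        print(f"line {e.line_no:>2}: {e.verdict:<14} {e.address:<15} {' '.join(e.names)}")
    print("--- restored hosts file ---")
    print(restored_hosts(SAMPLE_HOSTS), end="")
```

On Windows XP the live file is `C:\WINDOWS\system32\drivers\etc\hosts`; feed its contents to `audit_hosts` and compare the verdicts with what DDS printed. Anything flagged `hijack` is the entry to worry about, while `custom-private` lines are the ones the "custom Hosts file" note tells the user to re-add by hand after the restore. The "Make Read Only" step sets the file's read-only attribute; that stops casual overwrites, not a process running with the user's rights that clears the attribute first, so the checker is worth re-running after the cleanup.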

#5 Yatrix

Yatrix
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:57 PM

Posted 24 December 2009 - 04:57 PM

Hi Elise, here is the Combofix log. Thanks again for the help.

ComboFix 09-12-24.02 - Yat 12/24/2009 15:06:41.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2836 [GMT -5:00]
Running from: c:\documents and settings\Yat\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Yat\Start Menu\Programs\Startup\MagicDisc.lnk
c:\windows\system32\qtplugin.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-24 21:08 . 2009-12-24 21:08 -------- d-----w- c:\windows\LastGood
2009-12-23 01:06 . 2009-12-23 01:06 -------- d-----w- c:\documents and settings\Yat\Application Data\MyGames
2009-12-23 01:04 . 2009-12-23 01:04 -------- d-----w- c:\windows\system32\{1361570A-7A05-4FE0-B657-E2B1D167B03D}
2009-12-13 06:49 . 2009-12-13 06:49 -------- d-----w- c:\documents and settings\Yat\Application Data\My Games
2009-12-12 02:58 . 2009-12-12 02:58 -------- d-----w- c:\program files\Firaxis Games
2009-12-11 09:37 . 2009-12-11 09:37 536576 ----a-w- c:\windows\system32\crash_report.dll
2009-12-01 20:03 . 2009-12-01 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-01 20:03 . 2009-12-01 20:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-01 20:03 . 2009-12-01 20:03 -------- d-----w- c:\documents and settings\Yat\Application Data\SUPERAntiSpyware.com
2009-12-01 19:26 . 2009-12-01 19:26 -------- d-----w- c:\program files\Prevx
2009-12-01 19:26 . 2009-12-01 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-12-01 02:44 . 2009-12-01 02:44 -------- d-----w- c:\documents and settings\Yat\Local Settings\Application Data\AVG Security Toolbar
2009-12-01 02:43 . 2009-12-01 02:47 -------- d-----w- C:\$AVG
2009-12-01 02:42 . 2009-12-01 02:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-01 02:42 . 2009-12-01 02:42 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-01 02:42 . 2009-12-01 02:42 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-01 02:42 . 2009-12-01 02:42 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-01 02:42 . 2009-12-24 19:24 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-01 02:42 . 2009-12-01 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-12-01 02:41 . 2009-12-01 02:41 -------- d-----w- c:\program files\AVG
2009-12-01 02:41 . 2009-12-23 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-01 01:40 . 2009-12-01 02:09 -------- d-----w- c:\documents and settings\Yat\Application Data\QuickScan
2009-12-01 01:32 . 2009-12-01 01:32 -------- d-----w- c:\program files\Trend Micro
2009-11-30 23:59 . 2009-11-30 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-11-30 22:48 . 2009-11-30 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-30 22:48 . 2009-11-30 22:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-30 18:17 . 2009-11-30 18:17 -------- d-----w- c:\documents and settings\Yat\Application Data\FRISK Software
2009-11-30 18:13 . 2009-12-01 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\FRISK Software
2009-11-25 19:19 . 2009-12-22 21:18 -------- d-----w- c:\program files\UB
2009-11-25 19:19 . 2009-11-25 19:20 -------- d-----w- c:\documents and settings\Yat\Application Data\UB
2009-11-25 19:19 . 2009-11-25 19:19 -------- d-----w- c:\program files\_uninstallation_info

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 19:45 . 2008-11-18 06:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-24 19:44 . 2008-11-18 06:04 -------- d-----w- c:\program files\Symantec
2009-12-24 19:44 . 2008-11-18 06:04 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-24 19:44 . 2008-11-18 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-23 20:51 . 2008-11-20 07:25 -------- d-----w- c:\program files\Steam
2009-12-22 21:51 . 2008-12-15 06:36 -------- d-----w- c:\documents and settings\Yat\Application Data\LimeWire
2009-12-22 13:59 . 2008-12-01 02:14 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-14 18:11 . 2008-12-10 00:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 19:48 . 2009-01-31 18:33 -------- d-----w- c:\program files\PokerStars
2009-12-13 18:32 . 2008-11-25 00:20 -------- d-----w- c:\documents and settings\Yat\Application Data\uTorrent
2009-12-12 02:58 . 2008-11-18 03:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-03 21:14 . 2008-12-10 00:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2008-12-10 00:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 20:03 . 2009-01-14 06:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-01 02:47 . 2009-11-24 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SP
2009-11-21 13:41 . 2008-12-09 20:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-10 23:34 . 2009-11-10 23:34 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-10 23:34 . 2009-11-10 23:29 -------- d-----w- c:\program files\Microsoft
2009-11-10 23:33 . 2009-11-10 23:33 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-11-10 23:33 . 2008-11-19 02:07 -------- d-----w- c:\program files\Windows Live
2009-11-10 23:32 . 2009-11-10 23:32 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-11-10 23:31 . 2009-11-10 23:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-10 23:28 . 2009-11-10 23:28 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-10 23:20 . 2009-11-10 23:20 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-05 07:22 . 2008-11-25 05:49 -------- d-----w- c:\program files\Warcraft III
2009-11-02 21:56 . 2008-11-22 22:33 -------- d-----w- c:\documents and settings\Yat\Application Data\PLT Scheme
2009-10-28 03:53 . 2008-11-18 18:13 189184 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-28 03:49 . 2008-11-18 18:13 138064 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-27 05:52 . 2008-11-28 04:05 -------- d-----w- c:\documents and settings\Yat\Application Data\Bioshock
2009-10-26 02:09 . 2009-02-06 20:28 -------- d-----w- c:\program files\The Witcher
2009-10-26 02:08 . 2009-03-09 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"nwiz"="nwiz.exe" [2008-12-26 1657376]
"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2008-06-03 5964800]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-07 17421824]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-12-18 307200]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-30 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-05-11 1348144]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-12 2033432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-11-20 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"crash_report"= {495FE683-6249-4A05-8D1A-8F7CD8DF5A6D} - c:\windows\system32\crash_report.dll [2009-12-11 536576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-01 02:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\SideApps\\StrongDC\\StrongDC.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\searchprotocolhost.exe"=
"c:\\Program Files\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\srcds.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7385:TCP"= 7385:TCP:spport
"24462:TCP"= 24462:TCP:spport
"9535:TCP"= 9535:TCP:spport
"11253:TCP"= 11253:TCP:spport

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [6/23/2008 5:21 PM 150568]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/30/2009 9:42 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/30/2009 9:42 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/30/2009 9:41 PM 285392]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [11/10/2009 6:33 PM 54752]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [11/27/2008 7:28 PM 33792]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [9/9/2009 10:42 AM 709248]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [4/14/2008 6:42 AM 14336]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/25/2008 12:02 PM 717296]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc REG_MULTI_SZ SPService
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Yat\Application Data\Mozilla\Firefox\Profiles\90pov9cb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - component: c:\documents and settings\Yat\Application Data\Mozilla\Firefox\Profiles\90pov9cb.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Yat\Application Data\Mozilla\Firefox\Profiles\90pov9cb.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - c:\documents and settings\all users\application data\sp\sp.dll
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 16:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1326574676-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:fa,ed,fa,c1,7f,49,6a,a4,aa,ea,92,08,2f,a7,29,ed,8a,69,c1,9d,12,13,0d,
2f,ee,9a,c1,86,51,a4,08,8a,60,3d,95,19,b2,f4,46,5a,5c,68,48,9c,9d,d5,51,7c,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-796845957-1326574676-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:cd,28,dd,30,3b,54,6a,2d,8f,bd,01,41,67,44,2f,2a,4d,fa,b4,b9,84,
28,1b,5f,ac,2a,10,7d,b4,de,cc,35,ce,88,4c,a2,34,36,7c,66,7c,a9,8e,53,9f,d1,\
"rkeysecu"=hex:da,e4,54,51,a2,49,35,b9,82,9a,a6,74,66,ea,02,bf

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|˙˙˙˙¤•€|ů•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1052)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(5324)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\crash_report.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Windows Live\Toolbar\wltuser.exe
c:\windows\SoftwareDistribution\Download\a9adf18fc8eded94a5e1af98a7572830\update\update.exe
.
**************************************************************************
.
Completion time: 2009-12-24 16:22:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-24 21:21

Pre-Run: 31,022,280,704 bytes free
Post-Run: 31,385,387,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F0C870825439AEF802741DCA1799FAFC

#6 Elise (Malware Study Hall Admin)

Posted 25 December 2009 - 02:39 AM

Hello Yatrix,

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log
  • A new DDS log
  • A description of any remaining problems.

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."

#7 Yatrix (Topic Starter)

Posted 27 December 2009 - 03:06 AM

Hi,

I'm afraid there's been a serious problem. When the computer rebooted after running MBAM, it was unable to properly boot up Windows XP. The loading bar hangs for a while and then shows a blue error screen for a split second before rebooting again. This happens repeatedly, even with safe mode or last known configurations.

Is the only way to recover from here to reformat the hard drive?

#8 Elise (Malware Study Hall Admin)

Posted 27 December 2009 - 03:13 AM

Do you happen to know if MBAM found stuff?

Also, are you absolutely sure the only thing that you did was running MBAM?

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure", as shown here:
    Posted Image
  • When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
    Posted Image

regards, Elise


#9 Yatrix (Topic Starter)

Posted 27 December 2009 - 10:50 AM

Hi,

There is no message that appears, but the STOP information is as follows:

STOP: 0x0000007E (0x80000003, 0x805C49B8, 0xBA4C32B4, 0xBA4C2FB0)

#10 Elise (Malware Study Hall Admin)

Posted 27 December 2009 - 12:09 PM

We need to retrieve MBAM's log, since this most likely caused the problem.

Ultimate Boot CD for Windows

Let's try to boot your computer using an Ultimate Boot CD for Windows (UBCD4win). First we have to make one. Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

1. Download and Run Ultimate Boot CD for Windows Version 3.50
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
  • Do not install to a folder with spaces in its name.
  • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are most probably "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • If this is the first time you have run UBCD4Win PE Builder you will see this message, please read it:

    Posted Image

  • You will then see the following message, click NO:

    Posted Image

  • Another window will open:

    Posted Image

  • Make the following selections:
    • Builder
      • Source: (path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output: (C:\ubcd4win\BartPE)
        • Keep the default BartPE
    • Media output
      • Place a tick next to Create ISO image: (enter filename)
        • The path and file name will be created if they do not exist.
        • NOTE: The filename MUST have an .iso extension or it will not be created
      • Place a tick next to Burn to CD/DVD
        • Use this option if you have 2 CD/DVD drives. Your XP CD will be in one drive already. Just place a blank CD in the empty drive.
        • If you only have 1 CD/DVD drive, then DO NOT place a tick next to Burn to CD/DVD.
3. Now click on the Build button
  • If you have built the project previously, you will see this screen (you will want to click Yes):

    Posted Image

  • If this is the first time building, you will see the Windows EULA message. Click on I Agree:

    Posted Image

  • You will now see the Build Screen. Let it run its course:

    Posted Image

  • When the Build is finished, you will see the following "finished" screen:

    Posted Image

  • You can now click close, then exit
  • If you chose the option Burn to CD/DVD from above, then your CD will also be ready for use.
  • If you did not choose the option Burn to CD/DVD from above, then you will now have to burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.
4. Restart Your Computer Using the UBCD4Win Disc That You Have Created
  • Insert the UBCD4Win disc in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
    • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on NO
  • You should now have a desktop that looks like this:

    Posted Image

Using My Computer, open the following folder:

C:\Documents and Settings\Yat\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Now look for the most recent MBAM log and post its contents in your next reply. You can save the file on a flash drive if you have no internet access in UBCD4Win.

regards, Elise


#11 Yatrix (Topic Starter)

Posted 28 December 2009 - 09:13 PM

Hi, I've followed all the instructions for building the ISO but my computer does not recognize the CD being in the drive. The options to boot up are "Microsoft recovery console" or "start xp normally", both of which did what they did before and caused the computer to crash. There was no option for running the boot CD.

What should I do next? Am I missing something like having to press delete or F8 as the computer is booting up?

#12 Yatrix (Topic Starter)

Posted 28 December 2009 - 10:20 PM

Sorry about that, I've changed my BIOS settings to boot my CD drive before my hard drive and now the cd booted up fine. However, it appears that the log that was generated when I scanned that day is not in the folder. This leads me to believe that Windows probably failed before MBAM finished its scan....?

#13 Elise (Malware Study Hall Admin)

Posted 29 December 2009 - 05:26 AM

Let's try restoring the registry to a previous state.

Please boot up with UBCD, navigate to C:\Windows\ERDNT\Hiv-Backup folder and double click ERDNT.exe

This should restore your registry. Please let me know if you are able to boot now in windows.

Also, can you please check the following file exists?

c:\windows\system32\drivers\atapi.sys

Edited by elise025, 29 December 2009 - 10:12 AM.

regards, Elise


#14 Yatrix (Topic Starter)

Posted 29 December 2009 - 10:59 AM

The file atapi.sys does exist.

However, the computer still does not boot after restoring the registry.

#15 Elise (Malware Study Hall Admin)

Posted 29 December 2009 - 12:19 PM

Please have a look if the following file exists:

c:\windows\system32\drivers\iastor.sys

regards, Elise
