BleepingComputer.com: Lingering trogan

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

Lingering trogan I've tried to remove this thing three times now!

#1 User is offline   KTorrential 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 18
  • Joined: 05-April 11

Posted 09 April 2011 - 01:55 PM

Hey guys. Firstly, thanks for helping in advance. A few years ago I used this site for my mother's PC and haven't had any problems since. I know I can trust you.

A few days ago, I received some error messages RE my hardrive failing. I'm not sure what happened but my laptop was stupidly slow and I couldn't open anything. I tried a System Restore, which seemed to work. Except I lost ALL of my data. I'm in my third, and final, year at uni, so it could not have happened at a worse time.

I followed some instructions (from this website) on how to remove some Malware (forgive me, I have forgotten the name), which worked but Google was still redirecting.
A couple of days later, I had a problem with one of the fake Windows Security programs. Again, I followed the instructions on here how to deal with it. It seemed to work, apart from the Google redirections and Firefox pop ups.
Today, I received multiple messages from AVG claiming I was infected and once again I restarted in Safe Mode and just used MBytes, which picked up 11 infected files.

Based on that, and continous pop ups, I decided posting a log might be my best option.

No matter what I try, I cannot get rid.

Thanks again,

K.




.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Kate at 18:19:20.78 on 09/04/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1976.1469 [GMT 1:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AVG Anti-Virus 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Kate\Downloads\Defogger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Kate\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vp32&d=0809&m=extensa_5635z
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vp32&d=0809&m=extensa_5635z
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vp32&d=0809&m=extensa_5635z
BHO: txthlpBHO Class: {060235dc-6d84-47bd-95d7-a4ef5099a59d} - c:\progra~1\texthe~1\readan~1\TE3219~1.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: ba3HelperObj Class: {a17b153f-2267-4161-a165-73dcd6c31bef} - c:\progra~1\texthe~1\readan~1\ba3bho.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [cAudioFilterAgent] c:\program files\conexant\caudiofilteragent\cAudioFilterAgent.exe
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Acer ePower Management] c:\program files\acer\acer epower management\ePowerTray.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kate\appdata\roaming\mozilla\firefox\profiles\kn8rxld8.default\
FF - prefs.js: browser.startup.homepage - google.co.uk
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: InvisibleHand: canitbecheaper@trafficbroker.co.uk - %profile%\extensions\canitbecheaper@trafficbroker.co.uk
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-1-28 15328]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C60x86.sys [2009-11-13 57344]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165264]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer epower management\ePowerSvc.exe [2009-8-18 723488]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-9-23 144632]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-1-28 220128]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
S2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-4-11 237568]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-8-18 29472]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-23 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 43392]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-4-11 4232704]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-9-23 50424]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-04-09 15:45:52 344064 --sha-w- c:\users\kate\appdata\local\xvc.exe
2011-04-09 15:35:25 -------- d-----w- c:\users\kate\appdata\local\Secunia PSI
2011-04-09 15:35:19 -------- d-----w- c:\program files\Secunia
2011-04-07 11:50:38 6792528 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{49004087-e0d8-4ac1-89b9-ed27e1b919f9}\mpengine.dll
2011-04-06 11:31:40 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{602a1e4e-559f-41d7-b1d2-33616f6d6ffc}\gapaengine.dll
2011-04-05 14:52:55 -------- d-----w- c:\users\kate\appdata\roaming\Malwarebytes
2011-04-05 14:52:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-05 14:52:50 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-05 14:52:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-05 14:52:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-03 18:20:06 -------- d-----w- c:\users\kate\appdata\roaming\AVG10
2011-04-03 18:11:43 -------- d--h--w- c:\progra~2\Common Files
2011-04-03 18:09:55 -------- d-----w- c:\windows\system32\drivers\AVG
2011-04-03 18:09:55 -------- d-----w- c:\progra~2\AVG10
2011-04-03 18:08:48 -------- d-----w- c:\program files\AVG
2011-04-03 18:06:33 -------- d-----w- c:\progra~2\MFAData
2011-04-02 11:35:48 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2011-04-02 11:35:45 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{69a13615-65f1-4946-a7e4-78c0d7f13d4a}\gapaengine.dll
2011-04-02 11:21:56 -------- d-----w- c:\windows\Temp3EB947CE-CF27-39B1-B43A-F857EC70FD0D-Signatures
2011-04-02 11:20:05 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-02 11:19:15 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-03-28 00:36:42 -------- d--h--w- c:\users\kate\appdata\local\Twiget
2011-03-28 00:19:05 -------- d-----w- c:\users\kate\appdata\local\Opera
2011-03-23 17:13:38 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 17:13:38 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 17:13:37 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
.
==================== Find3M ====================
.
2011-02-05 22:57:36 1024 ----a-w- c:\windows\system32\grcauth2.dll
2011-02-05 22:57:36 1024 ----a-w- c:\windows\system32\grcauth1.dll
2011-02-05 22:57:36 100 ----a-w- c:\windows\system32\prsgrc.dll
2011-02-05 22:51:28 205 ----a-w- c:\windows\system32\lsprst7.dll
2011-02-05 22:51:27 1025 ----a-w- c:\windows\system32\sysprs7.dll
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
.
============= FINISH: 18:21:08.57 ===============

Attached File(s)

  • Attached File  Attach.txt (6.56K)
    Number of downloads: 0
  • Attached File  ark.txt (5.6K)
    Number of downloads: 3

#2 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,103
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 18 April 2011 - 07:09 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.


  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#3 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,103
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 23 April 2011 - 07:22 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#4 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,103
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 24 April 2011 - 07:20 AM

Reopened at user's request

-----------------------------------------

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#5 User is offline   KTorrential 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 18
  • Joined: 05-April 11

Posted 26 April 2011 - 04:17 AM

Thanks again, m0le.

When I started ComboFix, it alerted me that AVG was running. As I haven't got on with AVG since installing, and it was suggested by ComboFix, I uninstalled it. However, upon rebooting and restarting ComboFix, I was alerted that AVG was still running. I had uninstalled it and could not figure how it was running, and could see no solution.
I continued despite this, if you can think of anything that I should have done, or should do, please suggest so and I will do it.

Anyway, here is the log:

ComboFix 11-04-25.02 - Kate 26/04/2011 10:03:09.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1976.1518 [GMT 1:00]
Running from: c:\users\Kate\Desktop\ComboFix.exe
AV: Ad-Aware Total Security *Disabled/Outdated* {54ACC2FC-837E-E665-7A92-5352D560D5EF}
AV: AVG Anti-Virus 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
FW: Ad-Aware Personal Firewall *Disabled* {6C9743D9-C911-E73D-51CD-FA672BB39294}
SP: Ad-Aware Total Security *Disabled/Outdated* {EFCD2318-A544-E9EB-4022-6820AEE79F52}
SP: AVG Anti-Virus 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Kate\AppData\Local\{EDA1D5AB-D2BC-4F8A-93B2-E70FF39740C9}
c:\users\Kate\AppData\Local\{EDA1D5AB-D2BC-4F8A-93B2-E70FF39740C9}\chrome.manifest
c:\users\Kate\AppData\Local\{EDA1D5AB-D2BC-4F8A-93B2-E70FF39740C9}\chrome\content\_cfg.js
c:\users\Kate\AppData\Local\{EDA1D5AB-D2BC-4F8A-93B2-E70FF39740C9}\chrome\content\overlay.xul
c:\users\Kate\AppData\Local\{EDA1D5AB-D2BC-4F8A-93B2-E70FF39740C9}\install.rdf
c:\users\Kate\AppData\Roaming\Microsoft\Windows\Templates\18a5b1f1t8p5h78s0p57bl5b0a
c:\windows\system32\lsprst7.dll
c:\windows\system32\prsgrc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))
.
.
2011-04-26 09:10 . 2011-04-26 09:11 -------- d-----w- c:\users\Kate\AppData\Local\temp
2011-04-26 09:10 . 2011-04-26 09:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-24 10:37 . 2011-04-24 10:38 -------- d-----w- C:\582fdbc010a0a06db8
2011-04-18 17:25 . 2011-04-18 17:25 29992 ----a-w- c:\windows\system32\drivers\GRD.sys
2011-04-16 12:24 . 2011-04-16 12:24 47560 ----a-w- c:\windows\system32\drivers\PktIcpt.sys
2011-04-16 12:23 . 2011-04-16 12:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-16 12:23 . 2010-05-11 03:19 137288 ----a-w- c:\program files\Mozilla Firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}\Components\AvkWebFilterFF.dll
2011-04-16 12:23 . 2011-04-16 12:23 38856 ----a-w- c:\windows\system32\drivers\HookCentre.sys
2011-04-16 12:23 . 2011-04-16 12:23 62024 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2011-04-16 12:23 . 2011-04-16 12:23 33480 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2011-04-16 12:22 . 2011-04-16 12:22 40904 ----a-w- c:\windows\system32\drivers\gdwfpcd32.sys
2011-04-16 12:20 . 2011-04-16 12:36 -------- d-----w- c:\programdata\G DATA
2011-04-16 12:20 . 2011-04-16 12:20 -------- d-----w- c:\program files\Common Files\G Data
2011-04-16 12:20 . 2011-04-16 12:20 -------- d-----w- c:\program files\Lavasoft
2011-04-16 12:18 . 2011-04-16 12:18 -------- d-----w- c:\users\Kate\AppData\Local\Downloaded Installations
2011-04-16 11:42 . 2011-04-16 11:42 -------- d-----w- c:\users\Kate\AppData\Local\Real
2011-04-16 11:42 . 2011-04-16 11:42 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2011-04-16 11:42 . 2011-04-16 11:42 -------- d-----w- c:\program files\Common Files\xing shared
2011-04-16 11:41 . 2011-04-16 11:41 150712 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2011-04-16 11:41 . 2011-04-16 11:41 105472 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-04-16 11:41 . 2011-04-16 11:42 -------- d-----w- c:\program files\real
2011-04-16 11:39 . 2011-04-16 11:39 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Google
2011-04-16 01:01 . 2011-04-16 01:01 0 ----a-w- c:\users\Kate\AppData\Local\Ugeyisohunirum.bin
2011-04-09 15:46 . 2011-04-09 15:46 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2011-04-09 15:35 . 2011-04-09 15:35 -------- d-----w- c:\users\Kate\AppData\Local\Secunia PSI
2011-04-09 15:35 . 2011-04-09 15:35 -------- d-----w- c:\program files\Secunia
2011-04-07 11:50 . 2011-03-14 20:05 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{49004087-E0D8-4AC1-89B9-ED27E1B919F9}\mpengine.dll
2011-04-06 11:31 . 2011-04-02 11:34 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{602A1E4E-559F-41D7-B1D2-33616F6D6FFC}\gapaengine.dll
2011-04-05 14:52 . 2011-04-05 14:52 -------- d-----w- c:\users\Kate\AppData\Roaming\Malwarebytes
2011-04-05 14:52 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-05 14:52 . 2011-04-05 14:52 -------- d-----w- c:\programdata\Malwarebytes
2011-04-05 14:52 . 2011-04-05 14:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-05 14:52 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-03 18:20 . 2011-04-03 18:20 -------- d-----w- c:\users\Kate\AppData\Roaming\AVG10
2011-04-03 18:11 . 2011-04-03 18:11 -------- d--h--w- c:\programdata\Common Files
2011-04-03 18:09 . 2011-04-26 08:50 -------- d-----w- c:\programdata\AVG10
2011-04-03 18:08 . 2011-04-03 18:08 -------- d-----w- c:\program files\AVG
2011-04-03 18:06 . 2011-04-03 18:09 -------- d-----w- c:\programdata\MFAData
2011-04-02 11:35 . 2011-04-02 11:34 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-04-02 11:35 . 2011-04-02 11:34 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{69A13615-65F1-4946-A7E4-78C0D7F13D4A}\gapaengine.dll
2011-04-02 11:21 . 2011-04-02 11:21 -------- d-----w- c:\windows\Temp3EB947CE-CF27-39B1-B43A-F857EC70FD0D-Signatures
2011-04-02 11:20 . 2011-04-02 11:22 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-02 11:19 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-03-28 00:36 . 2011-03-28 00:36 -------- d--h--w- c:\users\Kate\AppData\Local\Twiget
2011-03-28 00:19 . 2011-03-28 00:36 -------- d-----w- c:\users\Kate\AppData\Local\Opera
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-16 11:41 . 2010-03-12 16:42 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-16 11:41 . 2010-03-12 16:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-05 14:43 . 2010-03-11 10:48 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-03-14 20:05 . 2010-03-12 16:45 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-08 22:29 . 2010-06-24 10:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-22 14:13 . 2011-03-23 17:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 17:13 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 17:13 797696 ----a-w- c:\windows\system32\FntCache.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe" [2008-11-05 474168]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-30 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-05 1434920]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-04-04 698912]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-04-16 273544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"G Data AntiVirus Tray Application"="c:\program files\Lavasoft\Ad-Aware Total Security\AVKTray\AVKTray.exe" [2010-06-29 981504]
"GDFirewallTray"="c:\program files\Lavasoft\Ad-Aware Total Security\Firewall\GDFirewallTray.exe" [2010-06-29 1550576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"AvgUninstallURL"="start http:" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acer VCM.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acer VCM.lnk
backup=c:\windows\pss\Acer VCM.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2008-12-04 13:24 665424 ----a-w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX110 Series]
2008-09-26 23:00 199680 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIFBE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2009-02-12 00:38 186904 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2009-03-05 07:43 805384 ----a-w- c:\program files\Launch Manager\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProductReg]
2008-11-17 09:47 135168 ----a-w- c:\program files\Acer\WR_PopUp\ProductReg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-10 23:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4150277254-4131139385-318742057-1003]
"EnableNotificationsRef"=dword:00000001
.
R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2011-04-16 62024]
R1 gdwfpcd;G DATA WFP CD;c:\windows\system32\drivers\gdwfpcd32.sys [2011-04-16 40904]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2011-04-18 29992]
R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2011-04-16 38856]
R2 AVKProxy;Ad-Aware Total Security Proxy;c:\program files\Common Files\G Data\AVKProxy\AVKProxy.exe [2010-06-29 1081384]
R2 AVKService;Ad-Aware Scheduler;c:\program files\Lavasoft\Ad-Aware Total Security\AVK\AVKService.exe [2010-06-29 412944]
R2 AVKWCtl;Ad-Aware Filesystem Monitor;c:\program files\Lavasoft\Ad-Aware Total Security\AVK\AVKWCtl.exe [2010-06-23 1635672]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-04-04 723488]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 136176]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2010-01-28 220128]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2009-02-05 237568]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2011-01-10 399416]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-20 29472]
R3 GDBackupSvc;Ad-Aware Backup Service;c:\program files\Lavasoft\Ad-Aware Total Security\AVKBackup\AVKBackupService.exe [2010-06-29 911976]
R3 GDFwSvc;Ad-Aware Personal Firewall;c:\program files\Lavasoft\Ad-Aware Total Security\Firewall\GDFwSvc.exe [2010-06-15 1834432]
R3 GDPkIcpt;GDPkIcpt;c:\windows\system32\drivers\PktIcpt.sys [2011-04-16 47560]
R3 GDScan;Ad-Aware Scanner;c:\program files\Common Files\G Data\GDScan\GDScan.exe [2010-06-29 624064]
R3 GDTunerSvc;Ad-Aware Tuner Service;c:\program files\Lavasoft\Ad-Aware Total Security\AVKTuner\AVKTunerService.exe [2010-06-29 1234896]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-03-23 4232704]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-08 691696]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2011-04-16 33480]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2010-01-28 15328]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-11-13 57344]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 11:38]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 11:38]
.
2011-04-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4150277254-4131139385-318742057-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vp32&d=0809&m=extensa_5635z
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Kate\AppData\Roaming\Mozilla\Firefox\Profiles\kn8rxld8.default\
FF - prefs.js: browser.startup.homepage - google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Ad-Aware WebFilter: {9AA46F4F-4DC7-4c06-97AF-5035170633FE} - c:\program files\Mozilla Firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: InvisibleHand: canitbecheaper@trafficbroker.co.uk - %profile%\extensions\canitbecheaper@trafficbroker.co.uk
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-klmdb.sys
SafeBoot-MsMpSvc
MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-26 10:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-26 10:13:32
ComboFix-quarantined-files.txt 2011-04-26 09:13
.
Pre-Run: 102,798,196,736 bytes free
Post-Run: 103,174,258,688 bytes free
.
- - End Of File - - 91EA56E3DC790C9A5C8342617DBE12E6


K

#6 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,103
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 26 April 2011 - 05:02 PM

It looks like Combofix has removed the malware despite the AVG problem but unfortunately we have to be sure. Please use the AVG uninstaller to remove AVG completely.

Once that's done please rerun Combofix.
If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#7 User is offline   KTorrential 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 18
  • Joined: 05-April 11

Posted 28 April 2011 - 12:44 PM

Sorry I didn't reply yesterday - I had a trip to what appears to be your home town!

I couldn't use that uninstaller, it claimed that it isn't compatible with my version of Windows

#8 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,103
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 28 April 2011 - 06:34 PM

Sorry. Try AVG for 32 bit
If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#9 User is offline   KTorrential 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 18
  • Joined: 05-April 11

Posted 28 April 2011 - 06:49 PM

I will run Combofix now, anyhow, and post the results shortly.

This post has been edited by m0le: 28 April 2011 - 07:05 PM

#10 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,103
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 28 April 2011 - 07:05 PM

:thumbup2:
If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#11 User is offline   KTorrential 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 18
  • Joined: 05-April 11

Posted 28 April 2011 - 07:38 PM

I presume your choice to edit meant that everything went as expected!
Thusly, my log:

ComboFix 11-04-28.01 - Kate 29/04/2011 1:07.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1976.1094 [GMT 1:00]
Running from: c:\users\Kate\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-29 )))))))))))))))))))))))))))))))
.
.
2011-04-29 00:27 . 2011-04-29 00:28 -------- d-----w- c:\users\Kate\AppData\Local\temp
2011-04-29 00:27 . 2011-04-29 00:27 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-04-29 00:27 . 2011-04-29 00:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-24 10:37 . 2011-04-24 10:38 -------- d-----w- C:\582fdbc010a0a06db8
2011-04-18 18:35 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-04-18 17:25 . 2011-04-18 17:25 29992 ----a-w- c:\windows\system32\drivers\GRD.sys
2011-04-16 12:24 . 2011-04-16 12:24 47560 ----a-w- c:\windows\system32\drivers\PktIcpt.sys
2011-04-16 12:23 . 2011-04-16 12:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-16 12:23 . 2011-04-16 12:23 62024 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2011-04-16 12:23 . 2011-04-16 12:23 33480 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2011-04-16 12:22 . 2011-04-16 12:22 40904 ----a-w- c:\windows\system32\drivers\gdwfpcd32.sys
2011-04-16 12:20 . 2011-04-28 23:59 -------- d-----w- c:\programdata\G DATA
2011-04-16 12:20 . 2011-04-28 23:57 -------- d-----w- c:\program files\Lavasoft
2011-04-16 12:20 . 2011-04-28 23:57 -------- d-----w- c:\program files\Common Files\G Data
2011-04-16 12:18 . 2011-04-16 12:18 -------- d-----w- c:\users\Kate\AppData\Local\Downloaded Installations
2011-04-16 11:42 . 2011-04-16 11:42 -------- d-----w- c:\users\Kate\AppData\Local\Real
2011-04-16 11:42 . 2011-04-16 11:42 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2011-04-16 11:42 . 2011-04-16 11:42 -------- d-----w- c:\program files\Common Files\xing shared
2011-04-16 11:41 . 2011-04-16 11:41 150712 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2011-04-16 11:41 . 2011-04-16 11:41 105472 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-04-16 11:41 . 2011-04-16 11:42 -------- d-----w- c:\program files\real
2011-04-16 11:39 . 2011-04-26 19:50 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Google
2011-04-16 01:01 . 2011-04-16 01:01 0 ----a-w- c:\users\Kate\AppData\Local\Ugeyisohunirum.bin
2011-04-09 15:46 . 2011-04-09 15:46 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2011-04-09 15:35 . 2011-04-09 15:35 -------- d-----w- c:\users\Kate\AppData\Local\Secunia PSI
2011-04-09 15:35 . 2011-04-09 15:35 -------- d-----w- c:\program files\Secunia
2011-04-07 11:50 . 2011-03-14 20:05 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{49004087-E0D8-4AC1-89B9-ED27E1B919F9}\mpengine.dll
2011-04-06 11:31 . 2011-04-02 11:34 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{602A1E4E-559F-41D7-B1D2-33616F6D6FFC}\gapaengine.dll
2011-04-05 14:52 . 2011-04-05 14:52 -------- d-----w- c:\users\Kate\AppData\Roaming\Malwarebytes
2011-04-05 14:52 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-05 14:52 . 2011-04-05 14:52 -------- d-----w- c:\programdata\Malwarebytes
2011-04-05 14:52 . 2011-04-05 14:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-05 14:52 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-03 18:20 . 2011-04-03 18:20 -------- d-----w- c:\users\Kate\AppData\Roaming\AVG10
2011-04-03 18:11 . 2011-04-03 18:11 -------- d--h--w- c:\programdata\Common Files
2011-04-03 18:09 . 2011-04-26 08:50 -------- d-----w- c:\programdata\AVG10
2011-04-03 18:08 . 2011-04-03 18:08 -------- d-----w- c:\program files\AVG
2011-04-03 18:06 . 2011-04-03 18:09 -------- d-----w- c:\programdata\MFAData
2011-04-02 11:35 . 2011-04-02 11:34 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-04-02 11:35 . 2011-04-02 11:34 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{69A13615-65F1-4946-A7E4-78C0D7F13D4A}\gapaengine.dll
2011-04-02 11:21 . 2011-04-02 11:21 -------- d-----w- c:\windows\Temp3EB947CE-CF27-39B1-B43A-F857EC70FD0D-Signatures
2011-04-02 11:20 . 2011-04-02 11:22 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-02 11:19 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-16 11:41 . 2010-03-12 16:42 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-16 11:41 . 2010-03-12 16:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-05 14:43 . 2010-03-11 10:48 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-03-14 20:05 . 2010-03-12 16:45 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-08 22:29 . 2010-06-24 10:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-22 14:13 . 2011-03-23 17:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 17:13 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 17:13 797696 ----a-w- c:\windows\system32\FntCache.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe" [2008-11-05 474168]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-30 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-05 1434920]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-04-04 698912]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-04-16 273544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acer VCM.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acer VCM.lnk
backup=c:\windows\pss\Acer VCM.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2008-12-04 13:24 665424 ----a-w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX110 Series]
2008-09-26 23:00 199680 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIFBE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2009-02-12 00:38 186904 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2009-03-05 07:43 805384 ----a-w- c:\program files\Launch Manager\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProductReg]
2008-11-17 09:47 135168 ----a-w- c:\program files\Acer\WR_PopUp\ProductReg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-10 23:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4150277254-4131139385-318742057-1003]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 136176]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-20 29472]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 136176]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-03-23 4232704]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-08 691696]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2010-01-28 15328]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-04-04 723488]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2010-01-28 220128]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2009-02-05 237568]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2011-01-10 399416]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-11-13 57344]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 11:38]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 11:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vp32&d=0809&m=extensa_5635z
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Kate\AppData\Roaming\Mozilla\Firefox\Profiles\kn8rxld8.default\
FF - prefs.js: browser.startup.homepage - google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: InvisibleHand: canitbecheaper@trafficbroker.co.uk - %profile%\extensions\canitbecheaper@trafficbroker.co.uk
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-29 01:28
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3336)
c:\program files\Acer\Acer ePower Management\SysHook.dll
.
Completion time: 2011-04-29 01:36:47
ComboFix-quarantined-files.txt 2011-04-29 00:36
ComboFix2.txt 2011-04-26 09:13
.
Pre-Run: 102,286,147,584 bytes free
Post-Run: 102,267,789,312 bytes free
.
- - End Of File - - 3A3376C1F8772583AC6F50F87096E305

#12 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,103
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 28 April 2011 - 08:12 PM

Quote

I had a trip to what appears to be your home town!


Whereabouts in London did you go?


Combofix ran clean second time around, as expected.

You can reinstall AVG when I give the all clear (or choose a replacement)

Please go online and scan with ESET

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.

  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

If no log is generated that means nothing was found. Please let me know if this happens.
If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#13 User is offline   KTorrential 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 18
  • Joined: 05-April 11

Posted 29 April 2011 - 08:27 AM

Quote

Whereabouts in London did you go?

I was being a typical tourist - a few hours in Camden, to the Tate, Forbidden Planet and to the Cathedral to point and laugh at all the campers ready for today. I love going to the big city.

I'm unsure whether you'll get around to this part, but I thought I should make you aware that Windows can't check for any updates, throwing this code at me: 80070005.

Here is the ESET Scan file:

C:\Users\Kate\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-110587d4 Java/TrojanDownloader.OpenStream.NBS trojan cleaned by deleting - quarantined
C:\Users\Kate\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\143b51c7-35200f66 a variant of Java/TrojanDownloader.OpenStream.NBM trojan cleaned by deleting - quarantined

#14 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,103
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 29 April 2011 - 03:34 PM

I found an answer on Microsoft's forum. Let me know if you get stuck.

As for the malware we are nearly there. Apart from the update problem is there any other issue?
If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#15 User is offline   KTorrential 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 18
  • Joined: 05-April 11

Posted 30 April 2011 - 02:19 AM

I shall take a look at that solution tomorrow, I am being dragged to a wedding today.

Problems persist, such as Google redirects, new tabs and browser windows opening.

I have not used my machine for more than 5 minutes today, so any other problems would go unnoticed.

Share this topic:


  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users