1st time Virus Sufferer


This topic is locked
30 replies to this topic

#1 zronin99
  • Members
  • 38 posts
  • Gender: Male

Posted 15 December 2008 - 06:55 PM

Mod. edit: Was receiving help in Am I Infected forum here: http://www.bleepingcomputer.com/forums/t/186605/first-time-virus-sufferer/ ~ OB

Ok, I'll do my best to be brief. I was browsing on the internet when my browser suddenly started loading a PDF file I didn't click on or was even near. Of course everything froze and I waited too long to reboot.

After which, whenever I opened a browser I would get attacked by popups and fake virus warnings asking me to download so-and-so program, or Windows Security. It doesn't pop up in Firefox as much, but even if I'm running Firefox it will open IE and bring all the popups from there. Even if I'm not connected it will try this for a little while, even when I don't open a browser. It also takes a long time to delete files.

So I realized I had a problem. I ran AVG Anti-Virus and it found gadcom.exe (Trojan horse Agent.AOQC). It said it healed it and needed to reboot, so I did, but I'm still having popup trouble, so I switched computers and looked the file up.

So I ran MBA. When I tried rebooting afterwards it stuck at the Windows XP boot screen for an hour. So I shut down and turned it back on. It booted fine, but to get into safe mode I had to use SAS, since for some strange reason my laptop won't normally boot into safe mode.

So I ran AFT, then SAS (scan took 6 hours), then booted back into normal Windows and ran HijackThis and MBA again.

I added as attachments the first MBA scan and the SAS scan I did after it, and what I did after that: the last HijackThis scan I did after the MBA scan shown below.

Here is the last MBA log:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/15/2008 4:49:34 PM
mbam-log-2008-12-15 (16-49-34).txt

Scan type: Full Scan (C:|)
Objects scanned: 180220
Time elapsed: 1 hour(s), 33 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

So am I good now? And if so, does anyone know how I can fix this problem where I can't connect to the internet from my laptop? (It still works on the other 3 computers in the house.) I reinstalled MBA, HijackThis and SAS. When I installed one of these (not sure which one) it put a firewall on my wireless connector and wired.

I tried connecting both in normal boot and safe mode; however, I get the same errors. If I try connecting by wire to the router then it says there was an error "Renewing the IP Address"; this same error happens if I try the repair option.

When I try connecting with the wireless or repairing it, it says "Connection failed!"

These are the same errors I get when none of the above programs are installed, and when they are and have their firewall up.

I added the logs from MBA, which found nothing *wipes brow*, and HijackThis; however, now I am still faced with the inability to connect to the internet from it. Oh, I also tried connecting to the router's web interface with that computer, but it timed out after trying to load it. The network connection shows up in the system tray as being limited or no connectivity.

Sorry about the double post, didn't realise I didn't add the SAS log.

Merged posts. ~ OB



Edited by Orange Blossom, 15 December 2008 - 07:04 PM.




#2 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,805 posts
  • Gender: Not Telling
  • Location: Bloomington, IN

Posted 23 December 2008 - 09:26 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 zronin99
  • Topic Starter
  • Members
  • 38 posts
  • Gender: Male

Posted 25 December 2008 - 10:19 AM

Sorry for taking so long, I just stopped checking back here for a reply. My virus problem is fixed. However, my connection problem still remains despite trying DAF and, when that didn't help, SAS's repair routines; afterwards I got a connection failed error when trying to connect by wireless after rebooting, and a limited or no connectivity error when using wired (when I try to repair the connection it gives an error on renewing the IP). Then I tried this:

@echo off
REM Save the current adapter configuration for reference
ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.out"
REM Clear the ARP cache and the DNS resolver cache
netsh interface ip delete arpcache
ipconfig /flushdns
REM Release and renew the DHCP lease on every adapter, then re-register in DNS
ipconfig /release *
ipconfig /renew *
ipconfig /registerdns
REM Purge and reload the NetBIOS name cache
nbtstat -RR
REM Record the Winsock LSP catalog before and after resetting it
netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"
netsh winsock reset catalog
netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"
REM Reset the TCP/IP stack, logging the changes to a file
netsh int ip reset "%USERPROFILE%\Desktop\tcpreset.txt"

After rebooting it was the same. So I tried Services.msc and checked to make sure Computer Browser, DHCP Client, DNS Client, Server, Wired AutoConfig, Wireless Zero Configuration and Workstation were on automatic and started. Wired AutoConfig wasn't, so I set it to automatic, rebooted and tried again, but I was still getting the same errors. That's when I stopped getting any help on the matter, so I tried WinsockFix and attempted to access the internet afterward, but still got the same errors.

I don't know if you can help with this problem, but if you can't, is there any place you could advise me to ask about my problem? (After my connection had gone out I accessed the router's web interface on my Mac and checked its activity log, and had a whole line of floods that must have been coming when the laptop was connected and pulling up whatever webpages/popups it wanted to, until I pulled its wire.)


Thanks for your time.

Edited by zronin99, 25 December 2008 - 10:37 AM.


#4 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender: Male
  • Location: Redmond, Washington

Posted 26 December 2008 - 12:14 AM

Unfortunately I'm not completely familiar with such a problem. However, I may be able to discern the best course of action from the Event Viewer section of DDS's attach.txt.

If you'd post that log, I'd be able to do some research for you :thumbsup:

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 zronin99
  • Topic Starter
  • Members
  • 38 posts
  • Gender: Male

Posted 26 December 2008 - 10:50 PM

Thanks, here's the DDS.txt log. If you need the attach.txt log let me know. I've tried uninstalling Comodo but now I see parts of it are still running :?


DDS (Version 1.1.0) - NTFSx86
Run by Owner at 22:41:50.35 on 2008-12-26
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.987 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
FW: COMODO Firewall Pro *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AOL\115512~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\115512~1\EE\AOLServiceHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner.YOUR-9552AE6F51\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} -
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [SalaatTime] c:\program files\salaat time\SalaatTime.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HostManager] c:\program files\common files\aol\1155127143\ee\AOLHostManager.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\owner~1.you\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Awasu workpad - c:\docume~1\owner~1.you\locals~1\temp\awasu4
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open in Awasu - c:\docume~1\owner~1.you\locals~1\temp\awasu5
IE: Open in default browser - c:\docume~1\owner~1.you\locals~1\temp\awasu6
IE: Subscribe in A&wasu - c:\docume~1\owner~1.you\locals~1\temp\awasu7
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - c:\windows\system32\wowctl2.dll
Handler: x-mem3 - {4F6D06DD-44AB-4F89-BF13-9027B505B15A} - c:\windows\system32\eztoolslib2.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.you\applic~1\mozilla\firefox\profiles\wxplvy0l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-7 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-7 26824]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-14 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-14 24208]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-7 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-7 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-7 76040]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-8-9 200576]
S2 cmdAgent;COMODO Firewall Pro Helper Service;"c:\program files\comodo\firewall\cmdagent.exe" []
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe []
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe []
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575nd5.sys [2006-8-9 69692]
S3 ir100;ir100;c:\windows\system32\drivers\ir100.sys [2007-8-23 16896]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\drivers\pwi_bus.sys [2006-11-11 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\drivers\pwi_mdfl.sys [2006-11-11 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\drivers\pwi_mdm.sys [2006-11-11 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\drivers\pwi_oflt.sys [2006-11-11 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\drivers\pwi_serd.sys [2006-11-11 69632]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2008-9-27 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2008-9-27 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2008-9-27 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2008-9-27 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2008-9-27 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2008-9-27 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2008-9-27 110120]
S3 utm5nta4;AVZ Kernel Driver;\??\c:\windows\system32\drivers\utm5nta4.sys []

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2008-12-24 02:51 57,344 a------- c:\windows\system32\WNASPINT.DLL
2008-12-24 02:32 873 a------- C:\WinELF.html
2008-12-19 09:49 389,120 a------- c:\windows\system32\CF23911.exe
2008-12-19 09:49 <DIR> --d----- C:\ComboFix
2008-12-19 09:47 <DIR> a-dshr-- C:\autorun.inf
2008-12-18 13:27 245,792 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-18 13:27 3,956 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-17 18:42 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2008-12-17 18:35 <DIR> --d----- c:\windows\ERUNT
2008-12-17 18:21 <DIR> --d----- C:\SDFix
2008-12-17 13:37 <DIR> --d----- c:\windows\system32\NtmsData
2008-12-17 13:11 48,242,688 a------- c:\windows\sectest.db
2008-12-17 13:06 <DIR> --d----- c:\windows\system32\CatRoot2
2008-12-17 09:44 161,792 a------- c:\windows\SWREG.exe
2008-12-17 09:44 98,816 a------- c:\windows\sed.exe
2008-12-15 16:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-15 15:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-15 15:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-15 15:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-14 13:52 237,552 a------- c:\windows\system32\tpuninst.exe
2008-12-14 12:51 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-14 12:51 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\SUPERAntiSpyware.com
2008-12-14 02:28 249,592 a------- c:\windows\system32\cssdll32.dll
2008-12-14 02:28 <DIR> --d----- c:\program files\AskSBar
2008-12-14 02:27 143,104 a------- c:\windows\system32\guard32.dll
2008-12-14 02:27 24,208 a------- c:\windows\system32\drivers\cmdhlp.sys
2008-12-14 02:27 87,056 a------- c:\windows\system32\drivers\cmdguard.sys
2008-12-12 16:15 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-12 16:13 14,048 a------- c:\windows\system32\spmsg2.dll
2008-12-12 15:41 <DIR> --d----- c:\windows\SxsCaPendDel
2008-12-12 02:25 647,872 a------- c:\windows\system32\MSCOMCT2.OCX
2008-12-08 23:42 <DIR> --d----- c:\program files\Raptor
2008-12-06 02:14 50 a------- c:\windows\MegaManager.INI
2008-12-05 07:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-05 07:54 <DIR> --d----- c:\program files\iTunes
2008-12-05 01:49 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\Megaupload
2008-12-05 01:44 <DIR> --d----- c:\program files\Megaupload
2008-11-30 04:26 <DIR> --d----- c:\program files\Unlocker

==================== Find3M ====================

2008-10-29 23:24 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-28 20:58 60,744 a------- c:\documents and settings\owner.your-9552ae6f51\g2mdlhlpx.exe
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-22 15:52 47,360 a------- c:\docume~1\owner~1.you\applic~1\pcouffin.sys
2008-10-20 02:44 60,540 a---h--- c:\windows\system32\mlfcache.dat
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-11 02:18 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-10 04:52 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2008-10-10 04:52 452,440 a------- c:\windows\system32\d3dx10_40.dll
2008-10-07 21:33 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-02 21:16 286,720 a------- c:\windows\Setup1.exe
2008-10-02 21:16 73,216 a------- c:\windows\ST6UNST.EXE
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2007-09-08 21:26 52 a------- c:\docume~1\owner~1.you\applic~1\wklnhst.dat
2006-10-11 22:09 94,208 a--sh--- c:\windows\system32\SalaatTime.dll
2007-09-08 22:22 6,144 a--sh--- c:\windows\system32\ss.drv

============= FINISH: 22:43:00.34 ===============

Edited by zronin99, 26 December 2008 - 10:51 PM.


#6 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender: Male
  • Location: Redmond, Washington

Posted 26 December 2008 - 11:57 PM

Hello, zronin99
Yeah... Comodo is still running.

The log identifies your problems:

SecurityProviders: msapsspc.dllschannel.dlldigest.dllmsnsspc.dll


Please read the posting over at MalwareBytes' for a description:
http://www.malwarebytes.org/forums/index.php?showtopic=6105

This is a critical bug in MbAM. However, it was repaired quite some time ago, and it should have fixed itself. I'm not sure why it's still present on your system.

In addition, there's a large amount of malware still present in those logs.

We need to uninstall one or more programs
Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs(if present):
Comodo Firewall (We can reinstall when we're done if you want)

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click ComboFix.exe on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :thumbsup:
In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 zronin99
  • Topic Starter
  • Members
  • 38 posts
  • Gender: Male

Posted 27 December 2008 - 03:07 AM

Ok, here is the ComboFix log. I checked the page, but the only place they have to download the fix from is a Rapidshare link now, and since I have MBA 1.3-something, when I try running the fix it says: "Your SecurityProviders value is not corrupt. No action will be taken." Concerning Comodo, I had already uninstalled it by the method given, but all that stuff you can see in the log from before stayed behind; any thought how I could get rid of those extra bits?



Edited by zronin99, 27 December 2008 - 03:14 AM.


#8 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender: Male
  • Location: Redmond, Washington

Posted 27 December 2008 - 08:47 AM

Hello, zronin99
The fix no longer works like that. We have to restore it manually.

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    driver::
    utm5nta4
    DDS::
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Drag CFScript.txt into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ComboFix.txt
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
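Post #6 above pins the connection failure on the run-together SecurityProviders value, and post #8 restores it by hand through a CFScript. The script below is an added example, not code from the thread, from Malwarebytes or from ComboFix: it parses a SecurityProviders string, flags the lost separators, rebuilds the comma-separated form only from the DLL names still present in the value (never from a hard-coded list, since the default providers differ between Windows versions), and emits a .reg file with the repaired value. The sample input is the corrupted value from the DDS log, and the key path is the one post #8 writes to; the function and variable names are my own.

```python
"""Check and repair a SecurityProviders registry value whose separators were lost.

Added example, not from the thread, Malwarebytes or ComboFix. The corrupted
sample is the value quoted in the DDS log above; the key path is the one the
CFScript in post #8 writes to. The repaired string is rebuilt only from the DLL
names still present in the value, never from a hard-coded list.
"""
import re
import sys

# Constructed sample: the corrupted value as it appears in the DDS log.
CORRUPTED_SAMPLE = "msapsspc.dllschannel.dlldigest.dllmsnsspc.dll"
# The healthy XP value that post #8's CFScript writes back.
EXPECTED_XP_VALUE = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

REG_KEY_PATH = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"
VALUE_NAME = "SecurityProviders"

# Shortest run of non-separator characters ending in ".dll": this splits
# "msapsspc.dllschannel.dll" into two names even though no comma is present.
_DLL_TOKEN = re.compile(r"[^,\s]+?\.dll", re.IGNORECASE)


def parse_security_providers(raw):
    """Return the DLL names in a SecurityProviders string, in order.

    Accepts the healthy "a.dll, b.dll" form as well as the run-together
    form produced by the MBAM bug discussed in the thread.
    """
    return [m.group(0) for m in _DLL_TOKEN.finditer(raw)]


def is_corrupted(raw):
    """True when the value is empty, names are run together, or a fragment
    that is not a .dll name is present. Whitespace around commas is
    normalised first, so "a.dll,b.dll" still counts as healthy."""
    names = parse_security_providers(raw)
    if not names:
        return True
    canonical = ", ".join(names)
    normalised = ", ".join(p.strip() for p in raw.split(",") if p.strip())
    return normalised != canonical


def repair(raw):
    """Rebuild the canonical comma-separated value from the names present."""
    return ", ".join(parse_security_providers(raw))


def reg_file_text(fixed_value):
    """Build a .reg script (Registry Editor 5.00 format) that writes fixed_value."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\" + REG_KEY_PATH + "]\r\n"
        '"' + VALUE_NAME + '"="' + fixed_value + '"\r\n'
    )


def read_live_value():
    """Read the live value on Windows; return None on any other platform."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only

    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY_PATH)
    try:
        value, _value_type = winreg.QueryValueEx(key, VALUE_NAME)
    finally:
        winreg.CloseKey(key)
    return value


def main():
    raw = read_live_value()
    if raw is None:
        print("Not running on Windows; checking the value from the DDS log instead.")
        raw = CORRUPTED_SAMPLE
    print("current value :", raw)
    if not is_corrupted(raw):
        print("SecurityProviders looks intact; no action needed.")
        return
    fixed = repair(raw)
    print("repaired value:", fixed)
    print("\nImport this with regedit (as an administrator) to apply the fix:\n")
    print(reg_file_text(fixed))


if __name__ == "__main__":
    main()
```

On the affected machine, run it as an administrator and import the printed .reg text; a reboot is needed before the SSPI-dependent services pick the value up.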

#9 zronin99
  • Topic Starter
  • Members
  • 38 posts
  • Gender: Male

Posted 27 December 2008 - 08:43 PM

I finished the ComboFix with the txt you gave me.

ComboFix 08-12-26.03 - Owner 2008-12-27 20:08:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.878 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-9552AE6F51\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-9552AE6F51\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
FW: COMODO Firewall Pro *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_utm5nta4


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-24 02:51 . 2002-11-02 09:53 57,344 --a------ c:\windows\system32\WNASPINT.DLL
2008-12-24 02:32 . 2008-12-24 02:32 873 --a------ C:\WinELF.html
2008-12-20 17:16 . 2008-12-20 17:16 <DIR> d-------- C:\ERDNT
2008-12-18 13:27 . 2008-12-18 16:27 245,792 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-18 13:27 . 2008-12-18 16:27 3,956 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-17 18:42 . 2008-12-17 18:42 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-17 18:35 . 2008-12-17 18:36 <DIR> d-------- c:\windows\ERUNT
2008-12-17 18:21 . 2008-12-17 19:05 <DIR> d-------- C:\SDFix
2008-12-17 13:37 . 2008-12-27 20:06 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-17 13:11 . 2008-12-17 13:17 48,242,688 --a------ c:\windows\sectest.db
2008-12-17 13:06 . 2008-12-25 14:10 <DIR> d-------- c:\windows\system32\CatRoot2
2008-12-15 16:56 . 2008-12-15 16:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-15 15:14 . 2008-12-17 05:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-15 15:14 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-15 15:14 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-14 13:52 . 2007-05-09 01:10 237,552 --a------ c:\windows\system32\tpuninst.exe
2008-12-14 12:51 . 2008-12-25 08:12 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-14 12:51 . 2008-12-25 08:12 <DIR> d-------- c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\SUPERAntiSpyware.com
2008-12-14 02:28 . 2008-12-14 02:28 <DIR> d-------- c:\program files\AskSBar
2008-12-14 02:28 . 2008-12-14 02:28 249,592 --a------ c:\windows\system32\cssdll32.dll
2008-12-14 02:27 . 2008-12-14 02:26 143,104 --a------ c:\windows\system32\guard32.dll
2008-12-14 02:27 . 2008-12-14 02:26 87,056 --a------ c:\windows\system32\drivers\cmdguard.sys
2008-12-14 02:27 . 2008-12-14 02:26 24,208 --a------ c:\windows\system32\drivers\cmdhlp.sys
2008-12-12 16:15 . 2008-12-12 16:15 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-12 16:15 . 2008-12-12 16:15 <DIR> d-------- c:\program files\MSBuild
2008-12-12 16:14 . 2008-12-12 16:14 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-12 16:13 . 2006-06-29 13:07 14,048 --a------ c:\windows\system32\spmsg2.dll
2008-12-12 15:41 . 2008-12-13 09:33 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-12 02:25 . 2000-05-22 00:00 647,872 --a------ c:\windows\system32\MSCOMCT2.OCX
2008-12-08 23:42 . 2008-12-15 04:06 <DIR> d-------- c:\program files\Raptor
2008-12-06 02:14 . 2008-12-06 02:14 50 --a------ c:\windows\MegaManager.INI
2008-12-05 07:54 . 2008-12-05 07:56 <DIR> d-------- c:\program files\iTunes
2008-12-05 07:54 . 2008-12-05 07:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-05 07:49 . 2008-12-05 07:50 <DIR> d-------- c:\program files\QuickTime
2008-12-05 01:49 . 2008-12-05 01:49 <DIR> d-------- c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\Megaupload
2008-12-05 01:44 . 2008-12-05 01:44 <DIR> d-------- c:\program files\Megaupload
2008-11-30 04:26 . 2008-12-25 08:12 <DIR> d-------- c:\program files\Unlocker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 01:21 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\Orbit
2008-12-22 03:49 --------- d-----w c:\program files\X-WIRE
2008-12-15 09:12 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\MegauploadToolbar
2008-12-14 17:38 --------- d-----w c:\program files\Trend Micro
2008-12-14 06:15 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\AVGTOOLBAR
2008-12-13 23:36 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\uTorrent
2008-12-11 23:27 --------- d-----w c:\program files\FinePixViewer
2008-12-11 04:21 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\Move Networks
2008-12-07 02:51 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-05 12:55 --------- d-----w c:\program files\iPod
2008-12-05 12:55 --------- d-----w c:\program files\Common Files\Apple
2008-12-05 06:45 --------- d-----w c:\program files\MegauploadToolbar
2008-12-05 06:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 22:49 --------- d-----w c:\program files\Eudemons Online
2008-11-20 15:24 --------- d-----w c:\program files\VerbAce
2008-11-18 00:07 --------- d-----w c:\program files\Common Files\INCA Shared
2008-11-17 08:24 --------- d-----w c:\program files\iPodLibrary
2008-11-17 08:07 --------- d-----w c:\program files\Softnyx
2008-11-15 01:55 --------- d-----w c:\program files\Conference
2008-11-13 19:03 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\EmailNotifier
2008-11-13 19:03 --------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2008-11-13 19:03 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2008-11-06 07:03 --------- d-----w c:\program files\Gateway
2008-11-05 10:14 --------- d-----w c:\program files\ICE Book Reader Professional
2008-11-05 10:09 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\Azureus
2008-11-04 02:35 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\vlc
2008-11-04 02:19 --------- d-----w c:\program files\VideoLAN
2008-10-30 04:33 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-10-30 04:23 --------- d-----w c:\program files\Java
2008-10-30 04:14 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\mIRC
2008-10-30 04:05 --------- d-----w c:\program files\mIRC
2008-10-29 01:58 60,744 ----a-w c:\documents and settings\Owner.YOUR-9552AE6F51\g2mdlhlpx.exe
2008-10-29 01:58 --------- d-----w c:\program files\Citrix
2008-10-28 02:41 --------- d-----w c:\program files\ABC Amber LIT Converter
2008-10-22 20:52 47,360 ----a-w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\pcouffin.sys
2008-10-03 02:16 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-10-03 02:16 286,720 ----a-w c:\windows\Setup1.exe
2007-09-09 02:26 52 ----a-w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\wklnhst.dat
2006-10-12 03:09 94,208 --sha-w c:\windows\system32\SalaatTime.dll
2007-09-09 03:22 6,144 --sha-w c:\windows\system32\ss.drv
.

((((((((((((((((((((((((((((( snapshot@2008-12-17_10.03.13.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-12-17 23:37:34 12,234,752 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-12-17 23:37:35 540,672 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-12-17 23:36:40 12,234,752 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-12-17 23:36:40 540,672 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-12-13 14:34:41 1,615,504 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-17 18:37:00 1,615,504 ----a-w c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 1957888]
"SalaatTime"="c:\program files\Salaat Time\SalaatTime.exe" [2007-08-26 13443072]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"HostManager"="c:\program files\Common Files\AOL\1155127143\EE\AOLHostManager.exe" [2004-11-03 125528]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 344064]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-29 136600]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\Owner.YOUR-9552AE6F51\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-05-25 303104]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-03-18 1703112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.DIV3"= DIVXc32.dll
"vidc.DIV4"= DIVXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8emc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-07 97928]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-12-14 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-12-14 24208]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-07 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-07 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-07 76040]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2006-08-09 200576]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe []
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe []
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\DRIVERS\el575nd5.sys [2006-08-09 69692]
S3 ir100;ir100;c:\windows\system32\DRIVERS\ir100.sys [2007-08-23 16896]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys [2006-11-11 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys [2006-11-11 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys [2006-11-11 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys [2006-11-11 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys [2006-11-11 69632]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\DRIVERS\s3017bus.sys [2008-09-27 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s3017mdfl.sys [2008-09-27 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s3017mdm.sys [2008-09-27 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s3017mgmt.sys [2008-09-27 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\DRIVERS\s3017nd5.sys [2008-09-27 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s3017obex.sys [2008-09-27 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\DRIVERS\s3017unic.sys [2008-09-27 110120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{157ced9c-f150-11dc-b163-0014a542f703}]
\Shell\AutoRun\command - H:\autorun.exe
\Shell\phone\command - H:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{293f5fa7-aac5-11dd-b1dc-0014a542f703}]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92695312-733a-11dd-b1a7-0014a542f703}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{582610B8-E496-4813-993C-4B027173FE38}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Awasu workpad - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\awasu4
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open in Awasu - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\awasu5
IE: Open in default browser - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\awasu6
IE: Subscribe in A&wasu - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\awasu7
FF - ProfilePath - c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\Mozilla\Firefox\Profiles\wxplvy0l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 20:18:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\COMMON~1\AOL\115512~1\EE\AOLServiceHost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Orbitdownloader\orbitnet.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
.
**************************************************************************
.
Completion time: 2008-12-27 20:25:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-28 01:25:27
ComboFix2.txt 2008-12-27 07:46:08
ComboFix3.txt 2008-12-17 15:54:46
ComboFix4.txt 2008-12-17 15:04:12

Pre-Run: 33,939,329,024 bytes free
Post-Run: 33,860,567,040 bytes free

258 --- E O F --- 2008-12-12 08:19:06

After the laptop had rebooted I reconnected the wire but still got the "limited or no connectivity" error and the problem renewing the IP error when I tried repairing the connection. So I can't do the online scan. (I saw ComboFix made some more texts in a folder called Qoobox, do you need those too?)

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:07 PM

Posted 27 December 2008 - 09:14 PM

(I saw ComboFix made some more texts in a folder called Qoobox, do you need those too?)

No... and don't go running stuff in there. That's where ComboFix puts stuff that it removes that's infected. Don't want you getting reinfected :thumbsup:

Please try uninstalling Comodo Firewall and let me know if the connection problems continue.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#11 zronin99

zronin99
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:07 PM

Posted 27 December 2008 - 09:45 PM

I already uninstalled it from Windows about a week ago, so its normal folders are gone, but I don't know how to get to those things that the uninstall decided to leave behind that are still showing up in my scans. Do you know how I could get to the files you're finding and delete them?

Edited by zronin99, 27 December 2008 - 11:07 PM.


#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:07 PM

Posted 28 December 2008 - 05:55 PM

Hello, zronin99

Some big parts of Comodo are still running on here. This will rip 'em out :thumbsup:

Let me know if your internet works now :)

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    driver::
    cmdGuard
    cmdHlp
    ioloFileInfoList
    ioloSystemService
    file::
    c:\windows\system32\DRIVERS\cmdhlp.sys
    c:\windows\system32\DRIVERS\cmdguard.sys
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image
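The CFScript above was written by reading the "Drivers/Services" lines of the earlier ComboFix log: the two COMODO drivers are still registered and their .sys files still exist, while the two iolo services point at a binary ComboFix prints as "[]", i.e. the file is already gone and only the registry entry remains. As an added example (not ComboFix's own code and not the helper's tool), here is a small Python triage script that parses those lines, flags leftovers of products the user says are uninstalled, and renders the matching CFScript. It assumes the line layout "<R|S><n> <name>;<display name>;<path> [<date> <size>]" with R = running, S = stopped and n = start type, and that an empty bracket means ComboFix could not find the binary; the sample lines are copied from the log posted above.

```python
"""Triage of the 'Drivers/Services' lines in a ComboFix log.

Added example; not ComboFix's own code and not the helper's script, although
it reproduces the CFScript posted above from the same log lines.

Assumptions (not documented on this page):
  * each line looks like "<R|S><n> <name>;<display name>;<path> [<date> <size>]"
    where R = running, S = stopped and n = start type (1 system, 2 auto, 3 manual);
  * an empty bracket "[]" means ComboFix could not stat the binary, i.e. the
    file is already gone and only the registry entry is left behind.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?) \[(?P<fileinfo>[^\]]*)\]$"
)

# Constructed sample: six lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-07 97928]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-12-14 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-12-14 24208]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-07 231704]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe []
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe []
"""


@dataclass
class ServiceEntry:
    running: bool        # R = running, S = stopped (assumed ComboFix convention)
    start_type: int      # digit after R/S: 1 system, 2 auto, 3 manual
    name: str            # service key name, what "driver::" in a CFScript takes
    display: str
    path: str
    file_present: bool   # False when ComboFix printed "[]" for the binary


def parse_services(log_text):
    """Return the service/driver entries found in a ComboFix log body."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, registry keys, file listings, etc.
        entries.append(ServiceEntry(
            running=m["state"] == "R",
            start_type=int(m["start"]),
            name=m["name"],
            display=m["display"],
            path=m["path"],
            file_present=m["fileinfo"].strip() != "",
        ))
    return entries


def find_orphans(entries, uninstalled_vendors):
    """Entries that belong to a product the user says is uninstalled.

    A vendor keyword in the display name is enough; an entry whose binary is
    missing (file_present == False) is also an orphan, whatever the vendor.
    """
    vendors = [v.lower() for v in uninstalled_vendors]
    orphans = []
    for e in entries:
        by_vendor = any(v in e.display.lower() for v in vendors)
        if by_vendor or not e.file_present:
            orphans.append(e)
    return orphans


def build_cfscript(orphans):
    """Render the ComboFix CFScript that removes those entries.

    driver:: takes the service names; file:: lists only binaries that still
    exist on disk, since there is nothing to delete for an entry shown as "[]".
    """
    lines = ["driver::"] + [e.name for e in orphans]
    files = [e.path for e in orphans if e.file_present]
    if files:
        lines.append("file::")
        lines.extend(files)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_orphans(parse_services(SAMPLE_LOG), ["COMODO", "iolo"])
    for e in found:
        state = "running" if e.running else "stopped"
        why = "vendor match" if e.file_present else "binary missing"
        print(f"{e.name:<20} {state:<8} start={e.start_type}  {why}")
    print(build_cfscript(found))
```

The vendor list is the only input that comes from the conversation (the user said Comodo was uninstalled); the "binary missing" rule catches the iolo leftovers without anyone naming them. Entries for AVG are left alone because they match no keyword and their files are present, which is the same split the helper's CFScript makes.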

#13 zronin99

zronin99
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:07 PM

Posted 28 December 2008 - 09:05 PM

Still limited or no connectivity... :thumbsup:

ComboFix 08-12-28.01 - Owner 2008-12-28 20:40:10.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.1022 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-9552AE6F51\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-9552AE6F51\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
FW: COMODO Firewall Pro *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\DRIVERS\cmdguard.sys
c:\windows\system32\DRIVERS\cmdhlp.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\DRIVERS\cmdguard.sys
c:\windows\system32\DRIVERS\cmdhlp.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDGUARD
-------\Legacy_CMDHLP
-------\Legacy_IOLOFILEINFOLIST
-------\Legacy_IOLOSYSTEMSERVICE
-------\Service_cmdGuard
-------\Service_cmdHlp
-------\Service_ioloFileInfoList
-------\Service_ioloSystemService


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-24 02:51 . 2002-11-02 09:53 57,344 --a------ c:\windows\system32\WNASPINT.DLL
2008-12-24 02:32 . 2008-12-24 02:32 873 --a------ C:\WinELF.html
2008-12-20 17:16 . 2008-12-20 17:16 <DIR> d-------- C:\ERDNT
2008-12-18 13:27 . 2008-12-18 16:27 245,792 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-18 13:27 . 2008-12-18 16:27 3,956 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-17 18:42 . 2008-12-17 18:42 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-17 18:35 . 2008-12-17 18:36 <DIR> d-------- c:\windows\ERUNT
2008-12-17 18:21 . 2008-12-17 19:05 <DIR> d-------- C:\SDFix
2008-12-17 13:37 . 2008-12-28 20:37 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-17 13:11 . 2008-12-17 13:17 48,242,688 --a------ c:\windows\sectest.db
2008-12-17 13:06 . 2008-12-25 14:10 <DIR> d-------- c:\windows\system32\CatRoot2
2008-12-15 16:56 . 2008-12-15 16:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-15 15:14 . 2008-12-17 05:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-15 15:14 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-15 15:14 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-14 13:52 . 2007-05-09 01:10 237,552 --a------ c:\windows\system32\tpuninst.exe
2008-12-14 12:51 . 2008-12-25 08:12 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-14 12:51 . 2008-12-25 08:12 <DIR> d-------- c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\SUPERAntiSpyware.com
2008-12-14 02:28 . 2008-12-14 02:28 <DIR> d-------- c:\program files\AskSBar
2008-12-14 02:28 . 2008-12-14 02:28 249,592 --a------ c:\windows\system32\cssdll32.dll
2008-12-14 02:27 . 2008-12-14 02:26 143,104 --a------ c:\windows\system32\guard32.dll
2008-12-12 16:15 . 2008-12-12 16:15 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-12 16:15 . 2008-12-12 16:15 <DIR> d-------- c:\program files\MSBuild
2008-12-12 16:14 . 2008-12-12 16:14 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-12 16:13 . 2006-06-29 13:07 14,048 --a------ c:\windows\system32\spmsg2.dll
2008-12-12 15:41 . 2008-12-13 09:33 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-12 02:25 . 2000-05-22 00:00 647,872 --a------ c:\windows\system32\MSCOMCT2.OCX
2008-12-08 23:42 . 2008-12-15 04:06 <DIR> d-------- c:\program files\Raptor
2008-12-06 02:14 . 2008-12-06 02:14 50 --a------ c:\windows\MegaManager.INI
2008-12-05 07:54 . 2008-12-05 07:56 <DIR> d-------- c:\program files\iTunes
2008-12-05 07:54 . 2008-12-05 07:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-05 07:49 . 2008-12-05 07:50 <DIR> d-------- c:\program files\QuickTime
2008-12-05 01:49 . 2008-12-05 01:49 <DIR> d-------- c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\Megaupload
2008-12-05 01:44 . 2008-12-05 01:44 <DIR> d-------- c:\program files\Megaupload
2008-11-30 04:26 . 2008-12-25 08:12 <DIR> d-------- c:\program files\Unlocker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 01:52 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\Orbit
2008-12-22 03:49 --------- d-----w c:\program files\X-WIRE
2008-12-15 09:12 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\MegauploadToolbar
2008-12-14 17:38 --------- d-----w c:\program files\Trend Micro
2008-12-14 06:15 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\AVGTOOLBAR
2008-12-13 23:36 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\uTorrent
2008-12-11 23:27 --------- d-----w c:\program files\FinePixViewer
2008-12-11 04:21 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\Move Networks
2008-12-07 02:51 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-05 12:55 --------- d-----w c:\program files\iPod
2008-12-05 12:55 --------- d-----w c:\program files\Common Files\Apple
2008-12-05 06:45 --------- d-----w c:\program files\MegauploadToolbar
2008-12-05 06:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 22:49 --------- d-----w c:\program files\Eudemons Online
2008-11-20 15:24 --------- d-----w c:\program files\VerbAce
2008-11-18 00:07 --------- d-----w c:\program files\Common Files\INCA Shared
2008-11-17 08:24 --------- d-----w c:\program files\iPodLibrary
2008-11-17 08:07 --------- d-----w c:\program files\Softnyx
2008-11-15 01:55 --------- d-----w c:\program files\Conference
2008-11-13 19:03 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\EmailNotifier
2008-11-13 19:03 --------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2008-11-13 19:03 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2008-11-06 07:03 --------- d-----w c:\program files\Gateway
2008-11-05 10:14 --------- d-----w c:\program files\ICE Book Reader Professional
2008-11-05 10:09 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\Azureus
2008-11-04 02:35 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\vlc
2008-11-04 02:19 --------- d-----w c:\program files\VideoLAN
2008-10-30 04:33 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-10-30 04:23 --------- d-----w c:\program files\Java
2008-10-30 04:14 --------- d-----w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\mIRC
2008-10-30 04:05 --------- d-----w c:\program files\mIRC
2008-10-29 01:58 60,744 ----a-w c:\documents and settings\Owner.YOUR-9552AE6F51\g2mdlhlpx.exe
2008-10-29 01:58 --------- d-----w c:\program files\Citrix
2008-10-28 02:41 --------- d-----w c:\program files\ABC Amber LIT Converter
2008-10-22 20:52 47,360 ----a-w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\pcouffin.sys
2008-10-03 02:16 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-10-03 02:16 286,720 ----a-w c:\windows\Setup1.exe
2007-09-09 02:26 52 ----a-w c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\wklnhst.dat
2006-10-12 03:09 94,208 --sha-w c:\windows\system32\SalaatTime.dll
2007-09-09 03:22 6,144 --sha-w c:\windows\system32\ss.drv
.

((((((((((((((((((((((((((((( snapshot@2008-12-17_10.03.13.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-12-17 23:37:34 12,234,752 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-12-17 23:37:35 540,672 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-12-17 23:36:40 12,234,752 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-12-17 23:36:40 540,672 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-12-13 14:34:41 1,615,504 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-17 18:37:00 1,615,504 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-29 01:49:40 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 1957888]
"SalaatTime"="c:\program files\Salaat Time\SalaatTime.exe" [2007-08-26 13443072]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"HostManager"="c:\program files\Common Files\AOL\1155127143\EE\AOLHostManager.exe" [2004-11-03 125528]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 344064]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-29 136600]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-10 185896]

c:\documents and settings\Owner.YOUR-9552AE6F51\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-05-25 303104]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-03-18 1703112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.DIV3"= DIVXc32.dll
"vidc.DIV4"= DIVXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-07 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-07 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-07 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-07 76040]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2006-08-09 200576]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\DRIVERS\el575nd5.sys [2006-08-09 69692]
S3 ir100;ir100;c:\windows\system32\DRIVERS\ir100.sys [2007-08-23 16896]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\DRIVERS\pwi_bus.sys [2006-11-11 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\DRIVERS\pwi_mdfl.sys [2006-11-11 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\DRIVERS\pwi_mdm.sys [2006-11-11 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\DRIVERS\pwi_oflt.sys [2006-11-11 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\pwi_serd.sys [2006-11-11 69632]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\DRIVERS\s3017bus.sys [2008-09-27 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s3017mdfl.sys [2008-09-27 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s3017mdm.sys [2008-09-27 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s3017mgmt.sys [2008-09-27 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\DRIVERS\s3017nd5.sys [2008-09-27 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s3017obex.sys [2008-09-27 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\DRIVERS\s3017unic.sys [2008-09-27 110120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{157ced9c-f150-11dc-b163-0014a542f703}]
\Shell\AutoRun\command - H:\autorun.exe
\Shell\phone\command - H:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{293f5fa7-aac5-11dd-b1dc-0014a542f703}]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92695312-733a-11dd-b1a7-0014a542f703}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{582610B8-E496-4813-993C-4B027173FE38}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Awasu workpad - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\awasu4
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open in Awasu - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\awasu5
IE: Open in default browser - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\awasu6
IE: Subscribe in A&wasu - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\awasu7
FF - ProfilePath - c:\documents and settings\Owner.YOUR-9552AE6F51\Application Data\Mozilla\Firefox\Profiles\wxplvy0l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 20:50:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\COMMON~1\AOL\115512~1\EE\AOLServiceHost.exe
c:\program files\Orbitdownloader\orbitnet.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-28 20:56:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 01:56:17
ComboFix2.txt 2008-12-27 07:46:08
ComboFix3.txt 2008-12-17 15:54:46
ComboFix4.txt 2008-12-17 15:04:12

Pre-Run: 36,575,260,672 bytes free
Post-Run: 36,497,182,720 bytes free

267 --- E O F --- 2008-12-12 08:19:06

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:07 PM

Posted 29 December 2008 - 10:06 AM

Hello, zronin99
We need to execute a batch file.
  • Go to Start -> Run, and type "notepad" into the box.
  • Press ok.
  • Copy and paste the following code into notepad:
    @echo off
    REM Write the full IP configuration to a temporary log file in the current folder
    ipconfig /all > log.txt
    REM Open the log in Notepad so its contents can be copied into a reply
    start notepad log.txt
    REM Pause one second so Notepad has loaded the file before it is deleted
    REM (uses NirCmd's wait command; nircmd.exe must be available on this machine)
    nircmd wait 1000
    REM Clean up: remove the log and this batch file itself
    del log.txt
    del fix.bat
  • Go to File -> Save
  • To the right of "Save as Type:" in the bottom of the window, change the ComboBox to "All Files"
  • Enter fix.bat into the "File name:" box just above the "Save as Type" box.
  • Double click fix.bat on your desktop.
BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#15 zronin99

zronin99
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Male
  • Local time:03:07 PM

Posted 29 December 2008 - 06:25 PM

Here you go:

Windows IP Configuration

Host Name . . . . . . . . . . . . : YOUR-9552AE6F51
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : 00-E0-B8-8D-BC-EB
