
Whatever it is really got me bad


  • This topic is locked
36 replies to this topic

#16 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 13 January 2009 - 03:16 PM

That's fine with me.

The Panda



#17 dryice1987 (Topic Starter, Members, 28 posts)

Posted 14 January 2009 - 08:46 PM

OK, Panda, ran what you suggested.

Log was as follows, also attaching the text file:

ComboFix 09-01-13.03 - Mark 2009-01-13 19:04:24.5 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.282 [GMT -6:00]
Running from: c:\documents and settings\Mark\My Documents\Combo-Fix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt
FW: McAfee Personal Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NENUM13E
-------\Legacy_WINCI63
-------\Legacy_WINDQ32
-------\Legacy_WINEL16
-------\Legacy_WINHF11
-------\Legacy_WINHM52
-------\Legacy_WINNM73
-------\Legacy_WINQG02
-------\Legacy_WINRU63
-------\Legacy_WINSN80
-------\Legacy_WINVM42
-------\Legacy_WINVY64
-------\Legacy_WINYI13
-------\Service_nenum13E
-------\Service_Winci63
-------\Service_Windq32
-------\Service_Winel16
-------\Service_Winhf11
-------\Service_Winhm52
-------\Service_Winnm73
-------\Service_Winqg02
-------\Service_Winru63
-------\Service_Winsn80
-------\Service_Winvm42
-------\Service_Winvy64
-------\Service_Winyi13


((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-11 16:34 . 2009-01-11 16:38 250 --a------ c:\windows\gmer.ini
2009-01-09 14:21 . 2009-01-09 14:22 <DIR> d-------- c:\documents and settings\TEMP.D4PQXV31.001
2009-01-07 21:01 . 2009-01-07 21:01 <DIR> d-------- c:\documents and settings\TEMP.D4PQXV31.000
2009-01-07 19:23 . 2009-01-07 19:23 <DIR> d-------- c:\documents and settings\TEMP.D4PQXV31
2009-01-05 20:07 . 2009-01-05 20:07 <DIR> d-------- c:\program files\Alwil Software
2009-01-03 14:46 . 2009-01-03 14:46 164 --a------ C:\install.dat
2009-01-01 17:40 . 2009-01-01 17:40 <DIR> d-------- c:\documents and settings\Administrator.D4PQXV31\Application Data\Malwarebytes
2009-01-01 17:39 . 2003-12-03 16:27 <DIR> d-------- c:\documents and settings\Administrator.D4PQXV31\Application Data\Sonic
2009-01-01 17:39 . 2003-12-03 16:25 <DIR> d-------- c:\documents and settings\Administrator.D4PQXV31\Application Data\Jasc Software Inc
2009-01-01 17:39 . 2007-07-26 19:52 <DIR> d-------- c:\documents and settings\Administrator.D4PQXV31\Application Data\Gtek
2009-01-01 17:39 . 2003-12-03 16:17 <DIR> d-------- c:\documents and settings\Administrator.D4PQXV31\Application Data\Creative
2009-01-01 17:39 . 2009-01-01 17:39 <DIR> d-------- c:\documents and settings\Administrator.D4PQXV31
2008-12-30 19:30 . 2008-12-30 19:30 <DIR> d-------- c:\documents and settings\Andy\Application Data\Malwarebytes
2008-12-29 21:11 . 2008-12-29 21:11 <DIR> d-------- c:\documents and settings\Dan\Application Data\Malwarebytes
2008-12-29 17:37 . 2008-12-29 17:37 <DIR> d-------- c:\documents and settings\TEMP
2008-12-28 13:55 . 2008-12-28 13:55 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 00:13 --------- d-----w c:\documents and settings\Mark\Application Data\Yahoo!
2008-12-28 22:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-02 00:48 --------- d-----w c:\documents and settings\Dan\Application Data\Grisoft
2008-12-02 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-02 00:38 --------- d-----w c:\documents and settings\Dan\Application Data\McAfee
2008-12-01 21:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-29 03:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-29 02:04 --------- d-----w c:\program files\CCleaner
2008-11-27 14:32 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-27 14:31 --------- d-----w c:\program files\TrojanHunter 5.0
2008-11-25 22:08 --------- d-----w c:\program files\McAfee
2008-11-25 21:56 --------- d-----w c:\program files\LimeWire
2008-11-25 21:55 --------- d-----w c:\program files\DVDVideoSoft
2008-11-25 21:55 --------- d-----w c:\program files\Common Files\DVDVIDEOSOFT
2008-11-23 19:18 --------- d-----w c:\documents and settings\Mark\Application Data\Malwarebytes
2008-11-23 19:18 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 14:17 --------- d-----w c:\documents and settings\Dan\Application Data\Move Networks
2008-10-30 23:38 103,856 ----a-w c:\documents and settings\Dan\Application Data\GDIPFONTCACHEV1.DAT
2008-07-10 15:51 643,072 ----a-w c:\program files\iPodUpdaterExt.dll
2008-07-10 15:51 5,692 ----a-w c:\program files\About iTunes.rtf
2008-07-10 15:51 438,272 ----a-w c:\program files\CDDBControlApple.dll
2008-07-10 15:51 289,064 ----a-w c:\program files\iTunesHelper.exe
2008-07-10 15:51 283,136 ----a-w c:\program files\iTunesOutlookAddIn.dll
2008-07-10 15:51 20,246,824 ----a-w c:\program files\iTunes.exe
2008-07-10 15:51 172,544 ----a-w c:\program files\iTunesPhotoSupport.dll
2008-07-10 15:51 132,392 ----a-w c:\program files\iTunesMiniPlayer.dll
2008-07-10 15:51 116,008 ----a-w c:\program files\ITDetector.ocx
2008-07-10 15:51 108,328 ----a-w c:\program files\iTunesAdmin.dll
2008-07-10 15:48 8,356 ----a-w c:\program files\Acknowledgements.rtf
2006-09-21 01:34 102,656 -c--a-w c:\documents and settings\Andy\Application Data\GDIPFONTCACHEV1.DAT
2006-02-12 23:42 97,952 -c--a-w c:\documents and settings\Mark\Application Data\GDIPFONTCACHEV1.DAT
2006-01-06 03:15 20,921,040 -c--a-w c:\program files\AdbeRdr705_enu_full.exe
2005-10-13 23:39 97,560 -c--a-w c:\documents and settings\Sandy\Application Data\GDIPFONTCACHEV1.DAT
2005-03-26 02:54 3,566,394 ----a-w c:\program files\windowsinstaller.zip
2004-08-04 07:56 35,741 -c--a-w c:\documents and settings\Andy\08770877.dat
2002-08-29 11:00 35,741 -c--a-w c:\documents and settings\Mark\08770877.dat
2008-08-26 21:16 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
2008-08-26 21:16 49,152 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2005-03-10 126976]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2005-03-10 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2005-03-10 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2005-03-10 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunesHelper.exe" [2008-07-10 289064]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2008-10-24 1056928]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 c:\windows\LOGI_MWX.EXE]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\SYSTEM32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2005-12-08 c:\windows\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\John\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2005-03-10 20:23 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-03-09 19:10 11776 c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2005-03-10 20:23 380928 c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2005-03-10 20:23 86016 c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2003-12-09 11:03 57344 c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2005-04-22 18:49 397312 c:\progra~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-12-10 03:06 1519616 c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
--a------ 2005-12-08 10:51 25600 c:\windows\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YPCService"=3 (0x3)
"DownloadManagerLite"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 PzWDM;PzWDM;c:\windows\SYSTEM32\DRIVERS\PzWDM.sys [2008-03-10 15172]
S1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2009-01-05 111184]
S4 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [2009-01-05 20560]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-10-12 24652]
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Winyi13.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
Trusted Zone: *.yahoo.com
TCP: {87379A36-DA09-4AD0-A855-2EFAB293650B} = 208.67.220.220,208.67.222.222
TCP: {CEDABB45-14B4-4979-AFCC-64A88D2F189E} = 208.67.220.220,208.67.222.222

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

- c:\windows\Downloaded Program Files\RhapX.inf

c:\windows\SYSTEM32\msvbvm60.dll - c:\windows\SYSTEM32\oleaut32.dll
c:\windows\SYSTEM32\olepro32.dll
c:\windows\SYSTEM32\asycfilt.dll
c:\windows\SYSTEM32\stdole2.tlb
c:\windows\SYSTEM32\comcat.dll
O16 -: {3527C5BD-4A46-4362-94B6-12341D087A4B}
hxxp://echospin.com/wizard/files/esWizard.cab
c:\windows\Downloaded Program Files\esProxy.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 19:13:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\l3codeca.acm
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2009-01-13 19:24:13 - machine was rebooted [Mark]
ComboFix-quarantined-files.txt 2009-01-14 01:24:10
ComboFix2.txt 2009-01-13 01:40:27

Pre-Run: 28,315,353,088 bytes free
Post-Run: 28,288,294,912 bytes free

244 --- E O F --- 2008-10-24 03:27:03

Attached file: log.txt (15.11KB)


#18 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 15 January 2009 - 08:25 AM

Hello.

Looks good. Let's check for anything left.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please also include a fresh DDS or HijackThis log.

With Regards,
The Panda

#19 dryice1987 (Topic Starter, Members, 28 posts)

Posted 15 January 2009 - 09:23 AM

Thanks, Panda. I'll run these other two scans tonight, then will run another HJT scan and post the log.

#20 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 15 January 2009 - 11:56 AM

Okay.

The Panda

#21 dryice1987 (Topic Starter, Members, 28 posts)

Posted 15 January 2009 - 08:00 PM

Panda:

Ran the ATF with no problem. The F-Secure did not load. When I hit "start scan" I just got what looked to be an initial start page with the frame, but nothing inside it, or that would let me even click on a tab. It said "done" in the lower corner, and I left it on for a while. Went to their FAQs to try and troubleshoot it without success. Maybe it doesn't load in Safe Mode?

Anyway, here is the latest HJT log. Hope it helps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:48 PM, on 1/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
O4 - HKUS\S-1-5-21-3553749729-4063834217-364244784-1010\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup (User 'John')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - http://echospin.com/wizard/files/esWizard.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/webplayer/stage6/...owserPlugin.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87379A36-DA09-4AD0-A855-2EFAB293650B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEDABB45-14B4-4979-AFCC-64A88D2F189E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9655 bytes

#22 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 16 January 2009 - 08:05 AM

Hello.

Are you able to boot into normal mode? If so run all tools from normal mode.
Please uninstall one antivirus and post back a new HijackThis log from after.

With Regards,
The Panda

#23 dryice1987 (Topic Starter, Members, 28 posts)

Posted 16 January 2009 - 02:30 PM

Ok, I'll try this over the weekend. I tried to boot up in normal mode a couple of nights ago. Didn't work. After the Windows screen appeared, it just went black for a really long time, then BSOD. I'll try again. Assuming that I can get it booted in normal mode, do you want me to start from the beginning with the whole ComboFix, gmer, ComboFix with CFScript, ATF progression?

You also mention to uninstall one antivirus. Not sure what that means. Which one? Or does it matter?

Thanks again

#24 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 16 January 2009 - 04:23 PM

Hello.

No, there is no need to repeat those.

You should only have one AV installed. It doesn't matter which is removed.

With Regards,
The Panda
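
Taking the HijackThis log in post #21 together with the advice above to keep only one antivirus, here is an added triage script. It is example code written for this page, not something from the thread, from HijackThis or from any of the products named in the log. It parses the O4, O16, O17 and O23 lines and flags what an analyst would check first: startup entries given as a bare filename (found via PATH, so the file has to be located before it can be judged), ActiveX controls with no registered description, DNS resolvers outside an expected set, and services with no company name in their version info or a missing file. It also lists which security-product vendors appear among the services, which is the quick way to see that avast!, McAfee and AVG are all installed side by side on this machine. The resolver allowlist (the two OpenDNS addresses that appear in the O17 lines), the vendor keyword table and the flagging heuristics are assumptions of this example; the sample lines are excerpted from the log above.

```python
import re

# Assumption of this example: the resolvers the analyst expects on this machine.
# The two addresses below are the OpenDNS resolvers that appear in the O17 lines.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Assumption of this example: substrings of service names that identify a
# security product vendor. Extend it for the products present on a given box.
VENDOR_KEYWORDS = {
    "avast": "ALWIL/avast",
    "mcafee": "McAfee",
    "avg": "AVG/Grisoft",
    "grisoft": "AVG/Grisoft",
}

# Line shapes as HijackThis 2.0.x prints them.
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Sample input, excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - http://echospin.com/wizard/files/esWizard.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87379A36-DA09-4AD0-A855-2EFAB293650B}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
"""


def _executable(cmd):
    """Return the program part of an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text, known_resolvers=KNOWN_RESOLVERS):
    """Return {'findings': [(code, reason, line), ...], 'vendors': [...]}."""
    findings = []
    vendors = set()
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = _executable(m.group("cmd"))
            # No directory component: Windows searches PATH for it at logon.
            if "\\" not in exe and not exe.startswith("%"):
                findings.append(("O4", f"bare executable name '{exe}' is resolved via PATH; "
                                       "locate the file before judging it", line))
            continue
        m = O16_RE.match(line)
        if m:
            if not m.group("desc"):
                findings.append(("O16", f"ActiveX {m.group('clsid')} has no registered "
                                        f"description; identify the CAB at {m.group('url')}", line))
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split(","):
                server = server.strip()
                if server not in known_resolvers:
                    findings.append(("O17", f"unexpected resolver {server}", line))
            continue
        m = O23_RE.match(line)
        if m:
            lowered = m.group("name").lower()
            for keyword, vendor in VENDOR_KEYWORDS.items():
                if keyword in lowered:
                    vendors.add(vendor)
            # HijackThis prints 'Unknown owner' when the file carries no company name.
            if m.group("owner") == "Unknown owner":
                findings.append(("O23", f"service '{m.group('name')}' has no company name "
                                        "in its version info", line))
            if m.group("path").endswith("(file missing)"):
                findings.append(("O23", f"service '{m.group('name')}' points at a missing file", line))
    return {"findings": findings, "vendors": sorted(vendors)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for code, reason, line in result["findings"]:
        print(f"[{code}] {reason}\n    {line}")
    print("security product vendors seen in services:", ", ".join(result["vendors"]))
    if len(result["vendors"]) > 1:
        print("more than one security product is installed; keep one real-time AV")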

#25 dryice1987 (Topic Starter, Members, 28 posts)

Posted 16 January 2009 - 05:32 PM

OK, just so I am clear, what tools should I run if I can boot in normal mode?


I'll drop all the extra AV.

Thanks

#26 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 16 January 2009 - 05:47 PM

Let's just see if we can get it booting in normal mode.

The Panda

#27 dryice1987 (Topic Starter, Members, 28 posts)

Posted 16 January 2009 - 06:06 PM

Ok, that's what we'll do. Thanks for your continued help.

#28 dryice1987 (Topic Starter, Members, 28 posts)

Posted 19 January 2009 - 09:11 PM

OK, tried to boot up twice in normal mode, neither worked. Goes to Windows screen then goes black for about two minutes. Then to blue screen. But both times blue screen had the following message:

"Problem has been detected and Windows has shut down. Problem seems to be caused by the following file: nv4_dsp.

Device driver got stuck in an infinite loop. This usually indicates a problem with the device itself or with the device driver programming the hardware incorrectly."

Any ideas what this might be?

#29 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 20 January 2009 - 08:22 AM

Hello..

That file is related to Nvidia graphics cards.

Could you give me some info on your card?

We could try installing an update for the driver.

With Regards,
The Panda

#30 dryice1987 (Topic Starter, Members, 28 posts)

Posted 20 January 2009 - 04:22 PM

OK, I'll check tonight for graphics card info.



