
Antivirus 2009


  • This topic is locked
14 replies to this topic

#1 Adi11968


  • Members
  • 9 posts
  • Gender:Female

Posted 07 January 2009 - 06:43 PM

Hi
I have a problem with my computer because of a fake Microsoft Antivirus 2009... I've already tried to repair it by using Malwarebytes' Anti-Malware and I've deleted all the 85 infected files (HKEY_CLASSES, HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, system32) and my internet still shows me this message and I can't get rid of it:
Posted Image

It also shows me the fake Google tip...


PLEASE HELP ME!!!

here is the DDS document:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Administrator at 1:21:33.64 on Thu 01/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1037.18.446.113 [GMT 2:00]

AV: AVG 7.5.524 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\Prismsvr.exe
C:\Program Files\802.11g USB2.0 adapter\WiFiCFG.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\BGames\GPlayer.exe
C:\Program Files\Media Key\MagicKey.exe
C:\Program Files\Media Key\OSD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\שולחן העבודה\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://google.icq.com
uSearch Bar = hxxp://google.icq.com/search/search_frame.php
uStart Page = hxxp://awesomestart.com/ledzeppelin/
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: &Research: {0b014b81-4e12-46f9-806f-55867af8fd3c} - c:\windows\system32\winsystems.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DealioBHO Class: {6a87b991-a31f-4130-ae72-6d0c294bf082} - c:\program files\dealio\kb106\Dealio.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~2\MEGAUP~1.DLL
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Dealio: {e67c74f4-a00a-4f2c-9fec-fd9dc004a67f} - c:\program files\dealio\kb106\Dealio.dll
TB: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~2\MEGAUP~1.DLL
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
EB: Dealio: {5c4c24d0-28b6-4b6b-b70f-e09848367f10} - c:\program files\dealio\kb106\Dealio.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Exetender] c:\program files\bgames\GPlayer.exe /runonstartup
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [PRISMSVR.EXE] Prismsvr.exe /apply
mRun: [WiFiCFG.EXE] c:\program files\802.11g usb2.0 adapter\WiFiCFG.EXE
mRun: [au] c:\program files\dealio\DealioAU.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [My Web Search Bar] rundll32 c:\progra~1\mywebs~1\bar\2.bin\MWSBAR.DLL,S
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\94ae~1\d9f0~1\76ef~1\mediak~1.lnk - c:\program files\media key\MagicKey.exe
IE: &Search
IE: &יצא ל- Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Compare Prices with &Dealio - c:\program files\dealio\kb106\res\DealioSearch.html
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E908B145-C847-4e85-B315-07E2E70DECF8} - {9F038672-0425-4792-BC9C-36DE3308E8AA} - c:\program files\dealio\kb106\Dealio.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-2-25 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-2-25 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-2-25 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-2-25 10760]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-10-25 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [2008-10-25 9291]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2007-2-25 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2007-2-25 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2007-2-25 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-2-25 4960]
R4 X4HSX32Ex;X4HSX32Ex;c:\program files\bgames\X4HSX32Ex.sys [2008-9-15 29856]
S4 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\2.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\2.bin\mwssvc.exe [?]

=============== Created Last 30 ================

2009-01-08 00:32 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-01-08 00:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-08 00:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 00:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 00:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 19:10 <DIR> --d----- c:\program files\Lavasoft
2009-01-07 19:08 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-07 14:46 53,248 a------- c:\windows\system32\ddcCUkhh.dll
2009-01-07 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Babylon
2009-01-07 14:43 <DIR> --d----- c:\docume~1\admini~1\applic~1\Babylon
2009-01-07 13:30 <DIR> --d----- c:\program files\YoGen
2009-01-06 13:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SRS Labs
2009-01-05 22:46 <DIR> --d----- c:\program files\KaraFun
2009-01-05 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Recisio
2009-01-05 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\YoGen
2009-01-05 22:03 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-05 22:01 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-01-05 22:01 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-05 22:01 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-05 22:01 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-05 22:01 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-01-05 22:01 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-01-05 22:01 117,760 -------- c:\windows\system32\prntvpt.dll
2009-01-05 22:01 <DIR> --d----- C:\1508c0a53d16e90310224cbfb87b
2009-01-05 21:59 <DIR> --d----- c:\program files\AnalogX
2009-01-02 00:53 <DIR> --d----- c:\docume~1\admini~1\applic~1\Megaupload
2009-01-02 00:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Megaupload
2009-01-02 00:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EmailNotifier
2009-01-02 00:52 <DIR> --d----- c:\docume~1\admini~1\applic~1\EmailNotifier
2009-01-02 00:52 <DIR> --d----- c:\program files\MegauploadToolbar
2009-01-02 00:52 <DIR> --d----- c:\docume~1\admini~1\applic~1\MegauploadToolbar
2009-01-02 00:52 <DIR> --d----- c:\program files\Megaupload
2008-12-23 16:52 <DIR> --d----- c:\program files\iTunes
2008-12-23 16:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 16:04 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-15 01:18 26,112 ac------ c:\windows\system32\dllcache\usbser.sys
2008-12-15 01:18 26,112 a------- c:\windows\system32\drivers\usbser.sys
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll

==================== Find3M ====================

2009-01-05 22:05 345,584 a------- c:\windows\system32\perfh00d.dat
2009-01-05 22:05 67,296 a------- c:\windows\system32\perfc00d.dat
2009-01-05 21:54 737,280 a------- c:\windows\iun6002.exe
2008-12-19 16:03 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-17 02:14 2,828 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-11-16 23:32 8 ---shr-- c:\docume~1\alluse~1\applic~1\81DA373DB8.sys
2008-10-23 14:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 03:01 662,528 a------- c:\windows\system32\wininet.dll
2008-09-28 11:15 25,600 a------- c:\documents and settings\administrator\usbsermptxp.sys
2008-09-28 11:15 22,768 a------- c:\documents and settings\administrator\usbsermpt.sys
2008-07-29 16:47 87,608 a------- c:\docume~1\admini~1\applic~1\inst.exe
2008-07-29 16:47 47,360 a------- c:\docume~1\admini~1\applic~1\pcouffin.sys

============= FINISH: 1:22:12.53 ===============

Edited by Adi11968, 07 January 2009 - 06:54 PM.



#2 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 08 January 2009 - 04:32 AM

Hi,

Please update your AVG to AVG8, because you're still running an older version.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 Adi11968

  • Topic Starter

  • Members
  • 9 posts
  • Gender:Female

Posted 08 January 2009 - 06:39 AM

Thanks for your reply...
Here's the ComboFix log:


ComboFix 09-01-07.02 - Administrator 01/08/2009 13:25:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.1.1037.18.446.170 [GMT 2:00]
Running from: c:\documents and settings\Administrator\שולחן העבודה\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\שולחן העבודה\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\admxxx\_INSTALL.EXE
c:\documents and settings\Administrator\Application Data\FunWebProducts
c:\documents and settings\Administrator\Application Data\inst.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\system32\ddcCUkhh.dll
c:\windows\system32\win32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-07-12 14:54 --------- d-----w c:\program files\Player Tool
2015-07-11 18:25 --------- d-----w c:\program files\Ubisoft
2015-07-11 17:26 --------- d-----w c:\documents and settings\Administrator\Application Data\CyberLink
2015-07-11 17:23 --------- d-----w c:\program files\CyberLink
2015-07-11 17:23 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2015-07-09 09:48 --------- d-----w c:\program files\Dealio
2015-06-22 15:09 --------- d-----w c:\program files\Secured_eMule
2015-06-22 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\BufferZone
2015-06-21 19:06 --------- d-----w c:\program files\ICQToolbar
2015-06-08 17:36 --------- d-----w c:\program files\Setup
2015-05-29 17:48 --------- d-----w c:\documents and settings\Administrator\Application Data\DivX
2015-05-29 10:17 --------- d-----w c:\program files\ICQLite
2015-05-28 17:14 --------- d-----w c:\documents and settings\Administrator\Application Data\BSplayer Pro
2015-05-28 11:16 --------- d-----w c:\documents and settings\Administrator\Application Data\Talkback
2015-05-28 09:51 --------- d-----w c:\documents and settings\Administrator\Application Data\ICQLite
2015-05-27 13:14 15,781 ----a-w c:\windows\system32\drivers\mdc8021x.sys
2015-05-27 13:14 --------- d-----w c:\program files\802.11g USB2.0 adapter
2015-05-27 13:14 --------- d-----w c:\documents and settings\All Users\Application Data\Prism
2009-01-08 00:18 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-08 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-08 00:13 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-08 00:13 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-01-08 00:13 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 00:13 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 00:13 --------- d-----w c:\program files\Symantec
2009-01-08 00:13 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-01-08 00:12 35,888 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-01-08 00:12 --------- d-----w c:\program files\Windows Sidebar
2009-01-08 00:12 --------- d-----w c:\program files\Norton Internet Security
2009-01-08 00:11 --------- d-----w c:\program files\NortonInstaller
2009-01-08 00:06 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-08 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-07 22:59 --------- d-----w c:\documents and settings\Administrator\Application Data\MegauploadToolbar
2009-01-07 22:56 --------- d-----w c:\program files\eMule
2009-01-07 22:32 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-07 22:31 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-07 22:31 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-07 17:12 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-07 17:10 --------- d-----w c:\program files\Lavasoft
2009-01-07 17:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-07 15:33 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2009-01-07 13:31 --------- d-----w c:\program files\AviSynth 2.5
2009-01-07 12:43 --------- d-----w c:\documents and settings\All Users\Application Data\Babylon
2009-01-07 12:43 --------- d-----w c:\documents and settings\Administrator\Application Data\Babylon
2009-01-07 11:30 --------- d-----w c:\program files\YoGen
2009-01-06 11:32 --------- d-----w c:\documents and settings\All Users\Application Data\SRS Labs
2009-01-05 20:46 --------- d-----w c:\program files\KaraFun
2009-01-05 20:46 --------- d-----w c:\documents and settings\All Users\Application Data\Recisio
2009-01-05 20:40 --------- d-----w c:\documents and settings\All Users\Application Data\YoGen
2009-01-05 20:03 --------- d-----w c:\program files\MSBuild
2009-01-05 20:02 --------- d-----w c:\program files\Reference Assemblies
2009-01-05 19:59 --------- d-----w c:\program files\AnalogX
2009-01-05 19:54 737,280 ----a-w c:\windows\iun6002.exe
2009-01-04 16:39 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 16:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-01 22:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Megaupload
2009-01-01 22:52 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 22:52 --------- d-----w c:\program files\MegauploadToolbar
2009-01-01 22:52 --------- d-----w c:\program files\Megaupload
2009-01-01 22:52 --------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2009-01-01 22:52 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2009-01-01 22:52 --------- d-----w c:\documents and settings\Administrator\Application Data\EmailNotifier
2009-01-01 21:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-23 15:20 --------- d-----w c:\program files\Apple Software Update
2008-12-23 15:19 --------- d-----w c:\program files\Bonjour
2008-12-23 14:53 --------- d-----w c:\program files\iTunes
2008-12-23 14:53 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-23 14:52 --------- d-----w c:\program files\iPod
2008-12-23 14:50 --------- d-----w c:\program files\QuickTime
2008-12-23 14:24 --------- d-----w c:\program files\Safari
2008-12-19 14:03 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-19 14:03 --------- d-----w c:\program files\Java
2008-12-18 01:07 --------- d-----w c:\program files\mobile PhoneTools
2008-12-14 23:18 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2008-12-14 23:13 --------- d-----w c:\program files\Banner Maker Pro 7
2008-12-12 09:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 09:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-01 13:10 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-01 12:29 --------- d-----w c:\documents and settings\Administrator\Application Data\gtk-2.0
2008-11-30 22:54 --------- d-----w c:\program files\Microsoft GIF Animator
2008-11-29 18:28 --------- d-----w c:\program files\K-Lite Codec Pack
2008-11-29 18:27 --------- d-----w c:\program files\AML Products
2008-11-29 18:20 --------- d-----w c:\program files\SoundInDepth.com
2008-11-26 17:57 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-26 17:33 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-11-17 14:40 --------- d-----w c:\program files\Common Files\Adobe
2008-11-17 00:22 --------- d-----w c:\program files\Corel
2008-11-17 00:14 2,828 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-11-16 22:30 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-16 21:56 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-11-16 21:32 8 --sh--r c:\documents and settings\All Users\Application Data\81DA373DB8.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 12:08 34,328 ----a-w c:\windows\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B014B81-4E12-46F9-806F-55867AF8FD3C}]
08/03/2004 10:59 PM 311808 --a------ c:\windows\system32\winsystems.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-C39E-35F1D2A32EC8}]
08/04/2008 10:44 PM 1947080 --a------ c:\progra~1\MEGAUP~2\MEGAUP~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "c:\progra~1\MEGAUP~2\MEGAUP~1.DLL" [08/04/2008 10:44 PM 1947080]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "c:\progra~1\MEGAUP~2\MEGAUP~1.DLL" [08/04/2008 10:44 PM 1947080]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-c39e-35f1d2a32ec8}]
[HKEY_CLASSES_ROOT\megauploadtoolbar.MEGAUPLOADTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/01/2006 01:32 PM 94208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [04/14/2008 04:17 AM 15360]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [09/05/2008 12:54 PM 133104]
"Exetender"="c:\program files\BGames\GPlayer.exe" [05/15/2008 01:49 PM 1958400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [09/15/2006 12:04 AM 540672]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [07/13/2006 07:28 AM 57344]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40 PM 155648]
"WiFiCFG.EXE"="c:\program files\802.11g" [BU]
"au"="c:\program files\Dealio\DealioAU.exe" [06/27/2007 12:46 PM 238936]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 07:42 PM 32768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [08/04/2008 01:02 AM 36352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [08/25/2008 08:08 PM 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [12/19/2008 04:03 PM 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [11/04/2008 10:30 AM 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [11/20/2008 01:20 PM 290088]
"VTTimer"="VTTimer.exe" [09/15/2006 12:07 AM 53248 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [09/15/2006 12:07 AM 176128 c:\windows\system32\VTTrayp.exe]
"NWEReboot"="" [BU]
"PRISMSVR.EXE"="Prismsvr.exe" [03/21/2005 01:24 PM 295001 c:\windows\system32\PRISMSVR.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [04/14/2008 04:17 AM 15360]

c:\documents and settings\All Users\š šŒ\šš\Œ\
Media Key.lnk - c:\program files\Media Key\MagicKey.exe [2008-10-25 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1000000.07D\SymEFA.sys [2009-01-08 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1000000.07D\BHDrvx86.sys [2009-01-08 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1000000.07D\ccHPx86.sys [2009-01-08 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081220.001\IDSxpx86.sys [2009-01-08 274808]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-10-25 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [2008-10-25 9291]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-08 99376]
R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [2009-01-08 115560]
R4 X4HSX32Ex;X4HSX32Ex;c:\program files\BGames\X4HSX32Ex.sys [2008-09-15 29856]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-09-17 549159]
.
Contents of the 'Scheduled Tasks' folder

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [07/30/2008 12:34 PM]

2009-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-706699826-725345543-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [09/05/2008 12:54 PM]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://awesomestart.com/ledzeppelin/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Compare Prices with &Dealio - c:\program files\Dealio\kb106\res\DealioSearch.html
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 13:27:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck = c:\program files\VIAudioi\SBADeck\ADeck.exe 1???\ ?|????D:\VIA chips???????|???|?????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\  M*NULL*i*NULL*c*NULL*r*NULL*o*NULL*s*NULL*o*NULL*f*NULL*t*NULL* *NULL*M*NULL*a*NULL*n*NULL*a*NULL*g*NULL*e*NULL*m*NULL*e*NULL*n*NULL*t*NULL* *NULL*C*NULL*o*NULL*n*NULL*s*NULL*o*NULL*l*NULL*e*NULL*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\services.msc"
"File2"="c:\\WINDOWS\\system32\\devmgmt.msc"
.
Completion time: 01/08/2009 13:32:11
ComboFix-quarantined-files.txt 2009-01-08 11:32:07

Pre-Run: 62,560,292,864 bytes free
Post-Run: 62,549,544,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

250 --- E O F --- 2008-12-18 01:01:27

#4 Adi11968

  • Topic Starter

  • Members
  • 9 posts
  • Gender:Female

Posted 08 January 2009 - 06:41 AM

And here is the HijackThis log:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Administrator at 13:35:22.73 on Thu 01/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1037.18.446.69 [GMT 2:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\Prismsvr.exe
C:\Program Files\802.11g USB2.0 adapter\WiFiCFG.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\BGames\GPlayer.exe
C:\Program Files\Media Key\MagicKey.exe
C:\Program Files\Media Key\OSD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\שולחן העבודה\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://awesomestart.com/ledzeppelin/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: &Research: {0b014b81-4e12-46f9-806f-55867af8fd3c} - c:\windows\system32\winsystems.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
BHO: DealioBHO Class: {6a87b991-a31f-4130-ae72-6d0c294bf082} - c:\program files\dealio\kb106\Dealio.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.0.0.125\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~2\MEGAUP~1.DLL
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Dealio: {e67c74f4-a00a-4f2c-9fec-fd9dc004a67f} - c:\program files\dealio\kb106\Dealio.dll
TB: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~2\MEGAUP~1.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
EB: Dealio: {5c4c24d0-28b6-4b6b-b70f-e09848367f10} - c:\program files\dealio\kb106\Dealio.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Exetender] c:\program files\bgames\GPlayer.exe /runonstartup
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [PRISMSVR.EXE] Prismsvr.exe /apply
mRun: [WiFiCFG.EXE] c:\program files\802.11g usb2.0 adapter\WiFiCFG.EXE
mRun: [au] c:\program files\dealio\DealioAU.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\94ae~1\d9f0~1\76ef~1\mediak~1.lnk - c:\program files\media key\MagicKey.exe
IE: &Search
IE: &יצא ל- Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Compare Prices with &Dealio - c:\program files\dealio\kb106\res\DealioSearch.html
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E908B145-C847-4e85-B315-07E2E70DECF8} - {9F038672-0425-4792-BC9C-36DE3308E8AA} - c:\program files\dealio\kb106\Dealio.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1000000.07d\SymEFA.sys [2009-1-8 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1000000.07d\BHDrvx86.sys [2009-1-8 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1000000.07d\ccHPx86.sys [2009-1-8 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081220.001\IDSxpx86.sys [2009-1-8 274808]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-10-25 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [2008-10-25 9291]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-8 99376]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [2009-1-8 115560]
R4 X4HSX32Ex;X4HSX32Ex;c:\program files\bgames\X4HSX32Ex.sys [2008-9-15 29856]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090107.032\NAVENG.SYS [2009-1-7 89104]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090107.032\NAVEX15.SYS [2009-1-7 876112]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-9-17 549159]

=============== Created Last 30 ================

2009-01-08 13:22 <DIR> a-dshr-- C:\cmdcons
2009-01-08 13:19 <DIR> --d----- C:\ComboFix
2009-01-08 12:48 161,792 a------- c:\windows\SWREG.exe
2009-01-08 12:48 98,816 a------- c:\windows\sed.exe
2009-01-08 03:07 <DIR> --d----- C:\_OTMoveIt
2009-01-08 02:13 35,888 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-01-08 02:13 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 02:13 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-08 02:13 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 02:13 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-08 02:12 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-01-08 02:12 <DIR> --d----- c:\program files\Norton Internet Security
2009-01-08 02:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-01-08 02:11 <DIR> --d----- c:\program files\NortonInstaller
2009-01-08 02:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-08 00:32 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-01-08 00:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-08 00:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 00:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 00:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 19:10 <DIR> --d----- c:\program files\Lavasoft
2009-01-07 19:08 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-07 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Babylon
2009-01-07 14:43 <DIR> --d----- c:\docume~1\admini~1\applic~1\Babylon
2009-01-07 13:30 <DIR> --d----- c:\program files\YoGen
2009-01-06 13:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SRS Labs
2009-01-05 22:46 <DIR> --d----- c:\program files\KaraFun
2009-01-05 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Recisio
2009-01-05 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\YoGen
2009-01-05 22:03 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-05 22:01 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-01-05 22:01 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-05 22:01 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-05 22:01 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-05 22:01 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-01-05 22:01 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-01-05 22:01 117,760 -------- c:\windows\system32\prntvpt.dll
2009-01-05 22:01 <DIR> --d----- C:\1508c0a53d16e90310224cbfb87b
2009-01-05 21:59 <DIR> --d----- c:\program files\AnalogX
2009-01-02 00:53 <DIR> --d----- c:\docume~1\admini~1\applic~1\Megaupload
2009-01-02 00:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Megaupload
2009-01-02 00:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EmailNotifier
2009-01-02 00:52 <DIR> --d----- c:\docume~1\admini~1\applic~1\EmailNotifier
2009-01-02 00:52 <DIR> --d----- c:\program files\MegauploadToolbar
2009-01-02 00:52 <DIR> --d----- c:\docume~1\admini~1\applic~1\MegauploadToolbar
2009-01-02 00:52 <DIR> --d----- c:\program files\Megaupload
2008-12-23 16:52 <DIR> --d----- c:\program files\iTunes
2008-12-23 16:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 16:04 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-15 01:18 26,112 ac------ c:\windows\system32\dllcache\usbser.sys
2008-12-15 01:18 26,112 a------- c:\windows\system32\drivers\usbser.sys
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll

==================== Find3M ====================

2009-01-05 22:05 345,584 a------- c:\windows\system32\perfh00d.dat
2009-01-05 22:05 67,296 a------- c:\windows\system32\perfc00d.dat
2009-01-05 21:54 737,280 a------- c:\windows\iun6002.exe
2008-12-19 16:03 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-17 02:14 2,828 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-11-16 23:32 8 ---shr-- c:\docume~1\alluse~1\applic~1\81DA373DB8.sys
2008-10-23 14:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 03:01 662,528 a------- c:\windows\system32\wininet.dll
2008-09-28 11:15 25,600 a------- c:\documents and settings\administrator\usbsermptxp.sys
2008-09-28 11:15 22,768 a------- c:\documents and settings\administrator\usbsermpt.sys
2008-09-17 15:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2008-07-29 16:47 47,360 a------- c:\docume~1\admini~1\applic~1\pcouffin.sys

============= FINISH: 13:36:04.92 ===============

#5 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Gender: Female, Location: Belgium)

Posted 08 January 2009 - 09:02 AM

Hi,

I see you have the Megaupload Toolbar installed. I do not recommend this one. That's why I suggest you uninstall it.
Also, your Norton Internet Security: is this a legitimate version or a hacked version? Did you download it from the Symantec site or somewhere else? This is important to know, because I see a questionable related file present which may be malware, also because it runs as a hidden system file service, which makes it more suspicious. The strange thing is, I only see it with this version of Norton Internet Security and not with others. That's why I have the feeling that this is a "hacked" version and not downloaded via the Norton/Symantec site. Please correct me if wrong.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\winsystems.dll
Suspect::[8]
c:\program files\Norton2009Reset.exe
DDS::
IE: &Search
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B014B81-4E12-46F9-806F-55867AF8FD3C}]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
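The reasoning in the post above (a hidden, system-attributed executable that is also registered as a service, a dot-prefixed service name, a browser helper object DLL dropped straight into system32) can be turned into a small triage script. The following is an added example written for this page; it is not part of the thread, of DDS, or of ComboFix. The regular expressions are derived only from the line layouts visible in the logs posted here, the sample lines are copied from those logs, and the scoring weights are an assumption of this example, not a rule used by the helper.

```python
import re
from collections import defaultdict

# Constructed sample: every line below is copied from the DDS / ComboFix output
# posted in this thread, so both attribute layouts (DDS "a--sh---", ComboFix
# "--sha-r") and all three record types are exercised.
SAMPLE_LOG = r"""
2009-01-08 13:22 <DIR> a-dshr-- C:\cmdcons
2008-11-17 02:14 2,828 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-11-16 21:32 8 --sh--r c:\documents and settings\All Users\Application Data\81DA373DB8.sys
2008-10-23 14:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-09-17 13:16 549,159 --sha-r c:\program files\Norton2009Reset.exe
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1000000.07d\SymEFA.sys [2009-1-8 309296]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-09-17 549159]
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: &Research: {0b014b81-4e12-46f9-806f-55867af8fd3c} - c:\windows\system32\winsystems.dll
"""

# Record layouts as they appear in the thread's logs (assumption: derived from
# the visible lines, not from any tool documentation).
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>|-+)\s+"
    r"(?P<attrs>[a-z-]{6,9})\s+"
    r"(?P<path>[a-zA-Z]:\\.+?)\s*$"
)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[a-zA-Z]:\\.+?)\s+\[[^\]]*\]\s*$"
)
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?): \{(?P<clsid>[0-9a-fA-F-]{36})\} - (?P<path>.+?)\s*$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")


def triage(log_text):
    """Score each path mentioned in the log; returns {path: (score, [reasons])}.

    Weights are this example's own assumption: 2 points for a strong signal,
    1 for a supporting one. Keys are lower-cased so a file line and a service
    line naming the same binary merge into one finding.
    """
    findings = defaultdict(lambda: [0, []])

    def hit(path, points, reason):
        entry = findings[path.lower()]
        entry[0] += points
        entry[1].append(reason)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = FILE_RE.match(line)
        if m:
            attrs, size, path = m["attrs"], m["size"], m["path"]
            if size == "<DIR>" or "d" in attrs:
                continue  # directories such as C:\cmdcons carry s/h legitimately
            if "s" in attrs and "h" in attrs and path.lower().endswith(EXEC_EXT):
                hit(path, 2, f"hidden+system executable (attributes {attrs})")
            continue

        m = SERVICE_RE.match(line)
        if m:
            name, path = m["name"], m["path"]
            parent = path.lower().rsplit("\\", 1)[0]
            if name.startswith("."):
                hit(path, 1, f"service name {name!r} starts with a dot")
            if parent == r"c:\program files":
                hit(path, 1, "service binary sits directly in c:\\program files, not in a vendor folder")
            continue

        m = BHO_RE.match(line)
        if m:
            path = m["path"]
            if path.lower().rsplit("\\", 1)[0] == r"c:\windows\system32":
                hit(path, 2, "browser helper object DLL placed directly in system32")

    return {p: (score, reasons) for p, (score, reasons) in findings.items()}


def suspicious(log_text, min_score=2):
    """Paths whose combined score reaches min_score, highest score first."""
    ranked = sorted(triage(log_text).items(), key=lambda kv: -kv[1][0])
    return [path for path, (score, _) in ranked if score >= min_score]


if __name__ == "__main__":
    for path, (score, reasons) in triage(SAMPLE_LOG).items():
        print(f"{score:2d}  {path}")
        for reason in reasons:
            print(f"      - {reason}")
```

On the sample, Norton2009Reset.exe collects the most points because three independent lines agree on it, which is exactly the combination the helper reacted to. The two small .sys files under Application Data also score because they are hidden+system, yet the helper did not touch them; in the same log they were created on 2008-11-16/17, the same days as the Corel, FLEXnet and Macrovision Shared folders. Treat the score as a prompt to look closer, not as a verdict; the helper's own next step was to quarantine and submit the file for analysis (the Suspect:: directive) rather than delete it outright.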

#6 Adi11968 (Topic Starter, Members, 9 posts, Gender: Female)

Posted 08 January 2009 - 05:51 PM

Hi,
First of all, thank you so much for your help; the computer seems to work way better now.
I've uninstalled the Megaupload toolbar as you recommended. I got this Norton version from a friend yesterday... I installed it because I was extremely scared that something would happen to my PC if I didn't install antivirus software...


Here's the ComboFix log:
ComboFix 09-01-07.02 - Administrator 01/09/2009 0:14:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.1.1037.18.446.158 [GMT 2:00]
Running from: c:\documents and settings\Administrator\שולחן העבודה\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\שולחן העבודה\CFScript.txt
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\winsystems.dll
.

((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-07-12 14:54 --------- d-----w c:\program files\Player Tool
2015-07-11 18:25 --------- d-----w c:\program files\Ubisoft
2015-07-11 17:26 --------- d-----w c:\documents and settings\Administrator\Application Data\CyberLink
2015-07-11 17:23 --------- d-----w c:\program files\CyberLink
2015-07-11 17:23 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2015-07-09 09:48 --------- d-----w c:\program files\Dealio
2015-06-22 15:09 --------- d-----w c:\program files\Secured_eMule
2015-06-22 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\BufferZone
2015-06-21 19:06 --------- d-----w c:\program files\ICQToolbar
2015-06-08 17:36 --------- d-----w c:\program files\Setup
2015-05-29 17:48 --------- d-----w c:\documents and settings\Administrator\Application Data\DivX
2015-05-29 10:17 --------- d-----w c:\program files\ICQLite
2015-05-28 17:14 --------- d-----w c:\documents and settings\Administrator\Application Data\BSplayer Pro
2015-05-28 11:16 --------- d-----w c:\documents and settings\Administrator\Application Data\Talkback
2015-05-28 09:51 --------- d-----w c:\documents and settings\Administrator\Application Data\ICQLite
2015-05-27 13:14 15,781 ----a-w c:\windows\system32\drivers\mdc8021x.sys
2015-05-27 13:14 --------- d-----w c:\program files\802.11g USB2.0 adapter
2015-05-27 13:14 --------- d-----w c:\documents and settings\All Users\Application Data\Prism
2009-01-08 00:18 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-08 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-08 00:13 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-08 00:13 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 00:13 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 00:13 --------- d-----w c:\program files\Symantec
2009-01-08 00:13 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-01-08 00:12 35,888 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-01-08 00:12 --------- d-----w c:\program files\Windows Sidebar
2009-01-08 00:12 --------- d-----w c:\program files\Norton Internet Security
2009-01-08 00:11 --------- d-----w c:\program files\NortonInstaller
2009-01-08 00:06 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-08 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-07 22:56 --------- d-----w c:\program files\eMule
2009-01-07 22:32 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-07 22:31 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-07 22:31 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-07 17:12 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-07 17:10 --------- d-----w c:\program files\Lavasoft
2009-01-07 17:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-07 15:33 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2009-01-07 13:31 --------- d-----w c:\program files\AviSynth 2.5
2009-01-07 12:43 --------- d-----w c:\documents and settings\All Users\Application Data\Babylon
2009-01-07 12:43 --------- d-----w c:\documents and settings\Administrator\Application Data\Babylon
2009-01-07 11:30 --------- d-----w c:\program files\YoGen
2009-01-06 11:32 --------- d-----w c:\documents and settings\All Users\Application Data\SRS Labs
2009-01-05 20:46 --------- d-----w c:\program files\KaraFun
2009-01-05 20:46 --------- d-----w c:\documents and settings\All Users\Application Data\Recisio
2009-01-05 20:40 --------- d-----w c:\documents and settings\All Users\Application Data\YoGen
2009-01-05 20:03 --------- d-----w c:\program files\MSBuild
2009-01-05 20:02 --------- d-----w c:\program files\Reference Assemblies
2009-01-05 19:59 --------- d-----w c:\program files\AnalogX
2009-01-05 19:54 737,280 ----a-w c:\windows\iun6002.exe
2009-01-04 16:39 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 16:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-01 22:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Megaupload
2009-01-01 22:52 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 22:52 --------- d-----w c:\program files\Megaupload
2009-01-01 22:52 --------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2009-01-01 22:52 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2009-01-01 22:52 --------- d-----w c:\documents and settings\Administrator\Application Data\EmailNotifier
2009-01-01 21:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-23 15:20 --------- d-----w c:\program files\Apple Software Update
2008-12-23 15:19 --------- d-----w c:\program files\Bonjour
2008-12-23 14:53 --------- d-----w c:\program files\iTunes
2008-12-23 14:53 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-23 14:52 --------- d-----w c:\program files\iPod
2008-12-23 14:50 --------- d-----w c:\program files\QuickTime
2008-12-23 14:24 --------- d-----w c:\program files\Safari
2008-12-19 14:03 --------- d-----w c:\program files\Java
2008-12-18 01:07 --------- d-----w c:\program files\mobile PhoneTools
2008-12-14 23:18 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2008-12-14 23:13 --------- d-----w c:\program files\Banner Maker Pro 7
2008-12-01 13:10 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-01 12:29 --------- d-----w c:\documents and settings\Administrator\Application Data\gtk-2.0
2008-11-30 22:54 --------- d-----w c:\program files\Microsoft GIF Animator
2008-11-29 18:28 --------- d-----w c:\program files\K-Lite Codec Pack
2008-11-29 18:27 --------- d-----w c:\program files\AML Products
2008-11-29 18:20 --------- d-----w c:\program files\SoundInDepth.com
2008-11-26 17:57 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-26 17:33 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-11-17 14:40 --------- d-----w c:\program files\Common Files\Adobe
2008-11-17 00:22 --------- d-----w c:\program files\Corel
2008-11-17 00:14 2,828 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-11-16 22:30 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-16 21:56 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-11-16 21:32 8 --sh--r c:\documents and settings\All Users\Application Data\81DA373DB8.sys
2008-09-28 09:15 25,600 ----a-w c:\documents and settings\Administrator\usbsermptxp.sys
2008-09-28 09:15 22,768 ----a-w c:\documents and settings\Administrator\usbsermpt.sys
2008-09-17 13:16 549,159 --sha-r c:\program files\Norton2009Reset.exe
2008-07-29 14:47 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@Thu 01-08-2009_13.08.13.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-12 03:29:18 255,536 ----a-w c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys
+ 2009-01-08 00:12:51 362,544 ----a-w c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys
+ 2008-12-12 03:29:18 306,736 ----a-w c:\windows\system32\drivers\NIS\1002000.007\srtsp.sys
+ 2008-12-12 03:29:18 43,696 ----a-w c:\windows\system32\drivers\NIS\1002000.007\srtspx.sys
+ 2008-12-12 03:29:18 12,976 ----a-w c:\windows\system32\drivers\NIS\1002000.007\symdns.sys
+ 2008-12-12 03:29:19 309,296 ----a-w c:\windows\system32\drivers\NIS\1002000.007\SymEFA.sys
+ 2008-12-12 03:29:19 89,904 ----a-w c:\windows\system32\drivers\NIS\1002000.007\symfw.sys
+ 2008-12-12 03:29:19 34,608 ----a-w c:\windows\system32\drivers\NIS\1002000.007\symids.sys
+ 2008-12-12 03:29:20 37,424 ----a-w c:\windows\system32\drivers\NIS\1002000.007\symndis.sys
+ 2008-12-12 03:29:20 40,496 ----a-w c:\windows\system32\drivers\NIS\1002000.007\symndisv.sys
+ 2008-12-12 03:29:20 24,624 ----a-w c:\windows\system32\drivers\NIS\1002000.007\symredrv.sys
+ 2008-12-12 03:29:20 198,192 ----a-w c:\windows\system32\drivers\NIS\1002000.007\symtdi.sys
+ 2009-01-08 12:58:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_14c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/01/2006 01:32 PM 94208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [04/14/2008 04:17 AM 15360]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [09/05/2008 12:54 PM 133104]
"Exetender"="c:\program files\BGames\GPlayer.exe" [05/15/2008 01:49 PM 1958400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [09/15/2006 12:04 AM 540672]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [07/13/2006 07:28 AM 57344]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40 PM 155648]
"WiFiCFG.EXE"="c:\program files\802.11g" [BU]
"au"="c:\program files\Dealio\DealioAU.exe" [06/27/2007 12:46 PM 238936]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 07:42 PM 32768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [08/04/2008 01:02 AM 36352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [08/25/2008 08:08 PM 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [12/19/2008 04:03 PM 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [11/04/2008 10:30 AM 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [11/20/2008 01:20 PM 290088]
"VTTimer"="VTTimer.exe" [09/15/2006 12:07 AM 53248 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [09/15/2006 12:07 AM 176128 c:\windows\system32\VTTrayp.exe]
"NWEReboot"="" [BU]
"PRISMSVR.EXE"="Prismsvr.exe" [03/21/2005 01:24 PM 295001 c:\windows\system32\PRISMSVR.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [04/14/2008 04:17 AM 15360]

c:\documents and settings\All Users\š šŒ\šš\Œ\
Media Key.lnk - c:\program files\Media Key\MagicKey.exe [2008-10-25 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1000000.07D\SymEFA.sys [2009-01-08 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1000000.07D\BHDrvx86.sys [2009-01-08 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1000000.07D\ccHPx86.sys [2009-01-08 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081220.001\IDSxpx86.sys [2009-01-08 274808]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-10-25 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [2008-10-25 9291]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-08 99376]
R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [2009-01-08 115560]
R4 X4HSX32Ex;X4HSX32Ex;c:\program files\BGames\X4HSX32Ex.sys [2008-09-15 29856]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-09-17 549159]
.
Contents of the 'Scheduled Tasks' folder

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [07/30/2008 12:34 PM]

2009-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-706699826-725345543-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [09/05/2008 12:54 PM]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://awesomestart.com/ledzeppelin/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Compare Prices with &Dealio - c:\program files\Dealio\kb106\res\DealioSearch.html
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 00:22:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck = c:\program files\VIAudioi\SBADeck\ADeck.exe 1???\ ?|????D:\VIA chips???????|???|?????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\  M*NULL*i*NULL*c*NULL*r*NULL*o*NULL*s*NULL*o*NULL*f*NULL*t*NULL* *NULL*M*NULL*a*NULL*n*NULL*a*NULL*g*NULL*e*NULL*m*NULL*e*NULL*n*NULL*t*NULL* *NULL*C*NULL*o*NULL*n*NULL*s*NULL*o*NULL*l*NULL*e*NULL*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\services.msc"
"File2"="c:\\WINDOWS\\system32\\devmgmt.msc"
.
Completion time: 01/09/2009 0:29:44
ComboFix-quarantined-files.txt 2009-01-08 22:29:32
ComboFix2.txt 2009-01-08 11:32:13

Pre-Run: 62,382,370,816 bytes free
Post-Run: 62,310,883,328 bytes free

224 --- E O F --- 2008-12-18 01:01:27

#7 Adi11968

Adi11968
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Female
  • Local time:07:41 PM

Posted 08 January 2009 - 05:52 PM

And here's the HijackThis log:



DDS (Ver_09-01-07.01) - NTFSx86
Run by Administrator at 0:38:56.18 on Fri 01/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1037.18.446.139 [GMT 2:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\Prismsvr.exe
C:\Program Files\802.11g USB2.0 adapter\WiFiCFG.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\BGames\GPlayer.exe
C:\Program Files\Media Key\MagicKey.exe
C:\Program Files\Media Key\OSD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\שולחן העבודה\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://awesomestart.com/ledzeppelin/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
BHO: DealioBHO Class: {6a87b991-a31f-4130-ae72-6d0c294bf082} - c:\program files\dealio\kb106\Dealio.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.0.0.125\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Dealio: {e67c74f4-a00a-4f2c-9fec-fd9dc004a67f} - c:\program files\dealio\kb106\Dealio.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
EB: Dealio: {5c4c24d0-28b6-4b6b-b70f-e09848367f10} - c:\program files\dealio\kb106\Dealio.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Exetender] c:\program files\bgames\GPlayer.exe /runonstartup
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [PRISMSVR.EXE] Prismsvr.exe /apply
mRun: [WiFiCFG.EXE] c:\program files\802.11g usb2.0 adapter\WiFiCFG.EXE
mRun: [au] c:\program files\dealio\DealioAU.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\94ae~1\d9f0~1\76ef~1\mediak~1.lnk - c:\program files\media key\MagicKey.exe
IE: &Search
IE: &יצא ל- Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Compare Prices with &Dealio - c:\program files\dealio\kb106\res\DealioSearch.html
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E908B145-C847-4e85-B315-07E2E70DECF8} - {9F038672-0425-4792-BC9C-36DE3308E8AA} - c:\program files\dealio\kb106\Dealio.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1000000.07d\SymEFA.sys [2009-1-8 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1000000.07d\BHDrvx86.sys [2009-1-8 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1000000.07d\ccHPx86.sys [2009-1-8 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081220.001\IDSxpx86.sys [2009-1-8 274808]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-10-25 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [2008-10-25 9291]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-8 99376]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090108.007\NAVENG.SYS [2009-1-8 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090108.007\NAVEX15.SYS [2009-1-8 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [2009-1-8 115560]
R4 X4HSX32Ex;X4HSX32Ex;c:\program files\bgames\X4HSX32Ex.sys [2008-9-15 29856]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-9-17 549159]

=============== Created Last 30 ================

2009-01-08 13:22 <DIR> a-dshr-- C:\cmdcons
2009-01-08 12:48 161,792 a------- c:\windows\SWREG.exe
2009-01-08 12:48 98,816 a------- c:\windows\sed.exe
2009-01-08 03:07 <DIR> --d----- C:\_OTMoveIt
2009-01-08 02:13 35,888 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-01-08 02:13 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 02:13 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-08 02:13 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 02:13 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-08 02:12 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-01-08 02:12 <DIR> --d----- c:\program files\Norton Internet Security
2009-01-08 02:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-01-08 02:11 <DIR> --d----- c:\program files\NortonInstaller
2009-01-08 02:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-08 00:32 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-01-08 00:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-08 00:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 00:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 00:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 19:10 <DIR> --d----- c:\program files\Lavasoft
2009-01-07 19:08 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-07 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Babylon
2009-01-07 14:43 <DIR> --d----- c:\docume~1\admini~1\applic~1\Babylon
2009-01-07 13:30 <DIR> --d----- c:\program files\YoGen
2009-01-06 13:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SRS Labs
2009-01-05 22:46 <DIR> --d----- c:\program files\KaraFun
2009-01-05 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Recisio
2009-01-05 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\YoGen
2009-01-05 22:03 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-05 22:01 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-01-05 22:01 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-05 22:01 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-05 22:01 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-05 22:01 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-01-05 22:01 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-01-05 22:01 117,760 -------- c:\windows\system32\prntvpt.dll
2009-01-05 22:01 <DIR> --d----- C:\1508c0a53d16e90310224cbfb87b
2009-01-05 21:59 <DIR> --d----- c:\program files\AnalogX
2009-01-02 00:53 <DIR> --d----- c:\docume~1\admini~1\applic~1\Megaupload
2009-01-02 00:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Megaupload
2009-01-02 00:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EmailNotifier
2009-01-02 00:52 <DIR> --d----- c:\docume~1\admini~1\applic~1\EmailNotifier
2009-01-02 00:52 <DIR> --d----- c:\program files\Megaupload
2008-12-23 16:52 <DIR> --d----- c:\program files\iTunes
2008-12-23 16:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 16:04 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-15 01:18 26,112 ac------ c:\windows\system32\dllcache\usbser.sys
2008-12-15 01:18 26,112 a------- c:\windows\system32\drivers\usbser.sys
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll

==================== Find3M ====================

2009-01-05 22:05 345,584 a------- c:\windows\system32\perfh00d.dat
2009-01-05 22:05 67,296 a------- c:\windows\system32\perfc00d.dat
2009-01-05 21:54 737,280 a------- c:\windows\iun6002.exe
2008-12-19 16:03 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-17 02:14 2,828 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-11-16 23:32 8 ---shr-- c:\docume~1\alluse~1\applic~1\81DA373DB8.sys
2008-10-23 14:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 03:01 662,528 a------- c:\windows\system32\wininet.dll
2008-09-28 11:15 25,600 a------- c:\documents and settings\administrator\usbsermptxp.sys
2008-09-28 11:15 22,768 a------- c:\documents and settings\administrator\usbsermpt.sys
2008-09-17 15:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2008-07-29 16:47 47,360 a------- c:\docume~1\admini~1\applic~1\pcouffin.sys

============= FINISH: 0:40:43.40 ===============

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:41 AM

Posted 08 January 2009 - 06:00 PM

Hi,

I've got this Norton version from a friend yesterday...I've installed it because I was extremely scared that something will happen to my PC if I won't install an antivirus software...

I suggest you uninstall it again, because I really don't trust the version you are using. That Norton2009Reset.exe file is way too suspicious looking. Also, the fact that it is hidden makes it even more suspicious, plus the fact that I also see it in logs where Norton was already removed.
Reboot after uninstalling Norton.

Then install another Antivirus. Look in my signature below under Antivirus for the ones I recommend. As you'll see, there are a lot of free ones. Only install 1 Antivirus though.

Then reboot once again.

Then,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\program files\Norton2009Reset.exe
Driver::
.norton2009Reset


Save this as a txt file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
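The reasoning in the reply above (a hidden, read-only executable under Program Files that a stopped service points at) can be turned into a small log-triage check. The script below is an added example, not part of the thread and not from DDS or ComboFix; it parses the file and service lines in the format both tools write on this page, and its sample log is constructed from entries quoted in the logs above (a mix of DDS 8-letter and ComboFix Find3M 7-letter attribute strings).

```python
"""Triage helper for DDS / ComboFix log excerpts (added example; not from the
thread, DDS or ComboFix). Flags hidden files in user-writable locations and
services whose image path resolves to such a file."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the "SERVICES / DRIVERS", "Created Last 30"
# and "Find3M" sections on this page; the entries are copied from the logs above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-10-25 12856]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-9-17 549159]

=============== Created Last 30 ================

2009-01-08 13:22 <DIR> a-dshr-- C:\cmdcons
2009-01-08 00:31 15,504 a------- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

2009-01-05 21:54 737,280 a------- c:\windows\iun6002.exe
2008-09-17 15:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2015-07-09 09:48 --------- d-----w c:\program files\Dealio
2008-11-16 21:32 8 --sh--r c:\documents and settings\All Users\Application Data\81DA373DB8.sys
"""


@dataclass
class FileEntry:
    path: str
    flags: str  # letters: a=archive c=compressed d=dir s=system h=hidden r=read-only w=writable
    size: str   # "<DIR>", a run of dashes (ComboFix directory) or a comma-grouped byte count

    @property
    def is_dir(self) -> bool:
        return "d" in self.flags or self.size == "<DIR>"

    @property
    def hidden(self) -> bool:
        return "h" in self.flags


@dataclass
class ServiceEntry:
    state: str    # R0-R4 running, S0-S4 stopped; the digit is the start type
    name: str
    display: str
    path: str


# "<date> <time> <size|<DIR>|dashes> <flags> <path>", 8-letter flags in DDS and
# 7-letter flags in ComboFix's Find3M report; the letters mean the same in both.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(<DIR>|[\d,]+|-+)\s+([a-z-]{7,8})\s+(.+?)\s*$")
# "<state> <name>;<display name>;<image path> [<date> <size>]"
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[\d-]+ \d+\]\s*$")

# Locations a user-level installer or dropper can write to; a hidden file here
# deserves a look, whereas hidden files under c:\windows are routine.
USER_WRITABLE = ("\\program files\\", "\\documents and settings\\", "\\docume~1\\")


def parse_dds(text: str):
    """Split a log into file entries and service entries, ignoring everything else."""
    files, services = [], []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            files.append(FileEntry(path=m.group(3), flags=m.group(2), size=m.group(1)))
            continue
        m = SVC_RE.match(line)
        if m:
            services.append(ServiceEntry(*m.groups()))
    return files, services


def triage(text: str):
    """Return (reason, subject, detail) tuples for an analyst to review.

    A hit is a lead, not a verdict: the same heuristic that catches
    Norton2009Reset.exe also lists licensing blobs that hide themselves."""
    files, services = parse_dds(text)
    by_path = {f.path.lower(): f for f in files}
    findings = []
    for f in files:
        if f.is_dir or not f.hidden:
            continue
        if any(marker in f.path.lower() for marker in USER_WRITABLE):
            findings.append(("hidden-file", f.path, f.flags))
    # Strongest signal on this page: a registered service whose image is a hidden file.
    for s in services:
        target = by_path.get(s.path.lower())
        if target is not None and target.hidden:
            findings.append(("service-on-hidden-file", s.name, s.path))
    return findings


if __name__ == "__main__":
    for reason, subject, detail in triage(SAMPLE_LOG):
        print(f"{reason:24} {subject}  ({detail})")
```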

#9 Adi11968

Adi11968
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Female
  • Local time:07:41 PM

Posted 08 January 2009 - 07:46 PM

Hi,
I've uninstalled Norton and installed AVG 8.0 Free instead (thanks for the link)...

Here's the ComboFix log:

ComboFix 09-01-07.02 - Administrator 01/09/2009 2:19:52.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.1.1037.18.446.132 [GMT 2:00]
Running from: c:\documents and settings\Administrator\שולחן העבודה\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\שולחן העבודה\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\program files\Norton2009Reset.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\שולחן העבודה\Antivirus 2009.lnk
c:\program files\Norton2009Reset.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_.norton2009Reset


((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-07-12 14:54 --------- d-----w c:\program files\Player Tool
2015-07-11 18:25 --------- d-----w c:\program files\Ubisoft
2015-07-11 17:26 --------- d-----w c:\documents and settings\Administrator\Application Data\CyberLink
2015-07-11 17:23 --------- d-----w c:\program files\CyberLink
2015-07-11 17:23 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2015-07-09 09:48 --------- d-----w c:\program files\Dealio
2015-06-22 15:09 --------- d-----w c:\program files\Secured_eMule
2015-06-22 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\BufferZone
2015-06-21 19:06 --------- d-----w c:\program files\ICQToolbar
2015-06-08 17:36 --------- d-----w c:\program files\Setup
2015-05-29 17:48 --------- d-----w c:\documents and settings\Administrator\Application Data\DivX
2015-05-29 10:17 --------- d-----w c:\program files\ICQLite
2015-05-28 17:14 --------- d-----w c:\documents and settings\Administrator\Application Data\BSplayer Pro
2015-05-28 11:16 --------- d-----w c:\documents and settings\Administrator\Application Data\Talkback
2015-05-28 09:51 --------- d-----w c:\documents and settings\Administrator\Application Data\ICQLite
2015-05-27 13:14 15,781 ----a-w c:\windows\system32\drivers\mdc8021x.sys
2015-05-27 13:14 --------- d-----w c:\program files\802.11g USB2.0 adapter
2015-05-27 13:14 --------- d-----w c:\documents and settings\All Users\Application Data\Prism
2009-01-09 00:12 --------- d-----w c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2009-01-09 00:05 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-09 00:05 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-09 00:04 --------- d-----w c:\program files\AVG
2009-01-09 00:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-08 23:58 --------- d-----w c:\program files\Symantec
2009-01-08 23:58 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-08 23:58 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-01-08 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-08 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-07 22:56 --------- d-----w c:\program files\eMule
2009-01-07 22:32 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-07 22:31 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-07 22:31 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-07 17:12 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-07 17:10 --------- d-----w c:\program files\Lavasoft
2009-01-07 17:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-07 13:31 --------- d-----w c:\program files\AviSynth 2.5
2009-01-07 12:43 --------- d-----w c:\documents and settings\All Users\Application Data\Babylon
2009-01-07 12:43 --------- d-----w c:\documents and settings\Administrator\Application Data\Babylon
2009-01-07 11:30 --------- d-----w c:\program files\YoGen
2009-01-06 11:32 --------- d-----w c:\documents and settings\All Users\Application Data\SRS Labs
2009-01-05 20:46 --------- d-----w c:\program files\KaraFun
2009-01-05 20:46 --------- d-----w c:\documents and settings\All Users\Application Data\Recisio
2009-01-05 20:40 --------- d-----w c:\documents and settings\All Users\Application Data\YoGen
2009-01-05 20:03 --------- d-----w c:\program files\MSBuild
2009-01-05 20:02 --------- d-----w c:\program files\Reference Assemblies
2009-01-05 19:59 --------- d-----w c:\program files\AnalogX
2009-01-05 19:54 737,280 ----a-w c:\windows\iun6002.exe
2009-01-04 16:39 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 16:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-01 22:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Megaupload
2009-01-01 22:52 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 22:52 --------- d-----w c:\program files\Megaupload
2009-01-01 22:52 --------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2009-01-01 22:52 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2009-01-01 22:52 --------- d-----w c:\documents and settings\Administrator\Application Data\EmailNotifier
2009-01-01 21:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-23 15:20 --------- d-----w c:\program files\Apple Software Update
2008-12-23 15:19 --------- d-----w c:\program files\Bonjour
2008-12-23 14:53 --------- d-----w c:\program files\iTunes
2008-12-23 14:53 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-23 14:52 --------- d-----w c:\program files\iPod
2008-12-23 14:50 --------- d-----w c:\program files\QuickTime
2008-12-23 14:24 --------- d-----w c:\program files\Safari
2008-12-19 14:03 --------- d-----w c:\program files\Java
2008-12-18 01:07 --------- d-----w c:\program files\mobile PhoneTools
2008-12-14 23:18 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2008-12-14 23:13 --------- d-----w c:\program files\Banner Maker Pro 7
2008-12-01 13:10 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-01 12:29 --------- d-----w c:\documents and settings\Administrator\Application Data\gtk-2.0
2008-11-30 22:54 --------- d-----w c:\program files\Microsoft GIF Animator
2008-11-29 18:28 --------- d-----w c:\program files\K-Lite Codec Pack
2008-11-29 18:27 --------- d-----w c:\program files\AML Products
2008-11-29 18:20 --------- d-----w c:\program files\SoundInDepth.com
2008-11-26 17:57 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-26 17:33 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-11-17 14:40 --------- d-----w c:\program files\Common Files\Adobe
2008-11-17 00:22 --------- d-----w c:\program files\Corel
2008-11-17 00:14 2,828 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-11-16 22:30 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-16 21:56 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-11-16 21:32 8 --sh--r c:\documents and settings\All Users\Application Data\81DA373DB8.sys
2008-09-28 09:15 25,600 ----a-w c:\documents and settings\Administrator\usbsermptxp.sys
2008-09-28 09:15 22,768 ----a-w c:\documents and settings\Administrator\usbsermpt.sys
2008-07-29 14:47 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@Thu 01-08-2009_13.08.13.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-09 00:05:32 10,520 ----a-w c:\windows\system32\avgrsstx.dll
+ 2009-01-09 00:05:26 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2009-01-09 00:28:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2b8.dat
+ 2006-12-01 20:56:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 22:25:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 22:25:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 22:25:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 22:26:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 22:08:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 22:08:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 22:08:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 22:08:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 22:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 22:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 22:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 22:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 22:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 22:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/01/2006 01:32 PM 94208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [04/14/2008 04:17 AM 15360]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [09/05/2008 12:54 PM 133104]
"Exetender"="c:\program files\BGames\GPlayer.exe" [05/15/2008 01:49 PM 1958400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [09/15/2006 12:04 AM 540672]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [07/13/2006 07:28 AM 57344]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40 PM 155648]
"WiFiCFG.EXE"="c:\program files\802.11g" [BU]
"au"="c:\program files\Dealio\DealioAU.exe" [06/27/2007 12:46 PM 238936]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 07:42 PM 32768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [08/04/2008 01:02 AM 36352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [08/25/2008 08:08 PM 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [12/19/2008 04:03 PM 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [11/04/2008 10:30 AM 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [11/20/2008 01:20 PM 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [01/09/2009 02:05 AM 1261336]
"VTTimer"="VTTimer.exe" [09/15/2006 12:07 AM 53248 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [09/15/2006 12:07 AM 176128 c:\windows\system32\VTTrayp.exe]
"NWEReboot"="" [BU]
"PRISMSVR.EXE"="Prismsvr.exe" [03/21/2005 01:24 PM 295001 c:\windows\system32\PRISMSVR.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [04/14/2008 04:17 AM 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-09 97928]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-10-25 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [2008-10-25 9291]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-09 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-09 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-09 76040]
R4 X4HSX32Ex;X4HSX32Ex;c:\program files\BGames\X4HSX32Ex.sys [2008-09-15 29856]
.
Contents of the 'Scheduled Tasks' folder

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [07/30/2008 12:34 PM]

2009-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-706699826-725345543-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [09/05/2008 12:54 PM]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://awesomestart.com/ledzeppelin/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Compare Prices with &Dealio - c:\program files\Dealio\kb106\res\DealioSearch.html
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 02:29:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck = c:\program files\VIAudioi\SBADeck\ADeck.exe 1???\ ?|????D:\VIA chips???????|???|?????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\  M*NULL*i*NULL*c*NULL*r*NULL*o*NULL*s*NULL*o*NULL*f*NULL*t*NULL* *NULL*M*NULL*a*NULL*n*NULL*a*NULL*g*NULL*e*NULL*m*NULL*e*NULL*n*NULL*t*NULL* *NULL*C*NULL*o*NULL*n*NULL*s*NULL*o*NULL*l*NULL*e*NULL*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\services.msc"
"File2"="c:\\WINDOWS\\system32\\devmgmt.msc"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\program files\802.11g USB2.0 adapter\WiFiCfg.exe
c:\program files\Media Key\MagicKey.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Media Key\OSD.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 01/09/2009 2:39:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 00:39:39
ComboFix2.txt 2009-01-08 22:29:53
ComboFix3.txt 2009-01-08 11:32:13

Pre-Run: 62,826,913,792 bytes free
Post-Run: 62,833,115,136 bytes free

242 --- E O F --- 2008-12-18 01:01:27

#10 Adi11968

Adi11968
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Female
  • Local time:07:41 PM

Posted 08 January 2009 - 07:47 PM

And here's the HijackThis log:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Administrator at 2:40:54.45 on Fri 01/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1037.18.446.86 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\Prismsvr.exe
C:\Program Files\802.11g USB2.0 adapter\WiFiCFG.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\BGames\GPlayer.exe
C:\Program Files\Media Key\MagicKey.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Media Key\OSD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\שולחן העבודה\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://awesomestart.com/ledzeppelin/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DealioBHO Class: {6a87b991-a31f-4130-ae72-6d0c294bf082} - c:\program files\dealio\kb106\Dealio.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Dealio: {e67c74f4-a00a-4f2c-9fec-fd9dc004a67f} - c:\program files\dealio\kb106\Dealio.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
EB: Dealio: {5c4c24d0-28b6-4b6b-b70f-e09848367f10} - c:\program files\dealio\kb106\Dealio.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Exetender] c:\program files\bgames\GPlayer.exe /runonstartup
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [PRISMSVR.EXE] Prismsvr.exe /apply
mRun: [WiFiCFG.EXE] c:\program files\802.11g usb2.0 adapter\WiFiCFG.EXE
mRun: [au] c:\program files\dealio\DealioAU.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\94ae~1\d9f0~1\76ef~1\mediak~1.lnk - c:\program files\media key\MagicKey.exe
IE: &Search
IE: &יצא ל- Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Compare Prices with &Dealio - c:\program files\dealio\kb106\res\DealioSearch.html
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E908B145-C847-4e85-B315-07E2E70DECF8} - {9F038672-0425-4792-BC9C-36DE3308E8AA} - c:\program files\dealio\kb106\Dealio.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-9 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-9 26824]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-10-25 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [2008-10-25 9291]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-9 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-9 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-9 76040]
R4 X4HSX32Ex;X4HSX32Ex;c:\program files\bgames\X4HSX32Ex.sys [2008-9-15 29856]

=============== Created Last 30 ================

2009-01-09 02:05 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-09 02:05 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-09 02:05 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-09 02:05 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-09 02:05 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVGTOOLBAR
2009-01-09 02:04 <DIR> --d----- c:\program files\AVG
2009-01-09 02:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-08 13:22 <DIR> a-dshr-- C:\cmdcons
2009-01-08 12:48 161,792 a------- c:\windows\SWREG.exe
2009-01-08 12:48 98,816 a------- c:\windows\sed.exe
2009-01-08 03:07 <DIR> --d----- C:\_OTMoveIt
2009-01-08 02:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-01-08 02:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-08 00:32 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-01-08 00:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-08 00:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 00:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 00:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 19:10 <DIR> --d----- c:\program files\Lavasoft
2009-01-07 19:08 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-07 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Babylon
2009-01-07 14:43 <DIR> --d----- c:\docume~1\admini~1\applic~1\Babylon
2009-01-07 13:30 <DIR> --d----- c:\program files\YoGen
2009-01-06 13:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SRS Labs
2009-01-05 22:46 <DIR> --d----- c:\program files\KaraFun
2009-01-05 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Recisio
2009-01-05 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\YoGen
2009-01-05 22:03 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-05 22:01 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-01-05 22:01 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-05 22:01 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-05 22:01 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-05 22:01 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-01-05 22:01 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-01-05 22:01 117,760 -------- c:\windows\system32\prntvpt.dll
2009-01-05 22:01 <DIR> --d----- C:\1508c0a53d16e90310224cbfb87b
2009-01-05 21:59 <DIR> --d----- c:\program files\AnalogX
2009-01-02 00:53 <DIR> --d----- c:\docume~1\admini~1\applic~1\Megaupload
2009-01-02 00:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Megaupload
2009-01-02 00:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EmailNotifier
2009-01-02 00:52 <DIR> --d----- c:\docume~1\admini~1\applic~1\EmailNotifier
2009-01-02 00:52 <DIR> --d----- c:\program files\Megaupload
2008-12-23 16:52 <DIR> --d----- c:\program files\iTunes
2008-12-23 16:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 16:04 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-15 01:18 26,112 ac------ c:\windows\system32\dllcache\usbser.sys
2008-12-15 01:18 26,112 a------- c:\windows\system32\drivers\usbser.sys
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll

==================== Find3M ====================

2009-01-05 22:05 345,584 a------- c:\windows\system32\perfh00d.dat
2009-01-05 22:05 67,296 a------- c:\windows\system32\perfc00d.dat
2009-01-05 21:54 737,280 a------- c:\windows\iun6002.exe
2008-12-19 16:03 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-17 02:14 2,828 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-11-16 23:32 8 ---shr-- c:\docume~1\alluse~1\applic~1\81DA373DB8.sys
2008-10-23 14:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 03:01 662,528 a------- c:\windows\system32\wininet.dll
2008-09-28 11:15 25,600 a------- c:\documents and settings\administrator\usbsermptxp.sys
2008-09-28 11:15 22,768 a------- c:\documents and settings\administrator\usbsermpt.sys
2008-07-29 16:47 47,360 a------- c:\docume~1\admini~1\applic~1\pcouffin.sys

============= FINISH: 2:42:20.06 ===============
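A small parser for the DDS log format posted above, added here as a worked example; it is not part of the thread and not code from DDS or BleepingComputer. It turns the "Pseudo HJT Report" and "SERVICES / DRIVERS" lines (uRun/mRun autostarts, BHO/TB/EB COM objects with their CLSIDs, R/S driver entries, the start page and AppInit_DLLs) into structured records, so that a log like this can be reviewed mechanically instead of by eye. The sample lines are constructed from entries that appear in the log above, and the triage heuristics in `triage()` (orphaned toolbar, empty Run value, a .sys driver loading from outside a drivers directory) are my own assumptions about what deserves a second look, not anything DDS itself reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines in the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" style. DDS writes "hxxp://" to defang URLs.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://awesomestart.com/ledzeppelin/
BHO: DealioBHO Class: {6a87b991-a31f-4130-ae72-6d0c294bf082} - c:\program files\dealio\kb106\Dealio.dll
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NWEReboot]
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-10-25 12856]
R4 X4HSX32Ex;X4HSX32Ex;c:\program files\bgames\X4HSX32Ex.sys [2008-9-15 29856]
"""


@dataclass
class Entry:
    kind: str                    # "uRun", "mRun", "BHO", "TB", "R1", "uStart Page", ...
    name: str                    # Run value name, BHO display name or service name
    target: str                  # path, command line, DLL or URL ("" if none)
    clsid: Optional[str] = None  # CLSID for BHO/TB/EB entries
    section: str = ""            # DDS section header the line appeared under


SECTION_RE = re.compile(r"^=+ (.+?) =+$")
RUN_RE = re.compile(r"^([umd]Run): \[([^\]]*)\]\s*(.*)$")
COM_RE = re.compile(r"^(BHO|TB|EB): (?:(.*?): )?\{([0-9A-Fa-f-]{36})\} - (.*)$")
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?)(?: \[[^\]]*\])?$")
KV_RE = re.compile(r"^(uStart Page|mStart Page|uSearchURL,\(Default\)|AppInit_DLLs)(?: = |: )(.*)$")


def refang(url: str) -> str:
    """Undo DDS's hxxp:// defanging so the value can be compared with real URLs."""
    return "http" + url[4:] if url.startswith("hxxp") else url


def parse_dds(text: str) -> List[Entry]:
    """Parse DDS report lines into Entry records; unknown lines are kept as 'unparsed'."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = RUN_RE.match(line)
        if m:  # autostart value under HKCU (u), HKLM (m) or .DEFAULT (d)
            entries.append(Entry(m.group(1), m.group(2), m.group(3).strip(), section=section))
            continue
        m = COM_RE.match(line)
        if m:  # browser helper object / toolbar / explorer bar with CLSID
            entries.append(Entry(m.group(1), m.group(2) or "", m.group(4).strip(),
                                 clsid=m.group(3).lower(), section=section))
            continue
        m = SVC_RE.match(line)
        if m:  # service or driver: state name;display name;image path [date size]
            entries.append(Entry(m.group(1), m.group(2), m.group(4).strip(), section=section))
            continue
        m = KV_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), "", m.group(2).strip(), section=section))
            continue
        entries.append(Entry("unparsed", "", line, section=section))
    return entries


def triage(entries: List[Entry]) -> List[str]:
    """Flag entries worth a second look. These heuristics are my own, not DDS's."""
    findings = []
    for e in entries:
        if e.kind in ("BHO", "TB", "EB") and e.target == "No File":
            findings.append(f"orphaned {e.kind} {{{e.clsid}}}: registered but its DLL is missing")
        elif e.kind.endswith("Run") and not e.target:
            findings.append(f"empty {e.kind} value [{e.name}]: nothing to execute, likely a leftover")
        elif e.kind[0] in "RS" and e.target.lower().endswith(".sys") \
                and "\\drivers\\" not in e.target.lower():
            findings.append(f"driver {e.name} loads from outside a drivers directory: {e.target}")
    return findings


if __name__ == "__main__":
    for entry in parse_dds(SAMPLE_LOG):
        print(f"[{entry.section}] {entry.kind:12} {entry.name:20} {refang(entry.target)}")
    for finding in triage(parse_dds(SAMPLE_LOG)):
        print("! " + finding)
```

Run it with the full text of a DDS log in place of `SAMPLE_LOG` to get one record per autostart, browser add-on and driver; the "orphaned" and "empty value" findings match the kind of leftovers that a cleanup such as the one in this thread typically leaves behind, and the driver check simply reports image paths that sit outside a drivers folder so a human can decide whether they belong there.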

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:41 AM

Posted 09 January 2009 - 05:04 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 Adi11968

Adi11968

Posted 09 January 2009 - 06:39 AM

My PC is back to normal thanks to you... Thank you so much for helping me!!! :thumbsup:

#13 miekiemoes

miekiemoes


Posted 09 January 2009 - 06:41 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#14 Adi11968

Adi11968

Posted 09 January 2009 - 06:45 AM

Thanks again for the info! :thumbsup:

#15 miekiemoes

miekiemoes


Posted 12 January 2009 - 06:28 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.