
Hijack log-please help


  • This topic is locked
8 replies to this topic

#1 MiloMoonwalker

MiloMoonwalker

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 12 January 2009 - 04:34 AM

Hi I hope someone can help me with this one please,

I get bad error messages constantly. I've downloaded and scanned with Spybot, RSIT, Anti-Malware and now HijackThis.

I've heard the thing to do now is to download ComboFix...(?)

Would you like to see the HijackThis log before I run a scan with ComboFix, and see if you identify the corrupt files I need to download and avoid deleting the files I need for my system to work?

Here is the log. Please help me in any way you can; I would be very grateful:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:45, on 08/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Pumpkin\Desktop\HJTsetup.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {0B2609CF-F19E-4918-A3B0-45BCAD218036} - (no file)
O2 - BHO: (no name) - {339b8700-7a8c-48d9-9729-45114b7821a0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Ringz Studio\Storm Codec\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: LAN Chat.lnk = C:\Program Files\Fomine LAN Chat\LANChat.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141509253890
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: darrhg.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8857 bytes



Thank you very much for your help

Milo
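The log above contains the entry types a malware-removal helper reads first: a hosts-file redirect (O1), BHO CLSIDs whose DLL no longer exists (O2), an AppInit_DLLs entry (O20), a service with no publisher (O23) and a Run value that names a bare executable (O4). The Python script below is an added illustration, not part of this thread and not HijackThis code; it applies those checks to a handful of lines copied from the posted log. The rule set and the severity labels are the example's own choices, not anything HijackThis reports.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: (no name) - {0B2609CF-F19E-4918-A3B0-45BCAD218036} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - AppInit_DLLs: darrhg.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[ORFN]\d+) - (?P<body>.*)$")
# Addresses a hosts file may legitimately map a name to (loopback or block).
LOCAL_HOSTS_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def _run_command(body: str) -> str:
    """Return the command part of an O4 'Run' entry, or '' for other O4 forms."""
    if "] " not in body:
        return ""  # e.g. 'Global Startup: foo.lnk = ...' is not a Run value
    return body.split("] ", 1)[1].strip()


def _executable(cmd: str) -> str:
    """First token of a command line, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Dict[str, str]]:
    """Flag HijackThis entries that need a human decision before cleanup."""
    findings: List[Dict[str, str]] = []

    def flag(sec: str, severity: str, reason: str, raw: str) -> None:
        findings.append({"section": sec, "severity": severity,
                         "reason": reason, "raw": raw})

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":
            # 'Hosts: <ip> <name>': any non-local target hijacks name resolution
            parts = body.split()
            if len(parts) >= 3 and parts[1] not in LOCAL_HOSTS_IPS:
                flag(sec, "high", f"hosts file redirects {parts[2]} to {parts[1]}", raw)
        elif sec == "O2" and body.endswith("(no file)"):
            flag(sec, "low", "BHO CLSID registered but its DLL is gone (orphan)", raw)
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            flag(sec, "high", f"AppInit_DLLs injects {dlls} into every user32 process", raw)
        elif sec == "O23" and " - Unknown owner - " in body:
            flag(sec, "medium", "service binary carries no publisher information", raw)
        elif sec == "O4":
            exe = _executable(_run_command(body))
            if exe and not DRIVE_PATH_RE.match(exe):
                flag(sec, "low", f"Run value names bare '{exe}'; resolved by PATH search", raw)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'medium': 1, 'low': 2}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']:4} {f['reason']}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the script flags five of the nine lines; the Ask toolbar line is deliberately not flagged, because whether a legitimately installed toolbar stays is a user decision, which is exactly the kind of call the helper makes in the replies that follow.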



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:33 PM

Posted 12 January 2009 - 05:58 AM

Hi,

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then,

Please uninstall AVG7 and update to the latest version of AVG (AVG8).
Then reboot.

After reboot, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 MiloMoonwalker

MiloMoonwalker
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 12 January 2009 - 02:41 PM

Thanks so much for the rapid reply. Here's the log you requested....



ComboFix 09-01-11.04 - Pumpkin 2009-01-12 19:29:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.569 [GMT 0:00]
Running from: c:\documents and settings\Pumpkin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Pumpkin\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\IE4 Error Log.txt
c:\windows\system32\ap
c:\windows\system32\darrhg.dll
c:\windows\system32\tmp43.tmp
c:\windows\system32\ytetnpte.dll
c:\windows\ynh.dx

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-12 19:08 . 2009-01-12 19:08 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-12 19:08 . 2009-01-12 19:08 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-12 19:07 . 2009-01-12 19:07 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-12 19:07 . 2009-01-12 19:18 <DIR> d-------- c:\documents and settings\Pumpkin\Application Data\AVGTOOLBAR
2009-01-12 19:07 . 2009-01-12 19:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-08 01:22 . 2009-01-08 01:28 <DIR> d-------- C:\rsit
2009-01-08 01:22 . 2009-01-08 01:29 <DIR> d-------- c:\program files\trend micro
2009-01-08 00:15 . 2009-01-08 00:15 <DIR> d-------- c:\documents and settings\Pumpkin\Application Data\Malwarebytes
2009-01-08 00:14 . 2009-01-08 00:15 <DIR> d-------- c:\program files\Malwarebytes
2009-01-08 00:14 . 2009-01-08 00:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-08 00:14 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 00:14 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 20:08 . 2009-01-07 20:08 95 --a------ c:\windows\wininit.ini
2009-01-07 19:54 . 2009-01-07 19:54 <DIR> d-------- c:\program files\Spybot
2009-01-07 19:54 . 2009-01-07 20:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-07 19:10 . 2009-01-07 19:10 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-07 14:15 . 2009-01-07 14:15 <DIR> d-------- c:\temp\REX81
2009-01-07 14:15 . 2009-01-07 20:08 <DIR> d-------- C:\Temp
2009-01-06 16:39 . 2006-11-17 05:40 18,804,736 --a------ c:\windows\system32\alsndmgr.cpl
2009-01-06 16:39 . 2006-12-08 15:20 10,528,768 --a------ c:\windows\system32\RTLCPL.exe
2009-01-06 16:39 . 2008-09-24 10:40 4,122,368 -ra------ c:\windows\system32\drivers\alcxwdm.sys
2009-01-06 16:39 . 2007-04-16 15:28 577,536 --a------ c:\windows\soundman.exe
2009-01-06 16:39 . 2006-10-18 02:53 147,456 --a------ c:\windows\system32\RtlCPAPI.dll
2009-01-06 16:39 . 2002-02-05 13:54 141,016 --a------ c:\windows\system32\alsndmgr.wav
2009-01-06 16:39 . 2006-08-01 15:02 49,152 --a------ c:\windows\system32\ChCfg.exe
2009-01-06 16:38 . 2006-07-31 11:19 315,392 --a------ c:\windows\alcupd.exe
2009-01-06 16:38 . 2006-07-31 11:27 217,088 --a------ c:\windows\alcrmv.exe
2009-01-06 13:50 . 2009-01-06 13:50 <DIR> d-------- c:\windows\system32\scripting
2009-01-06 13:50 . 2009-01-06 13:50 <DIR> d-------- c:\windows\system32\en
2009-01-06 13:50 . 2009-01-06 13:50 <DIR> d-------- c:\windows\system32\bits
2009-01-06 13:50 . 2009-01-06 13:50 <DIR> d-------- c:\windows\l2schemas
2009-01-06 13:45 . 2009-01-06 13:51 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-02 18:34 . 2009-01-12 14:32 183,112 --a------ c:\windows\system32\PnkBstrB.exe
2009-01-02 18:34 . 2009-01-12 14:33 138,184 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-01-02 18:34 . 2009-01-04 23:06 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-01-02 17:15 . 2009-01-02 17:15 <DIR> d-------- c:\documents and settings\Pumpkin\Application Data\Leadertech
2009-01-02 17:07 . 2009-01-02 17:07 <DIR> d-------- c:\program files\EA Games
2008-12-16 14:59 . 2008-12-16 14:59 <DIR> d-------- c:\documents and settings\Pumpkin\Application Data\Activision
2008-12-16 14:59 . 2008-12-16 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Activision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 19:33 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-01-12 19:07 --------- d-----w c:\program files\AVG
2009-01-12 17:01 --------- d-----w c:\program files\MSN Messenger
2009-01-06 16:43 96,384 ----a-w c:\windows\system32\drivers\sptd4221.sys
2009-01-06 16:38 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-06 16:38 --------- d-----w c:\program files\Realtek AC97
2009-01-05 19:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-05 16:08 --------- d-----w c:\documents and settings\Pumpkin\Application Data\Azureus
2009-01-02 10:02 --------- d-----w c:\documents and settings\Pumpkin\Application Data\LimeWire
2008-12-02 19:35 --------- d-----w c:\program files\Kontiki
2008-12-01 19:38 --------- d-----w c:\program files\LimeWire
2008-11-22 08:57 --------- d-----w c:\program files\Vuze
2008-11-16 19:57 --------- d-----w c:\program files\Microsoft Windows Vista Upgrade Advisor
2008-11-16 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Corporation
2008-11-15 21:28 --------- d-----w c:\program files\Microsoft Works
2008-11-14 22:50 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-11-14 22:34 --------- d-----w c:\program files\ATI Technologies
2008-11-14 21:48 --------- d-----w c:\documents and settings\Pumpkin\Application Data\AdobeUM
2008-11-14 21:47 --------- d-----w c:\program files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-02 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-04 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2005-06-24 95662]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"Profiler"="c:\program files\Saitek\Software\Profiler.exe" [2005-06-14 159744]
"SaiMfd"="c:\program files\Saitek\Software\SaiMfd.exe" [2005-06-17 126976]
"QuickTime Task"="c:\program files\Ringz Studio\Storm Codec\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-15 271672]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-12 1261336]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM 29696]
EPSON Status Monitor 3 Environment Check.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [9/18/2000 2:04:00 AM 121856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=darrhg.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/12/2009 7:08:00 PM 97928]
R3 SaiHFF0D;SaiHFF0D;c:\windows\system32\drivers\SaiHFF0D.sys [6/14/2006 1:36:34 PM 176000]
R3 SaiUFF0D;SaiUFF0D;c:\windows\system32\drivers\SaiUFF0D.sys [6/14/2006 1:36:40 PM 27136]
R4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [10/16/2008 3:25:54 PM 460168]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/12/2009 7:07:50 PM 231704]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/16/2008 10:08:33 PM 33752]
.
Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:15]

2009-01-12 c:\windows\Tasks\vlcthisz.job
- c:\windows\system32\rundll32.exe [2008-04-14 00:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0B2609CF-F19E-4918-A3B0-45BCAD218036} - (no file)
BHO-{339b8700-7a8c-48d9-9729-45114b7821a0} - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 19:34:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-823518204-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:c1,36,35,21,34,ec,81,df,3c,7f,88,e5,f3,ac,f2,93,ec,04,f5,91,6e,
ac,21,c7,e8,6c,30,d3,2a,b8,c8,1e,f9,f4,94,2e,7e,37,31,75,ea,32,1b,f3,03,2a,\
"rkeysecu"=hex:70,32,4b,90,04,0d,35,a6,86,7c,4a,80,ed,a8,e2,a5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\WgaTray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\update\update.exe
.
**************************************************************************
.
Completion time: 2009-01-12 19:38:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 19:38:04

Pre-Run: 14,752,714,752 bytes free
Post-Run: 14,931,841,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

213 --- E O F --- 2009-01-12 19:38:19




Milo

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:33 PM

Posted 13 January 2009 - 05:12 AM

Hi,

Almost done :thumbsup:

Please uninstall the Ask Toolbar via software > add & remove programs.
Reboot afterwards.
After reboot,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\Tasks\vlcthisz.job
c:\windows\system32\ffkuz.dll
Folder::
c:\temp\REX81
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
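The Registry:: section of the CFScript is written in the same REGEDIT4 notation ComboFix uses in its "Reg Loading Points" report: the two dword lines reset the Security Center DisableNotify flags the first ComboFix log showed set to 1 (those flags silence the "your antivirus is off / updates are off" warnings), and the AppInit_DLLs line keeps only AVG's avgrsstx.dll, dropping darrhg.dll. The Python below is an added example, not ComboFix code, and touches no real registry; it parses both fragments (copied from the logs in this thread), audits the before state, merges the CFScript values in and shows the audit clearing. The allowlist containing avgrsstx.dll and the reading of Registry:: as an overwrite of the named values are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed samples, copied from the ComboFix "Reg Loading Points" report
# and from the CFScript posted in this thread.
COMBOFIX_REG_REPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=darrhg.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

CFSCRIPT_REGISTRY_SECTION = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
WINDOWS_NT_WINDOWS = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
NOTIFY_FLAGS = ("AntiVirusDisableNotify", "UpdatesDisableNotify", "FirewallDisableNotify")
# Assumption for the example: the only DLL expected in AppInit_DLLs on this
# machine is the AVG 8 resident-shield hook named in the thread.
APPINIT_ALLOWLIST = {"avgrsstx.dll"}

Registry = Dict[str, Dict[str, object]]


def _decode(val: str) -> object:
    """REGEDIT4 value syntax: dword:<hex>, "quoted string", or (as ComboFix prints) bare text."""
    if val.startswith("dword:"):
        return int(val[len("dword:"):], 16)
    if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
        return val[1:-1]
    return val


def parse_regedit4(text: str) -> Registry:
    """Parse a REGEDIT4 fragment into {key (lower-cased): {value name: value}}."""
    reg: Registry = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()  # registry key names are case-insensitive
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            reg[key][m.group("name")] = _decode(m.group("val"))
    return reg


def audit(reg: Registry) -> List[str]:
    """Report the two conditions the helper's CFScript reverses."""
    findings: List[str] = []
    sc = reg.get(SECURITY_CENTER, {})
    for name in NOTIFY_FLAGS:
        if sc.get(name) == 1:
            findings.append(f"Security Center {name}=1: user is not warned that protection is off")
    appinit = str(reg.get(WINDOWS_NT_WINDOWS, {}).get("AppInit_DLLs", ""))
    for dll in re.split(r"[,\s]+", appinit):
        if dll and dll.lower() not in APPINIT_ALLOWLIST:
            findings.append(f"AppInit_DLLs: {dll} is not an allowed global-hook DLL")
    return findings


def apply_fix(reg: Registry, fix: Registry) -> Registry:
    """Merge a CFScript Registry:: section over the current state (overwrite
    semantics, assumed for the example) and return the result without mutating the input."""
    merged = {k: dict(v) for k, v in reg.items()}
    for key, values in fix.items():
        merged.setdefault(key, {}).update(values)
    return merged


if __name__ == "__main__":
    before = parse_regedit4(COMBOFIX_REG_REPORT)
    print("before:", audit(before))
    after = apply_fix(before, parse_regedit4(CFSCRIPT_REGISTRY_SECTION))
    print("after: ", audit(after))
```

The before audit produces three findings (two silenced Security Center warnings and the unknown darrhg.dll in AppInit_DLLs); after the CFScript values are merged it produces none, which is the state the helper expects to see confirmed in the next ComboFix log.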

#5 MiloMoonwalker

MiloMoonwalker
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 13 January 2009 - 05:41 AM

Hi...




ComboFix 09-01-11.04 - Pumpkin 2009-01-13 10:33:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.576 [GMT 0:00]
Running from: c:\documents and settings\Pumpkin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Pumpkin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\ffkuz.dll
c:\windows\Tasks\vlcthisz.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\REX81
c:\temp\REX81\BDF.log
c:\windows\system32\ffkuz.dll
c:\windows\Tasks\vlcthisz.job

.
((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-13 10:23 . 2009-01-13 10:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-01-12 19:08 . 2009-01-12 19:08 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-12 19:08 . 2009-01-12 19:08 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-12 19:07 . 2009-01-13 09:57 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-12 19:07 . 2009-01-12 19:18 <DIR> d-------- c:\documents and settings\Pumpkin\Application Data\AVGTOOLBAR
2009-01-12 19:07 . 2009-01-13 10:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-08 00:15 . 2009-01-08 00:15 <DIR> d-------- c:\documents and settings\Pumpkin\Application Data\Malwarebytes
2009-01-08 00:14 . 2009-01-08 00:15 <DIR> d-------- c:\program files\Malwarebytes
2009-01-08 00:14 . 2009-01-08 00:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-08 00:14 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 00:14 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 20:08 . 2009-01-07 20:08 95 --a------ c:\windows\wininit.ini
2009-01-07 19:54 . 2009-01-12 19:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-07 14:15 . 2009-01-13 10:34 <DIR> d-------- C:\Temp
2009-01-06 16:39 . 2006-11-17 05:40 18,804,736 --a------ c:\windows\system32\alsndmgr.cpl
2009-01-06 16:39 . 2006-12-08 15:20 10,528,768 --a------ c:\windows\system32\RTLCPL.exe
2009-01-06 16:39 . 2008-09-24 10:40 4,122,368 -ra------ c:\windows\system32\drivers\alcxwdm.sys
2009-01-06 16:39 . 2007-04-16 15:28 577,536 --a------ c:\windows\soundman.exe
2009-01-06 16:39 . 2006-10-18 02:53 147,456 --a------ c:\windows\system32\RtlCPAPI.dll
2009-01-06 16:39 . 2002-02-05 13:54 141,016 --a------ c:\windows\system32\alsndmgr.wav
2009-01-06 16:39 . 2006-08-01 15:02 49,152 --a------ c:\windows\system32\ChCfg.exe
2009-01-06 16:38 . 2006-07-31 11:19 315,392 --a------ c:\windows\alcupd.exe
2009-01-06 16:38 . 2006-07-31 11:27 217,088 --a------ c:\windows\alcrmv.exe
2009-01-06 13:50 . 2009-01-06 13:50 <DIR> d-------- c:\windows\system32\scripting
2009-01-06 13:50 . 2009-01-06 13:50 <DIR> d-------- c:\windows\system32\en
2009-01-06 13:50 . 2009-01-06 13:50 <DIR> d-------- c:\windows\system32\bits
2009-01-06 13:50 . 2009-01-06 13:50 <DIR> d-------- c:\windows\l2schemas
2009-01-06 13:45 . 2009-01-06 13:51 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-02 18:34 . 2009-01-13 00:15 183,112 --a------ c:\windows\system32\PnkBstrB.exe
2009-01-02 18:34 . 2009-01-13 00:15 138,184 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-01-02 18:34 . 2009-01-04 23:06 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-01-02 17:15 . 2009-01-02 17:15 <DIR> d-------- c:\documents and settings\Pumpkin\Application Data\Leadertech
2009-01-02 17:07 . 2009-01-02 17:07 <DIR> d-------- c:\program files\EA Games
2008-12-16 14:59 . 2008-12-16 14:59 <DIR> d-------- c:\documents and settings\Pumpkin\Application Data\Activision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 10:34 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-01-12 19:07 --------- d-----w c:\program files\AVG
2009-01-12 17:01 --------- d-----w c:\program files\MSN Messenger
2009-01-06 16:43 96,384 ----a-w c:\windows\system32\drivers\sptd4221.sys
2009-01-06 16:38 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-06 16:38 --------- d-----w c:\program files\Realtek AC97
2009-01-05 19:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-05 16:08 --------- d-----w c:\documents and settings\Pumpkin\Application Data\Azureus
2009-01-02 17:16 3,624 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-01-02 10:02 --------- d-----w c:\documents and settings\Pumpkin\Application Data\LimeWire
2008-12-02 19:35 --------- d-----w c:\program files\Kontiki
2008-12-01 19:38 --------- d-----w c:\program files\LimeWire
2008-11-22 08:57 --------- d-----w c:\program files\Vuze
2008-11-16 19:57 --------- d-----w c:\program files\Microsoft Windows Vista Upgrade Advisor
2008-11-16 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Corporation
2008-11-15 21:28 --------- d-----w c:\program files\Microsoft Works
2008-11-14 22:34 --------- d-----w c:\program files\ATI Technologies
2008-11-14 21:48 --------- d-----w c:\documents and settings\Pumpkin\Application Data\AdobeUM
2008-11-14 21:47 --------- d-----w c:\program files\Common Files\Adobe
2008-10-31 19:23 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-29 02:23 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-10-29 02:22 314,880 ----a-w c:\windows\system32\ati2dvag.dll
2008-10-29 02:11 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-10-29 02:11 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-10-29 02:11 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-10-29 02:11 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-10-29 02:10 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-10-29 02:10 10,973,184 ----a-w c:\windows\system32\atioglxx.dll
2008-10-29 02:09 585,728 ----a-w c:\windows\system32\ati2evxx.exe
2008-10-29 02:07 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-10-29 01:57 4,041,472 ----a-w c:\windows\system32\ati3duag.dll
2008-10-29 01:49 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-10-29 01:41 2,472,832 ----a-w c:\windows\system32\ativvaxx.dll
2008-10-29 01:25 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-10-29 01:21 389,120 ----a-w c:\windows\system32\atikvmag.dll
2008-10-29 01:19 44,032 ----a-w c:\windows\system32\atiadlxx.dll
2008-10-29 01:19 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-10-29 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-10-29 01:12 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-10-28 21:05 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-21 17:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-04 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2005-06-24 95662]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"Profiler"="c:\program files\Saitek\Software\Profiler.exe" [2005-06-14 159744]
"SaiMfd"="c:\program files\Saitek\Software\SaiMfd.exe" [2005-06-17 126976]
"QuickTime Task"="c:\program files\Ringz Studio\Storm Codec\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-15 271672]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-12 1261336]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
EPSON Status Monitor 3 Environment Check.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-09-18 121856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-12 97928]
R3 SaiHFF0D;SaiHFF0D;c:\windows\system32\drivers\SaiHFF0D.sys [2006-06-14 176000]
R3 SaiUFF0D;SaiUFF0D;c:\windows\system32\drivers\SaiUFF0D.sys [2006-06-14 27136]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-12 231704]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-16 33752]
.
Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 10:34:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-823518204-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:c1,36,35,21,34,ec,81,df,3c,7f,88,e5,f3,ac,f2,93,ec,04,f5,91,6e,
ac,21,c7,e8,6c,30,d3,2a,b8,c8,1e,f9,f4,94,2e,7e,37,31,75,ea,32,1b,f3,03,2a,\
"rkeysecu"=hex:70,32,4b,90,04,0d,35,a6,86,7c,4a,80,ed,a8,e2,a5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-13 10:36:21
ComboFix-quarantined-files.txt 2009-01-13 10:36:09

Pre-Run: 14,896,910,336 bytes free
Post-Run: 14,891,036,672 bytes free

205 --- E O F --- 2009-01-12 19:38:19



Thanks, milo
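
The "Reg Loading Points" section in the ComboFix log above is what a responder reads first when triaging autostart entries. As an added example (not ComboFix's own code and not part of the posted thread), the parser below turns those lines into structured records and flags two things worth a second look: a value that is a bare file name (ComboFix then prints the path it resolved to in place of the size, as with "SoundMan" above) and the same binary registered under more than one Run key (as with "kdx" above). The excerpt it parses is constructed from a shortened subset of the posted Run-key lines.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix or of the
posted log. The excerpt below is constructed from Run-key lines in the
log above (shortened), so the parser runs offline.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted log; not the full section.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-12 1261336]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]
"""

# A key header such as [HKEY_LOCAL_MACHINE\...\Run].
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
# A value line: "name"="value" [date size]  or, for a bare file name,
# "name"="value" [date resolved-path] as ComboFix prints it.
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)" '
    r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<tail>[^\]]+)\]$"
)


def parse_loading_points(text):
    """Return a list of dicts: key, name, value, date, size, resolved."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            tail = m.group("tail")
            size = int(tail) if tail.isdigit() else None
            entries.append({
                "key": key,
                "name": m.group("name"),
                "value": m.group("value"),
                "date": m.group("date"),
                "size": size,
                # When the value is a bare file name, ComboFix shows the
                # path it resolved to in place of the size.
                "resolved": m.group("value") if size is not None else tail,
            })
    return entries


def review(entries):
    """Flag what a responder checks first: bare names and duplicates."""
    findings = []
    keys_by_path = defaultdict(set)
    for e in entries:
        keys_by_path[e["resolved"].lower()].add(e["key"])
        if "\\" not in e["value"]:
            findings.append(
                f'{e["name"]}: bare file name "{e["value"]}" is found via the '
                f'search path (resolved to {e["resolved"]}); confirm it is the '
                f"intended binary"
            )
    for path, keys in keys_by_path.items():
        if len(keys) > 1:
            findings.append(
                f"{path}: registered under {len(keys)} Run keys "
                f"({'; '.join(sorted(keys))}); it is launched by each at logon"
            )
    return findings


if __name__ == "__main__":
    for finding in review(parse_loading_points(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed excerpt, it reports the bare "SOUNDMAN.EXE" value and the KHost.exe entry that appears under both the HKCU and HKLM Run keys; paste a real section in place of the excerpt to review a full log the same way.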

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:33 PM

Posted 13 January 2009 - 05:44 AM

Hi,

This looks OK again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 MiloMoonwalker

MiloMoonwalker
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 13 January 2009 - 11:47 AM

Hey man thanks for your help, I really appreciate it.

The one little thing is although the problem has been solved and I don't get that error message up anymore, I do get one single error sound that comes out of nowhere about 2 minutes after the computer has restarted. Do you know what this means? It's no big problem I suppose.

And if you have a chance, could you list me some vital applications that I can download from download.com to ultimately protect my PC?
You have opened my eyes to new programs and I would hate for this to happen again, e.g. what anti-virus is best, etc.


Anyway, again, thanks for your help - I will be recommending this site.

Milo

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:33 PM

Posted 13 January 2009 - 11:56 AM

I do get one single error sound that comes out of nowhere about 2 minutes after the computer has restarted. Do you know what this means? It's no big problem I suppose.

That could be anything since it only gives a sound. If everything is functioning properly, I wouldn't worry about this though.
What you can do is go to Start > Run and type: msconfig
This will open your system configuration tool.
Select the Startup tab.
In there, you'll see all programs starting up with Windows (the ones that are checked).
Uncheck them all except for your AVG.
Then reboot.
If the error disappears, then one of the programs you have unchecked is the culprit. So then it will be a matter of enabling them (checking) one by one in msconfig > startup again.

But as I said, I wouldn't worry about it too much though.

And if you have a chance, could you list me some vital applications that I can download from download.com to ultimately protect my pc?

I would rather recommend downloading software from the developer's site instead of download.com, because then you can be sure it's safe.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
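
The msconfig procedure in the reply above (uncheck everything except the antivirus, reboot, then re-enable items one at a time) is an isolation search. As an added example, not a BleepingComputer or Microsoft tool, the code below carries the same idea through as a halving search, which finds a single culprit in far fewer reboots than one-by-one re-enabling. The startup names are taken from the Run keys in the posted log; `find_culprit`, `reproduces` and `simulate` are hypothetical names, and `simulate` merely stands in for the human step of rebooting and listening for the error.

```python
"""Narrow down which startup program causes a symptom after reboot.

Added example for the msconfig advice above; it is not a BleepingComputer
or Microsoft tool. It turns 'uncheck everything, then re-enable one by one'
into a halving search. `reproduces` stands in for the manual step of
rebooting with a given set of items enabled and checking for the error.
"""

# Constructed from the Run-key names in the posted log.
STARTUP_ITEMS = [
    "ctfmon.exe", "swg", "kdx", "WMPNSCFG", "StormCodec_Helper",
    "SunJavaUpdateSched", "Profiler", "SaiMfd", "QuickTime Task",
    "iTunesHelper", "StartCCC", "AVG8_TRAY", "SoundMan",
]


def find_culprit(items, reproduces, keep_enabled=()):
    """Return (culprit, reboots), assuming a single culprit among `items`.

    `reproduces(enabled)` returns True when the symptom appears with exactly
    that set of items enabled. `keep_enabled` (the antivirus, in the advice
    above) is never disabled. Returns (None, reboots) when the symptom does
    not depend on the startup items at all.
    """
    keep = set(keep_enabled)
    # Reboot 1: with everything on, the symptom must be present at all.
    if not reproduces(set(items) | keep):
        return None, 1
    # Reboot 2: with only the kept items on, it must be gone; otherwise it
    # comes from something we are not allowed to disable, or from something
    # that is not a startup item, and bisecting would mislead.
    if reproduces(keep):
        return None, 2
    candidates = [i for i in items if i not in keep]
    reboots = 2
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        reboots += 1
        if reproduces(set(half) | keep):
            candidates = half                     # culprit is in the enabled half
        else:
            candidates = candidates[len(half):]   # culprit is in the other half
    return candidates[0], reboots


def simulate(culprit):
    """Constructed stand-in for the reboot-and-listen step."""
    return lambda enabled: culprit in enabled


if __name__ == "__main__":
    who, n = find_culprit(STARTUP_ITEMS, simulate("QuickTime Task"),
                          keep_enabled=["AVG8_TRAY"])
    print(f"culprit: {who}, found after {n} reboots")
```

With twelve candidate items the search needs six reboots in the simulated run (two sanity checks plus four halvings), where re-enabling one item per reboot could need up to twelve. The two sanity checks matter in practice: if the sound still occurs with everything unchecked, no amount of bisecting will find it among the startup items.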

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:33 PM

Posted 16 January 2009 - 05:45 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
