
Infected Antivirus 2009


  • This topic is locked
11 replies to this topic

#1 cardfan09

cardfan09

  • Members
  • 11 posts

Posted 12 January 2009 - 06:51 PM

Received a computer infected with Antivirus 2009, ran through some recommended procedures to remove it, i.e. Malwarebytes, Spybot and Ad-Aware. Still received warning messages in Explorer upon visiting AVG indicating "this site has malware, click to fix", obvious Antivirus 2009 warnings. Looked in add-ons and noticed winsystems.dll running; this was one of the files that were flagged as infected. Disabled the add-on, warnings went away. I re-enabled the add-on prior to this post to see if it showed itself to you guys.

I no longer receive any warnings but am not convinced the problem is solved... thanks for your help.


DDS (Ver_09-01-07.01) - NTFSx86
Run by Jerry at 17:28:12.71 on Mon 01/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.501 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Compal\Wireless Select Switch\WLSS.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Compal\Wow Video&Audio\WVAMain.exe
C:\Program Files\Compal\Smart Battery\SMBTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\AOL\1204218708\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1204218708\ee\AOLDesktop.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol toolbar\AolTbServer.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Jerry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: &Research: {0b014b81-4e12-46f9-806f-55867af8fd3c} - c:\windows\system32\winsystems.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [WLSS] c:\program files\compal\wireless select switch\WLSS.exe
mRun: [KTPWare] c:\program files\elantech\ktp.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Wow Video&Audio] c:\program files\compal\wow video&audio\WVAMain.exe
mRun: [SMBTray] c:\program files\compal\smart battery\SMBTray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [HostManager] c:\program files\common files\aol\1204218708\ee\AOLSoftware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [Cognac] c:\windows\temp\2.tmp.exe
StartupFolder: c:\docume~1\jerry\startm~1\programs\startup\aoldes~1.lnk - c:\program files\common files\aol\launch\aollaunch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2008-2-28 9856]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-12 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-12 26824]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [2008-2-28 27776]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-12 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-12 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-12 76040]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2008-2-27 32384]

=============== Created Last 30 ================


==================== Find3M ====================

2009-01-12 15:04 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 17:28:37.20 ===============


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 January 2009 - 06:14 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 cardfan09

cardfan09
  • Topic Starter

  • Members
  • 11 posts

Posted 13 January 2009 - 09:44 AM

Thanks Miekiemoes

results -

ComboFix 09-01-11.04 - Jerry 2009-01-13 8:35:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.571 [GMT -6:00]
Running from: c:\documents and settings\Jerry\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
E:\autorun.inf

----- BITS: Possible infected sites -----

hxxp://apexsearchgroup.info
.
((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-12 16:35 . 2009-01-12 16:35 <DIR> d-------- c:\program files\Trend Micro
2009-01-12 16:05 . 2009-01-12 16:05 <DIR> d-------- c:\program files\Lavasoft
2009-01-12 16:05 . 2009-01-12 16:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-12 16:04 . 2009-01-12 16:04 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-12 15:43 . 2009-01-12 16:02 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-12 15:38 . 2009-01-12 15:38 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-12 15:38 . 2009-01-12 15:38 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-12 15:37 . 2009-01-12 15:39 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-12 15:37 . 2009-01-12 15:37 <DIR> d-------- c:\program files\AVG
2009-01-12 15:37 . 2009-01-12 15:43 <DIR> d-------- c:\documents and settings\Jerry\Application Data\AVGTOOLBAR
2009-01-12 15:37 . 2009-01-12 15:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-12 15:37 . 2009-01-12 15:37 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-12 15:03 . 2009-01-12 15:03 <DIR> d-------- c:\windows\system32\scripting
2009-01-12 15:03 . 2009-01-12 15:03 <DIR> d-------- c:\windows\system32\en
2009-01-12 15:03 . 2009-01-12 15:03 <DIR> d-------- c:\windows\system32\bits
2009-01-12 15:03 . 2009-01-12 15:03 <DIR> d-------- c:\windows\l2schemas
2009-01-12 15:01 . 2009-01-12 15:01 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-12 14:58 . 2009-01-12 14:58 <DIR> d-------- c:\windows\EHome
2009-01-12 14:28 . 2009-01-12 14:48 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-12 14:28 . 2009-01-12 14:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-12 10:41 . 2009-01-12 10:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-12 10:41 . 2009-01-12 10:41 <DIR> d-------- c:\documents and settings\Jerry\Application Data\Malwarebytes
2009-01-12 10:41 . 2009-01-12 10:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-12 10:41 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-12 10:41 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-11 13:24 . 2004-08-04 00:56 24,576 --a------ c:\windows\system32\stu2.exe
2009-01-08 14:13 . 2009-01-08 14:13 <DIR> d-------- c:\program files\iTunes
2009-01-08 14:13 . 2009-01-08 14:13 <DIR> d-------- c:\program files\iPod
2009-01-08 14:13 . 2009-01-08 14:13 <DIR> d-------- c:\documents and settings\Jerry\Application Data\Apple Computer
2009-01-08 14:13 . 2009-01-08 14:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-08 14:13 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-08 14:13 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-08 14:12 . 2009-01-08 14:12 <DIR> d-------- c:\program files\Bonjour
2009-01-08 14:12 . 2009-01-08 14:12 <DIR> d-------- c:\program files\Apple Software Update
2009-01-08 14:12 . 2009-01-08 14:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-08 14:11 . 2009-01-08 14:11 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-08 14:11 . 2009-01-08 14:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-19 22:43 . 2003-01-10 15:13 33,588 -ra------ c:\windows\system32\drivers\wanatw4.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 20:15 --------- d-----w c:\program files\QuickTime
2008-12-07 17:08 --------- d-----w c:\documents and settings\Jerry\Application Data\Viewpoint
2008-11-22 15:37 --------- d-----w c:\program files\Common Files\AOL
2008-11-22 15:37 --------- d-----w c:\program files\AOL Toolbar
2008-11-22 15:37 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-22 15:36 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-27 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-27 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-27 137752]
"WLSS"="c:\program files\Compal\Wireless Select Switch\WLSS.exe" [2007-04-23 190000]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]
"Wow Video&Audio"="c:\program files\Compal\Wow Video&Audio\WVAMain.exe" [2007-05-03 951856]
"SMBTray"="c:\program files\Compal\Smart Battery\SMBTray.exe" [2007-06-04 521776]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"HostManager"="c:\program files\Common Files\AOL\1204218708\ee\AOLSoftware.exe" [2008-06-24 41824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-12 1261336]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.exe]

c:\documents and settings\Jerry\Start Menu\Programs\Startup\
AOL Desktop.lnk - c:\program files\Common Files\AOL\Launch\aollaunch.exe [2008-06-24 41824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-11 561213]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1204218708\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1204218708\\ee\\AOLDesktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2008-02-28 9856]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-12 97928]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [2008-02-28 27776]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-12 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-12 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-12 76040]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2008-02-27 32384]
.
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-11 c:\windows\Tasks\At1.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At10.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At11.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At12.job
- c:\windows\system32\5k655okh.exe []

2009-01-12 c:\windows\Tasks\At13.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At14.job
- c:\windows\system32\5k655okh.exe []

2009-01-12 c:\windows\Tasks\At15.job
- c:\windows\system32\5k655okh.exe []

2009-01-12 c:\windows\Tasks\At16.job
- c:\windows\system32\5k655okh.exe []

2009-01-12 c:\windows\Tasks\At17.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At18.job
- c:\windows\system32\5k655okh.exe []

2009-01-13 c:\windows\Tasks\At19.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At2.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At20.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At21.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At22.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At23.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At24.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At25.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At26.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At27.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At28.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At29.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At3.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At30.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At31.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At32.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At33.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At34.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At35.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At36.job
- c:\windows\system32\5k655okh.exe []

2009-01-12 c:\windows\Tasks\At37.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At38.job
- c:\windows\system32\5k655okh.exe []

2009-01-12 c:\windows\Tasks\At39.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At4.job
- c:\windows\system32\5k655okh.exe []

2009-01-12 c:\windows\Tasks\At40.job
- c:\windows\system32\5k655okh.exe []

2009-01-12 c:\windows\Tasks\At41.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At42.job
- c:\windows\system32\5k655okh.exe []

2009-01-13 c:\windows\Tasks\At43.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At44.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At45.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At46.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At47.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At48.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At5.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At6.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At7.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At8.job
- c:\windows\system32\5k655okh.exe []

2009-01-11 c:\windows\Tasks\At9.job
- c:\windows\system32\5k655okh.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{0B014B81-4E12-46F9-806F-55867AF8FD3C} - c:\windows\system32\winsystems.dll
HKLM-Run-KTPWare - c:\program files\Elantech\ktp.exe
HKLM-Run-NWEReboot - (no file)
HKU-Default-Run-Cognac - c:\windows\TEMP\2.tmp.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 08:36:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(1044)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-13 8:37:11
ComboFix-quarantined-files.txt 2009-01-13 14:37:09

Pre-Run: 112,498,171,904 bytes free
Post-Run: 112,600,674,304 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

269 --- E O F --- 2009-01-12 21:07:23

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 January 2009 - 10:00 AM

Hi,

Much better already... Just some leftovers to delete..

Go to start > run and type: cmd
A command prompt window will open.

In the command prompt window, type:

del c:\windows\Tasks\At*.job

Hit enter.

Then, go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Also, go to the next site:
http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the next file:

c:\windows\system32\stu2.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.
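The log section the helper acted on above is a good candidate for automated triage. The following is an added example, not code from this thread or from ComboFix: a small Python parser for the "Scheduled Tasks" section of a ComboFix log that groups job files by the executable they run and flags the pattern seen here (many At*.job entries all running one random-named file in system32 with no file date recorded). The sample log text is constructed from the entries posted above, and the random-name heuristic is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "Scheduled Tasks" section of the ComboFix
# log posted in this thread (the real log listed At1.job .. At48.job, all
# pointing at the same file).
SAMPLE_TASKS = """\
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\\windows\\Tasks\\AppleSoftwareUpdate.job
- c:\\program files\\Apple Software Update\\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-11 c:\\windows\\Tasks\\At1.job
- c:\\windows\\system32\\5k655okh.exe []

2009-01-11 c:\\windows\\Tasks\\At2.job
- c:\\windows\\system32\\5k655okh.exe []

2009-01-13 c:\\windows\\Tasks\\At43.job
- c:\\windows\\system32\\5k655okh.exe []
.
"""

# "<date> <path>\<name>.job" followed by "- <target> [<file date or empty>]"
JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")
AT_JOB_RE = re.compile(r"^at\d+\.job$", re.IGNORECASE)
# Heuristic (an assumption of this example, not a rule from the thread): a
# short alphanumeric basename that mixes letters and digits, like 5k655okh.exe.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{6,10}\.exe$")


def parse_tasks(text):
    """Return (job_name, target_path, stamp) for each task entry in the section."""
    lines = text.splitlines()
    entries = []
    for i, line in enumerate(lines[:-1]):
        m = JOB_RE.match(line.strip())
        if not m:
            continue
        t = TARGET_RE.match(lines[i + 1].strip())
        if t:
            job = m.group(2).rsplit("\\", 1)[-1]
            entries.append((job, t.group(1).lower(), t.group(2).strip()))
    return entries


def looks_random(path):
    """True when the executable's basename fits the random-name heuristic."""
    name = path.rsplit("\\", 1)[-1].lower()
    return (bool(RANDOM_NAME_RE.match(name))
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def analyze(text):
    """Group jobs by target and report targets that match the pattern seen here."""
    by_target = defaultdict(list)
    stamps = {}
    for job, target, stamp in parse_tasks(text):
        by_target[target].append(job)
        stamps[target] = stamp
    findings = []
    for target, jobs in by_target.items():
        reasons = []
        at_jobs = [j for j in jobs if AT_JOB_RE.match(j)]
        if stamps[target] == "":
            # ComboFix prints [] when it could not stamp the file: missing or hidden
            reasons.append("no file date recorded: target missing or hidden")
        if len(at_jobs) >= 2:
            reasons.append(f"{len(at_jobs)} At*.job entries run the same file")
        if looks_random(target):
            reasons.append("random-looking executable name")
        if reasons:
            findings.append({"target": target, "jobs": sorted(jobs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_TASKS):
        print(f["target"], f["jobs"], "; ".join(f["reasons"]))
```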

#5 cardfan09

cardfan09
  • Topic Starter

  • Members
  • 11 posts

Posted 13 January 2009 - 11:03 AM

Results from virustotal.com:



File stu2.exe received on 01.13.2009 16:49:27 (CET)
Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.13 -
AhnLab-V3 2009.1.13.3 2009.01.13 -
AntiVir 7.9.0.54 2009.01.13 -
Authentium 5.1.0.4 2009.01.13 -
Avast 4.8.1281.0 2009.01.13 -
AVG 8.0.0.229 2009.01.13 -
BitDefender 7.2 2009.01.13 -
CAT-QuickHeal 10.00 2009.01.12 -
ClamAV 0.94.1 2009.01.13 -
Comodo 927 2009.01.13 -
DrWeb 4.44.0.09170 2009.01.13 -
eSafe 7.0.17.0 2009.01.13 -
eTrust-Vet 31.6.6301 2009.01.10 -
F-Prot 4.4.4.56 2009.01.12 -
F-Secure 8.0.14470.0 2009.01.13 -
Fortinet 3.117.0.0 2009.01.13 -
GData 19 2009.01.13 -
Ikarus T3.1.1.45.0 2009.01.13 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.13 -
McAfee 5493 2009.01.12 -
McAfee+Artemis 5493 2009.01.12 -
Microsoft 1.4205 2009.01.13 -
NOD32 3762 2009.01.13 -
Norman 5.93.01 2009.01.13 -
Panda 9.5.1.2 2009.01.13 -
PCTools 4.4.2.0 2009.01.13 -
Prevx1 V2 2009.01.13 -
Rising 21.12.12.00 2009.01.13 -
SecureWeb-Gateway 6.7.6 2009.01.13 -
Sophos 4.37.0 2009.01.13 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.13 -
TheHacker 6.3.1.4.218 2009.01.13 -
TrendMicro 8.700.0.1004 2009.01.13 -
VBA32 3.12.8.10 2009.01.12 -
ViRobot 2009.1.13.1556 2009.01.13 -
VirusBuster 4.5.11.0 2009.01.13 -
Additional information
File size: 24576 bytes
MD5...: 39b1ffb03c2296323832acbae50d2aff
SHA1..: e5aedcbe25a97c89101f1f3860ff846e94d70445
SHA256: 5b5d71718108e132d10bafb0c217f469a1e3cc13f79ff8d9cbe3bf4918aff7b7
SHA512: ae81b19b8d778a368cf460016a9678676dfd7b8bfdeb236e8f87ef9a6c755323
227b340924d0713698350ce30bb0b3d09789c90897710cd48b3fe84ddca4a551

ssdeep: 384:DNkhB/JD1CzaxzOV6s9cKmdPGFQ273eLXVBYkkjuv1hkNLdbaLa4CwUJuUCS
F4WL:gJDUaxgu5YEVBxkjuv7wbaLa4PU4b7

PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10050e5
timedatestamp.....: 0x41107b78 (Wed Aug 04 06:00:24 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4db8 0x4e00 6.01 16aee663ed180007a0bf5bf24b845096
.data 0x6000 0x14c 0x200 1.86 cbb599f9267bf53209039d14a3574eb1
.rsrc 0x7000 0xb60 0xc00 3.27 b388ab1541ccd9727979fb26a23f72e1

( 7 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, NtQueryInformationToken, RtlConvertSidToUnicodeString
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, __setusermatherr, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _initterm, _adjust_fdiv
> KERNEL32.dll: GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, SetEnvironmentVariableW, lstrlenW, lstrcpyW, FreeLibrary, GetProcAddress, LoadLibraryW, CompareFileTime, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, ExpandEnvironmentStringsW, SetEvent, OpenEventW, Sleep, GetLastError, SearchPathW, CreateProcessW

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=39b1ffb03c2296323832acbae50d2aff

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 January 2009 - 11:13 AM

Hi,

This looks OK. :thumbsup:

Let me know in your next reply how things are now.

#7 cardfan09

cardfan09
  • Topic Starter

  • Members
  • 11 posts
  • Local time:03:25 PM

Posted 13 January 2009 - 02:17 PM

Looks like I still have some issues. When I go to windows update site I get Internet Explorer encountered a problem and needs to close. Event log states faulting application iexplorer.exe, version #, faulting module unknown.

Also, Windows stalls on standby, mouse moves, but screen is stuck on standby screen. Have to hard reboot?

#8 cardfan09

cardfan09
  • Topic Starter

  • Members
  • 11 posts
  • Local time:03:25 PM

Posted 13 January 2009 - 02:24 PM

Forgot to mention ...other websites load fine, just win updates. I thought windows installed a BHO for their site, but I don't see one installed.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:25 PM

Posted 13 January 2009 - 02:30 PM

Hi,

For the iexplore.exe issue, this could be an add-on causing this.
Please try again with add-ons disabled as you've already done previously.

> Also, Windows stalls on standby, mouse moves, but screen is stuck on standby screen. Have to hard reboot?

This may happen if some drivers are outdated or corrupted. Check your device manager and see if there are any yellow exclamation points.
On the other side, I have seen AVG causing this issue on some computers as well. The same for the Windows update site...

For the malware related problem...

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Edited by miekiemoes, 13 January 2009 - 02:31 PM.


#10 cardfan09

cardfan09
  • Topic Starter

  • Members
  • 11 posts
  • Local time:03:25 PM

Posted 15 January 2009 - 09:49 AM

miekiemoes, just wanted to say thanks for the help! ...still working on the other issues, but system is clean.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:25 PM

Posted 15 January 2009 - 09:59 AM

You're most welcome :thumbsup:

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:25 PM

Posted 16 January 2009 - 05:47 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.