
Brastk and buddies back again...


  • This topic is locked
19 replies to this topic

#1 mach430


  • Members
  • 27 posts
  • OFFLINE
  • Local time:04:38 PM

Posted 22 January 2009 - 04:32 PM

Previous post - http://www.bleepingcomputer.com/forums/t/190631/infected-with-easier-to-list-what-i-dont-have/ - Problem was fixed last week and has now returned. Appears to be the same.


Edit - Found g2mdlhlpx.exe, which was, to my knowledge, not previously on my PC. Will delete file and Citrix folder while waiting for reply.

Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:59 PM, on 1/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII.SP2c\RpcAgentSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Gateway\EzTune\DTHtml.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Garmin\gStart.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = google.net-studio.org
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [apimon] C:\WINDOWS\system32\zcfsvgvy.exe
O4 - HKCU\..\Run: [UtilApl] C:\WINDOWS\system32\bgvovsbk.exe
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAg...ctiveX/smsx.cab
O16 - DPF: {354D91A8-E3C9-491F-BB89-0FB27DEEED86} (ImgXTwain6.ImgXTwain) - https://eagent.farmersinsurance.com/PLA/eAg...ImgXTwain61.cab
O16 - DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} (ImgXDialog6.ImgXDialog) - https://eagent.farmersinsurance.com/PLA/eAg...mgXDialog61.cab
O16 - DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} (Atalasoft ImgXCtrl6.ImgXCtrl (CAB)) - https://eagent.farmersinsurance.com/PLA/eAg...iveX/ImgX61.cab
O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} (SpdTCtl Class) - http://speedtest.adelphia.net/customerdiag...TESTACTIVEX.CAB
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E228CDE-AC0A-42B4-803D-95198D3EFBA4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5106D11C-18C5-486F-9498-E25D92231CDB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0BA3F31-868A-4BC4-8B54-FE30B8985C81}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0A39218-5632-41CF-99A2-739DD85DD748}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: MPICH2 Process Manager, Argonne National Lab (mpich2_smpd) - Unknown owner - C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII.SP2c\RpcAgentSrv.exe

--
End of file - 11245 bytes


Please help, thanks


Edited by mach430, 22 January 2009 - 07:55 PM.
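The HijackThis log above is the evidence the thread works from. As an added triage example (not a BleepingComputer, Trend Micro or Malwarebytes tool), the Python script below parses the R0/O4 lines quoted from that log and flags the same entries the thread ends up acting on: per-user Run values launching unrecognised executables from system32, and an IE "Local Page" redirected to a remote host. The allowlist of known-good system32 binaries and the Trojan.FakeAlert label for brastk are assumptions drawn from this thread's own logs, not from any vendor database.

```python
"""Triage a HijackThis log for the autorun pattern seen in this thread.

Added example for this thread, not a BleepingComputer, Trend Micro or
Malwarebytes tool. It flags O4 Run entries that launch unrecognised
executables from system32 and an R0 "Local Page" pointing at a remote host.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the R0/O4 lines from the posted HijackThis log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = google.net-studio.org
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [apimon] C:\WINDOWS\system32\zcfsvgvy.exe
O4 - HKCU\..\Run: [UtilApl] C:\WINDOWS\system32\bgvovsbk.exe
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
"""

# Constructed allowlist (assumption): system32 components in this log that are
# legitimate Windows / NVIDIA binaries. Anything else run from system32 is reviewed.
KNOWN_SYSTEM32 = {"ctfmon", "narrator", "rundll32", "nvcpl", "nvmctray", "nwiz"}

# Name that MBAM quarantined later in this thread as Trojan.FakeAlert.
KNOWN_BAD = {"brastk"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK.*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\.*?\.(?:exe|dll|scr|com|pif))', re.IGNORECASE)


@dataclass
class Finding:
    name: str        # O4 value name, or the R0 setting name
    target: str      # executable / host the entry points to
    reasons: list


def consonant_run(stem: str) -> int:
    """Longest run of consonants; pseudo-random file names tend to score high."""
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def target_of(cmd: str) -> str:
    """First full path in the command (handles quoted paths and rundll32 payloads)."""
    m = PATH_RE.search(cmd)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0].strip('"') if parts else ""


def check_o4(m):
    target = target_of(m["cmd"])
    stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    in_system32 = "\\system32\\" in target.lower()
    reasons = []
    if stem in KNOWN_BAD:
        reasons.append("quarantined by MBAM as Trojan.FakeAlert")
    if in_system32 and stem not in KNOWN_SYSTEM32:
        reasons.append("unrecognised binary launched from system32")
    if not reasons:
        return None
    # Secondary reasons, only reported once the entry is already a candidate.
    if consonant_run(stem) >= 4:
        reasons.append("pseudo-random file name")
    if m["hive"].startswith("HKCU"):
        reasons.append("per-user Run key (no admin rights needed to set it)")
    return Finding(m["name"], target, reasons)


def looks_local(value: str) -> bool:
    """A legitimate Local Page is a local file or about: URL, not a host name."""
    v = value.strip().lower()
    return v.startswith(("about:", "%", "\\", "file:")) or re.match(r"^[a-z]:\\", v) is not None


def check_r(m):
    if m["name"].strip() != "Local Page" or looks_local(m["value"]):
        return None
    return Finding("Local Page", m["value"].strip(),
                   ["IE 'Local Page' redirected to a remote host instead of a local blank page"])


def triage(log_text: str) -> list:
    """Return findings in log order; unparsed or benign lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        f = check_o4(m) if m else None
        if f is None:
            m = R_RE.match(line)
            f = check_r(m) if m else None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.name}] {f.target}\n    " + "\n    ".join(f.reasons))
```

Running it against the full log would flag the same three HKCU Run values that MBAM and msconfig later show, while leaving the HKLM vendor entries and ctfmon.exe alone.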




#2 Hoov


  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:04:38 PM

Posted 01 February 2009 - 03:29 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Also please explain your problem as fully as possible. Each little detail will help in getting your system cleaned up and functional again.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scans:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.



* Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif

* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed, the scan is running.
* Notepad will open with the results, click no to the Optional_Scan
* Follow the instructions that pop up for posting the results.
* Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

After your response, someone will be with you soon.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#3 mach430

  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:04:38 PM

Posted 02 February 2009 - 10:48 AM

New DDS/Attach Logs. MBAM File to come.




#4 mach430

  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:04:38 PM

Posted 02 February 2009 - 11:36 AM

MBAM Log:
Malwarebytes' Anti-Malware 1.33
Database version: 1715
Windows 5.1.2600 Service Pack 3

2/2/2009 8:36:09 AM
mbam-log-2009-02-02 (08-36-09).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 158377
Time elapsed: 43 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


---

After running MBAM, bratsk, bgvovsbk, and acfsvgvy are still in my msconfig.

Thank you for continuing to help.

Edited by mach430, 02 February 2009 - 11:37 AM.


#5 Hoov


  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:04:38 PM

Posted 03 February 2009 - 07:48 PM

Can you do a screenshot of the msconfig panel that still has these entries? Are you seeing any problems, or is this just remnants of the old infection?

#6 mach430

  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:04:38 PM

Posted 04 February 2009 - 10:38 AM

This is identical to the old problem, which appeared to be completely removed when Chrissy helped me in the previous post mentioned at the beginning of this thread. Approximately 1 week later, I noticed that it was back. Whether it is the same problem or a new one, I could not say.

I have not noticed any irregularities in the computer operating.

http://img440.imageshack.us/img440/340/21940883dl8.th.jpg




#7 Hoov


  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:04:38 PM

Posted 04 February 2009 - 10:55 AM

Run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

But before running it, reboot into safe mode.

#8 mach430

  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:04:38 PM

Posted 04 February 2009 - 11:27 AM

ComboFix 09-02-03.01 - Ben 2009-02-04 8:16:43.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.3001 [GMT -8:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-01-24 21:29 . 2009-01-24 21:29 <DIR> d-------- c:\program files\Ventrilo
2009-01-24 21:29 . 2009-01-24 21:29 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-01-17 09:09 . 2009-01-17 09:09 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-17 08:58 . 2009-01-17 09:05 <DIR> d-------- c:\documents and settings\Ben\.SunDownloadManager
2009-01-17 08:57 . 2009-01-17 08:57 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-17 08:54 . 2009-01-17 15:48 <DIR> d-------- c:\program files\NOS
2009-01-17 08:54 . 2009-01-17 15:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-13 10:17 . 2009-01-13 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-12 11:48 . 2009-01-12 11:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-09 18:00 . 2009-01-09 18:00 <DIR> d-------- c:\windows\nview
2009-01-09 18:00 . 2009-01-09 18:00 <DIR> d-------- c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
2009-01-09 18:00 . 2009-02-04 07:13 201,151 --a------ c:\windows\system32\nvapps.xml
2009-01-08 16:00 . 2009-01-08 16:00 <DIR> d-------- c:\windows\system32\AGEIA
2009-01-08 16:00 . 2009-01-08 16:00 <DIR> d-------- c:\program files\AGEIA Technologies
2009-01-08 15:59 . 2009-01-24 21:29 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-08 15:57 . 2009-01-08 15:57 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-01-08 15:57 . 2009-01-08 15:57 <DIR> d-------- c:\documents and settings\Ben\Application Data\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 21:58 --------- d-----w c:\program files\Steam
2009-02-03 16:28 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-29 18:06 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-29 18:05 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-29 18:05 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-25 05:31 --------- d-----w c:\documents and settings\Ben\Application Data\Ventrilo
2009-01-17 17:09 --------- d-----w c:\program files\Java
2009-01-17 16:57 --------- d-----w c:\program files\Common Files\Adobe
2009-01-16 18:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-15 00:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 00:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-02 05:21 --------- d-----w c:\documents and settings\Ben\Application Data\GARMIN
2009-01-02 05:21 --------- d-----w c:\documents and settings\All Users\Application Data\GARMIN
2009-01-02 05:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-29 05:15 --------- d-----w c:\documents and settings\Ben\Application Data\Malwarebytes
2008-12-29 05:15 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-29 05:03 --------- d-----w c:\program files\Exterminate It!
2008-12-28 23:51 --------- d-----w c:\documents and settings\Ben\Application Data\TeamViewer
2008-12-28 23:25 --------- dc-h--w c:\documents and settings\All Users\Application Data\~0
2008-12-28 23:12 --------- d-----w c:\documents and settings\Ben\Application Data\Uniblue
2008-12-26 08:08 801,312 ----a-w c:\windows\system32\nvcplui.exe
2008-12-26 08:08 453,152 ----a-w c:\windows\system32\nvudisp.exe
2008-12-24 05:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-01-25 16:50 22,328 ----a-w c:\documents and settings\Ben\Application Data\PnkBstrK.sys
2005-05-31 23:33 33,992 ----a-w c:\documents and settings\Ben\Application Data\GDIPFONTCACHEV1.DAT
2008-09-21 22:54 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"gStart"="c:\garmin\gStart.exe" [2008-08-13 1891416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ai Nap"="c:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
"CPU Power Monitor"="c:\program files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe" [2007-10-16 626176]
"Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-29 1601304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT GWY"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-09 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-17 136600]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-08-31 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 10:05 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PersTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PersTray.lnk
backup=c:\windows\pss\PersTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT GWY]
--a------ 2007-10-09 16:45 81920 c:\program files\Common Files\Portrait Displays\Shared\DT_Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
--a------ 2006-07-14 12:36 107008 c:\program files\eFax Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 16:24 50760 c:\program files\Common Files\AOL\1141980085\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 20:52 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-07-07 15:15 600896 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a------ 2006-02-17 08:59 124520 c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a------ 2006-07-07 15:14 576320 c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2005-11-03 16:38 36864 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-10-07 13:33 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-09-04 19:25 81920 c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PivotSoftware]
--a------ 2007-02-09 11:17 694008 c:\program files\Portrait Displays\Pivot Software\wpCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2008-02-29 02:12 76304 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2008-02-29 02:12 76304 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2004-11-15 02:20 77824 c:\windows\SOUNDMAN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"brastk"=c:\windows\system32\brastk.exe
"apimon"=c:\windows\system32\zcfsvgvy.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\mach430\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1141980085\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1141980085\\ee\\aim6.exe"=
"c:\\Program Files\\Steam\\SteamApps\\mach430\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Folding@Home Windows SMP Client V1.01\\mpiexec.exe"=
"c:\\Program Files\\Folding@Home Windows SMP Client V1.01\\smpd.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP2c\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\SteamApps\\mach430\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-28 325128]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-28 298264]
S2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files\Folding@Home Windows SMP Client V1.01\smpd.exe [2008-05-28 1135616]
S2 MtxVideo;Matrox WDM capture/crossbar driver;c:\windows\system32\drivers\mtxvideo.sys [2005-05-24 103296]
S2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Professional Business XII.SP2c\RpcAgentSrv.exe [2008-05-30 98488]
S3 BULKUSB;Plantronics USB Bulk Driver;c:\windows\system32\drivers\USBPLANT.sys [2005-05-24 10756]
S3 G200;G200;c:\windows\system32\drivers\G200m.sys [2005-05-24 320384]
S3 uisp;Motorola USB ICP driver;c:\windows\system32\Drivers\usbicp.sys --> c:\windows\system32\Drivers\usbicp.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacd5cc2-cc70-11d9-a079-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uLocal Page = google.net-studio.org
uStart Page = www.yahoo.com/
uInternet Settings,ProxyOverride = localhost;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4E228CDE-AC0A-42B4-803D-95198D3EFBA4} = 208.67.220.220,208.67.222.222
TCP: {5106D11C-18C5-486F-9498-E25D92231CDB} = 208.67.220.220,208.67.222.222
TCP: {A0BA3F31-868A-4BC4-8B54-FE30B8985C81} = 208.67.220.220,208.67.222.222
TCP: {B0A39218-5632-41CF-99A2-739DD85DD748} = 208.67.220.220,208.67.222.222
DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} - hxxp://speedtest.adelphia.net/customerdiag/speedtest/SPEEDTESTACTIVEX.CAB
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\2q3wqm7p.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\2q3wqm7p.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 08:20:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\TelnetServer\1.0\ReadConfig]
@DACL=(02 0000)
"Defaults"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(252)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-02-04 8:22:01
ComboFix-quarantined-files.txt 2009-02-04 16:21:39
ComboFix2.txt 2009-02-04 16:11:13
ComboFix3.txt 2009-01-14 22:28:54

Pre-Run: 99,084,926,976 bytes free
Post-Run: 99,066,290,176 bytes free

274 --- E O F --- 2009-02-02 15:21:49

#9 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 04 February 2009 - 12:17 PM

Well it looks as if it didn't come back.

Please download RunScanner
  • Save it to a folder you create such as C:\Runscanner (this assumes Windows is installed on your C: drive).
  • Launch Runscanner by double-clicking runscanner.exe within the C:\Runscanner folder.
  • Vista users must also click Continue to open Runscanner when prompted by User Account Control (UAC)
  • Check Beginner Mode
  • Click Scan computer
  • You will see a "Runscanner scan in progress" window displayed while Runscanner scans your system.
  • At the conclusion of the scan, save the run file called runscanner.run to your documents folder or directly to the Runscanner folder. This is the file you will need to upload.
  • A runscanner.log file will automatically open in Notepad. Just close the Notepad window, because it is ONLY the runscanner.run file that we are interested in.
  • Next, zip up the runscanner.run file that you just saved.
  • I want you to upload the zipped runscanner.run file as an attachment in your next reply
  • To do that you need to use the browse button just below and to the left of the text box in your next reply.
  • Browse to the zipped RUN file location and then click the "open" button to attach the file.
  • I will review the run file, and then upload it back to you with items marked for deletion.
  • Please await my directions and the returned RUN file, and do not delete anything in the interim

Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

#10 mach430

  • Topic Starter
  • Members
  • 27 posts

Posted 04 February 2009 - 12:52 PM

Hmm... I'm confused as to how it disappeared from my MSConfig for at least a week and has now reappeared.

See attached,
Thank you

#11 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 04 February 2009 - 01:06 PM

I am not sure how or why they came back. So let's go the easiest route. Download Startup Control Panel (the control panel version, not the stand-alone version) and run it. It will install. First you need to disable Spybot's Teatimer. Then go to the control panel and run the startup control panel. Look through the tabs and see if those three files show up. When you find them, right click on them and select delete. Once all three are gone, reboot your computer and see if they are back. If they are not, re-enable Teatimer and reboot again. Check to see if the entries are back. Let me know.

#12 mach430

  • Topic Starter
  • Members
  • 27 posts

Posted 04 February 2009 - 01:49 PM

Lol, one of the steps we took earlier must have removed it. I cannot find it when running the control panel or when going to msconfig directly. Will continue to monitor over the next couple of days and report if clear or not.

Is it possible that disabling teatimer or anything removed it?

Thanks!

#13 mach430

  • Topic Starter
  • Members
  • 27 posts

Posted 04 February 2009 - 01:51 PM

After reenabling TeaTimer, the entries have returned. Is it possible that they are saved in TeaTimer?

Here's what is listed in TeaTimer:

1/22/2009 4:20:41 PM Allowed (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
1/22/2009 4:20:45 PM Denied (based on user blacklist) value "brastk" (new data: "") deleted in System Startup user entry!
1/22/2009 4:20:46 PM Denied (based on user blacklist) value "apimon" (new data: "") deleted in System Startup user entry!
1/22/2009 5:01:21 PM Denied (based on user blacklist) value "apimon" (new data: "") deleted in System Startup user entry!
1/22/2009 5:01:21 PM Denied (based on user blacklist) value "UtilApl" (new data: "") deleted in System Startup user entry!
1/22/2009 5:01:21 PM Denied (based on user blacklist) value "brastk" (new data: "") deleted in System Startup user entry!
1/23/2009 7:34:44 AM Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/23/2009 2:57:32 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/23/2009 3:45:34 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/23/2009 6:31:36 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/23/2009 8:41:38 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/24/2009 9:47:32 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/24/2009 11:50:29 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/24/2009 9:24:17 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/25/2009 8:31:47 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/25/2009 1:29:21 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/25/2009 7:03:06 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/26/2009 8:02:01 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/26/2009 1:49:37 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/27/2009 7:38:34 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/27/2009 10:49:51 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/28/2009 7:31:25 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/28/2009 10:09:51 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/28/2009 1:46:36 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/28/2009 4:44:05 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/29/2009 7:39:00 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/29/2009 10:04:42 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/29/2009 10:05:00 AM Allowed (based on user decision) value "avgrsstarter" (new data: "") added in Winlogon Notifiers!
1/29/2009 2:08:19 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/29/2009 9:09:20 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/30/2009 7:09:38 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/30/2009 7:51:04 AM Denied (based on user blacklist) value "brastk" (new data: "") deleted in System Startup user entry!
1/30/2009 1:27:55 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/31/2009 9:26:25 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/31/2009 3:59:48 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/31/2009 4:27:37 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
2/1/2009 10:42:44 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
2/1/2009 2:54:29 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
2/2/2009 7:20:41 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
2/2/2009 8:36:09 AM Denied (based on user blacklist) value "brastk" (new data: "") deleted in System Startup user entry!
2/2/2009 2:36:59 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
2/3/2009 8:00:57 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
2/3/2009 1:27:59 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
2/3/2009 3:48:21 PM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
2/4/2009 7:18:04 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
2/4/2009 10:51:16 AM Denied (based on user blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
2/4/2009 10:51:16 AM Denied (based on user blacklist) value "apimon" (new data: "") deleted in System Startup user entry!
2/4/2009 10:51:16 AM Denied (based on user blacklist) value "UtilApl" (new data: "") deleted in System Startup user entry!
2/4/2009 10:51:16 AM Denied (based on user blacklist) value "brastk" (new data: "") deleted in System Startup user entry!
2/4/2009 10:51:24 AM Allowed (based on user decision) value "DisableCMD" (new data: "") deleted in Disable Command!
2/4/2009 10:51:24 AM Denied (based on user blacklist) value "NoFind" (new data: "") deleted in Disable Find!

Edited by mach430, 04 February 2009 - 01:53 PM.


#14 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 04 February 2009 - 02:42 PM

If you had asked me that question 2 days ago I would have said No, but yesterday I ran into the same problem with another user, and we found out the answer is yes. Here is what you need to do:

To reset TeaTimer so that it does not remember any previous entries:

1. Edit the entries that TeaTimer uses to automatically "Allow" or "Deny" changes that were based on the use of "Remember this decision" as follows:

   * Right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) buttons across the top of the "White & Black List":
     o Allowed processes
     o Blocked processes
     o Allowed registry changes
     o Blocked registry changes

   Note: If you don't see all four buttons, try expanding the window to the right.

   * The entries that you should review are in "Allowed registry changes" and "Blocked registry changes". You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete and then clicking the "OK" button when you're done. This will in effect make TeaTimer forget what you told it to remember, so that during future changes to these items TeaTimer will issue a pop-up dialog rather than just a notification pop-up.

2. Reset TeaTimer's snapshot files:

   * TeaTimer takes snapshots of Registry entries and compares these with the Registry at startup. Until these snapshots are updated you are likely to get pop-ups (at startup) of changes you made in the past. In other words, TeaTimer attempts to return the Registry to the state it was in when the snapshot was taken. This happens primarily when you reboot the system. To refresh TeaTimer's snapshot files:
     o Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
       + TeaTimer closes.
       + TeaTimer's snapshot files are refreshed at this time.
     o Restart TeaTimer:
       + Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
       + Double click TeaTimer.exe to start it.
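An added illustration of the pattern in posts #13 and #14 (my own code, not from the thread, Spybot or BleepingComputer): it parses TeaTimer log lines of the kind mach430 pasted and reports which registry values keep being re-handled, so a repeatedly "deleted" blacklist entry stands out as something being recreated between reboots rather than a live infection. The sample lines are taken from that log; the regex group names and the function names are my own.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: lines taken from the TeaTimer log pasted in post #13.
SAMPLE_LOG = r"""
1/22/2009 4:20:41 PM Allowed (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
1/22/2009 4:20:45 PM Denied (based on user blacklist) value "brastk" (new data: "") deleted in System Startup user entry!
1/22/2009 4:20:46 PM Denied (based on user blacklist) value "apimon" (new data: "") deleted in System Startup user entry!
1/23/2009 7:34:44 AM Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
1/29/2009 10:05:00 AM Allowed (based on user decision) value "avgrsstarter" (new data: "") added in Winlogon Notifiers!
1/30/2009 7:51:04 AM Denied (based on user blacklist) value "brastk" (new data: "") deleted in System Startup user entry!
2/2/2009 8:36:09 AM Denied (based on user blacklist) value "brastk" (new data: "") deleted in System Startup user entry!
2/4/2009 10:51:16 AM Denied (based on user blacklist) value "apimon" (new data: "") deleted in System Startup user entry!
2/4/2009 10:51:16 AM Denied (based on user blacklist) value "brastk" (new data: "") deleted in System Startup user entry!
2/4/2009 10:51:24 AM Allowed (based on user decision) value "DisableCMD" (new data: "") deleted in Disable Command!
"""

# One TeaTimer line as the thread shows them; the group names are my own labels.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<verdict>Allowed|Denied) \(based on (?P<basis>[^)]+)\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>[^"]*)"\) '
    r'(?P<action>added|deleted|changed) in (?P<location>.+?)!\s*$'
)

def parse_line(line):
    """Return one event dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    stamp = f"{ev.pop('date')} {ev.pop('time')}"
    ev["when"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
    return ev

def parse_log(text):
    """Parse every recognisable line; blank or malformed lines are skipped."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def summarize(events):
    """Per value name: verdict totals, (verdict, action) counts, first/last time."""
    out = {}
    for ev in events:
        s = out.setdefault(ev["name"], {"Allowed": 0, "Denied": 0, "actions": Counter(),
                                        "first": ev["when"], "last": ev["when"]})
        s[ev["verdict"]] += 1
        s["actions"][(ev["verdict"], ev["action"])] += 1
        s["first"] = min(s["first"], ev["when"])
        s["last"] = max(s["last"], ev["when"])
    return out

def recurring_denials(events, min_count=2):
    """Names whose identical Denied action repeats at least min_count times,
    most frequent first, as (name, action, count).

    A repeated 'deleted' denial means the value existed again before each
    event, so something keeps recreating it between reboots (in this thread,
    TeaTimer's own registry snapshot restored it and the blacklist then removed
    it again, as post #14 explains).  A repeated 'added' denial means something
    keeps trying to create the value; on its own that is not a sign of infection."""
    hits = Counter((ev["name"], ev["action"]) for ev in events if ev["verdict"] == "Denied")
    found = [(n, a, c) for (n, a), c in hits.items() if c >= min_count]
    return sorted(found, key=lambda t: (-t[2], t[0]))

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for name, action, count in recurring_denials(evs):
        print(f"{name}: denied '{action}' {count} times -> entry keeps coming back")
    for name, s in summarize(evs).items():
        print(name, dict(s["actions"]), s["first"].date(), "to", s["last"].date())
```

Run against the full log from post #13, the same two names (brastk and apimon) dominate the repeated deletions while ctfmon.exe shows only repeated additions, which is the split Hoov's reset procedure is meant to clear.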

#15 mach430

  • Topic Starter
  • Members
  • 27 posts

Posted 04 February 2009 - 03:08 PM

All Clear, Thank you.

Edited by mach430, 04 February 2009 - 03:15 PM.