
Infected with Trojan.Agent.AWDE


  • This topic is locked
8 replies to this topic

#1 DenPar

  • Members
  • 13 posts

Posted 26 January 2009 - 01:01 AM

My free spyware tells me that this is serious. It wants me to remove the file: C:\WINDOWS\SYSTEM32\DIGESTE.DLL. Everything I've read warns me not to mess with this. I don't know what to do.

I was on a website which I can't remember, some movie site. Anyway, every time I try to adjust the volume control of my computer, I get a beep and the computer stops and restarts.

My spyware is Spyware Doctor. Below is the full message in Activity History:

Threat Name: Trojan.Agent.AWDE
Details: Spyware Doctor has blocked an application attempting to access a file.
Risk Level: Medium
Infection: C:\WINDOWS\SYSTEM32\DIGESTE.DLL


DDS (Ver_09-01-19.01) - NTFSx86
Run by Dennis Parmenter at 23:43:29.54 on Sun 01/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_04
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.972 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe
C:\Program Files\StorageSync\StrgSync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dennis Parmenter\Local Settings\Temporary Internet Files\Content.IE5\A9FHR9AR\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uWindow Title = Microsoft Internet Explorer presented by Comcast
mWindow Title = Microsoft Internet Explorer presented by Comcast
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3EE5C0A4-C6FD-4A6A-91BB-3FD8BE70B5CC} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [StrgSync.exe] c:\program files\storagesync\StrgSync.exe -w
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Easy Dock]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
TCP: {F5D0E0E7-DD30-4778-8BB7-DA0E14ECCFC8} = 66.174.92.14 66.174.95.44
Notify: efccvtmj - efcCvTmj.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\efcCvTmj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-16 40840]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-7-20 28544]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-16 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-16 81288]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-1-16 160792]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-2-13 29952]
R3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-2-13 41856]
R3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-2-13 39936]
R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-2-13 59520]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-2-26 29183504]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-16 356920]
R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-16 1079176]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2009-01-25 21:20 <DIR> --d----- c:\docume~1\dennis~1\applic~1\MalwareRemovalBot
2009-01-25 21:03 <DIR> --d----- c:\program files\common files\Download Manager
2009-01-25 20:25 <DIR> --d----- c:\program files\Enigma Software Group
2009-01-25 17:13 <DIR> --d----- c:\docume~1\dennis~1\applic~1\cogad
2009-01-25 17:12 1,968 a------- c:\windows\system32\geBtrRhe.dll
2009-01-25 17:12 20,480 a------- c:\windows\system32\digeste.dll
2009-01-16 13:40 3,606 a------- c:\windows\system32\PerfStringBackup.TMP
2009-01-16 13:38 160,792 a------- c:\windows\system32\drivers\pctfw2.sys
2009-01-16 13:38 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-16 13:38 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-16 13:38 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-16 13:38 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-16 13:38 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-16 13:38 <DIR> --d----- c:\docume~1\dennis~1\applic~1\PC Tools
2009-01-16 13:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2008-12-31 13:36 <DIR> --d----- C:\My Recordings
2008-12-31 13:24 82 a------- c:\windows\EasyRip.ini

==================== Find3M ====================

2009-01-25 21:43 1,942 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-04-18 05:46 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-03-04 08:50 56,912 a------- c:\documents and settings\dennis parmenter\g2mdlhlpx.exe
2006-09-07 07:45 228 a------- c:\docume~1\dennis~1\applic~1\wklnhst.dat
2007-04-18 06:42 88 ---shr-- c:\windows\system32\ABF924EFB7.sys
2008-08-02 09:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080220080803\index.dat

============= FINISH: 23:44:55.40 ===============


#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 January 2009 - 03:43 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 DenPar

  • Topic Starter

  • Members
  • 13 posts

Posted 26 January 2009 - 09:54 PM

Here's the log...thank you very much for your help.

ComboFix 09-01-21.04 - Dennis Parmenter 2009-01-26 20:37:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.990 [GMT -6:00]
Running from: c:\documents and settings\Dennis Parmenter\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Starware337
c:\documents and settings\All Users\Application Data\Starware337\buttons\epiRSS.bmp
c:\documents and settings\All Users\Application Data\Starware337\buttons\epiRSS.png
c:\documents and settings\All Users\Application Data\Starware337\buttons\epiSearch.bmp
c:\documents and settings\All Users\Application Data\Starware337\buttons\epiSearch.png
c:\documents and settings\All Users\Application Data\Starware337\buttons\FindIt.bmp
c:\documents and settings\All Users\Application Data\Starware337\buttons\FindItHot.bmp
c:\documents and settings\All Users\Application Data\Starware337\buttons\findithotxp.png
c:\documents and settings\All Users\Application Data\Starware337\buttons\finditxp.png
c:\documents and settings\All Users\Application Data\Starware337\buttons\Highlight.bmp
c:\documents and settings\All Users\Application Data\Starware337\buttons\HighlightHot.bmp
c:\documents and settings\All Users\Application Data\Starware337\buttons\highlighthotxp.png
c:\documents and settings\All Users\Application Data\Starware337\buttons\highlightxp.png
c:\documents and settings\All Users\Application Data\Starware337\buttons\Reference.bmp
c:\documents and settings\All Users\Application Data\Starware337\buttons\ReferenceHot.bmp
c:\documents and settings\All Users\Application Data\Starware337\buttons\referencehotxp.png
c:\documents and settings\All Users\Application Data\Starware337\buttons\referencexp.png
c:\documents and settings\All Users\Application Data\Starware337\buttons\starware_toolbar_icon.bmp
c:\documents and settings\All Users\Application Data\Starware337\buttons\Weather.bmp
c:\documents and settings\All Users\Application Data\Starware337\buttons\weatherhotxp.png
c:\documents and settings\All Users\Application Data\Starware337\buttons\weatherxp.png
c:\documents and settings\All Users\Application Data\Starware337\contexts\error.xml
c:\documents and settings\All Users\Application Data\Starware337\contexts\related.xml
c:\documents and settings\All Users\Application Data\Starware337\contexts\travel.xml
c:\documents and settings\Dennis Parmenter\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Starware337
c:\program files\Starware337\brand.bmp
c:\program files\Starware337\icons\star_16.ico
c:\program files\Starware337\Starware337Config.xml
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\setup.exe
c:\windows\system32\digeste.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-25 21:20 . 2009-01-25 21:20 <DIR> d-------- c:\documents and settings\Dennis Parmenter\Application Data\MalwareRemovalBot
2009-01-25 21:03 . 2009-01-25 21:03 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-25 20:25 . 2009-01-25 20:25 <DIR> d-------- c:\program files\Enigma Software Group
2009-01-25 17:13 . 2009-01-25 17:13 <DIR> d-------- c:\documents and settings\Dennis Parmenter\Application Data\cogad
2009-01-25 17:12 . 2009-01-25 17:12 1,968 --a------ c:\windows\system32\geBtrRhe.dll
2009-01-16 13:40 . 2009-01-16 13:40 3,606 --a------ c:\windows\system32\PerfStringBackup.TMP
2009-01-16 13:38 . 2009-01-26 17:43 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-16 13:38 . 2009-01-16 13:38 <DIR> d-------- c:\documents and settings\Dennis Parmenter\Application Data\PC Tools
2009-01-16 13:38 . 2009-01-16 13:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-16 13:38 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-01-16 13:38 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-16 13:38 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-16 13:38 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-16 13:38 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-12 16:07 . 2009-01-12 17:54 <DIR> d-------- c:\documents and settings\Dennis Parmenter\Application Data\U3
2009-01-07 17:08 . 2009-01-07 17:08 <DIR> d-------- c:\documents and settings\Dennis Parmenter\Application Data\AdobeUM
2008-12-31 13:36 . 2008-12-31 13:36 <DIR> d-------- C:\My Recordings
2008-12-31 13:24 . 2008-12-31 14:12 82 --a------ c:\windows\EasyRip.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 02:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-26 23:18 1,942 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-01-16 19:39 --------- d-----w c:\program files\Common Files\PC Tools
2009-01-16 19:21 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-12-24 20:08 --------- d-----w c:\program files\FileOpen
2008-12-24 20:08 --------- d-----w c:\documents and settings\Dennis Parmenter\Application Data\FileOpen
2008-12-24 20:08 --------- d-----w c:\documents and settings\All Users\Application Data\FileOpen
2008-12-21 16:13 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-04-18 11:46 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-03-04 14:50 56,912 ----a-w c:\documents and settings\Dennis Parmenter\g2mdlhlpx.exe
2006-09-07 13:45 228 ----a-w c:\documents and settings\Dennis Parmenter\Application Data\wklnhst.dat
2007-04-18 12:42 88 --sh--r c:\windows\system32\ABF924EFB7.sys
2008-08-02 15:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080220080803\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-09 6746112]
"Act.Outlook.Service"="c:\program files\ACT\ACT for Windows\Act.Outlook.Service.exe" [2007-03-28 9728]
"Act! Preloader"="c:\program files\ACT\ACT for Windows\ActSage.exe" [2007-03-28 1015808]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-07 3032576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-09 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-10-14 21:38 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-29 15:33 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-06-29 15:33 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVTunerLib]
--a------ 2005-02-16 19:41 245760 c:\program files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2005-06-29 14:25 14720000 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"SysmonLog"=3 (0x3)
"SSDPSRV"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RDSessMgr"=3 (0x3)
"Nla"=3 (0x3)
"Netlogon"=3 (0x3)
"mnmsrvc"=3 (0x3)
"lanmanserver"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-07-20 28544]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-01-16 160792]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-02-13 29952]
R3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-02-13 41856]
R3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-02-13 39936]
R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-02-13 59520]
R4 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-16 356920]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S1 cbbc0252;cbbc0252;c:\windows\system32\drivers\cbbc0252.sys --> c:\windows\system32\drivers\cbbc0252.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a11c0238-e0c8-11dd-8b27-0013ce7f77e3}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f70f1e16-e767-11dd-8b3a-0013ce7f77e3}]
\Shell\AutoRun\command - G:\rcaeasyrip_setup.exe
\Shell\install\command - G:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - G:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - G:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - G:\rcaeasyrip_setup.exe /pdf_Spanish
.
Contents of the 'Scheduled Tasks' folder

2009-01-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2005-12-16 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Easy Dock - (no file)
Notify-efccvtmj - efcCvTmj.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title = Microsoft Internet Explorer presented by Comcast
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
TCP: {F5D0E0E7-DD30-4778-8BB7-DA0E14ECCFC8} = 66.174.92.14 66.174.95.44
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-26 20:41:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(908)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2009-01-26 20:44:47
ComboFix-quarantined-files.txt 2009-01-27 02:44:43

Pre-Run: 69,099,704,320 bytes free
Post-Run: 69,273,804,800 bytes free

224 --- E O F --- 2009-01-26 23:21:54

#4 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 January 2009 - 03:07 AM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\drivers\cbbc0252.sys
c:\windows\system32\geBtrRhe.dll
Folder::
c:\documents and settings\Dennis Parmenter\Application Data\MalwareRemovalBot
c:\documents and settings\Dennis Parmenter\Application Data\cogad
Driver::
cbbc0252
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#5 DenPar

  • Topic Starter

  • Members
  • 13 posts

Posted 27 January 2009 - 10:35 AM

Thanks again for your time and assistance...here's the log:

ComboFix 09-01-21.04 - Dennis Parmenter 2009-01-27 9:13:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.898 [GMT -6:00]
Running from: c:\documents and settings\Dennis Parmenter\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dennis Parmenter\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\cbbc0252.sys
c:\windows\system32\geBtrRhe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dennis Parmenter\Application Data\cogad
c:\documents and settings\Dennis Parmenter\Application Data\cogad\cogad.exe
c:\documents and settings\Dennis Parmenter\Application Data\MalwareRemovalBot
c:\documents and settings\Dennis Parmenter\Application Data\MalwareRemovalBot\Log\2009 Jan 25 - 09_20_10 PM_484.log
c:\documents and settings\Dennis Parmenter\Application Data\MalwareRemovalBot\rs.dat
c:\documents and settings\Dennis Parmenter\Application Data\MalwareRemovalBot\Settings\ScanResults.pie
c:\windows\system32\geBtrRhe.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_cbbc0252


((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-26 22:19 . 2009-01-26 22:19 <DIR> d-------- c:\program files\Auslogics
2009-01-26 21:59 . 2009-01-26 21:59 <DIR> d-------- c:\program files\Cobian Backup 9
2009-01-26 21:33 . 2009-01-26 21:48 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-25 21:03 . 2009-01-25 21:03 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-25 20:25 . 2009-01-25 20:25 <DIR> d-------- c:\program files\Enigma Software Group
2009-01-16 13:40 . 2009-01-16 13:40 3,606 --a------ c:\windows\system32\PerfStringBackup.TMP
2009-01-16 13:38 . 2009-01-26 17:43 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-16 13:38 . 2009-01-16 13:38 <DIR> d-------- c:\documents and settings\Dennis Parmenter\Application Data\PC Tools
2009-01-16 13:38 . 2009-01-16 13:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-16 13:38 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-01-16 13:38 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-16 13:38 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-16 13:38 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-16 13:38 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-12 16:07 . 2009-01-12 17:54 <DIR> d-------- c:\documents and settings\Dennis Parmenter\Application Data\U3
2009-01-07 17:08 . 2009-01-07 17:08 <DIR> d-------- c:\documents and settings\Dennis Parmenter\Application Data\AdobeUM
2008-12-31 13:36 . 2008-12-31 13:36 <DIR> d-------- C:\My Recordings
2008-12-31 13:24 . 2008-12-31 14:12 82 --a------ c:\windows\EasyRip.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 15:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-16 19:39 --------- d-----w c:\program files\Common Files\PC Tools
2009-01-16 19:21 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-12-24 20:08 --------- d-----w c:\program files\FileOpen
2008-12-24 20:08 --------- d-----w c:\documents and settings\Dennis Parmenter\Application Data\FileOpen
2008-12-24 20:08 --------- d-----w c:\documents and settings\All Users\Application Data\FileOpen
2008-12-21 16:13 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-04-18 11:46 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-03-04 14:50 56,912 ----a-w c:\documents and settings\Dennis Parmenter\g2mdlhlpx.exe
2006-09-07 13:45 228 ----a-w c:\documents and settings\Dennis Parmenter\Application Data\wklnhst.dat
2007-04-18 12:42 88 --sh--r c:\windows\system32\ABF924EFB7.sys
2008-08-02 15:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080220080803\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-26_20.43.03.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-01-26 23:18:05 1,942 --sha-w c:\windows\system32\KGyGaAvL.sys
+ 2009-01-27 15:22:34 1,942 --sha-w c:\windows\system32\KGyGaAvL.sys
+ 2009-01-27 15:19:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_308.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-09 6746112]
"Act.Outlook.Service"="c:\program files\ACT\ACT for Windows\Act.Outlook.Service.exe" [2007-03-28 9728]
"Act! Preloader"="c:\program files\ACT\ACT for Windows\ActSage.exe" [2007-03-28 1015808]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-07 3032576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-09 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-10-14 21:38 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-29 15:33 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-06-29 15:33 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVTunerLib]
--a------ 2005-02-16 19:41 245760 c:\program files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2005-06-29 14:25 14720000 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"SysmonLog"=3 (0x3)
"SSDPSRV"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RDSessMgr"=3 (0x3)
"Nla"=3 (0x3)
"Netlogon"=3 (0x3)
"mnmsrvc"=3 (0x3)
"lanmanserver"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-07-20 28544]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-01-16 160792]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-02-13 29952]
R3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-02-13 41856]
R3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-02-13 39936]
R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-02-13 59520]
R4 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-16 356920]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a11c0238-e0c8-11dd-8b27-0013ce7f77e3}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f70f1e16-e767-11dd-8b3a-0013ce7f77e3}]
\Shell\AutoRun\command - G:\rcaeasyrip_setup.exe
\Shell\install\command - G:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - G:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - G:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - G:\rcaeasyrip_setup.exe /pdf_Spanish
.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2005-12-16 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 18:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title = Microsoft Internet Explorer presented by Comcast
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 09:19:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1092)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-27 9:26:35 - machine was rebooted [Dennis Parmenter]
ComboFix-quarantined-files.txt 2009-01-27 15:26:29
ComboFix2.txt 2009-01-27 02:44:49

Pre-Run: 69,214,961,664 bytes free
Post-Run: 69,138,018,304 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /PAE

225 --- E O F --- 2009-01-26 23:21:54

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:04:36 PM

Posted 27 January 2009 - 10:45 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 DenPar

DenPar
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:36 AM

Posted 27 January 2009 - 11:17 AM

All is well...thank you so much!

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:04:36 PM

Posted 27 January 2009 - 11:25 AM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:04:36 PM

Posted 30 January 2009 - 05:14 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.