
random error beeps after virus cleaned - antivirus 2009


  • This topic is locked
10 replies to this topic

#1 tiggin

tiggin

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:20 AM

Posted 26 January 2009 - 08:22 PM

I was getting a bunch of pop-ups for Antivirus 2009. After installing Malwarebytes' Anti-Malware it all got cleared up. I unfortunately deleted the logs, so I don't have a record of what got cleaned, as I thought my problems were done. Since then I got a random beep which I believe is the "Windows XP Critical Stop.wav". I installed AVG and it didn't find anything; I also used Trend Micro's HouseCall, and both gave me a clean bill. I restarted my comp and didn't touch it. About half an hour later it gave the same sound, but I hadn't started any programs or anything, so I'm wondering if something is lingering from the previous viruses.
Thanks for any help.


DDS (Ver_09-01-19.01) - NTFSx86
Run by Michael at 17:13:53.12 on Mon 01/26/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1424 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asuswi~1.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232996586484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/67/install/gtdownls.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\a5863cfh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pandora.com/|http://us.mc368.mail.yahoo.com/mc/welcome?&.rand=1528759025&noFlush|http://forums.magictraders.com/Ultimate.cgi
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-26 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-26 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-26 107272]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-26 298264]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-3 24652]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-4-1 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-4-1 13532]

=============== Created Last 30 ================

2009-01-26 13:45 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-26 13:40 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-26 13:40 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-26 13:40 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-26 13:40 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-26 13:40 <DIR> --d----- c:\program files\AVG
2009-01-26 13:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-26 11:03 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-01-24 23:43 <DIR> --d----- c:\docume~1\michael\applic~1\Malwarebytes
2009-01-24 23:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-24 23:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-24 23:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-24 23:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-24 22:10 <DIR> --d----- c:\docume~1\michael\applic~1\cogad
2009-01-02 19:08 <DIR> --d----- c:\windows\system32\AGEIA

==================== Find3M ====================

2008-12-11 02:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2006-06-22 22:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2008-05-18 08:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051820080519\index.dat

============= FINISH: 17:13:59.23 ===============


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:20 AM

Posted 07 February 2009 - 02:40 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for the AVG icon.
  • Right click it -> select Quit Control Center.
  • A warning will pop up, click Yes
Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 tiggin

tiggin
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:20 AM

Posted 08 February 2009 - 03:54 AM

Thanks for taking the time to look into this for me. There hasn't been any major changes I've made. Logs to follow

ComboFix 09-02-06.04 - Michael 2009-02-08 0:42:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1601 [GMT -8:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Michael\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\Tasks\anvyhggh.job
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2100-02-23 13:35 . 2001-02-22 08:54 768 --a------ c:\windows\x73_lut.dat
2100-02-08 14:53 . 2009-02-01 19:56 1,447 --a------ c:\windows\GtX73.ini
2009-02-03 10:43 . 2009-02-03 10:43 <DIR> d-------- c:\documents and settings\Michael\Application Data\id Software
2009-02-03 10:41 . 2009-02-03 10:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\id Software
2009-02-03 10:41 . 2009-02-03 10:41 2,246,144 --a------ c:\windows\system32\pbsvc.exe
2009-02-03 10:41 . 2009-02-03 14:33 189,576 --a------ c:\windows\system32\PnkBstrB.exe
2009-02-03 10:41 . 2009-02-03 14:33 138,624 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-02-03 10:41 . 2009-02-03 14:33 70,968 --a------ c:\windows\system32\PnkBstrA.exe
2009-02-03 10:41 . 2009-02-03 10:41 22,328 --a------ c:\documents and settings\Michael\Application Data\PnkBstrK.sys
2009-02-01 23:22 . 2009-02-01 23:22 <DIR> d-------- c:\program files\Curse
2009-02-01 17:16 . 2009-02-01 19:58 1,676,878 --a------ C:\X73_DS.bmp
2009-02-01 17:13 . 2009-02-01 19:56 360,054 --a------ c:\windows\bound.bmp
2009-01-27 12:05 . 2009-01-27 12:05 <DIR> d-------- c:\program files\Ventrilo
2009-01-27 12:05 . 2009-01-27 12:05 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-01-26 13:45 . 2009-02-01 15:17 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-26 13:40 . 2009-02-07 11:42 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-26 13:40 . 2009-01-26 13:40 <DIR> d-------- c:\program files\AVG
2009-01-26 13:40 . 2009-01-26 13:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-26 13:40 . 2009-01-26 13:40 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-26 13:40 . 2009-01-26 13:40 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-26 13:40 . 2009-01-26 13:40 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-26 11:03 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-01-24 23:43 . 2009-01-24 23:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-24 23:43 . 2009-01-24 23:43 <DIR> d-------- c:\documents and settings\Michael\Application Data\Malwarebytes
2009-01-24 23:43 . 2009-01-24 23:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-24 23:43 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-24 23:43 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 01:13 --------- d-----w c:\program files\LexmarkX73
2009-01-27 20:24 --------- d-----w c:\documents and settings\Michael\Application Data\Ventrilo
2009-01-27 20:05 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-03 03:08 --------- d-----w c:\program files\AGEIA Technologies
2008-12-20 18:55 --------- d-----w c:\documents and settings\Michael\Application Data\Wizards of the Coast
2008-12-20 18:47 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 18:47 --------- d-----w c:\program files\Wizards of the Coast
2008-12-20 18:46 --------- d-----w c:\documents and settings\Michael\Application Data\InstallShield
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-09 18:23 --------- d-----w c:\program files\Java
2008-11-12 21:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-11-10 13:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2008-05-18 16:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051820080519\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2008-10-10 4789760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-26 1601304]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-04-01 987136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-26 13:40 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Manager]
--a------ 2001-07-11 11:08 53248 c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Monitor]
--a------ 2001-10-08 15:21 53248 c:\progra~1\LEXMAR~1\ACMonitor_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-BurningCrusade-enUS-Installer-downloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\aauqac@hotmail.com\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-26 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-26 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-26 298264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-03 24652]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-04-01 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-04-01 13532]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\a5863cfh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pandora.com/|http://us.mc368.mail.yahoo.com/mc/welcome?&.rand=1528759025&noFlush|http://forums.magictraders.com/Ultimate.cgi
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 00:43:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-08 0:43:47
ComboFix-quarantined-files.txt 2009-02-08 08:43:45

Pre-Run: 85,882,605,568 bytes free
Post-Run: 87,265,812,480 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

DDS (Ver_09-02-01.01) - NTFSx86
Run by Michael at 0:49:58.71 on Sun 02/08/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1469 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asuswi~1.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232996586484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/67/install/gtdownls.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\a5863cfh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pandora.com/|http://us.mc368.mail.yahoo.com/mc/welcome?&.rand=1528759025&noFlush|http://forums.magictraders.com/Ultimate.cgi
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-26 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-26 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-26 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-26 298264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-3 24652]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-4-1 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-4-1 13532]

=============== Created Last 30 ================

2009-02-08 00:42 <DIR> a-dshr-- C:\cmdcons
2009-02-08 00:41 161,792 a------- c:\windows\SWREG.exe
2009-02-08 00:41 98,816 a------- c:\windows\sed.exe
2009-02-08 00:40 <DIR> --d----- C:\ComboFix
2009-02-03 10:43 <DIR> --d----- c:\docume~1\michael\applic~1\id Software
2009-02-03 10:41 138,624 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-02-03 10:41 22,328 a------- c:\docume~1\michael\applic~1\PnkBstrK.sys
2009-02-03 10:41 189,576 a------- c:\windows\system32\PnkBstrB.exe
2009-02-03 10:41 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-02-03 10:41 70,968 a------- c:\windows\system32\PnkBstrA.exe
2009-02-03 10:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\id Software
2009-02-01 23:22 <DIR> --d----- c:\program files\Curse
2009-02-01 17:16 1,676,878 a------- C:\X73_DS.bmp
2009-02-01 17:13 360,054 a------- c:\windows\bound.bmp
2009-01-27 12:05 <DIR> --d----- c:\program files\Ventrilo
2009-01-27 12:05 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-01-26 13:45 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-26 13:40 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-26 13:40 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-26 13:40 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-26 13:40 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-26 13:40 <DIR> --d----- c:\program files\AVG
2009-01-26 13:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-26 11:03 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-01-24 23:43 <DIR> --d----- c:\docume~1\michael\applic~1\Malwarebytes
2009-01-24 23:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-24 23:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-24 23:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-24 23:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2008-12-11 02:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2006-06-22 22:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2008-05-18 08:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051820080519\index.dat

============= FINISH: 0:50:03.71 ===============

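The ComboFix log posted above contains two things a malware-response helper would normally stop and look at: "Files Created" entries whose creation stamps are in the year 2100, and Security Center values that suppress antivirus and update notifications. The following Python script is an added example (not part of this thread, and not ComboFix's or DDS's own code) that parses those two sections of a pasted ComboFix log and flags both oddities for a human to check. The sample lines are copied from the log above; the section banners and line layout are assumed from that log rather than from any ComboFix documentation. Neither flag is a verdict: the future-dated files here appear to belong to the Lexmark X73 printer software also listed in the log, and the notification keys are routinely set by a security suite or by the user, but both are the kind of detail worth confirming rather than skipping.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the ComboFix log posted in this thread
# (two sections only), used as offline input for the parser below.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2100-02-23 13:35 . 2001-02-22 08:54 768 --a------ c:\windows\x73_lut.dat
2100-02-08 14:53 . 2009-02-01 19:56 1,447 --a------ c:\windows\GtX73.ini
2009-02-03 10:41 . 2009-02-03 10:41 2,246,144 --a------ c:\windows\system32\pbsvc.exe
2009-01-26 13:40 . 2009-01-26 13:40 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-01 23:22 . 2009-02-01 23:22 <DIR> d-------- c:\program files\Curse

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

# Layout assumed from the log above: "<created> . <modified> <size|<DIR>> <attrs> <path>"
FILES_HEADER_RE = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})")
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<dir><DIR>)|(?P<size>[\d,]+)) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>.+)$"
)
SECTION_BANNER = "(((("          # every ComboFix section banner starts this way
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_files_created(log_text):
    """Return (scan_end_date, records) from the 'Files Created' section."""
    scan_end, records, in_section = None, [], False
    for line in log_text.splitlines():
        header = FILES_HEADER_RE.search(line)
        if header:
            scan_end = datetime.strptime(header.group(2), "%Y-%m-%d")
            in_section = True
            continue
        if in_section and line.startswith(SECTION_BANNER):
            in_section = False          # reached the next section
        if not in_section:
            continue
        m = FILE_RE.match(line)
        if not m:
            continue                    # '.' separators and blank lines
        records.append({
            "created": _ts(m.group("created")),
            "modified": _ts(m.group("modified")),
            "is_dir": m.group("dir") is not None,
            "size": int(m.group("size").replace(",", "")) if m.group("size") else None,
            "attrs": m.group("attrs"),
            "path": m.group("path"),
        })
    return scan_end, records


def parse_reg_values(log_text):
    """Return {key: {name: raw_value}} from the REGEDIT4-style 'Reg Loading Points' section."""
    values, key = {}, None
    for line in log_text.splitlines():
        k = REG_KEY_RE.match(line)
        if k:
            key = k.group("key")
            values.setdefault(key, {})
            continue
        v = REG_VALUE_RE.match(line)
        if v and key is not None:
            values[key][v.group("name")] = v.group("value")
    return values


def triage(log_text):
    """List (flag, detail) pairs an analyst should look at; flags are prompts, not verdicts."""
    findings = []
    scan_end, records = parse_files_created(log_text)
    for rec in records:
        # A creation stamp later than the scan date is a clock or timestamp oddity.
        if scan_end is not None and rec["created"].date() > scan_end.date():
            findings.append(("future-timestamp", rec["path"]))
    for key, vals in parse_reg_values(log_text).items():
        if key.lower().endswith("security center"):
            for name, value in vals.items():
                # *DisableNotify=1 hides Security Center warnings for that component.
                if name.endswith("DisableNotify") and value.lower() == "dword:00000001":
                    findings.append(("securitycenter-notify-disabled", name))
    return findings


if __name__ == "__main__":
    for flag, detail in triage(SAMPLE_LOG):
        print(f"{flag:32} {detail}")
```

Point `triage()` at the full text of a saved C:\ComboFix.txt instead of SAMPLE_LOG to run it over a real log; the parser ignores every section it does not recognise, so the rest of the file is harmless to it.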
#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:20 AM

Posted 08 February 2009 - 11:53 AM

Hello.

It looks clean. Are those issues still occurring?

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

With Regards,
The Panda

#5 tiggin

tiggin
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:20 AM

Posted 08 February 2009 - 03:13 PM

Yeah, the issue occurs, but only very occasionally; every other day even with regular use of the computer. It will occur while I'm using the computer or even after a fresh reboot with nothing being run. It didn't start till after I had gotten infected, so I had assumed they were linked; however, it's very possible it isn't linked. Worst case, this computer is due for a format soon anyhow.

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:20 AM

Posted 08 February 2009 - 03:28 PM

Hello.

Please run F-Secure. Maybe it can find something we've missed.

With Regards,
The Panda

#7 tiggin

tiggin
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:20 AM

Posted 08 February 2009 - 04:11 PM

f-secure only found some cookies.

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:20 AM

Posted 08 February 2009 - 04:56 PM

Hello.

Let's see what we can find..

Download and Run MalwareByte's RogueRemover
  • Download rr-free-setup.exe to your desktop.
  • Double click the installer to run it. Follow the prompts and leave the values at default.
  • When installation is complete, RogueRemover will open. A message box will appear saying "This is your first time running the program. Please update the database.". Click OK.
  • The "Check for Updates" window will open. Select Check for Updates. Click OK for any messages you receive. Click the Download button when asked to. The updates should take a moment to install. Click Close on the update window to go to the main program screen.
  • Select the first option, Scan.
  • When the scan is finished, click Remove.
  • A log report will be created at C:\Program Files\RogueRemover FREE\RRxxxxxxx.txt.
View Point Program
Viewpoint Manager and Viewpoint Media Player are considered foistware rather than malware, since they are installed without the user's approval but do not have malicious effects. This has changed from what we knew in 2006; read this article.

I suggest you remove the program(s) through Add and Remove Programs.

With Regards,
The Panda

Edited by PropagandaPanda, 08 February 2009 - 04:56 PM.


#9 tiggin

tiggin
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:20 AM

Posted 09 February 2009 - 03:26 AM

rogueremover didn't find anything.

Uninstalled viewpoint.

No way to confirm the problem still exists due to the inconsistent nature of it, but since I haven't found any problems to fix I'd have to assume the original problem is still there.

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:20 AM

Posted 09 February 2009 - 04:53 PM

Hello.

Let's let this one sit for a couple days. Tell me if it occurs again.

With Regards,
The Panda

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:20 AM

Posted 18 February 2009 - 06:59 PM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
