
Infected with antivirus 2009!


This topic is locked
6 replies to this topic

#1 brandonmacey

brandonmacey

  • Members
  • 3 posts

Posted 28 January 2009 - 12:31 AM

I have Antivirus 2009. I get random Internet Explorer popups asking me to purchase the full version. I get messages down by the clock area of my computer in a bubble extending from a red shield icon with an X in the middle, stating that my computer is infected and that I should "click here". Please help!!

DDS (Ver_09-01-19.01) - NTFSx86
Run by Owner at 21:22:08.53 on Tue 01/27/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.484 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
"C:\Documents and Settings\Owner\svchost.exe"
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://google.com/
BHO: My Search BHO: {014da6c1-189f-421a-88cd-07cfe51cff10} - c:\program files\mysearch\bar\1.bin\S4BAR.DLL
BHO: {4bf2a899-6908-4f51-bb03-67e4b1c678fd} - c:\windows\system32\pmnlJBrr.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\byXoPIAr.dll
BHO: {7e215ba3-f2e0-4384-b6c9-f1b7876ac04d} - c:\windows\system32\wuvotifa.dll
BHO: {c67d8bee-9149-361b-0424-1d2c0352b3f8}: {8f3b2530-c2d1-4240-b163-9419eeb8d76c} - c:\windows\system32\ayfttu.dll
BHO: {d6901836-93f5-421d-8db9-63ac1005d781} - c:\windows\system32\mlJYsSIb.dll
BHO: {e789fc9a-796f-4a4b-bd53-8776f3c4b40d} - c:\windows\system32\bootvi.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: My Search Bar: {014da6c9-189f-421a-88cd-07cfe51cff10} - c:\program files\mysearch\bar\1.bin\S4BAR.DLL
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [brastk] c:\windows\system32\brastk.exe
uRun: [cogad] "c:\documents and settings\owner\application data\cogad\cogad.exe" 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
uRun: [Twain] c:\documents and settings\owner\application data\twain\Twain.exe
uRun: [SpeedRunner] c:\documents and settings\owner\application data\speedrunner\SpeedRunner.exe
uRun: [VnrPack22] "c:\program files\vnrpack\VnrPack22.exe"
uRun: [GetModule35] "c:\program files\getmodule\GetModule35.exe"
uRun: [GetPack28] "c:\program files\getpack\GetPack28.exe"
uRun: [MS AntiSpyware 2009] "c:\documents and settings\all users\application data\crucialsoft ltd\ms antispyware 2009\msas2009.exe" /autorun
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IS CfgWiz] c:\program files\norton internet security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [SSC_UserPrompt] c:\program files\common files\symantec shared\security center\UsrPrmpt.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [_AntiSpyware] c:\program files\mcafee\mcafee antispyware\MssCli.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [brastk] c:\windows\system32\brastk.exe
mRun: [riburitine] Rundll32.exe "c:\windows\system32\ruginefo.dll",s
mRun: [68a37ba3] rundll32.exe "c:\windows\system32\wveppiqf.dll",b
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\myesse~1.lnk - c:\program files\my essentials\usb me1001-usb\wireless utility\O-Maxwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smcwus~1.lnk - c:\program files\smc\smcwusb-g 802.11g wireless usb 2.0 adapter\SMCWGUTI.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: byXoPIAr - byXoPIAr.dll
Notify: iifdawUo - iifdawUo.dll
AppInit_DLLs: avgrsstx.dll xhejil.dll,c:\windows\system32\veseyusi.dll ayfttu.dll
SEH: McAfee AntiSpyware Shell Extension: {f2a0229a-c4ca-4789-b606-973d24dcdd1c} - c:\program files\mcafee\mcafee antispyware\MssShell.dll
SEH: {a63e645f-13bd-45ed-b15f-6e8c1bd57279} - c:\windows\system32\iifdawUo.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\byXoPIAr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnlJBrr
LSA: Notification Packages = scecli c:\windows\system32\veseyusi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\hktledba.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npkimi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMySrch.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-16 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-16 26824]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20040811.020\NAVENG.SYS [2008-11-15 68168]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20040811.020\NAVEX15.SYS [2008-11-15 617288]
R3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);c:\windows\system32\drivers\OMAWGU.sys [2008-12-28 408064]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2004-7-23 335504]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-16 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-16 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-16 76040]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-8-27 197752]
R4 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2004-8-27 234616]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-8-27 164984]
R4 McAfeeAntiSpyware;McAfee AntiSpyware Real-Time Scanner;c:\program files\mcafee\mcafee antispyware\Msssrv.exe [2004-11-17 90112]
R4 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2004-8-30 176768]
R4 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2004-7-23 49808]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-8-27 78968]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2008-11-15 249856]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2004-7-23 197864]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2008-11-15 408064]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2004-8-30 66688]

=============== Created Last 30 ================

2009-01-27 20:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-01-27 20:45 81,931 a------- c:\documents and settings\owner\svchost.exe
2009-01-27 18:11 129,024 a------- c:\windows\system32\ayfttu.dll
2009-01-27 18:11 1,516,535 ---sh--- c:\windows\system32\fqippevw.ini
2009-01-27 18:11 129,024 a------- c:\windows\system32\gneyloac.dll
2009-01-27 18:10 72,704 a------- c:\windows\system32\wveppiqf.dll
2009-01-27 18:09 378,184 a--sh--- c:\windows\system32\rrBJlnmp.ini2
2009-01-27 18:09 378,184 a--sh--- c:\windows\system32\rrBJlnmp.ini
2009-01-27 18:09 315,904 a------- c:\windows\system32\pmnlJBrr.dll
2009-01-26 20:49 <DIR> --d----- c:\program files\GetPack
2009-01-26 18:56 3,729 ---sh--- c:\windows\system32\zehejevo.exe
2009-01-26 00:56 1,473,502 ---sh--- c:\windows\system32\ovevahud.ini
2009-01-24 20:52 <DIR> --d----- c:\program files\InetGet2
2009-01-24 20:37 <DIR> --d----- c:\program files\VnrPack
2009-01-24 20:32 <DIR> --d----- c:\docume~1\owner\applic~1\SpeedRunner
2009-01-24 20:27 <DIR> --d----- c:\docume~1\owner\applic~1\Twain
2009-01-24 20:21 <DIR> --d----- c:\program files\WebShow
2009-01-24 20:16 <DIR> --d----- c:\program files\Mjcore
2009-01-24 20:16 <DIR> --d----- c:\docume~1\owner\applic~1\cogad
2009-01-24 20:16 36,352 a------- c:\windows\system32\byXoPIAr.dll
2009-01-24 20:16 <DIR> --d----- c:\program files\iCheck
2009-01-24 20:16 <DIR> --d----- c:\program files\GetModule
2009-01-14 23:00 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2009-01-14 23:00 13,853 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-01-14 18:51 <DIR> --d----- c:\program files\AudioJack
2009-01-14 18:49 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-14 18:11 90 a------- c:\windows\cdplayer.ini
2009-01-14 18:10 <DIR> --d----- c:\program files\MySearch
2009-01-14 18:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\FreeRIP
2009-01-14 18:10 <DIR> --d----- c:\program files\FreeRIP3
2009-01-14 18:05 966,144 a------- c:\windows\system32\NCTAudioInformation2.dll
2009-01-14 18:05 877,568 a------- c:\windows\system32\NCTAudioFile2.dll
2009-01-14 18:05 376,832 a------- c:\windows\system32\cmd22.dll
2009-01-14 18:05 102,400 a------- c:\windows\system32\ccrpprg6.ocx
2009-01-14 18:05 724,992 a------- c:\windows\system32\ebCrypt.dll
2009-01-14 18:05 389,120 a------- c:\windows\system32\actskn43.ocx
2009-01-14 18:05 253,952 a------- c:\windows\system32\SkinBoxer43.dll
2009-01-14 18:05 237,568 a------- c:\windows\system32\lame_enc.dll
2009-01-14 18:05 401,408 a------- c:\windows\system32\srmInfo.dll
2009-01-14 18:05 <DIR> --d----- c:\program files\FLAC Ripper
2009-01-14 17:57 <DIR> --d----- c:\program files\FLAC to MP3 Converter
2009-01-14 17:52 1,287 a------- C:\net_save.dna
2009-01-14 17:52 <DIR> --d----- c:\program files\support.com
2009-01-14 17:51 <DIR> --d----- c:\program files\common files\SupportSoft
2009-01-10 13:24 <DIR> --d----- c:\program files\Imikimi
2009-01-08 21:41 <DIR> --d----- c:\docume~1\owner\applic~1\Symantec

==================== Find3M ====================

2009-01-14 19:22 5,082,488 a------- c:\windows\system32\SpoonUninstall.exe
2008-11-30 07:36 2,987 a------- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-11-17 23:54 899,211 a--sh--- c:\windows\system32\bISsYJlm.ini2
2008-11-16 09:39 10,520 a------- c:\windows\system32\avgrsstx.dll

============= FINISH: 21:23:30.03 ===============


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 January 2009 - 06:06 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

I notice from your log that there's more than one Antivirus installed: AVG, McAfee and Norton.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will seriously decrease their reliability!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because multiple installed Antivirus and Firewall products are not compatible with each other, they can cause system performance problems and a serious system slowdown.

So you have to make a decision here: keep the Antivirus you prefer and uninstall the others.
Then reboot after uninstalling.

Also, uninstall My Search Bar, SpeedRunner and Viewpoint media player via software > add & remove programs.
Reboot once again.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Edited by miekiemoes, 28 January 2009 - 06:07 AM.

My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
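As an added example that is not part of the thread (and not a BleepingComputer or DDS tool), the following Python script reads DDS-style log lines, constructed here after the log posted above, and flags the classes of entry the reply calls out or that a responder checks first: more than one antivirus product, a process named svchost running outside System32, autostarts launched from a profile's Application Data, AppInit_DLLs entries, and LSA packages beyond the Windows XP workstation defaults (msv1_0 and scecli are assumed as that baseline).

```python
import re

# Constructed sample modelled on the DDS log posted above (abridged, not the full log).
SAMPLE_LOG = r"""
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
"C:\Documents and Settings\Owner\svchost.exe"
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [cogad] "c:\documents and settings\owner\application data\cogad\cogad.exe" 61A847B5
uRun: [MS AntiSpyware 2009] "c:\documents and settings\all users\application data\crucialsoft ltd\ms antispyware 2009\msas2009.exe" /autorun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [68a37ba3] rundll32.exe "c:\windows\system32\wveppiqf.dll",b
AppInit_DLLs: avgrsstx.dll xhejil.dll,c:\windows\system32\veseyusi.dll ayfttu.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnlJBrr
LSA: Notification Packages = scecli c:\windows\system32\veseyusi.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^([um]Run):\s*\[(.*?)\]\s*(.*)$")
LSA_RE = re.compile(r"^LSA:\s*(Authentication|Notification) Packages\s*=\s*(.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)

# Assumed baseline: the default LSA package values on a Windows XP workstation.
LSA_BASELINE = {"Authentication": {"msv1_0"}, "Notification": {"scecli"}}


def parse_sections(text):
    """Split a DDS-style log into {section name: [lines]}; lines before the
    first banner go under 'Header'. Blank lines are dropped."""
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def first_path(command):
    """Executable path of a process or Run line: the quoted token if the
    command starts with a quote, otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(text):
    """Return a list of (rule, detail) findings for the log text."""
    sections = parse_sections(text)
    findings = []

    # Rule 1: more than one product reporting as an on-access antivirus.
    avs = [line[3:].strip() for line in sections["Header"] if line.startswith("AV:")]
    if len(avs) > 1:
        findings.append(("multiple-av", "; ".join(avs)))

    # Rule 2: a process named svchost that does not live in %SystemRoot%\System32.
    for proc in sections.get("Running Processes", []):
        path = first_path(proc).lower()
        stem = path.rsplit("\\", 1)[-1].split(".", 1)[0]
        if stem == "svchost" and not path.startswith("c:\\windows\\system32\\"):
            findings.append(("svchost-outside-system32", path))

    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            path = first_path(command).lower()
            # Rule 3: autostart launching from a profile's Application Data folder.
            if "\\application data\\" in path:
                findings.append(("run-from-appdata", f"{hive} [{name}] {path}"))
            # Rule 4: random-looking hex value name, or a DLL started through rundll32.
            if HEX_NAME_RE.match(name) or path.endswith("rundll32.exe"):
                findings.append(("run-suspicious-loader", f"{hive} [{name}] {command}"))
            continue
        # Rule 5: AppInit_DLLs loads into every user-mode process; report each entry.
        if line.startswith("AppInit_DLLs:"):
            for dll in re.split(r"[\s,]+", line.split(":", 1)[1].strip()):
                if dll:
                    findings.append(("appinit-dll", dll))
            continue
        # Rule 6: LSA packages beyond the baseline run inside lsass with every logon.
        m = LSA_RE.match(line)
        if m:
            kind, packages = m.groups()
            for pkg in packages.split():
                if pkg.lower() not in LSA_BASELINE[kind]:
                    findings.append((f"lsa-{kind.lower()}-package", pkg))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:28} {detail}")
```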

#3 brandonmacey

brandonmacey
  • Topic Starter

  • Members
  • 3 posts

Posted 28 January 2009 - 01:36 PM

THANK YOU SO MUCH FOR HELPING ME! I don't know why you help people you don't even know for free, but I am so thankful!
Here is the log for ComboFix:

ComboFix 09-01-21.04 - Owner 2009-01-28 9:50:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.638 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090127204639890.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090128093947468.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Application Data\SpeedRunner
c:\documents and settings\Owner\Application Data\SpeedRunner\config.cfg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Owner\svchost.exe
c:\program files\GetModule
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\trgtame.gz
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\inetget2
c:\program files\Mjcore
c:\program files\VnrPack
c:\program files\VnrPack\dicts.gz
c:\program files\VnrPack\trgts.gz
c:\program files\VnrPack\VnrPack22.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\ayfttu.dll
c:\windows\system32\bISsYJlm.ini
c:\windows\system32\bISsYJlm.ini2
c:\windows\system32\byXoPIAr.dll
c:\windows\system32\DelSelf.bat
c:\windows\system32\gneyloac.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\NCTAudioFile2.dll
c:\windows\system32\pmnlJBrr.dll
c:\windows\system32\rrBJlnmp.ini
c:\windows\system32\rrBJlnmp.ini2
c:\windows\system32\skinboxer43.dll
c:\windows\system32\ssqrqNhH.dll
c:\windows\system32\wveppiqf.dll
c:\windows\wiaserviv.log
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-28 10:22 . 2009-01-28 10:22 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-28 10:21 . 2009-01-28 10:26 <DIR> d-------- c:\windows\LastGood
2009-01-27 18:11 . 2009-01-27 23:27 1,516,544 --ahs---- c:\windows\system32\fqippevw.ini
2009-01-26 18:56 . 2009-01-26 18:56 3,729 --ahs---- c:\windows\system32\zehejevo.exe
2009-01-26 00:56 . 2009-01-27 00:56 1,473,502 --ahs---- c:\windows\system32\ovevahud.ini
2009-01-24 20:27 . 2009-01-24 20:27 <DIR> d-------- c:\documents and settings\Owner\Application Data\Twain
2009-01-24 20:21 . 2009-01-24 20:22 <DIR> d-------- c:\program files\WebShow
2009-01-24 20:16 . 2009-01-24 21:38 <DIR> d-------- c:\documents and settings\Owner\Application Data\cogad
2009-01-14 23:00 . 2009-01-14 23:00 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2009-01-14 23:00 . 2009-01-14 23:00 13,853 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-01-14 18:51 . 2009-01-16 13:01 <DIR> d-------- c:\program files\AudioJack
2009-01-14 18:49 . 2009-01-14 18:49 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-14 18:11 . 2009-01-14 18:11 90 --a------ c:\windows\cdplayer.ini
2009-01-14 18:10 . 2009-01-14 18:10 <DIR> d-------- c:\program files\MySearch
2009-01-14 18:10 . 2009-01-14 18:10 <DIR> d-------- c:\program files\FreeRIP3
2009-01-14 18:10 . 2009-01-14 18:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreeRIP
2009-01-14 18:05 . 2009-01-14 18:05 <DIR> d-------- c:\program files\FLAC Ripper
2009-01-14 18:05 . 2005-06-01 12:15 966,144 --a------ c:\windows\system32\NCTAudioInformation2.dll
2009-01-14 18:05 . 2002-04-07 22:14 724,992 --a------ c:\windows\system32\ebCrypt.dll
2009-01-14 18:05 . 2007-12-14 00:11 401,408 --a------ c:\windows\system32\srmInfo.dll
2009-01-14 18:05 . 2003-05-15 12:07 389,120 --a------ c:\windows\system32\actskn43.ocx
2009-01-14 18:05 . 2007-01-04 22:47 376,832 --a------ c:\windows\system32\cmd22.dll
2009-01-14 18:05 . 2003-08-07 15:01 237,568 --a------ c:\windows\system32\lame_enc.dll
2009-01-14 18:05 . 2000-01-28 13:58 102,400 --a------ c:\windows\system32\ccrpprg6.ocx
2009-01-14 17:57 . 2009-01-14 17:58 <DIR> d-------- c:\program files\FLAC to MP3 Converter
2009-01-14 17:57 . 2009-01-14 17:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-01-14 17:52 . 2009-01-14 17:52 <DIR> d-------- c:\program files\support.com
2009-01-14 17:52 . 2009-01-14 17:52 1,287 --a------ C:\net_save.dna
2009-01-14 17:51 . 2009-01-14 17:51 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-01-10 13:24 . 2009-01-10 13:24 <DIR> d-------- c:\program files\Imikimi
2009-01-08 21:41 . 2009-01-08 21:41 <DIR> d-------- c:\documents and settings\Owner\Application Data\Symantec
2008-12-28 15:04 . 2006-08-03 23:55 408,064 -ra------ c:\windows\system32\drivers\OMAWGU.sys
2008-12-28 14:55 . 2008-12-28 14:55 <DIR> d-------- c:\program files\My Essentials

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 17:38 --------- d-----w c:\program files\Symantec
2009-01-28 17:38 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-28 17:36 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-01-15 03:22 5,082,488 ----a-w c:\windows\system32\SpoonUninstall.exe
2008-12-22 22:11 --------- d-----w c:\documents and settings\Owner\Application Data\Costco Photo Viewer US
2008-12-20 23:34 --------- d-----w c:\program files\America Online 9.0
2008-12-20 23:34 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-13 07:49 --------- d-----w c:\documents and settings\Owner\Application Data\dBpoweramp
2008-11-30 15:36 --------- d-----w c:\program files\Illustrate
2008-11-30 15:36 --------- d-----w c:\documents and settings\Owner\Application Data\AccurateRip
2008-11-30 15:29 --------- d-----w c:\program files\Common Files\AVSMedia
2008-11-30 15:29 --------- d-----w c:\program files\AVS4YOU
2008-11-30 15:29 --------- d-----w c:\documents and settings\Owner\Application Data\AVS4YOU
2008-11-30 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2008-11-16 17:39 10,520 ----a-w c:\windows\system32\avgrsstx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"CHotkey"="zHotkey.exe" [2004-05-17 c:\windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 c:\windows\ShowWnd.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2008-11-15 1742384]
My Essentials Wireless USB Utility.lnk - c:\program files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe [2006-09-11 1568768]
SMCWUSB-G 802.11g Wireless USB Utility.lnk - c:\program files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2006-01-18 442368]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-16 97928]
R3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);c:\windows\system32\drivers\OMAWGU.sys [2008-12-28 408064]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-16 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-16 76040]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2008-11-15 408064]
S4 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-11-16 22752]
.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5038FBE3-838E-41ED-BADC-3D91CF40243A} - c:\windows\system32\pmnlJBrr.dll
BHO-{7e215ba3-f2e0-4384-b6c9-f1b7876ac04d} - c:\windows\system32\wuvotifa.dll
BHO-{8f3b2530-c2d1-4240-b163-9419eeb8d76c} - c:\windows\system32\ayfttu.dll
BHO-{D6901836-93F5-421D-8DB9-63AC1005D781} - c:\windows\system32\mlJYsSIb.dll
BHO-{E789FC9A-796F-4A4B-BD53-8776F3C4B40D} - c:\windows\system32\bootvi.dll
HKCU-Run-brastk - c:\windows\system32\brastk.exe
HKCU-Run-cogad - c:\documents and settings\Owner\Application Data\cogad\cogad.exe
HKCU-Run-VnrPack22 - c:\program files\VnrPack\VnrPack22.exe
HKCU-Run-GetModule35 - c:\program files\GetModule\GetModule35.exe
HKCU-Run-GetPack28 - c:\program files\GetPack\GetPack28.exe
HKCU-Run-MS AntiSpyware 2009 - c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
HKLM-Run-riburitine - c:\windows\system32\ruginefo.dll
Notify-iifdawUo - iifdawUo.dll


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://google.com/
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hktledba.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 10:26:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wuapi.dll.wusetup.437234.bak 549720 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.438453.bak 53080 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.439546.bak 1712984 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-01-28 10:28:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-28 18:27:59

Pre-Run: 59,453,014,016 bytes free
Post-Run: 70,394,392,576 bytes free

224 --- E O F --- 2009-01-28 18:26:31

#4 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 28 January 2009 - 01:52 PM

Hi,

We're not finished yet.

I recommend that you allow ComboFix to install the Recovery Console, because it is a very useful addition that you can use in the future as well.
Also, please disable your AVG antivirus during the ComboFix run, because it will interfere otherwise.

In any case, it looks like your Windows is in the middle of an update, so make sure the update has finished and only then proceed with the following steps; otherwise you would have big problems.
Reboot after the updates are installed. If no updates are downloading and installing at this moment, skip that step and proceed with the following step.

Then,

* Open Notepad. Don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\fqippevw.ini
c:\windows\system32\zehejevo.exe
c:\windows\system32\ovevahud.ini
Folder::
c:\documents and settings\Owner\Application Data\Twain
c:\program files\WebShow
c:\documents and settings\Owner\Application Data\cogad
c:\program files\MySearch
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 brandonmacey (Topic Starter)

  • Members
  • 3 posts

Posted 28 January 2009 - 03:42 PM

I tried to disable AVG but combofix still said it was running, sorry.

ComboFix 09-01-21.04 - Owner 2009-01-28 12:37:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.707 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\fqippevw.ini
c:\windows\system32\ovevahud.ini
c:\windows\system32\zehejevo.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\cogad
c:\documents and settings\Owner\Application Data\Twain
c:\program files\MySearch
c:\program files\MySearch\bar\History\search2
c:\program files\MySearch\bar\Settings\prevcfg2.htm
c:\program files\WebShow
c:\windows\system32\fqippevw.ini
c:\windows\system32\hkllxayn.ini
c:\windows\system32\ovevahud.ini
c:\windows\system32\ydbrwctx.ini
c:\windows\system32\zehejevo.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-28 10:22 . 2009-01-28 10:22 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-14 23:00 . 2009-01-14 23:00 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2009-01-14 23:00 . 2009-01-14 23:00 13,853 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-01-14 18:51 . 2009-01-16 13:01 <DIR> d-------- c:\program files\AudioJack
2009-01-14 18:49 . 2009-01-14 18:49 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-14 18:11 . 2009-01-14 18:11 90 --a------ c:\windows\cdplayer.ini
2009-01-14 18:10 . 2009-01-14 18:10 <DIR> d-------- c:\program files\FreeRIP3
2009-01-14 18:10 . 2009-01-14 18:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreeRIP
2009-01-14 18:05 . 2009-01-14 18:05 <DIR> d-------- c:\program files\FLAC Ripper
2009-01-14 18:05 . 2005-06-01 12:15 966,144 --a------ c:\windows\system32\NCTAudioInformation2.dll
2009-01-14 18:05 . 2002-04-07 22:14 724,992 --a------ c:\windows\system32\ebCrypt.dll
2009-01-14 18:05 . 2007-12-14 00:11 401,408 --a------ c:\windows\system32\srmInfo.dll
2009-01-14 18:05 . 2003-05-15 12:07 389,120 --a------ c:\windows\system32\actskn43.ocx
2009-01-14 18:05 . 2007-01-04 22:47 376,832 --a------ c:\windows\system32\cmd22.dll
2009-01-14 18:05 . 2003-08-07 15:01 237,568 --a------ c:\windows\system32\lame_enc.dll
2009-01-14 18:05 . 2000-01-28 13:58 102,400 --a------ c:\windows\system32\ccrpprg6.ocx
2009-01-14 17:57 . 2009-01-14 17:58 <DIR> d-------- c:\program files\FLAC to MP3 Converter
2009-01-14 17:57 . 2009-01-14 17:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-01-14 17:52 . 2009-01-14 17:52 <DIR> d-------- c:\program files\support.com
2009-01-14 17:52 . 2009-01-14 17:52 1,287 --a------ C:\net_save.dna
2009-01-14 17:51 . 2009-01-14 17:51 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-01-10 13:24 . 2009-01-10 13:24 <DIR> d-------- c:\program files\Imikimi
2009-01-08 21:41 . 2009-01-08 21:41 <DIR> d-------- c:\documents and settings\Owner\Application Data\Symantec
2008-12-28 15:04 . 2006-08-03 23:55 408,064 -ra------ c:\windows\system32\drivers\OMAWGU.sys
2008-12-28 14:55 . 2008-12-28 14:55 <DIR> d-------- c:\program files\My Essentials

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 20:37 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-01-28 19:18 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-28 17:38 --------- d-----w c:\program files\Symantec
2009-01-28 17:38 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-15 03:22 5,082,488 ----a-w c:\windows\system32\SpoonUninstall.exe
2008-12-22 22:11 --------- d-----w c:\documents and settings\Owner\Application Data\Costco Photo Viewer US
2008-12-20 23:34 --------- d-----w c:\program files\America Online 9.0
2008-12-20 23:34 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-13 07:49 --------- d-----w c:\documents and settings\Owner\Application Data\dBpoweramp
2008-11-30 15:36 --------- d-----w c:\program files\Illustrate
2008-11-30 15:36 --------- d-----w c:\documents and settings\Owner\Application Data\AccurateRip
2008-11-30 15:29 --------- d-----w c:\program files\Common Files\AVSMedia
2008-11-30 15:29 --------- d-----w c:\program files\AVS4YOU
2008-11-30 15:29 --------- d-----w c:\documents and settings\Owner\Application Data\AVS4YOU
2008-11-30 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2008-11-16 17:39 10,520 ----a-w c:\windows\system32\avgrsstx.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-28_10.27.18.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 19:00:00 1,016,832 ------w c:\windows\system32\browseui.dll
+ 2008-08-20 05:38:45 1,023,488 ----a-w c:\windows\system32\browseui.dll
- 2007-07-31 03:19:20 92,504 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 22:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
- 2007-07-31 03:19:20 92,504 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 22:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2007-07-31 03:19:36 549,720 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 22:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2007-07-31 03:19:16 53,080 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 22:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2007-07-31 03:19:42 1,712,984 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 22:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2007-07-31 03:19:32 325,976 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 22:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2007-07-31 03:18:40 33,624 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 22:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
- 2007-07-31 03:19:28 203,096 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 22:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
- 2004-08-04 19:00:00 243,200 ------w c:\windows\system32\es.dll
+ 2008-07-07 20:32:22 253,952 ----a-w c:\windows\system32\es.dll
- 2008-11-16 02:12:17 205,712 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-28 19:15:16 205,712 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2004-08-04 19:00:00 73,728 ------w c:\windows\system32\mscms.dll
+ 2008-06-24 16:23:05 74,240 ----a-w c:\windows\system32\mscms.dll
- 2004-08-04 19:00:00 3,003,392 ------w c:\windows\system32\mshtml.dll
+ 2008-08-20 05:38:47 3,060,224 ----a-w c:\windows\system32\mshtml.dll
- 2004-08-04 19:00:00 1,236,480 ------w c:\windows\system32\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ----a-w c:\windows\system32\msxml3.dll
- 2004-08-04 19:00:00 332,288 ------w c:\windows\system32\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32.dll
- 2004-08-04 19:00:00 1,483,264 ------w c:\windows\system32\shdocvw.dll
+ 2008-08-20 05:38:42 1,494,528 ----a-w c:\windows\system32\shdocvw.dll
- 2004-08-04 19:00:00 473,600 ------w c:\windows\system32\shlwapi.dll
+ 2008-08-20 05:38:44 474,112 ----a-w c:\windows\system32\shlwapi.dll
+ 2008-10-16 22:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 22:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2004-08-04 19:00:00 601,088 ------w c:\windows\system32\urlmon.dll
+ 2008-08-20 05:38:45 615,936 ----a-w c:\windows\system32\urlmon.dll
- 2004-08-04 19:00:00 656,384 ------w c:\windows\system32\wininet.dll
+ 2008-08-20 05:38:43 659,456 ----a-w c:\windows\system32\wininet.dll
- 2007-07-31 03:19:36 549,720 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 22:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2007-07-31 03:19:16 53,080 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 22:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2007-07-31 03:19:42 1,712,984 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 22:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2007-07-31 03:19:32 325,976 ----a-w c:\windows\system32\wucltui.dll
+ 2008-10-16 22:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2007-07-31 03:18:40 33,624 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 22:08:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2007-07-31 03:19:12 43,352 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 22:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
- 2007-07-31 03:19:28 203,096 ----a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 22:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"CHotkey"="zHotkey.exe" [2004-05-17 c:\windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 c:\windows\ShowWnd.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2008-11-15 1742384]
My Essentials Wireless USB Utility.lnk - c:\program files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe [2006-09-11 1568768]
SMCWUSB-G 802.11g Wireless USB Utility.lnk - c:\program files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe [2006-01-18 442368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2008-11-16 09:39 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-16 97928]
R3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);c:\windows\system32\drivers\OMAWGU.sys [2008-12-28 408064]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-16 76040]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2008-11-15 408064]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-16 875288]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 231704]
.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://google.com/
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hktledba.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 12:38:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-28 12:39:12
ComboFix-quarantined-files.txt 2009-01-28 20:39:10
ComboFix2.txt 2009-01-28 18:28:04

Pre-Run: 70,174,027,776 bytes free
Post-Run: 70,219,227,136 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

211 --- E O F --- 2009-01-28 18:26:31
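The three entries the first catchme scan listed as hidden (the `.wusetup.*.bak` copies of wuapi.dll, wuauclt.exe and wuaueng.dll) have byte sizes identical to the pre-update sizes on the `-` lines of the snapshot section, and the second scan reports no hidden files at all; that is what you would expect if they were the update installer's backups of files it was replacing rather than something a rootkit was concealing, which fits the note above that Windows was in the middle of an update. As an added example, not code from this thread or from ComboFix or catchme, the Python script below automates that cross-check on the log text; the line layouts it parses are assumptions taken from the log as pasted, and the sample input is copied from the scan output above.

```python
"""Cross-check catchme 'hidden files' against a ComboFix snapshot diff.

Added example, not code from ComboFix, catchme or this thread. The
line layouts matched below are assumptions taken from the log as pasted.
"""
import re

# "c:\path\file.ext.wusetup.NNN.bak 549720 bytes executable"
HIDDEN_RE = re.compile(
    r"^(?P<path>[a-z]:\\.+?)\s+(?P<size>\d+)\s+bytes\s+\w+$", re.IGNORECASE
)
# "- 2007-07-31 03:19:36 549,720 ----a-w c:\windows\system32\wuapi.dll"
SNAP_RE = re.compile(
    r"^(?P<sign>[-+])\s+(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)

# Sample input, copied from the first catchme scan and the snapshot section of the log.
CATCHME_SAMPLE = r"""
c:\windows\system32\wuapi.dll.wusetup.437234.bak 549720 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.438453.bak 53080 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.439546.bak 1712984 bytes executable
"""

SNAPSHOT_SAMPLE = r"""
- 2007-07-31 03:19:36 549,720 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 22:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2007-07-31 03:19:16 53,080 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 22:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2007-07-31 03:19:42 1,712,984 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 22:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 22:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
"""


def parse_hidden(text):
    """Map each hidden-file path (lower-cased) to its size in bytes."""
    hidden = {}
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            hidden[m["path"].lower()] = int(m["size"])
    return hidden


def parse_snapshot(text):
    """Split the snapshot diff into {path: size} for '-' (old) and '+' (new) lines."""
    before, after = {}, {}
    for line in text.splitlines():
        m = SNAP_RE.match(line.strip())
        if not m:
            continue  # section banners, '.' separators and blank lines
        bucket = before if m["sign"] == "-" else after
        bucket[m["path"].lower()] = int(m["size"].replace(",", ""))
    return before, after


def explain_hidden(hidden, before):
    """Pair each hidden file with a replaced original of identical size.

    A hidden file counts as explained when its name extends a '-' path
    (wuapi.dll -> wuapi.dll.wusetup.437234.bak) and its size equals that
    original's pre-update size. Anything else is returned as unexplained
    and deserves a closer look.
    """
    explained, unexplained = {}, []
    for path, size in hidden.items():
        original = next(
            (orig for orig, old_size in before.items()
             if path.startswith(orig + ".") and old_size == size),
            None,
        )
        if original is None:
            unexplained.append(path)
        else:
            explained[path] = original
    return explained, unexplained


if __name__ == "__main__":
    hidden = parse_hidden(CATCHME_SAMPLE)
    before, _after = parse_snapshot(SNAPSHOT_SAMPLE)
    explained, unexplained = explain_hidden(hidden, before)
    for bak, orig in explained.items():
        print(f"explained: {bak} is a pre-update copy of {orig} ({hidden[bak]} bytes)")
    for bak in unexplained:
        print(f"UNEXPLAINED: {bak} ({hidden[bak]} bytes)")
```

Run against the full log, all three hidden entries pair with a `-` line of the same size; a hidden file that matches no replaced original, or matches one by name but not by size, is listed as unexplained, which is the case that would still need investigation.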

#6 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 29 January 2009 - 03:01 AM

Hi,

This looks OK again.

* Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between ComboFix and the /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#7 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 05 February 2009 - 06:56 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.