Issues With Updating


8 replies to this topic

#1 Earth

  • Members
  • 8 posts

Posted 04 February 2009 - 11:31 AM

My internet is running okay, but I can't get updates for various programs:
AVG / Malwarebytes / Java, etc.



DDS (Ver_09-02-01.01) - NTFSx86
Run by Tony at 9:23:29.42 on 04/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.223 [GMT -7:00]

AV: AVG 7.5.516 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sierra Wireless Inc\Watcher\WaHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\LightSurf\Common\IconMgr.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Tony\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRunOnce: [<NO NAME>] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...0000e6.0000026d
uRunOnce: [//www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.0.41&build=Symantec&a=00000082.0000001f.0000004b&b=00000082.00000049.000000b9&c=00000082.000000e6] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...0000e6.0000026d
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [WatcherHelper] "c:\program files\sierra wireless inc\watcher\WaHelper.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lights~1.lnk - c:\program files\lightsurf\common\IconMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163640623361
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2009-1-31 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2009-1-31 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2009-1-31 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2009-1-31 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2009-1-31 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2009-1-31 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2009-1-31 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2009-1-31 4960]
R3 AvcPWilo;Adaptec Willow PCI;c:\windows\system32\drivers\avcpwilo.sys [2005-9-20 722656]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2009-02-03 15:49 <DIR> a-dshr-- C:\cmdcons
2009-02-03 15:46 161,792 a------- c:\windows\SWREG.exe
2009-02-03 15:46 98,816 a------- c:\windows\sed.exe
2009-02-03 15:46 <DIR> --d----- C:\ComboFix
2009-02-03 14:38 <DIR> --d----- c:\program files\CCleaner
2009-02-03 09:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-03 09:59 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-02 10:33 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-02 10:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-02 10:21 <DIR> --d----- c:\docume~1\tony\applic~1\wsInspector
2009-02-02 10:20 <DIR> --d----- c:\program files\Startup Inspector for Windows
2009-01-31 10:39 <DIR> --d----- c:\docume~1\tony\applic~1\AVG7
2009-01-31 10:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft
2009-01-30 12:54 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-30 12:54 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-30 12:54 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-30 12:32 <DIR> --d----- c:\program files\Trend Micro
2009-01-30 12:06 <DIR> --d----- c:\program files\CleanUp!
2009-01-26 07:58 135,168 a----r-- c:\windows\system32\WinSys.exe
2009-01-12 12:07 <DIR> --d----- c:\docume~1\tony\applic~1\MalwareRemovalBot
2009-01-05 15:46 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-05 15:46 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-05 15:45 <DIR> --d----- c:\program files\Symantec

==================== Find3M ====================

2009-01-29 11:41 6,140 a------- c:\docume~1\tony\applic~1\wklnhst.dat
2009-01-26 07:20 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-26 07:20 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-11 03:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-27 11:47 10,240 a------- c:\windows\system32\RtNicProp32.dll
2006-08-05 16:05 159 ac--h--- c:\documents and settings\tony\hpothb07.dat
2005-11-25 22:34 63,848 ac------ c:\docume~1\tony\applic~1\GDIPFONTCACHEV1.DAT
2004-03-11 13:27 40,960 a------- c:\program files\Uninstall_CDS.exe
2008-08-28 10:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 9:24:09.39 ===============

#2 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 08 February 2009 - 03:17 PM

Hello, Earth
:thumbup2: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • GMER's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Earth
  • Topic Starter

  • Members
  • 8 posts

Posted 09 February 2009 - 01:03 PM

Hey Bill.
First off, thanks for taking on this challenge.

I downloaded the gmer.exe to my desktop, extracted it, and have tried to run it about 4 times now, all with the same outcome: at first the program opens, I click on scan, it runs for anywhere from 10-30 seconds, then it shuts down and restarts.
Where do I go from here?

#4 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 10 February 2009 - 06:04 PM

Hello, Earth
Please rename gmer to something random such as "Blobfinder.exe" and try again. Also, run ComboFix as specified below.

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author: Posted Image

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :thumbup2:
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt


#5 Earth
  • Topic Starter

  • Members
  • 8 posts

Posted 11 February 2009 - 11:11 AM

ComboFix 09-02-10.03 - Tony 2009-02-11 9:05:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.252 [GMT -7:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
AV: AVG 7.5.516 *On-access scanning enabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-09 10:50 . 2009-02-09 11:00 250 --a------ c:\windows\gmer.ini
2009-02-03 15:23 . 2009-02-03 15:23 <DIR> d-------- c:\windows\Sun
2009-02-03 14:38 . 2009-02-03 14:38 <DIR> d-------- c:\program files\CCleaner
2009-02-03 09:59 . 2009-02-03 09:58 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-03 09:59 . 2009-02-03 09:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-03 09:58 . 2009-02-03 09:58 <DIR> d-------- c:\program files\Java
2009-02-02 10:33 . 2009-02-02 10:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-02 10:33 . 2009-02-02 10:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-02 10:21 . 2009-02-02 11:17 <DIR> d-------- c:\documents and settings\Tony\Application Data\wsInspector
2009-02-02 10:20 . 2009-02-02 10:20 <DIR> d-------- c:\program files\Startup Inspector for Windows
2009-01-31 10:46 . 2009-01-31 10:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-31 10:46 . 2009-01-31 10:51 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVG7
2009-01-31 10:45 . 2009-01-31 10:45 <DIR> d-------- c:\documents and settings\Administrator
2009-01-31 10:39 . 2009-01-31 10:39 <DIR> d-------- c:\documents and settings\Tony\Application Data\AVG7
2009-01-31 10:36 . 2009-01-31 10:36 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AVG7
2009-01-31 10:36 . 2009-01-31 10:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2009-01-31 10:36 . 2009-01-31 10:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg7
2009-01-30 12:54 . 2009-01-30 12:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-30 12:54 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-30 12:54 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-30 12:32 . 2009-01-30 12:32 <DIR> d-------- c:\program files\Trend Micro
2009-01-30 12:06 . 2009-01-30 12:06 <DIR> d-------- c:\program files\CleanUp!
2009-01-27 20:44 . 2009-01-27 20:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
2009-01-26 07:58 . 2003-09-21 23:31 135,168 -ra------ c:\windows\system32\WinSys.exe
2009-01-12 12:07 . 2009-01-12 12:15 <DIR> d-------- c:\documents and settings\Tony\Application Data\MalwareRemovalBot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 18:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-31 18:26 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-31 17:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-31 17:11 --------- d-----w c:\program files\Google
2009-01-30 19:46 --------- d-----w c:\program files\Common Files\Adobe
2009-01-30 19:24 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-30 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-29 18:41 6,140 ----a-w c:\documents and settings\Tony\Application Data\wklnhst.dat
2009-01-28 15:24 --------- d-----w c:\program files\Symantec
2009-01-28 03:46 --------- d-----w c:\program files\CyberLink DVD Solution
2009-01-28 03:44 --------- d-----w c:\program files\CyberLink
2009-01-26 14:20 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-26 14:20 60,800 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-01-26 14:20 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-26 14:20 10,563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-25 16:46 --------- d-----w c:\program files\Windows Live Toolbar
2009-01-25 16:46 --------- d-----w c:\program files\LightSurf
2009-01-25 00:45 --------- d-----w c:\program files\Windows Live
2009-01-18 15:48 --------- d-----w c:\program files\Hewlett-Packard
2009-01-05 23:28 --------- d-----w c:\documents and settings\Tony\Application Data\Symantec
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-27 18:47 10,240 ----a-w c:\windows\system32\RtNicProp32.dll
2006-08-05 23:05 159 -c-ha-w c:\documents and settings\Tony\hpothb07.dat
2005-11-26 05:34 63,848 -c--a-w c:\documents and settings\Tony\Application Data\GDIPFONTCACHEV1.DAT
2004-03-11 20:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2008-08-28 17:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-03_15.52.38.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 17:50:08 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 04:13:02 811,008 ----a-r c:\windows\gmer.exe
+ 2009-02-09 17:50:08 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-02-11 15:55:41 16,384 ----atw c:\windows\temp\Perflib_Perfdata_758.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"//www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.0.41&build=Symantec&a=00000082.0000001f.0000004b&b=00000082.00000049.000000b9&c=00000082.000000e6"="c:\program files\Internet Explorer\iexplore.exe" [?]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2008-10-15 633632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\Watcher\WaHelper.exe" [2008-05-28 114688]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-07-28 49152]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-01-31 579072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-03 136600]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2009-01-31 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
LightSurf.lnk - c:\program files\LightSurf\Common\IconMgr.exe [2005-02-17 98304]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2005-11-24 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R3 AvcPWilo;Adaptec Willow PCI;c:\windows\system32\drivers\avcpwilo.sys [2005-09-20 722656]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0440a4d0-8384-11dd-b200-000c76af18bc}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AppLaunch.exe AUTORUN=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f7571f5-8a6d-11dd-b20d-000c76af18bc}]
\Shell\Auto\command - E:\autorun.bat
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.bat
\Shell\explore\Command - E:\autorun.bat
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []

2009-01-25 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 09:07:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-11 9:09:51
ComboFix-quarantined-files.txt 2009-02-11 16:09:48
ComboFix2.txt 2009-02-03 22:53:52

Pre-Run: 62,317,449,216 bytes free
Post-Run: 62,307,688,448 bytes free

156 --- E O F --- 2009-01-26 15:11:18
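Added example, not from this thread and not ComboFix's or the BleepingComputer team's code: a small Python checker that walks a REGEDIT4-style "Reg Loading Points" dump like the one in the log above and flags the three patterns a responder would pick out of it (Security Center monitoring disabled, the Windows Firewall standard profile set to EnableFirewall=0, and mountpoints2 autorun handlers pointing at a removable drive). The sample input is a constructed excerpt of that log, and the finding category names are my own.

```python
import re
from typing import List, Tuple

# Constructed excerpt modelled on the "Reg Loading Points" section of the
# ComboFix log posted above (sample input only, not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f7571f5-8a6d-11dd-b20d-000c76af18bc}]
\Shell\Auto\command - E:\autorun.bat
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.bat
\Shell\explore\Command - E:\autorun.bat

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"""

# A registry key header line: [HKEY_...\...]
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Security Center told to stop monitoring an AV/firewall product
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
# Windows Firewall profile switched off
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b', re.I)
# Explorer mountpoints2 shell verb handler, e.g. \Shell\AutoRun\command - <cmd>
AUTORUN_RE = re.compile(r"^\\Shell\\[^\\]+\\command\s+-\s+(?P<cmd>.+)$", re.I)

Finding = Tuple[str, str, str]  # (category, registry key, offending line)


def find_loading_point_indicators(text: str) -> List[Finding]:
    """Walk a REGEDIT4-style dump, remembering the current key header, and
    return every value line that matches one of the three patterns above."""
    findings: List[Finding] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        key_l = current_key.lower()
        if "security center\\monitoring" in key_l and DISABLE_MON_RE.match(line):
            findings.append(("security-center-monitoring-disabled", current_key, line))
        elif "firewallpolicy\\standardprofile" in key_l and FIREWALL_OFF_RE.match(line):
            findings.append(("windows-firewall-disabled", current_key, line))
        elif "mountpoints2" in key_l and AUTORUN_RE.match(line):
            findings.append(("removable-drive-autorun-handler", current_key, line))
    return findings


if __name__ == "__main__":
    for category, key, line in find_loading_point_indicators(SAMPLE_LOG):
        print(f"{category:36s} {key}\n    {line}")
```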

#6 Earth
  • Topic Starter

  • Members
  • 8 posts

Posted 11 February 2009 - 11:16 AM

Another note. I did rename the gmer.exe file, tried scanning again, it looks like it finds something right around the start of the scan, but then it powers the system down again.

Edited by Earth, 11 February 2009 - 11:32 AM.


#7 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 11 February 2009 - 06:07 PM

Hello, Earth
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/200596/issues-with-updating/
    collect::[54]
    c:\windows\system32\WinSys.exe
    file::
    E:\autorun.bat
    c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
    folder::
    c:\documents and settings\Tony\Application Data\MalwareRemovalBot
    registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "//www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.0.41&build=Symantec&a=00000082.0000001f.0000004b&b=00000082.00000049.000000b9&c=00000082.000000e6"=-
    "<NO NAME>"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0440a4d0-8384-11dd-b200-000c76af18bc}]
    [-HKEY_CLASSES_ROOT\CLSID\{0440a4d0-8384-11dd-b200-000c76af18bc}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f7571f5-8a6d-11dd-b20d-000c76af18bc}]
    [-HKEY_CLASSES_ROOT\CLSID\{9f7571f5-8a6d-11dd-b20d-000c76af18bc}]
    driver::
    SetupNTGLM7X
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Desktop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop.
  • Extract the file to your Desktop (you may then delete the zip file).
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe.
  • Click Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive)
You successfully installed Avira AntiRootkit!
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select: Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run
  • Click View report and copy the entire contents into your next reply.
In your next reply, please include the following:
  • ComboFix.txt


#8 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 14 February 2009 - 05:24 PM

Hello, Earth
Are you still here?


#9 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 16 February 2009 - 04:53 PM

Hello, Earth
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

