Infected With Trojan.Agent and Trojan.DNSChanger


17 replies to this topic

#1 proletarian

proletarian

  • Members
  • 11 posts
  • OFFLINE

Posted 27 May 2009 - 09:32 PM

Initially it was a browser hijack type thing, redirecting me to various anti-virus sites. Now, it seems to lock up my computer, crash my browser. I can run Malwarebytes, but only if I rename it. I've also tried Combofix and SDfix. I'm not positive, but I think I'm still infected. Any help would be greatly appreciated.



DDS (Ver_09-05-14.01) - NTFSx86
Run by AnarchyDave at 21:21:00.62 on Wed 05/27/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1423 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SopCast\adv\SopAdver.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\AnarchyDave\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Logitech Utility] Logi_MwX.Exe
uRun: [CTSysVol] "c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe" /r
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: xfire_lsp_10650.dll
Trusted Zone: aol.com\free
Trusted Zone: mcafee.com\home
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {00000032-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msnaudio.CAB
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37825.8545717593
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anarch~1\applic~1\mozilla\firefox\profiles\t64aqnee.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-5-25 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-22 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-25 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-25 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-25 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-25 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-5-25 1366904]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [2008-7-7 15896]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-5-25 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-2-26 27232]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S1 SABKUTIL;SABKUTIL; [x]
S2 PEVSystemStart;PEVSystemStart;cmd /k start /i "/dC:" "c:\combofix\hidec.exe" "c:\windows\system32\cf10677.exe" /c rd /s/q \$recycle.bin \recycler \RECYCLED --> cmd [?]
S2 xavp;xavp;c:\program files\kaspersky lab\kaspersky anti-virus 2009\xavp.exe [2008-11-11 206088]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-5-25 29208]
S3 BEFCMU10;Linksys BEFCMU10 EtherFast Cable Modem with USB; [x]
S3 BEFCMU10V4XP;Linksys BEFCMU10 ver. 4 Cable Modem;c:\windows\system32\drivers\BEFCMU10V4XP.sys [2006-1-4 14336]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 gtermddo;gtermddo; [x]
S3 KProcWatch;KProcWatch;\??\c:\windows\system32\drivers\kprocwatch.sys --> c:\windows\system32\drivers\KProcWatch.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
S3 NdUsbMsn;ARESCOM USB Network Adapter;c:\windows\system32\drivers\NdusbMsn.sys [2003-7-23 18023]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2004-12-3 56576]

=============== Created Last 30 ================

2009-05-25 19:54 161,792 a------- c:\windows\SWREG.exe
2009-05-25 19:54 154,624 a------- c:\windows\PEV.exe
2009-05-25 19:54 98,816 a------- c:\windows\sed.exe
2009-05-25 17:10 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-25 16:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-05-25 16:56 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-25 16:56 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-05-25 16:56 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-25 16:56 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-25 16:56 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-25 16:56 <DIR> --d----- c:\docume~1\anarch~1\applic~1\AVGTOOLBAR
2009-05-25 16:54 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-05-25 16:54 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-05-25 16:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-25 16:48 <DIR> --d----- c:\docume~1\anarch~1\applic~1\AVG8
2009-05-25 14:51 <DIR> --d----- c:\program files\Kaspersky Lab
2009-05-25 14:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-05-25 14:22 <DIR> --d----- c:\program files\trend micro
2009-05-25 14:16 <DIR> --d----- c:\windows\system32\CatRoot2
2009-05-25 14:11 0 a------- C:\backup.reg
2009-05-25 14:11 135,168 a------- C:\zip.exe
2009-05-25 14:11 574 a------- C:\cleanup.bat
2009-05-24 19:56 <DIR> --d----- c:\windows\ERUNT
2009-05-24 18:23 4 a------- c:\windows\system32\gxvxccount
2009-05-23 21:52 <DIR> --d----- c:\program files\iPod
2009-05-23 21:52 <DIR> --d----- c:\program files\iTunes
2009-05-23 21:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-10 16:23 <DIR> --d----- c:\docume~1\anarch~1\applic~1\Juniper Networks
2009-04-29 16:19 41,808 ac------ c:\windows\system32\xfcodec.dll

==================== Find3M ====================

2009-05-27 00:48 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-22 22:14 22,328 ac------ c:\windows\system32\drivers\PnkBstrK.sys
2009-05-22 22:14 107,832 ac------ c:\windows\system32\PnkBstrB.exe
2009-04-29 05:51 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-03 00:26 79,891 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-21 09:06 989,696 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\vgx.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 19:10 67,584 a------- c:\windows\system32\ff_vfw.dll
2009-02-27 23:55 105,984 a------- c:\windows\system32\dllcache\iecompat.dll
2009-02-26 21:47 2,255,360 a------- c:\windows\system32\x264vfw.dll
2008-06-07 19:18 22,328 a------- c:\docume~1\anarch~1\applic~1\PnkBstrK.sys
2006-05-03 23:00 1 ac------ c:\documents and settings\anarchydave\SI.bin
2004-05-01 17:32 10,955 ac------ c:\program files\RavenShield.ini
2003-08-12 18:05 784 ac------ c:\docume~1\anarch~1\applic~1\mpauth.dat
2002-09-11 09:26 63,730 ac------ c:\program files\viewsonicinstruct_xp.pdf

============= FINISH: 21:21:55.59 ===============


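Triage of the DDS "SERVICES / DRIVERS" section from the first post, as an added example that is not part of this thread and not code from DDS, ComboFix or any other tool named here. It parses the `R#/S# name;display;image [date size]` line format and lists the entries a responder would look at first. Assumptions, all mine rather than anything the log documents: `R`/`S` is read as running/stopped and the digit as the Windows service start type, `[x]` as "file not found" and `[?]` as a path DDS could not verify. The five sample lines are copied from the log above; the script runs offline against them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: five lines copied verbatim from the DDS log in the first post.
SAMPLE_LINES = [
    r"R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]",
    r"S1 SABKUTIL;SABKUTIL; [x]",
    r'S2 PEVSystemStart;PEVSystemStart;cmd /k start /i "/dC:" "c:\combofix\hidec.exe" "c:\windows\system32\cf10677.exe" /c rd /s/q \$recycle.bin \recycler \RECYCLED --> cmd [?]',
    r"S3 KProcWatch;KProcWatch;\??\c:\windows\system32\drivers\kprocwatch.sys --> c:\windows\system32\drivers\KProcWatch.sys [?]",
    r"S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]",
]

# Windows service Start values (registry "Start" DWORD); the DDS digit is assumed to map onto these.
START_TYPE = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# "<R|S><digit> <name>;<display>;<rest>"  -- rest holds the image path plus a trailing marker.
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
# "<image> [YYYY-M-D size]" for entries whose file DDS located on disk.
PRESENT_RE = re.compile(r"^(?P<image>.*?)\s*\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")


@dataclass
class ServiceEntry:
    state: str              # "running" or "stopped" (assumed meaning of R/S)
    start_type: str         # boot / system / auto / manual / disabled
    name: str
    display: str
    image: str              # image path as DDS reported it ("" if none)
    status: str             # "present", "missing" ([x]) or "unverified" ([?])
    date: Optional[str] = None
    size: Optional[int] = None


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for lines that are not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    state = "running" if m.group("state") == "R" else "stopped"
    start_type = START_TYPE.get(int(m.group("start")), "unknown")
    name, display = m.group("name"), m.group("display")

    if rest.endswith("[x]"):                      # registered service, no file on disk
        return ServiceEntry(state, start_type, name, display, rest[:-3].strip(), "missing")
    if rest.endswith("[?]"):                      # DDS printed the raw ImagePath, then "--> resolved"
        image = rest[:-3].strip()
        if " --> " in image:
            image = image.rsplit(" --> ", 1)[1].strip()
        return ServiceEntry(state, start_type, name, display, image, "unverified")
    pm = PRESENT_RE.match(rest)
    if not pm:
        return None
    return ServiceEntry(state, start_type, name, display, pm.group("image").strip(),
                        "present", pm.group("date"), int(pm.group("size")))


def parse_services(lines: List[str]) -> List[ServiceEntry]:
    """Parse every recognisable service/driver line, silently skipping the rest."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def needs_review(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries whose file DDS could not find or verify: the first things a responder checks by hand."""
    return [e for e in entries if e.status != "present"]


def summarize(entries: List[ServiceEntry]) -> dict:
    """Count entries per status so a long log can be eyeballed quickly."""
    counts = {"present": 0, "missing": 0, "unverified": 0}
    for e in entries:
        counts[e.status] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_services(SAMPLE_LINES)
    print("summary:", summarize(parsed))
    for e in needs_review(parsed):
        print(f"REVIEW {e.state}/{e.start_type:<7} {e.name:<16} status={e.status:<10} image={e.image!r}")
```

Run against the full section, the review list is short enough to work through entry by entry; a "missing" entry is commonly a leftover registration from a removed product, and an "unverified" one should be checked against where the file actually lives before anything is deleted.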

#2 shelf life

shelf life

  • Malware Response Team
  • 2,682 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost

Posted 06 June 2009 - 07:24 AM

hi,

Sorry for the delay, no shortage of posters. If you still need help reply to my post.

How Can I Reduce My Risk to Malware?


#3 proletarian

proletarian
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE

Posted 06 June 2009 - 02:33 PM

Good afternoon,
Hope this message finds you well. Yes, please, if you don't mind taking a look at the logs. I'm still not confident it has been solved entirely. I'm still unable to run various programs, I get crashes, and my Mozilla browser is still stuck on Google stuff.

Any help will be immensely appreciated...

#4 shelf life

shelf life

  • Malware Response Team
  • 2,682 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost

Posted 07 June 2009 - 08:01 AM

Since you have ComboFix, rerun it. It should update automatically. Before you use it, disable any antivirus or antimalware that may be running. I don't know if you installed the recovery console or not; you should also read this guide about ComboFix first:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If you deleted the combofix icon then you can do this first:
start>run and type in:
combofix /u
click ok or enter
Note: a space after the x and before the /

This will remove ComboFix the right way, then just download a new copy from a link in the guide.

How Can I Reduce My Risk to Malware?


#5 proletarian

proletarian
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE

Posted 07 June 2009 - 06:19 PM

I am unable to terminate or disable AVG as well as remove it. Therefore I can run Combofix, but at my own risk. Should I proceed? What do I do once I run combofix?

#6 shelf life

shelf life

  • Malware Response Team
  • 2,682 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost

Posted 07 June 2009 - 08:53 PM

You can run ComboFix, but you will get a warning about your AV, which you can disregard. You will also get a warning about the recovery console not being installed (if it's not); most likely it will update also, and if it can't it will run in a reduced mode.
Once it runs you don't do anything other than follow the prompts. When it's done it will generate a log which you can copy/paste back here.

If you don't feel comfortable running ComboFix, we can see what MBAM can dig up. You can update Malwarebytes, do a full scan and post that log:

Once the program has loaded, check for any updates, next under the scan tab: select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click **Remove Selected.**
**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the MBAM log in your reply.

How Can I Reduce My Risk to Malware?


#7 proletarian

proletarian
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE

Posted 08 June 2009 - 01:58 PM

According to MBAM there isn't a virus. However, if I change the name of MBAM to its original name, it will not run, nor will Secunia or Kaspersky - most that I have tried.

ComboFix log is attached.


Malwarebytes' Anti-Malware 1.37
Database version: 2246
Windows 5.1.2600 Service Pack 3

6/8/2009 1:42:37 PM
mbam-log-2009-06-08 (13-42-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 435794
Time elapsed: 1 hour(s), 13 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 shelf life

shelf life

  • Malware Response Team
  • 2,682 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost

Posted 08 June 2009 - 08:02 PM

I pasted in the ComboFix log for easier viewing:

ComboFix 09-06-07.03 - AnarchyDave 06/08/2009 1:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1540 [GMT -5:00]
Running from: c:\documents and settings\AnarchyDave\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.

2009-06-07 23:24 . 2003-12-18 14:50 94208 ----a-w- c:\windows\system32\FEELIT.DLL
2009-06-07 22:58 . 2009-06-07 22:58 -------- d-----w- c:\documents and settings\log
2009-06-06 03:56 . 2008-12-04 06:25 120832 ----a-w- c:\documents and settings\AnarchyDave\Application Data\Mozilla\Firefox\Profiles\t64aqnee.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-05-25 22:10 . 2009-06-05 20:01 -------- d--h--w- C:\$AVG8.VAULT$
2009-05-25 21:56 . 2009-05-25 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-05-25 21:56 . 2009-05-25 21:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-25 21:56 . 2009-05-25 21:56 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-05-25 21:56 . 2009-05-25 21:56 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-25 21:56 . 2009-05-25 21:56 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-25 21:56 . 2009-05-25 21:56 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-25 21:56 . 2009-06-07 21:58 -------- d-----w- c:\windows\system32\drivers\Avg
2009-05-25 21:56 . 2009-05-25 21:56 -------- d-----w- c:\documents and settings\AnarchyDave\Application Data\AVGTOOLBAR
2009-05-25 21:54 . 2009-05-25 21:54 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-05-25 21:54 . 2009-05-25 21:54 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-05-25 21:54 . 2009-05-26 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-25 21:48 . 2009-05-25 21:48 -------- d-----w- c:\documents and settings\AnarchyDave\Application Data\AVG8
2009-05-25 20:59 . 2009-05-25 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-25 20:50 . 2009-05-25 20:50 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-25 20:20 . 2009-05-25 20:29 -------- d-----w- c:\windows\BDOSCAN8
2009-05-25 19:51 . 2009-05-25 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-05-25 19:51 . 2009-05-25 19:51 -------- d-----w- c:\program files\Kaspersky Lab
2009-05-25 19:22 . 2009-05-27 05:18 -------- d-----w- c:\program files\trend micro
2009-05-25 19:22 . 2009-05-25 19:23 -------- d-----w- C:\rsit
2009-05-25 19:16 . 2009-06-08 06:44 -------- d-----w- c:\windows\system32\CatRoot2
2009-05-25 19:11 . 2009-05-25 19:11 0 ----a-w- C:\backup.reg
2009-05-25 19:11 . 2009-05-25 19:11 574 ----a-w- C:\cleanup.bat
2009-05-25 19:11 . 2009-05-25 19:11 135168 ----a-w- C:\zip.exe
2009-05-25 00:56 . 2009-05-25 00:56 -------- d-----w- c:\windows\ERUNT
2009-05-24 02:52 . 2009-05-24 02:52 -------- d-----w- c:\program files\iPod
2009-05-24 02:52 . 2009-05-24 02:53 -------- d-----w- c:\program files\iTunes
2009-05-24 02:52 . 2009-05-24 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-24 02:46 . 2009-05-24 02:46 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-10 21:23 . 2009-05-10 21:23 37230 ----a-w- c:\documents and settings\AnarchyDave\Application Data\Juniper Networks\Juniper Terminal Services Client\uninstall.exe
2009-05-10 21:23 . 2009-05-10 21:23 33220 ----a-w- c:\documents and settings\AnarchyDave\Application Data\Juniper Networks\setup\uninstall.exe
2009-05-10 21:23 . 2009-05-12 13:07 -------- d-----w- c:\documents and settings\AnarchyDave\Application Data\Juniper Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-08 04:33 . 2007-08-12 02:05 22328 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-08 04:33 . 2007-08-12 02:05 107832 -c--a-w- c:\windows\system32\PnkBstrB.exe
2009-06-07 23:24 . 2005-03-04 01:06 -------- d-----w- c:\program files\Logitech
2009-06-04 04:13 . 2009-03-06 01:54 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-01 01:07 . 2008-06-24 00:55 -------- d-----w- c:\documents and settings\AnarchyDave\Application Data\Azureus
2009-05-27 05:48 . 2009-03-10 02:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-27 05:48 . 2008-10-30 18:27 -------- d-----w- c:\program files\Java
2009-05-27 05:46 . 2009-03-30 19:07 152576 ----a-w- c:\documents and settings\AnarchyDave\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-27 04:45 . 2008-09-15 05:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 04:44 . 2008-10-24 03:04 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-26 18:20 . 2008-09-15 05:53 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 18:19 . 2008-09-15 05:53 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-25 19:44 . 2008-05-05 04:09 -------- d-----w- c:\program files\XoftSpySE
2009-05-25 01:29 . 2008-06-24 00:54 -------- d-----w- c:\program files\Vuze
2009-05-24 02:52 . 2008-07-05 22:30 -------- d-----w- c:\program files\Common Files\Apple
2009-05-22 05:33 . 2004-12-04 22:52 -------- d-----w- c:\documents and settings\AnarchyDave\Application Data\Xfire
2009-05-22 04:37 . 2004-12-04 22:51 -------- d-s---w- c:\program files\Xfire
2009-04-29 21:19 . 2009-04-29 21:19 41808 -c--a-w- c:\windows\system32\xfcodec.dll
2009-04-29 12:36 . 2009-03-12 23:42 -------- d-----w- c:\program files\Sony
2009-04-29 12:33 . 2008-06-13 03:38 -------- d-----w- c:\program files\GameSpot
2009-04-29 10:51 . 2009-04-29 10:51 299352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-04-29 10:51 . 2009-04-29 10:51 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-04-29 10:51 . 2009-04-29 10:51 165728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-04-29 10:51 . 2009-04-29 10:51 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-04-29 10:51 . 2009-03-23 02:14 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-04-29 10:51 . 2009-04-29 10:51 343888 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-04-29 10:51 . 2009-04-29 10:51 82784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-04-29 10:51 . 2009-04-29 10:51 289632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-04-29 10:51 . 2009-04-29 10:51 1629024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-04-29 10:50 . 2009-04-29 10:50 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-29 10:50 . 2009-04-29 10:50 632680 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-04-29 10:50 . 2009-04-29 10:50 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-04-29 10:50 . 2009-04-29 10:50 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-04-29 10:50 . 2009-04-29 10:50 539512 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-04-29 10:50 . 2009-04-29 10:50 552808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-04-29 10:50 . 2009-04-29 10:50 2324808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-04-29 10:50 . 2009-04-29 10:50 626000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-04-29 10:50 . 2009-04-29 10:50 516440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-04-29 10:50 . 2009-04-29 10:50 953168 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-04-21 00:04 . 2009-04-21 00:04 -------- d-----w- c:\program files\Veetle
2009-04-04 14:26 . 2003-07-23 22:51 42048 -c--a-w- c:\documents and settings\AnarchyDave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-03 05:26 . 2002-09-03 13:58 79891 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-04-03 01:01 . 2004-12-13 01:53 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-03-24 11:03 . 2008-12-10 14:17 7808 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 21:32 . 2008-01-29 17:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 23:58 . 2009-03-10 02:02 152576 ----a-w- c:\documents and settings\AnarchyDave\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-03-16 06:50 . 2009-03-16 06:50 730 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F95A7C7B07FCE1849AF4C75236AAA5DD.dll
2009-03-16 06:50 . 2009-03-16 06:50 3283 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1E830E79DA1439C4CBCDA63249EA3E25.dll
2009-03-12 08:17 . 2009-03-22 19:56 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-03-11 02:54 . 2006-07-04 21:49 278984 -c--a-w- c:\windows\system32\drivers\atksgt.sys
2004-05-01 22:32 . 2004-05-01 22:32 10955 -c--a-w- c:\program files\RavenShield.ini
2002-09-11 14:26 . 2005-04-09 22:11 63730 -c--a-w- c:\program files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((( SnapShot@2009-05-26_01.31.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-07 23:26 . 2009-06-07 23:26 16384 c:\windows\temp\Perflib_Perfdata_48c.dat
+ 2009-06-07 23:24 . 2008-04-13 18:39 23040 c:\windows\SYSTEM32\ReinstallBackups\0018\DriverFiles\i386\mouclass.sys
- 2005-03-04 01:42 . 2004-08-04 06:58 23040 c:\windows\SYSTEM32\ReinstallBackups\0018\DriverFiles\i386\mouclass.sys
+ 2009-06-07 23:24 . 2008-04-13 19:18 52480 c:\windows\SYSTEM32\ReinstallBackups\0018\DriverFiles\i386\i8042prt.sys
- 2005-03-04 01:42 . 2003-12-18 15:50 16896 c:\windows\SYSTEM32\LMOUSE32.DLL
+ 2005-03-04 01:42 . 2003-12-18 14:50 16896 c:\windows\SYSTEM32\LMOUSE32.DLL
- 2005-03-04 01:42 . 2003-12-18 15:50 97792 c:\windows\SYSTEM32\LGUICOM.DLL
+ 2005-03-04 01:42 . 2003-12-18 14:50 97792 c:\windows\SYSTEM32\LGUICOM.DLL
+ 2009-04-03 02:46 . 2008-04-13 18:39 23040 c:\windows\SYSTEM32\DRIVERS\mouclass.sys
- 2009-04-03 02:46 . 2008-04-13 18:39 23040 c:\windows\SYSTEM32\DRIVERS\mouclass.sys
+ 2005-03-04 01:42 . 2003-12-11 14:50 37916 c:\windows\SYSTEM32\DRIVERS\LHIDUSB.SYS
- 2005-03-04 01:42 . 2003-12-11 09:50 37916 c:\windows\SYSTEM32\DRIVERS\LHIDUSB.SYS
+ 2005-03-04 01:42 . 2003-12-11 14:50 25630 c:\windows\SYSTEM32\DRIVERS\LHIDFLT2.SYS
- 2005-03-04 01:42 . 2003-12-11 09:50 25630 c:\windows\SYSTEM32\DRIVERS\LHIDFLT2.SYS
- 2005-03-04 01:42 . 2003-12-11 09:50 14092 c:\windows\SYSTEM32\DRIVERS\LCCFLTR.SYS
+ 2005-03-04 01:42 . 2003-12-11 14:50 14092 c:\windows\SYSTEM32\DRIVERS\LCCFLTR.SYS
- 2009-04-03 02:46 . 2008-04-13 18:39 23040 c:\windows\SYSTEM32\DLLCACHE\mouclass.sys
+ 2009-04-03 02:46 . 2008-04-13 18:39 23040 c:\windows\SYSTEM32\DLLCACHE\mouclass.sys
+ 2005-03-04 01:42 . 2003-12-18 14:50 3568 c:\windows\SYSTEM32\LMOUSE16.DLL
- 2005-03-04 01:42 . 2003-12-18 15:50 3568 c:\windows\SYSTEM32\LMOUSE16.DLL
- 2005-03-04 01:42 . 2003-12-11 09:50 152064 c:\windows\SYSTEM32\lmoufrc.dll
+ 2005-03-04 01:42 . 2003-12-11 14:50 152064 c:\windows\SYSTEM32\lmoufrc.dll
- 2009-03-30 19:09 . 2009-03-30 19:09 148888 c:\windows\SYSTEM32\javaws.exe
+ 2009-05-27 05:49 . 2009-05-27 05:48 148888 c:\windows\SYSTEM32\javaws.exe
- 2009-03-30 19:09 . 2009-03-30 19:09 144792 c:\windows\SYSTEM32\javaw.exe
+ 2009-05-27 05:49 . 2009-05-27 05:48 144792 c:\windows\SYSTEM32\javaw.exe
- 2009-03-30 19:09 . 2009-03-30 19:09 144792 c:\windows\SYSTEM32\java.exe
+ 2009-05-27 05:49 . 2009-05-27 05:48 144792 c:\windows\SYSTEM32\java.exe
- 2005-03-04 01:42 . 2003-12-18 15:50 104960 c:\windows\SYSTEM32\COMNCTR.DLL
+ 2005-03-04 01:42 . 2003-12-18 14:50 104960 c:\windows\SYSTEM32\COMNCTR.DLL
+ 2009-05-26 02:52 . 2009-05-26 02:52 352256 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2009-05-25 00:56 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-05-26 02:52 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
- 2009-05-25 00:56 . 2009-05-25 00:56 9175040 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-05-26 02:52 . 2009-05-26 02:52 9175040 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-11 20992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-25 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-27 148888]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2009-02-18 1657376]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\SYSTEM32\CTXFIHLP.EXE [2006-08-11 18944]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CtHelper.exe [2008-06-27 19456]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-11 20992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-25 21:56 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Red Storm Entertainment\\RavenShield\\system\\RavenShield.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ubi.com\\Core\\GS4.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Xfire\\ua_lsp_inst.exe"=
"c:\\Program Files\\Red Storm Entertainment\\RavenShield\\system\\UCC.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\AnarchyDave\\My Documents\\My Games\\Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15250:UDP"= 15250:UDP:GRAW
"13139:UDP"= 13139:UDP:GRAW
"13139:TCP"= 13139:TCP:GRAW
"6667:TCP"= 6667:TCP:GRAW
"28910:TCP"= 28910:TCP:GRAW
"29900:TCP"= 29900:TCP:GRAW
"29920:TCP"= 29920:TCP:GRAW
"29910:UDP"= 29910:UDP:GRAW
"1599:TCP"= 1599:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [5/25/2009 4:56 PM 12552]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/22/2009 2:59 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/25/2009 4:56 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/25/2009 4:56 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/25/2009 4:55 PM 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [5/25/2009 4:56 PM 1366904]
R2 PfDetNT;PfDetNT;c:\windows\SYSTEM32\DRIVERS\pfmodnt.sys [7/7/2008 10:37 AM 15896]
R3 Avgfwdx;Avgfwdx;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [5/25/2009 4:54 PM 29208]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\SYSTEM32\DRIVERS\COMMONFX.sys [6/27/2008 7:21 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTAUDFX.sys [6/27/2008 7:21 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTSBLFX.sys [6/27/2008 7:21 PM 566296]
S1 SABKUTIL;SABKUTIL; [x]
S2 xavp;xavp;c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\xavp.exe [11/11/2008 7:59 PM 206088]
S3 Avgfwfd;AVG network filter service;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [5/25/2009 4:54 PM 29208]
S3 BEFCMU10;Linksys BEFCMU10 EtherFast Cable Modem with USB; [x]
S3 BEFCMU10V4XP;Linksys BEFCMU10 ver. 4 Cable Modem;c:\windows\SYSTEM32\DRIVERS\BEFCMU10V4XP.sys [1/4/2006 9:29 PM 14336]
S3 COMMONFX;COMMONFX;c:\windows\SYSTEM32\DRIVERS\COMMONFX.sys [6/27/2008 7:21 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\SYSTEM32\DRIVERS\CTAUDFX.sys [6/27/2008 7:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\SYSTEM32\DRIVERS\CTERFXFX.sys [6/27/2008 7:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\SYSTEM32\DRIVERS\CTERFXFX.sys [6/27/2008 7:21 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\SYSTEM32\DRIVERS\CTSBLFX.sys [6/27/2008 7:21 PM 566296]
S3 gtermddo;gtermddo; [x]
S3 KProcWatch;KProcWatch;\??\c:\windows\system32\drivers\KProcWatch.sys --> c:\windows\system32\drivers\KProcWatch.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 953168]
S3 NdUsbMsn;ARESCOM USB Network Adapter;c:\windows\SYSTEM32\DRIVERS\NdusbMsn.sys [7/23/2003 6:05 PM 18023]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [11/6/2007 3:22 PM 34064]
S3 PSI;PSI;c:\windows\SYSTEM32\DRIVERS\psi_mf.sys [12/10/2008 9:17 AM 7808]
S3 SaiH8000;SaiH8000;c:\windows\SYSTEM32\DRIVERS\SaiH8000.sys [12/3/2004 2:02 PM 56576]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 10:50]

2009-06-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
LSP: xfire_lsp_10650.dll
Trusted Zone: aol.com\free
Trusted Zone: mcafee.com\home
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\AnarchyDave\Application Data\Mozilla\Firefox\Profiles\t64aqnee.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 01:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...


c:\docume~1\ANARCH~1\LOCALS~1\Temp\Perflib_Perfdata_1088.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-464921486-2284760180-3272194052-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:0a,fc,47,18,df,e9,f0,46,d0,1d,fc,f2,84,34,44,63,c1,f7,e4,e9,a1,81,a8,
08,cd,62,06,9e,0c,e2,9a,b5,c7,c9,2f,ec,2a,08,c0,24,27,bb,1a,d5,7f,c1,29,ef,\
"??"=hex:e5,1a,4b,bd,0c,1d,1f,ed,b4,bd,b7,fb,47,0c,f0,20

[HKEY_USERS\S-1-5-21-464921486-2284760180-3272194052-1006\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:3c,7a,10,50,85,37,5e,2c,7c,13,11,63,d5,12,b6,30,7a,11,84,a6,04,
58,74,59,b1,92,ea,0e,55,85,42,65,76,8a,10,37,ac,3c,31,81,a6,04,12,3a,8a,25,\
"rkeysecu"=hex:fb,5e,de,14,41,7a,02,81,ae,5e,15,48,9b,0f,db,a9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1840)
c:\windows\system32\xfire_lsp_10650.dll

- - - - - - - > 'explorer.exe'(1304)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\system32\nview.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-08 1:52
ComboFix-quarantined-files.txt 2009-06-08 06:52

Pre-Run: 49,411,088,384 bytes free
Post-Run: 50,510,950,400 bytes free

314 --- E O F --- 2009-05-13 13:58

How Can I Reduce My Risk to Malware?


#9 shelf life

  • Malware Response Team
  • 2,682 posts
  • Gender:Male
  • Location:@localhost

Posted 08 June 2009 - 08:28 PM

OK. The good news is ComboFix didn't remove anything and I don't recognize any malware in the log. Looks like you have several anti-malware apps and have used several removal tools also. About the only thing left as a check for malware is to do an online scan, which you may already have done. Have you tried to uninstall MBAM via the Add/Remove Programs panel and then reinstall it?

#10 proletarian
  • Topic Starter

  • Members
  • 11 posts

Posted 08 June 2009 - 09:55 PM

Yes, I have tried to remove MBAM and reinstall it. One issue occurs: it will not reinstall unless I rename the exe file. I'm not sure if you're familiar with the program Secunia, but it also fails to run. About half the programs that require internet access will not work. My Mozilla browser is also still set to Google.

How do I proceed? What should I attempt to uninstall and so forth...?

#11 proletarian
  • Topic Starter

  • Members
  • 11 posts

Posted 08 June 2009 - 09:57 PM

It has been a few weeks since running an online scan. I can't remember if it worked or not. In the interim, I shall try again and post the results tomorrow.

Thank you for all the help thus far!

#12 proletarian
  • Topic Starter

  • Members
  • 11 posts

Posted 09 June 2009 - 02:42 AM

This is a good example of what I've been experiencing. When attempting to run Kaspersky's online scanner the following error message popped up:

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.
You must be online to update the Kaspersky Online Scanner 7.0 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7.0. [ERROR: Invalid file signature]


Next?

#13 shelf life

  • Malware Response Team
  • 2,682 posts
  • Gender:Male
  • Location:@localhost

Posted 10 June 2009 - 07:29 PM

Hi,

Thanks for the info. Based on the logs it looks like you are malware free. I don't know why you are having problems with all the software that might require internet access; it must not be malware related. You might think about doing a re-install.
You can remove ComboFix like this:
Start > Run and type in:
combofix /u
Click OK or press Enter.
Note: a space after the x and before the /

#14 proletarian
  • Topic Starter

  • Members
  • 11 posts

Posted 11 June 2009 - 06:33 AM

A reinstall of what?
While I appreciate having to wait a few weeks to be guided through the exact same process I had already been through, this does not really help. I actually came here because this was beyond my knowledge.

The problems did not occur previous to the virus, which was downloaded mistakenly, and continue to persist, MBAM log or not.

Are there any other steps I can take? Is there someone who will actually help me? Can someone tell me what virus I had?

#15 shelf life

  • Malware Response Team
  • 2,682 posts
  • Gender:Male
  • Location:@localhost

Posted 11 June 2009 - 05:12 PM

A reinstall of Windows. From what we have run, and all the tools you ran yourself, you appear to be malware free. You can try setting IE back to its defaults. With IE open: Tools > Internet Options > Advanced tab, click the Reset button to reset IE.
