Heur Virus


  • This topic is locked
1 reply to this topic

#1 lexia

lexia

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Female
  • Local time:10:33 PM

Posted 02 June 2009 - 06:54 AM

To whom it may concern,

I have a custom made computer
The system it runs on is:
Microsoft Windows XP
Professional
Version 2002
Service Pack 3

It has:
Intel® Core™2 Duo CPU
E8200@ 2.66GHz
2.67 GHz, 2.00 GB of RAM
NVIDIA GeForce 9600 GT

(Not sure if you need to know anymore in the computer department)

So basically my problem started a couple of days ago when my friend stupidly infected my computer with some virus/malware whatever it is.
I ran AVG version 8.5 and it detected it and said it was going to remove it on a reboot but it didn't.
I ran Avast! but that didn't help either so I just got rid of that.
Then I realised my computer was getting slower and popups in Chinese started showing up with the URL address "http://dywt.com.cn". I also would get Internet Explorer popping up randomly and directing me to Chinese websites.
So I had a look at the process that was making these popups appear, and it was a program called "F5AA40.exe"; apparently it's in system32.
I also noticed that in the past couple of days the number of virus/malware thingos appearing in relation to this Heur virus kept increasing in the AVG scan.

Anyway, I finally read somewhere that someone on this website would help me if I posted a Combofix log. So I followed all the instructions to get a Combofix log and am now here writing on this forum.

Also, I just noticed a popup from this Heur virus just now, so obviously it hasn't been fixed :thumbsup:

So please, to anyone who can help direct me on what to do next, I would be most appreciative.

Thanks in advance,
Lexia


COMBOFIX LOG BELOW:

------------------------------------------------------------------------------
ComboFix 09-05-31.06 - User 06/02/2009 21:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1408 [GMT 10:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\User\LOCALS~1\Temp\E_N4
c:\docume~1\User\LOCALS~1\Temp\E_N4\cnvpe.fne
c:\docume~1\User\LOCALS~1\Temp\E_N4\dp1.fne
c:\docume~1\User\LOCALS~1\Temp\E_N4\eAPI.fne
c:\docume~1\User\LOCALS~1\Temp\E_N4\HtmlView.fne
c:\docume~1\User\LOCALS~1\Temp\E_N4\internet.fne
c:\docume~1\User\LOCALS~1\Temp\E_N4\krnln.fnr
c:\docume~1\User\LOCALS~1\Temp\E_N4\shell.fne
c:\docume~1\User\LOCALS~1\Temp\E_N4\spec.fne

.
((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-05-29 15:01 . 2009-06-02 11:21 93984 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-05-29 15:01 . 2009-06-02 11:21 24733216 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-29 14:27 . 2009-05-30 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-29 14:27 . 2009-05-29 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-05-29 11:45 . 2009-05-29 11:45 -------- d-----w- c:\program files\Alwil Software
2009-05-29 10:34 . 2009-05-29 10:59 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-29 09:52 . 2009-06-02 10:47 -------- d--h--w- c:\windows\system32\E739BB
2009-05-29 09:52 . 2009-06-02 09:22 -------- d--h--w- c:\windows\system32\1908FB
2009-05-29 09:52 . 2009-05-29 10:07 -------- d--h--w- c:\windows\system32\9642B6
2009-05-29 09:52 . 2009-05-29 09:52 -------- d--h--w- c:\windows\system32\2D5726
2009-05-29 04:11 . 2009-05-29 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-05-19 02:38 . 2009-05-06 07:59 2051864 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgcorex.dll
2009-05-19 02:38 . 2009-05-06 07:59 354584 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgxch32.dll
2009-05-19 02:38 . 2009-05-06 07:59 3288344 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\setup.exe
2009-05-19 02:38 . 2009-05-06 07:59 424472 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgwdwsc.dll
2009-05-19 02:38 . 2009-05-06 07:59 312088 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avglngx.dll
2009-05-19 02:38 . 2009-05-06 07:59 177432 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgmail.dll
2009-05-19 02:38 . 2009-05-06 07:59 486168 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgrsx.exe
2009-05-19 02:37 . 2009-05-06 07:54 755992 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avginet.dll
2009-05-19 02:37 . 2009-05-06 07:54 1437464 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.dll
2009-05-14 02:10 . 2009-05-14 02:10 -------- d-----w- c:\program files\iPod
2009-05-14 02:10 . 2009-05-14 02:10 -------- d-----w- c:\program files\iTunes
2009-05-14 02:10 . 2009-05-14 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-14 02:05 . 2009-05-14 02:05 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-13 23:01 . 2009-05-06 07:59 3399960 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgui.exe
2009-05-13 23:01 . 2009-05-06 07:59 2302232 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avguiadv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 11:22 . 2008-07-31 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-06-02 11:21 . 2008-11-22 01:53 -------- d-----w- c:\program files\DNA
2009-06-02 11:21 . 2008-11-22 01:53 -------- d-----w- c:\documents and settings\User\Application Data\DNA
2009-06-02 11:20 . 2009-05-29 15:01 9812 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-02 11:20 . 2009-05-29 15:01 332252 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-05-29 10:49 . 2009-04-05 04:33 -------- d-----w- c:\documents and settings\User\Application Data\Orbit
2009-05-29 10:34 . 2008-11-22 01:53 -------- d-----w- c:\program files\AskBarDis
2009-05-17 07:43 . 2008-07-31 09:44 -------- d-----w- c:\documents and settings\User\Application Data\AVGTOOLBAR
2009-05-15 14:42 . 2009-03-05 07:22 -------- d-----w- c:\program files\Google
2009-05-14 10:29 . 2009-05-29 23:45 170788 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-05-14 02:22 . 2008-08-10 04:21 -------- d-----w- c:\program files\Apple Software Update
2009-05-14 02:09 . 2008-08-10 04:21 -------- d-----w- c:\program files\QuickTime
2009-05-14 02:01 . 2008-08-28 10:45 -------- d-----w- c:\program files\Bonjour
2009-05-13 14:25 . 2008-07-28 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-07 13:56 . 2008-11-22 01:53 -------- d-----w- c:\documents and settings\User\Application Data\BitTorrent
2009-05-06 07:59 . 2008-07-31 09:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-06 07:59 . 2008-07-31 09:44 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-06 07:59 . 2008-07-31 09:44 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-06 07:59 . 2008-07-31 09:44 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-26 10:14 . 2008-08-26 12:20 -------- d-----w- c:\documents and settings\User\Application Data\LimeWire
2009-04-23 11:46 . 2009-04-23 11:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-04-23 11:45 . 2009-04-14 12:32 -------- d-----w- c:\program files\PopCap Games
2009-04-15 09:12 . 2009-04-14 12:32 23 ----a-w- c:\windows\popcinfot.dat
2009-04-15 08:31 . 2008-07-19 11:35 89824 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 12:32 . 2009-04-14 12:32 0 ----a-w- c:\windows\popcreg.dat
2009-04-11 13:51 . 2009-04-11 13:51 -------- d-----w- c:\program files\Microsoft Works
2009-04-11 13:51 . 2009-04-11 13:51 -------- d-----w- c:\program files\MSBuild
2009-04-11 13:50 . 2009-04-11 13:50 -------- d-----w- c:\program files\Microsoft.NET
2009-04-11 13:49 . 2008-07-28 13:00 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-04-05 04:33 . 2009-04-05 04:33 -------- d-----w- c:\program files\Orbitdownloader
2009-04-01 22:56 . 2009-04-01 22:56 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-19 06:32 . 2009-03-19 06:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 06:32 . 2008-01-29 02:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 18:19 . 2008-12-16 12:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-10-01 12:00 284160 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 06:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-10-01 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-10-01 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-10-01 455168]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-19 13500416]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-19 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-06 1947928]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"F5AA40"="c:\windows\system32\1908FB\F5AA40.EXE" [2009-05-31 1407840]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-02-13 16857600]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-02-19 1626112]

c:\documents and settings\User\Start Menu\Programs\Startup\
F5AA40.lnk - c:\windows\system32\1908FB\F5AA40.EXE [2009-5-31 1407840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-7-25 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-8-14 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-06 07:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/31/2008 7:44 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/31/2008 7:44 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/31/2008 7:44 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/31/2008 7:44 PM 298776]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/24/2009 10:18 PM 55152]
S2 gupdate1c99d63305eff28;Google Update Service (gupdate1c99d63305eff28);c:\program files\Google\Update\GoogleUpdate.exe [3/5/2009 5:22 PM 133104]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 5:08 PM 533360]
S3 RDID1009;EDIROL UM-1;c:\windows\system32\drivers\Rdwm1009.sys [8/21/2008 9:08 PM 79393]
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 02:34]

2009-06-02 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-05 07:22]

2009-06-02 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 06:04]

2009-06-02 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 06:04]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=101852&l=dis
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\39a4quqb.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 21:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(176)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\AVG\AVG8\avgscanx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-06-02 21:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-02 11:27

Pre-Run: 410,634,399,744 bytes free
Post-Run: 410,994,257,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

274 --- E O F --- 2009-05-27 05:12


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:08:33 AM

Posted 02 June 2009 - 10:32 AM

ComboFix logs should not be posted or discussed outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic in the Am I Infected forum.
http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
Explain the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

This topic is now closed.
The BC Staff
Mark

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits