Unidentified infection


This topic is locked
17 replies to this topic

#1 Captainzoo
Posted 30 July 2009 - 07:14 AM

Hi,

I have a serious infection in my PC. I have Pareto Logic's Anti-Virus PLUS installed but some weeks back (I can't recall the exact time) the security software did not autorun on startup to monitor my PC. Inadvertently I had an invasion of my Hotmail and Ebay accounts where my passwords were changed and account details violated. After rescuing my information and reinstating my accounts through support from both sites I turned my attention to the Anti-Virus PLUS problem. Pareto Logic's support team tried to get me to access certain settings from the Anti-Virus PLUS interface to solve the autorun issue. At this point Anti-Virus PLUS would crash every time I attempted to access the Settings, Custom Settings and Help menu.

At the same time IE8 would self-start with random web pages. The Pareto Logic Support Team suggested running HijackThis and sending the log for analysis. HijackThis would not run. Support recommended I run Autoruns.exe, and I sent back the log file for analysis. In the first instance Support recommended I remove a suspicious scheduled task which may block HijackThis. After a reboot HijackThis still did not run. A second Autoruns log was sent and Support have suggested running Combofix. As with HijackThis, Combofix will not run (even in Safe Mode) and Windows reports that it has stopped working.

While I am still pursuing a resolution through Pareto Logic's Support Team, I would like to ask if someone from BleepingComputer would be kind enough to review the DDS logs below, which I have run as advised in the Preparation Guide. If you require any more information please do not hesitate to reply.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Paul at 21:28:19.23 on Thu 30/07/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.61.1033.18.3070.2003 [GMT 10:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\AMD\Fusion Media Explorer\MediaSource.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Media Manager\Viiv\MediaManager.Service.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\nHancer\nHancerService.exe
C:\Windows\system32\oodag.exe
C:\Program Files\ParetoLogic\PGsurfer\InjectService.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\oodtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Paul\Desktop\dds.scr
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.telstra.com/
uStart Page = hxxp://www.bigpond.com/
uWindow Title = Telstra BigPond Home Internet Explorer
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\paretologic\pgsurfer\PGsurfer.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6d6ab9f1-879a-31ae-afbc-95c0928af769} - D
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: WebController.dll
LSP: c:\windows\system32\INetHTTPFilter.dll
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: NameServer = 85.255.112.206,85.255.112.116
TCP: {B3073184-1A85-4ACD-B448-90BC514E133C} = 85.255.112.206,85.255.112.116
TCP: {FFF1CC3C-7E52-4CA1-8BC6-39DA85F39F6A} = 85.255.112.206,85.255.112.116
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2009-1-2 4608]
R2 AMD Fusion Media Explorer Remote Content Service;AMD Fusion Media Explorer Remote Content Service;c:\program files\amd\fusion media explorer\MediaSource.exe [2009-4-3 766312]
R2 MediaManagerService;MediaManagerService;c:\program files\media manager\viiv\MediaManager.Service.exe [2008-3-4 34096]
R2 PctrlsInjectService;PctrlsInjectService;c:\program files\paretologic\pgsurfer\InjectService.exe [2007-10-25 176128]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\system32\nvSCPAPISvr.exe [2009-6-10 232960]
R2 ZeppelinService;plasservice;c:\program files\common files\paretologic\plas\plasservice.exe [2008-12-23 587216]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 335872]
S2 AcronisOSSReinstallSvc;Acronis OS Selector Reinstall Service; [x]
S2 gupdate1c9e7739d450f06;Google Update Service (gupdate1c9e7739d450f06);c:\program files\google\update\GoogleUpdate.exe [2009-6-7 133104]

=============== Created Last 30 ================

2009-07-30 19:16 <DIR> --d-h--- c:\windows\PIF
2009-07-29 22:35 <DIR> --d----- c:\program files\FSX Airport Design Editor
2009-07-29 22:13 <DIR> --d----- c:\program files\FSX Airport Scanner
2009-07-29 19:51 197,104 a---h--- c:\windows\system32\mlfcache.dat
2009-07-22 20:31 <DIR> --d----- c:\program files\iPod
2009-07-22 20:31 <DIR> --d----- c:\program files\iTunes
2009-07-22 16:40 <DIR> --d----- c:\programdata\Electronic Arts
2009-07-22 16:40 <DIR> --d----- c:\progra~2\Electronic Arts
2009-07-22 16:37 844 a------- c:\windows\system32\ealregsnapshot1.reg
2009-07-21 16:06 415,718,711 a------- c:\windows\MEMORY.DMP
2009-07-11 21:51 <DIR> --d----- c:\program files\THQ
2009-07-11 19:43 <DIR> --d----- c:\program files\GameSpy Arcade
2009-07-11 19:19 <DIR> --d----- c:\programdata\Media Center Programs
2009-07-11 19:19 <DIR> --d----- c:\progra~2\Media Center Programs
2009-07-11 19:14 <DIR> --d----- c:\program files\Sierra Entertainment
2009-07-10 22:37 <DIR> --d----- c:\programdata\Codemasters
2009-07-10 22:37 <DIR> --d----- c:\progra~2\Codemasters
2009-07-10 22:37 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-10 22:32 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-07-10 22:32 805,400 a----r-- c:\windows\system32\tmpA8EB.tmp
2009-07-10 22:29 <DIR> --d----- c:\program files\Codemasters
2009-07-10 22:18 <DIR> --d----- c:\programdata\Downloaded Installations
2009-07-10 22:18 <DIR> --d----- c:\progra~2\Downloaded Installations
2009-07-10 21:21 <DIR> --d----- c:\program files\common files\Logitech
2009-07-04 10:45 256 a------- c:\windows\system32\pool.bin
2009-07-04 10:45 <DIR> --d----- c:\users\paul\appdata\roaming\Research In Motion
2009-07-04 10:34 <DIR> --d----- c:\programdata\InstallShield
2009-07-04 10:34 <DIR> --d----- c:\programdata\Sonic
2009-07-04 10:32 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-07-04 10:31 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-07-04 10:31 <DIR> --d----- c:\programdata\Roxio
2009-07-04 10:31 <DIR> --d----- c:\program files\Roxio
2009-07-04 10:26 26,496 a------- c:\windows\system32\drivers\RimSerial.sys
2009-07-04 10:26 <DIR> --d----- c:\program files\common files\Research In Motion
2009-07-04 10:25 <DIR> --d----- c:\program files\Research In Motion

==================== Find3M ====================

2009-07-30 21:20 244,734 a------- c:\programdata\nvModes.dat
2009-07-30 21:20 244,734 a------- c:\progra~2\nvModes.dat
2009-07-30 21:08 163,616,800 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-30 21:08 2,204,960 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-27 19:36 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-27 19:36 86,016 a------- c:\windows\inf\infstor.dat
2009-07-27 19:36 51,200 a------- c:\windows\inf\infpub.dat
2009-07-12 00:12 138,464 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-12 00:11 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-07-10 22:33 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-07-10 22:33 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-06-20 16:57 116,843 a------- c:\windows\hpqins00.dat
2009-06-10 08:35 1,194,528 a------- c:\windows\system32\nvcplui.exe
2009-06-10 08:35 1,296,928 a------- c:\windows\system32\nvsvs.dll
2009-06-10 08:34 3,123,744 a------- c:\windows\system32\nvwss.dll
2009-06-10 08:34 4,045,344 a------- c:\windows\system32\nvvitvs.dll
2009-06-10 08:34 4,028,960 a------- c:\windows\system32\nvdisps.dll
2009-06-10 08:34 3,516,960 a------- c:\windows\system32\nvgames.dll
2009-06-10 08:34 1,288,736 a------- c:\windows\system32\nvmobls.dll
2009-06-10 08:34 211,488 a------- c:\windows\system32\nvvsvc.exe
2009-06-10 08:34 195,104 a------- c:\windows\system32\nvmccss.dll
2009-06-10 08:34 13,785,632 a------- c:\windows\system32\nvcpl.dll
2009-06-10 08:34 768,544 a------- c:\windows\system32\nvsvc.dll
2009-06-10 08:34 143,360 a------- c:\windows\system32\nvshext.dll
2009-06-10 08:34 92,704 a------- c:\windows\system32\nvmctray.dll
2009-06-10 06:33 244,736 a------- c:\windows\system32\nvStInst.exe
2009-06-10 06:33 467,968 a------- c:\windows\system32\nvstlink.exe
2009-06-10 06:33 3,953,152 a------- c:\windows\system32\nvstwiz.exe
2009-06-10 06:33 141,824 a------- c:\windows\system32\nvStereoApiI.dll
2009-06-10 06:33 171,520 a------- c:\windows\system32\nvStereoApiI64.dll
2009-06-10 06:33 232,960 a------- c:\windows\system32\nvSCPAPISvr.exe
2009-06-10 06:32 257,536 a------- c:\windows\system32\nvSCPAPI.dll
2009-06-10 06:32 301,568 a------- c:\windows\system32\nvSCPAPI64.dll
2009-06-10 06:32 3,293,184 a------- c:\windows\system32\nvstres.dll
2009-06-10 06:32 5,847 a------- c:\windows\system32\oglstreg.reg
2009-06-10 06:31 167,424 a------- c:\windows\system32\nvstreg.exe
2009-06-10 06:31 1,718,272 a------- c:\windows\system32\nvsttest.exe
2009-06-10 06:31 1,034,752 a------- c:\windows\system32\nvstview.exe
2009-06-10 06:31 89,088 a------- c:\windows\system32\nvimage.dll
2009-06-10 06:29 1,656 a------- c:\windows\system32\nvstdef.reg
2009-06-10 06:03 10,379,264 a------- c:\windows\system32\nvoglv32.dll
2009-06-10 06:03 9,899,296 a------- c:\windows\system32\drivers\nvlddmkm.sys
2009-06-10 06:03 7,611,904 a------- c:\windows\system32\nvd3dum.dll
2009-06-10 06:03 3,148,288 a------- c:\windows\system32\nvwgf2um.dll
2009-06-10 06:03 1,704,960 a------- c:\windows\system32\nvcuda.dll
2009-06-10 06:03 1,317,408 a------- c:\windows\system32\nvcuvenc.dll
2009-06-10 06:03 989,696 a------- c:\windows\system32\nvapi.dll
2009-06-10 06:03 678,432 a------- c:\windows\system32\nvcuvid.dll
2009-06-10 06:03 457,248 a------- c:\windows\system32\nvudisp.exe
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod155.dll
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll
2009-06-10 06:03 4,224 a------- c:\windows\system32\drivers\nvBridge.kmd
2009-06-04 16:39 457,248 a------- c:\windows\system32\nvuninst.exe
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-20 20:48 286,720 a------- c:\windows\iun506.exe
2009-05-19 07:06 737,280 a------- c:\windows\iun6002.exe
2009-05-09 15:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 15:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-02 07:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-02 07:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-02 07:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-02 07:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-02 07:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-02 07:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-02 07:02 685,056 a------- c:\windows\system32\DivX.dll
2009-03-12 17:58 9,244 a------- c:\program files\KB55792.exe
2009-03-12 17:57 9,243 a------- c:\program files\KB55576.exe
2009-03-12 17:45 9,245 a------- c:\program files\KB53241.exe
2009-03-11 22:36 9,244 a------- c:\program files\KB25511.exe
2009-03-11 21:17 9,241 a------- c:\program files\KB41980.exe
2009-01-25 23:27 22,328 a------- c:\users\paul\appdata\roaming\PnkBstrK.sys
2009-01-02 08:46 174 a--sh--- c:\program files\desktop.ini
2009-01-02 08:38 665,600 a------- c:\windows\inf\drvindex.dat
2009-01-02 00:26 81,920 a------- c:\users\paul\appdata\roaming\ezpinst.exe
2009-01-02 00:26 47,360 a------- c:\users\paul\appdata\roaming\pcouffin.sys
2006-11-02 22:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 22:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 22:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 22:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-01-27 23:48 61 ---sh--- c:\windows\cnerolf.bin
2009-04-23 20:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-04-23 20:22 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-04-23 20:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-01-17 17:38 1,441,783 a--sh--- c:\windows\system32\IOrqAJlm.ini2

============= FINISH: 21:28:45.52 ===============


#2 DocSatan

Posted 08 August 2009 - 08:26 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 Captainzoo

Posted 12 August 2009 - 09:22 AM

Thanks for your response. I understand that there would be a lot of cries for help and I am more than grateful for any advice. I will give you an update on my situation. As mentioned in my original post, I have had Pareto Logic's Support Team helping me as well. At the time of posting my problem to BleepingComputer everything that was being suggested from Pareto's Support was meeting a dead end. However, about 1 week ago I had a breakthrough (not complete resolution though). I was instructed to run a rootkit scan utility called Gmer, which eventually highlighted a file in the registry which was blocking HijackThis and Combofix (also recommended to be run by Pareto Support) and possibly Pareto Logic's Anti-Virus PLUS. Once this rootkit was deleted I could (and did) run HijackThis and Combofix. It appeared to have fixed the infection as once rebooted not only was the PC running faster but a full scan didn't show any serious infections.

Everything is not back to normal though. I cannot activate Anti-Virus PLUS after a re-install. I cannot access the Pareto website as I think it is being blocked. I installed Google Chrome to use as my browser instead of IE8 but through both browsers I have had intermittent redirections to unrequested websites. Windows Update cannot check for updates nor can Windows Defender. I'm unsure whether this is related to running the above mentioned utilities or whether there is still an infection on my PC. So below is the latest DDS scan log and I have attached the other txt file as requested.

I look forward to some advice/help if you can.

Thanks!


DDS (Ver_09-07-30.01) - NTFSx86
Run by Paul at 0:19:24.96 on Thu 13/08/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.61.1033.18.3070.1035 [GMT 10:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\AMD\Fusion Media Explorer\MediaSource.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Windows\system32\oodag.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\oodtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\nHancer\nHancer.exe
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Games\Microsoft Flight Simulator X\fsx.exe
C:\Program Files\Microsoft Games\Microsoft Flight Simulator X\fsdreamteam\couatl\couatl.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Users\Paul\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Paul\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Paul\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Paul\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bigpond.com/
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\paretologic\pgsurfer\,c:\program files\paretologic\pgsurfer\PGsurfer.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\users\paul\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ParetoLogic Anti-Virus PLUS] "c:\program files\paretologic\anti-virus plus\Pareto_AV.lnk" -NM -hidesplash
mRun: [PGsurfer] c:\program files\paretologic\pgsurfer\PGsurfer.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: WebController.dll
LSP: c:\windows\system32\INetHTTPFilter.dll
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: paretologic.com\www
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {B3073184-1A85-4ACD-B448-90BC514E133C} = 85.255.112.206,85.255.112.116
TCP: {FFF1CC3C-7E52-4CA1-8BC6-39DA85F39F6A} = 85.255.112.206,85.255.112.116
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2009-1-2 4608]
R2 AMD Fusion Media Explorer Remote Content Service;AMD Fusion Media Explorer Remote Content Service;c:\program files\amd\fusion media explorer\MediaSource.exe [2009-4-3 766312]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\system32\nvSCPAPISvr.exe [2009-6-10 232960]
R2 ZeppelinService;plasservice;c:\program files\common files\paretologic\plas\plasservice.exe [2009-2-18 587216]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 335872]
S2 AcronisOSSReinstallSvc;Acronis OS Selector Reinstall Service; [x]
S2 gupdate1c9e7739d450f06;Google Update Service (gupdate1c9e7739d450f06);c:\program files\google\update\GoogleUpdate.exe [2009-6-7 133104]
S2 MediaManagerService;MediaManagerService;c:\program files\media manager\viiv\MediaManager.Service.exe [2008-3-4 34096]
S2 PctrlsInjectService;PctrlsInjectService; [x]

=============== Created Last 30 ================

2009-08-11 00:25 <DIR> --d----- c:\program files\ParetoLogic
2009-08-06 07:03 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-08-06 06:43 161,792 a------- c:\windows\SWREG.exe
2009-08-06 06:43 154,624 a------- c:\windows\PEV.exe
2009-08-06 06:43 98,816 a------- c:\windows\sed.exe
2009-08-06 06:41 <DIR> --ds---- C:\ComboFix
2009-07-30 19:16 <DIR> --d-h--- c:\windows\PIF
2009-07-29 22:35 <DIR> --d----- c:\program files\FSX Airport Design Editor
2009-07-29 22:13 <DIR> --d----- c:\program files\FSX Airport Scanner
2009-07-29 19:51 197,104 a---h--- c:\windows\system32\mlfcache.dat
2009-07-22 20:31 <DIR> --d----- c:\program files\iPod
2009-07-22 20:31 <DIR> --d----- c:\program files\iTunes
2009-07-22 16:40 <DIR> --d----- c:\programdata\Electronic Arts
2009-07-22 16:40 <DIR> --d----- c:\progra~2\Electronic Arts
2009-07-22 16:37 844 a------- c:\windows\system32\ealregsnapshot1.reg
2009-07-21 16:06 229,989,687 a------- c:\windows\MEMORY.DMP

==================== Find3M ====================

2009-08-13 00:05 166,473,248 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-08-12 16:04 244,734 a------- c:\programdata\nvModes.dat
2009-08-12 16:04 244,734 a------- c:\progra~2\nvModes.dat
2009-08-11 23:55 2,242,928 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-08-03 19:23 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-03 19:23 51,200 a------- c:\windows\inf\infpub.dat
2009-07-27 19:36 86,016 a------- c:\windows\inf\infstor.dat
2009-07-22 16:48 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-12 00:12 138,464 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-12 00:11 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-07-10 22:33 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-07-10 22:33 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-07-04 17:42 52,224 a------- c:\windows\system32\MSIVXlvimncgpworirspkdiriwppgqytodvee.dll
2009-07-04 17:42 22,528 a------- c:\windows\system32\MSIVXxrfwwxqqqspdtvogxivqcscptwqribrf.dll
2009-06-20 16:57 116,843 a------- c:\windows\hpqins00.dat
2009-06-10 08:34 92,704 a------- c:\windows\system32\nvmctray.dll
2009-06-10 06:33 244,736 a------- c:\windows\system32\nvStInst.exe
2009-06-10 06:33 467,968 a------- c:\windows\system32\nvstlink.exe
2009-06-10 06:33 3,953,152 a------- c:\windows\system32\nvstwiz.exe
2009-06-10 06:33 141,824 a------- c:\windows\system32\nvStereoApiI.dll
2009-06-10 06:33 171,520 a------- c:\windows\system32\nvStereoApiI64.dll
2009-06-10 06:33 232,960 a------- c:\windows\system32\nvSCPAPISvr.exe
2009-06-10 06:32 257,536 a------- c:\windows\system32\nvSCPAPI.dll
2009-06-10 06:32 301,568 a------- c:\windows\system32\nvSCPAPI64.dll
2009-06-10 06:32 3,293,184 a------- c:\windows\system32\nvstres.dll
2009-06-10 06:32 5,847 a------- c:\windows\system32\oglstreg.reg
2009-06-10 06:31 167,424 a------- c:\windows\system32\nvstreg.exe
2009-06-10 06:31 1,718,272 a------- c:\windows\system32\nvsttest.exe
2009-06-10 06:31 1,034,752 a------- c:\windows\system32\nvstview.exe
2009-06-10 06:31 89,088 a------- c:\windows\system32\nvimage.dll
2009-06-10 06:29 1,656 a------- c:\windows\system32\nvstdef.reg
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod155.dll
2009-06-04 16:39 457,248 a------- c:\windows\system32\nvuninst.exe
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-20 20:48 286,720 a------- c:\windows\iun506.exe
2009-05-19 07:06 737,280 a------- c:\windows\iun6002.exe
2009-03-12 17:58 9,244 a------- c:\program files\KB55792.exe
2009-03-12 17:57 9,243 a------- c:\program files\KB55576.exe
2009-03-12 17:45 9,245 a------- c:\program files\KB53241.exe
2009-03-11 22:36 9,244 a------- c:\program files\KB25511.exe
2009-03-11 21:17 9,241 a------- c:\program files\KB41980.exe
2009-01-25 23:27 22,328 a------- c:\users\paul\appdata\roaming\PnkBstrK.sys
2009-01-02 08:46 174 a--sh--- c:\program files\desktop.ini
2009-01-02 08:38 665,600 a------- c:\windows\inf\drvindex.dat
2009-01-02 00:26 81,920 a------- c:\users\paul\appdata\roaming\ezpinst.exe
2009-01-02 00:26 47,360 a------- c:\users\paul\appdata\roaming\pcouffin.sys
2006-11-02 22:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 22:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 22:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 22:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-01-27 23:48 90 ---sh--- c:\windows\cnerolf.bin
2009-05-01 23:14 2,048 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\lastalive0.dat
2009-05-01 23:14 2,048 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\lastalive1.dat
2009-01-17 17:38 1,441,783 a--sh--- c:\windows\system32\IOrqAJlm.ini2

============= FINISH: 0:19:55.98 ===============


#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:20 PM

Posted 15 August 2009 - 08:16 AM

Hello Captainzoo :thumbup2: Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





This is what I am going to need from you:


The ComboFix log which should be located at C:\ComboFix.txt. If you ran it more than once we may need to locate all of the others also but let's see that one first. Please do not run CF again unless I ask you to.



I need you to run GMER again. Delete any version you have now and follow the instructions below:


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    [image]
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

When completed, post both the ComboFix log and the one from GMER.

Please do not post any logs as an attachment unless asked to do so.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 Captainzoo

  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:Belmont, NSW
  • Local time:12:20 PM

Posted 16 August 2009 - 08:50 AM

Hi thewall,

Thanks for attending to my problem. As mentioned previously, any help at all is most appreciated. :)

To keep you abreast of progress with the ParetoLogic Support Team: since my last post they requested another HijackThis log. Based on that, and on my problem of not being able to access the ParetoLogic server, they suggested I reset the Winsock. I did this but it hasn't fixed my problem, so I'm grateful you are onboard to help.

Unfortunately Gmer.exe has crashed several times during the scanning process. It appears to do it at the same location when checking Devices. I have taken a screen dump and saved as a jpeg and can attach if you request but the line at the bottom of the Gmer scan utility is "\Device\HarddiskVolumeShadowCopy5" if this is of any help. :thumbup2:

In the meantime the following is the Combofix log as requested.

ComboFix 09-05-24.07 - Paul 06/08/2009 6:50.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.61.1033.18.3070.2126 [GMT 10:00]
Running from: c:\users\Paul\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2009-07-05 to 2009-08-05 )))))))))))))))))))))))))))))))
.

2009-08-05 20:55 . 2009-08-05 20:59 -------- d-----w c:\users\Paul\AppData\Local\temp
2009-07-30 09:16 . 2009-07-30 09:16 -------- d--h--w c:\windows\PIF
2009-07-29 12:49 . 2009-07-29 12:49 -------- d-----w c:\users\Paul\AppData\Local\IsolatedStorage
2009-07-29 12:35 . 2009-07-29 12:35 -------- d-----w c:\program files\FSX Airport Design Editor
2009-07-29 12:13 . 2009-07-29 12:16 -------- d-----w c:\program files\FSX Airport Scanner
2009-07-29 09:51 . 2009-07-29 09:51 197104 ---ha-w c:\windows\system32\mlfcache.dat
2009-07-22 10:31 . 2009-07-22 10:31 -------- d-----w c:\program files\iPod
2009-07-22 10:31 . 2009-07-22 10:31 -------- d-----w c:\program files\iTunes
2009-07-22 10:27 . 2009-07-22 10:27 75040 ----a-w c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-22 06:40 . 2009-07-22 06:47 -------- d-----w c:\programdata\Electronic Arts
2009-07-22 06:37 . 2009-07-22 06:37 844 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-07-22 06:26 . 2009-07-22 06:46 -------- d-----w c:\program files\Electronic Arts
2009-07-11 11:51 . 2009-07-11 11:51 -------- d-----w c:\program files\THQ
2009-07-11 11:03 . 2009-07-11 11:03 -------- d-----w c:\users\Paul\AppData\Local\World in Conflict
2009-07-11 09:43 . 2009-07-11 15:24 -------- d-----w c:\program files\GameSpy Arcade
2009-07-11 09:19 . 2009-07-11 09:19 -------- d-----w c:\programdata\Media Center Programs
2009-07-11 09:14 . 2009-07-11 09:14 -------- d-----w c:\program files\Sierra Entertainment
2009-07-11 08:50 . 2009-07-11 08:50 -------- d--h--r c:\users\Paul\AppData\Roaming\SecuROM
2009-07-11 07:58 . 2009-07-11 07:58 -------- d-----w c:\program files\Ubisoft
2009-07-10 13:51 . 2009-07-10 13:51 -------- d-----w c:\program files\Logitech
2009-07-10 12:37 . 2009-07-10 12:37 -------- d-----w c:\programdata\Codemasters
2009-07-10 12:37 . 2009-07-22 06:48 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-07-10 12:32 . 2005-05-26 05:34 2297552 ----a-w c:\windows\system32\d3dx9_26.dll
2009-07-10 12:29 . 2009-07-11 09:27 -------- d-----w c:\program files\Codemasters
2009-07-10 12:18 . 2009-07-10 12:18 -------- d-----w c:\programdata\Downloaded Installations
2009-07-10 11:21 . 2009-07-10 13:51 -------- d-----w c:\program files\Common Files\Logitech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 20:34 . 2008-12-30 09:59 -------- d-----w c:\programdata\NVIDIA
2009-08-05 20:34 . 2009-06-12 13:16 244734 ----a-w c:\programdata\nvModes.dat
2009-08-05 11:25 . 2008-12-30 05:41 1356 ----a-w c:\users\Paul\AppData\Local\d3d9caps.dat
2009-08-05 10:57 . 2009-01-02 00:24 2207504 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-08-05 10:57 . 2009-01-02 00:24 165906976 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-08-05 10:57 . 2009-03-07 05:17 12 ----a-w c:\windows\bthservsdp.dat
2009-08-04 11:57 . 2009-01-01 14:16 -------- d-----w c:\users\Paul\AppData\Roaming\Azureus
2009-08-03 09:27 . 2009-01-05 12:10 -------- d-----w c:\programdata\nHancer
2009-08-03 09:23 . 2009-01-05 12:00 -------- d-----w c:\program files\AGEIA Technologies
2009-08-03 09:23 . 2009-01-05 12:00 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-07-28 15:39 . 2009-01-01 14:15 -------- d-----w c:\program files\Vuze
2009-07-27 09:13 . 2009-02-11 13:23 -------- d-----w c:\program files\DivX
2009-07-24 21:15 . 2009-01-21 11:51 -------- d-----w c:\program files\Microsoft
2009-07-22 10:31 . 2009-03-14 09:29 -------- d-----w c:\program files\Common Files\Apple
2009-07-22 06:46 . 2009-01-03 13:22 -------- d--h--w c:\program files\InstallShield Installation Information
2009-07-17 08:41 . 2009-01-25 13:08 -------- d-----w c:\program files\Activision
2009-07-15 11:09 . 2009-04-23 11:47 -------- d-----w c:\program files\Java
2009-07-11 14:12 . 2009-01-25 09:40 138464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-07-11 14:11 . 2009-01-25 09:40 111928 ----a-w c:\windows\system32\PnkBstrB.exe
2009-07-10 12:33 . 2009-05-12 10:28 444952 ----a-w c:\windows\system32\wrap_oal.dll
2009-07-10 12:33 . 2009-05-12 10:28 109080 ----a-w c:\windows\system32\OpenAL32.dll
2009-07-10 12:33 . 2009-05-12 10:28 -------- d-----w c:\program files\OpenAL
2009-07-10 12:19 . 2009-01-02 00:18 -------- d-----w c:\programdata\ParetoLogic
2009-07-10 12:19 . 2009-01-02 00:18 -------- d-----w c:\program files\ParetoLogic
2009-07-10 12:13 . 2009-01-01 13:36 -------- d-----w c:\program files\Common Files\Adobe
2009-07-04 13:43 . 2009-07-04 00:48 -------- d-----w c:\users\Paul\AppData\Roaming\Roxio
2009-07-04 13:43 . 2009-07-04 00:31 -------- d-----w c:\programdata\Roxio
2009-07-04 13:39 . 2009-07-04 00:45 256 ----a-w c:\windows\system32\pool.bin
2009-07-04 12:44 . 2009-01-08 13:12 -------- d-----w c:\users\Paul\AppData\Roaming\InstallShield
2009-07-04 07:42 . 2009-07-04 07:42 52224 ----a-w c:\windows\system32\MSIVXlvimncgpworirspkdiriwppgqytodvee.dll
2009-07-04 07:42 . 2009-07-04 07:42 22528 ----a-w c:\windows\system32\MSIVXxrfwwxqqqspdtvogxivqcscptwqribrf.dll
2009-07-04 00:45 . 2008-12-30 05:41 121560 ----a-w c:\users\Paul\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-04 00:45 . 2009-07-04 00:45 -------- d-----w c:\users\Paul\AppData\Roaming\Research In Motion
2009-07-04 00:34 . 2009-07-04 00:34 -------- d-----w c:\programdata\InstallShield
2009-07-04 00:34 . 2009-07-04 00:34 -------- d-----w c:\programdata\Sonic
2009-07-04 00:32 . 2009-07-04 00:31 -------- d-----w c:\program files\Common Files\Roxio Shared
2009-07-04 00:32 . 2009-07-04 00:32 -------- d-----w c:\program files\Common Files\PX Storage Engine
2009-07-04 00:32 . 2009-07-04 00:31 -------- d-----w c:\program files\Roxio
2009-07-04 00:31 . 2009-07-04 00:31 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-07-04 00:31 . 2009-01-03 12:25 -------- d-----w c:\program files\Common Files\InstallShield
2009-07-04 00:26 . 2009-07-04 00:26 6502 ----a-r c:\users\Paul\AppData\Roaming\Microsoft\Installer\{14AD69CE-B59F-4EC2-BC3A-DB56105F3D62}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
2009-07-04 00:26 . 2009-07-04 00:26 6502 ----a-r c:\users\Paul\AppData\Roaming\Microsoft\Installer\{14AD69CE-B59F-4EC2-BC3A-DB56105F3D62}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
2009-07-04 00:26 . 2009-07-04 00:26 6502 ----a-r c:\users\Paul\AppData\Roaming\Microsoft\Installer\{14AD69CE-B59F-4EC2-BC3A-DB56105F3D62}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
2009-07-04 00:26 . 2009-07-04 00:26 26694 ----a-r c:\users\Paul\AppData\Roaming\Microsoft\Installer\{14AD69CE-B59F-4EC2-BC3A-DB56105F3D62}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
2009-07-04 00:26 . 2009-07-04 00:26 26694 ----a-r c:\users\Paul\AppData\Roaming\Microsoft\Installer\{14AD69CE-B59F-4EC2-BC3A-DB56105F3D62}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2009-07-04 00:26 . 2009-07-04 00:26 26694 ----a-r c:\users\Paul\AppData\Roaming\Microsoft\Installer\{14AD69CE-B59F-4EC2-BC3A-DB56105F3D62}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
2009-07-04 00:26 . 2009-07-04 00:26 26694 ----a-r c:\users\Paul\AppData\Roaming\Microsoft\Installer\{14AD69CE-B59F-4EC2-BC3A-DB56105F3D62}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
2009-07-04 00:26 . 2009-07-04 00:26 26694 ----a-r c:\users\Paul\AppData\Roaming\Microsoft\Installer\{14AD69CE-B59F-4EC2-BC3A-DB56105F3D62}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
2009-07-04 00:26 . 2009-07-04 00:26 26694 ----a-r c:\users\Paul\AppData\Roaming\Microsoft\Installer\{14AD69CE-B59F-4EC2-BC3A-DB56105F3D62}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
2009-07-04 00:26 . 2009-07-04 00:26 26694 ----a-r c:\users\Paul\AppData\Roaming\Microsoft\Installer\{14AD69CE-B59F-4EC2-BC3A-DB56105F3D62}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
2009-07-04 00:26 . 2009-07-04 00:26 69632 ----a-r c:\users\Paul\AppData\Roaming\Microsoft\Installer\{14AD69CE-B59F-4EC2-BC3A-DB56105F3D62}\DesktopMgr.exe
2009-07-04 00:26 . 2009-07-04 00:26 -------- d-----w c:\program files\Common Files\Research In Motion
2009-07-04 00:25 . 2009-07-04 00:25 -------- d-----w c:\program files\Research In Motion
2009-06-30 09:45 . 2009-03-14 09:33 -------- d-----w c:\users\Paul\AppData\Roaming\Apple Computer
2009-06-30 08:57 . 2009-03-14 09:29 -------- d-----w c:\programdata\Apple
2009-06-27 07:54 . 2009-06-27 07:54 -------- d-----w c:\program files\FSX XML Utility
2009-06-25 11:59 . 2009-06-06 01:52 -------- d-----w c:\programdata\Esellerate
2009-06-25 10:12 . 2009-06-25 08:30 -------- d-----w c:\users\Paul\AppData\Roaming\Virtuali
2009-06-22 09:26 . 2009-02-10 07:50 -------- d-----w c:\programdata\Microsoft Help
2009-06-21 22:42 . 2009-01-07 13:47 -------- d-----w c:\program files\FSX GA-Traffic
2009-06-20 06:57 . 2009-06-20 06:55 116843 ----a-w c:\windows\hpqins00.dat
2009-06-20 06:48 . 2009-06-20 06:48 10134 ----a-r c:\users\Paul\AppData\Roaming\Microsoft\Installer\{0EC7C406-B592-4686-BAC1-AD29A85EAE6A}\ARPPRODUCTICON.exe
2009-06-15 14:06 . 2009-06-15 14:06 -------- d-----w c:\program files\AMD
2009-06-13 04:44 . 2009-01-01 14:31 10638 ----a-w c:\programdata\DVDXStudio\CloneDVD4\MainApp.dll
2009-06-12 13:13 . 2009-01-05 11:08 -------- d-----w c:\program files\SystemRequirementsLab
2009-06-12 11:41 . 2009-04-13 09:52 -------- d-----w c:\program files\Microsoft Works
2009-06-12 01:19 . 2009-07-03 08:15 5246272 ----a-w c:\programdata\Microsoft\Windows Defender\Definition Updates\{E4207A56-7F75-48D7-AE94-CCF5C08372E0}\mpengine.dll
2009-06-09 22:34 . 2009-06-09 22:34 92704 ----a-w c:\windows\system32\nvmctray.dll
2009-06-09 20:33 . 2009-06-09 20:33 244736 ----a-w c:\windows\system32\nvStInst.exe
2009-06-09 20:33 . 2009-06-09 20:33 467968 ----a-w c:\windows\system32\nvstlink.exe
2009-06-09 20:33 . 2009-06-09 20:33 3953152 ----a-w c:\windows\system32\nvstwiz.exe
2009-06-09 20:33 . 2009-06-09 20:33 141824 ----a-w c:\windows\system32\nvStereoApiI.dll
2009-06-09 20:33 . 2009-06-09 20:33 171520 ----a-w c:\windows\system32\nvStereoApiI64.dll
2009-06-09 20:33 . 2009-06-09 20:33 232960 ----a-w c:\windows\system32\nvSCPAPISvr.exe
2009-06-09 20:32 . 2009-06-09 20:32 257536 ----a-w c:\windows\system32\nvSCPAPI.dll
2009-06-09 20:32 . 2009-06-09 20:32 301568 ----a-w c:\windows\system32\nvSCPAPI64.dll
2009-06-09 20:32 . 2009-06-09 20:32 3293184 ----a-w c:\windows\system32\nvstres.dll
2009-06-09 20:32 . 2009-06-09 20:32 5847 ----a-w c:\windows\system32\oglstreg.reg
2009-06-09 20:31 . 2009-06-09 20:31 167424 ----a-w c:\windows\system32\nvstreg.exe
2009-06-09 20:31 . 2009-06-09 20:31 1718272 ----a-w c:\windows\system32\nvsttest.exe
2009-06-09 20:31 . 2009-06-09 20:31 1034752 ----a-w c:\windows\system32\nvstview.exe
2009-06-09 20:31 . 2009-06-09 20:31 89088 ----a-w c:\windows\system32\nvimage.dll
2009-06-09 20:29 . 2009-06-09 20:29 1656 ----a-w c:\windows\system32\nvstdef.reg
2009-06-09 20:03 . 2009-06-09 20:03 151552 ----a-w c:\windows\system32\nvcod155.dll
2009-06-08 13:11 . 2009-06-08 13:11 -------- d-----w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-08 13:10 . 2009-06-08 13:09 -------- d-----w c:\program files\QuickTime
2009-06-07 13:29 . 2009-01-18 10:24 -------- d-----w c:\program files\Google
2009-06-07 13:26 . 2009-06-07 13:26 -------- d-----w c:\program files\Common Files\DivX Shared
2009-06-07 12:49 . 2009-01-05 12:10 -------- d-----w c:\program files\nHancer
2009-06-07 12:45 . 2009-06-07 12:42 1976557 ----a-w c:\users\Paul\AppData\Roaming\nHancer\updates\Update 2.5.1\nHancer32_2.5.1_Setup.exe
2009-06-04 06:39 . 2007-11-06 09:00 457248 ----a-w c:\windows\system32\nvuninst.exe
2009-05-29 03:36 . 2009-05-29 03:36 39424 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-05-29 03:36 . 2009-05-29 03:36 2060288 ----a-w c:\windows\system32\usbaaplrc.dll
2009-05-21 01:33 . 2009-04-23 11:48 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-20 10:48 . 2009-05-20 10:43 286720 ----a-w c:\windows\iun506.exe
2009-05-18 21:06 . 2009-05-14 21:11 737280 ----a-w c:\windows\iun6002.exe
2009-05-09 05:50 . 2009-06-12 08:27 915456 ----a-w c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-12 08:27 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-12 07:58 . 2009-03-12 07:58 9244 ----a-w c:\program files\KB55792.exe
2009-03-12 07:57 . 2009-03-12 07:57 9243 ----a-w c:\program files\KB55576.exe
2009-01-27 13:48 . 2009-01-27 13:48 90 --sh--w c:\windows\cnerolf.bin
2009-05-01 13:14 . 2009-04-30 07:57 2048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2009-05-01 13:14 . 2009-04-30 07:57 2048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2009-01-17 07:38 . 2009-01-17 07:35 1441783 --sha-w c:\windows\System32\IOrqAJlm.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-21 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2009-02-25 2553088]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-08 236016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13781536]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\program files\ParetoLogic\PGsurfer\PGsurfer.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PctrlsInjectService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Paul^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Paul^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Users^Paul^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1874757216-1827274309-1936911829-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{92B85EB3-6885-4988-9873-094A18328C48}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{51806815-11DF-404C-A6C1-60D624282A7E}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{F944AF59-6F55-47E2-9E94-D7ABB4873EF1}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{72663529-FE8C-4495-831A-7EDDB3E904AC}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{AA5B23CF-4E28-4159-85B8-9BBFA3ED6358}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{F01BBF54-2621-49FE-8AE2-60F5E21FCA61}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{E64DE68B-2AC6-44A0-B8D4-E8984B788824}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{7D16EC9B-DFBE-4C0B-B818-E87E47035BDD}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{D2CDA33B-FEA0-4C59-8270-4730F48BAA77}"= Disabled:UDP:c:\users\Paul\AppData\Local\Temp\7zS18A6.tmp\setup\HPZnui01.exe:hpznui01.exe
"{BE1FD5AC-3B6B-40A8-8A1D-E3F7319835E0}"= Disabled:TCP:c:\users\Paul\AppData\Local\Temp\7zS18A6.tmp\setup\HPZnui01.exe:hpznui01.exe
"{EAEAA1FE-13A9-4531-9D3D-81D7C282BE92}"= Disabled:UDP:c:\users\Paul\AppData\Local\Temp\7zS744A.tmp\setup\HPZnui01.exe:hpznui01.exe
"{D521D7B1-F28C-49EC-A686-B3B1CC327AF1}"= Disabled:TCP:c:\users\Paul\AppData\Local\Temp\7zS744A.tmp\setup\HPZnui01.exe:hpznui01.exe
"TCP Query User{91913CC5-1578-44A2-ADF9-0E261262192E}c:\\program files\\common files\\nero\\nero web\\setupx.exe"= UDP:c:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"UDP Query User{C8B4744B-A1A1-43D9-8792-CCC1A8B8DFA4}c:\\program files\\common files\\nero\\nero web\\setupx.exe"= TCP:c:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"TCP Query User{864AD012-E5B6-4EB5-B836-D64A858E8B7D}c:\\users\\paul\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= UDP:c:\users\paul\appdata\local\temp\onlineupdate8\setupxu.exe:setupxu.exe
"UDP Query User{998699FB-3746-4B3E-928B-F187090EB54F}c:\\users\\paul\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= TCP:c:\users\paul\appdata\local\temp\onlineupdate8\setupxu.exe:setupxu.exe
"{2E7EA6D4-F390-4F09-B012-5C753DF874B3}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D81CED34-F4E5-4C16-AC8B-3B7463FF7936}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{DFC40C78-8D1B-483B-8B73-0B0A23AD1A0C}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{D10FBE4A-8076-4B56-8C7B-0BB623F5F29B}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{8A6647CC-6A9A-4D12-8E31-C1BB2F65472D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{C2CAA765-B519-47E5-A305-71B46E43C857}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F788FF9C-3F4A-4DCC-9C03-506BB7387E67}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{99305C46-7D2A-434A-88D9-C363C6C6DBA4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8DC13CC2-6F5F-438F-8C39-DED7D09A3BAA}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6E6FE2D8-5FAE-4BF0-A28E-9CB9847BA430}"= Disabled:UDP:c:\users\Paul\AppData\Local\Temp\7zSD54B.tmp\setup\HPZnui01.exe:hpznui01.exe
"{64AE52CC-1A81-40C9-92B7-8EDA1AC01E80}"= Disabled:TCP:c:\users\Paul\AppData\Local\Temp\7zSD54B.tmp\setup\HPZnui01.exe:hpznui01.exe
"{3C56C6A5-DF52-4FC6-84EE-C26B5862A76D}"= UDP:c:\program files\Codemasters\GRID Demo\GRID.exe:GRID Demo
"{E4ECED75-7E2C-4C6C-97A9-5AC761E54AAB}"= TCP:c:\program files\Codemasters\GRID Demo\GRID.exe:GRID Demo
"{60BF2D60-5488-4192-904B-26BFFB419AD6}"= UDP:c:\program files\Sierra Entertainment\World in Conflict\wic.exe:World in Conflict
"{4DE57F7A-A5BB-46CA-AF6C-B962D597249C}"= TCP:c:\program files\Sierra Entertainment\World in Conflict\wic.exe:World in Conflict
"{80828F44-A158-4A6B-9C69-04BA0C452C6B}"= UDP:c:\program files\Sierra Entertainment\World in Conflict\wic_online.exe:World in Conflict - Online Only
"{A9AC2B6F-ED27-46E7-BF3E-8BE8FD2F6450}"= TCP:c:\program files\Sierra Entertainment\World in Conflict\wic_online.exe:World in Conflict - Online Only
"{201FB001-9DD2-4E09-BF38-A5D60111B0EF}"= UDP:c:\program files\Sierra Entertainment\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server
"{74AE3910-9891-4EFA-9C6F-C335EC2A763B}"= TCP:c:\program files\Sierra Entertainment\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server
"{51915FA5-73CB-4883-8CD3-362C176E5465}"= UDP:c:\program files\GameSpy Arcade\Aphex.exe:GameSpy Arcade
"{00D1C20B-9F5B-45A6-B5E1-881B6F07C285}"= TCP:c:\program files\GameSpy Arcade\Aphex.exe:GameSpy Arcade
"{32320765-A831-4BF4-B58B-0207BA8C07EB}"= UDP:c:\program files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty® - World at War™
"{19CF0967-0326-4C78-8E9A-C5CBAE0F6BA0}"= TCP:c:\program files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty® - World at War™
"{70A30661-EBE8-4F36-AFA4-8157ACC0568B}"= UDP:c:\program files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty® - World at War™
"{3D0336B2-CF61-46BB-8896-94F11F5A23C5}"= TCP:c:\program files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty® - World at War™
"TCP Query User{EECB49E1-28F2-40C6-A6D0-9C7A5335B9B8}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{4BCE4EB0-844E-497D-97DA-05AB9FE1440F}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"{D0BB91B8-5E77-4AA7-AA8A-59CB6AE5AC25}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{5F180886-A186-4B70-AF71-00924311FF2D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{CB7C3DDE-1774-4FCC-B1EB-25F0765EC481}"= UDP:c:\program files\Hijackthis\HijackThis.exe:HijackThis.exe
"{8471A55B-0339-4B5F-96AF-AAD45B9DC005}"= TCP:c:\program files\Hijackthis\HijackThis.exe:HijackThis.exe

R0 amacpi;Microsoft Away Mode System;c:\windows\System32\drivers\null.sys [2/01/2009 8:21 AM 4608]
R2 AMD Fusion Media Explorer Remote Content Service;AMD Fusion Media Explorer Remote Content Service;c:\program files\AMD\Fusion Media Explorer\MediaSource.exe [3/04/2009 7:05 PM 766312]
R2 PctrlsInjectService;PctrlsInjectService;c:\program files\ParetoLogic\PGsurfer\InjectService.exe [25/10/2007 3:04 PM 176128]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\System32\nvSCPAPISvr.exe [10/06/2009 6:33 AM 232960]
R2 ZeppelinService;plasservice;c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [23/12/2008 9:11 AM 587216]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187.sys [27/06/2008 12:40 AM 335872]
S2 AcronisOSSReinstallSvc;Acronis OS Selector Reinstall Service; [x]
S2 gupdate1c9e7739d450f06;Google Update Service (gupdate1c9e7739d450f06);c:\program files\Google\Update\GoogleUpdate.exe [7/06/2009 11:26 PM 133104]
S2 MediaManagerService;MediaManagerService;c:\program files\Media Manager\Viiv\MediaManager.Service.exe [4/03/2008 11:11 AM 34096]

--- Other Services/Drivers In Memory ---

*Deregistered* - aujasnkj
*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
bthsvcs REG_MULTI_SZ BthServ
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6efb6fe-6833-11de-8ffa-001bfccb3f66}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-0-5-19-100010744-100017092-100005686-7179.com g:\
\shell\Open\command - RECYCLER\S-0-5-19-100010744-100017092-100005686-7179.com g:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6efb729-6833-11de-8ffa-001bfccb3f66}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-0-5-19-100010744-100017092-100005686-7179.com i:\
\shell\Open\command - RECYCLER\S-0-5-19-100010744-100017092-100005686-7179.com i:\

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2009-08-05 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-07 13:26]

2009-08-04 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 03:43]

2009-08-03 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 03:43]

2009-08-02 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_sch_6DBBF504-138E-11DE-8F4F-001BFCCB3F66.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 03:43]

2009-08-03 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 01:25]

2009-08-04 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 01:25]

2009-08-05 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2009-07-29 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2009-08-05 c:\windows\Tasks\User_Feed_Synchronization-{1F91642C-378E-4986-A7B7-6B1D140AC5B5}.job
- c:\windows\system32\msfeedssync.exe [2009-04-06 11:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6D6AB9F1-879A-31AE-AFBC-95C0928AF769} - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: WebController.dll
LSP: c:\windows\system32\INetHTTPFilter.dll
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
TCP: {B3073184-1A85-4ACD-B448-90BC514E133C} = 85.255.112.206,85.255.112.116
TCP: {FFF1CC3C-7E52-4CA1-8BC6-39DA85F39F6A} = 85.255.112.206,85.255.112.116
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 06:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1874757216-1827274309-1936911829-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ae,a6,38,8a,40,d0,6f,02,12,ed,91,1b,2d,e8,04,51,a6,0e,0c,2b,97,fb,82,
34,84,46,91,59,a7,5f,d2,2b,20,de,43,c0,72,12,ab,fe,a5,e3,83,01,41,ec,b6,94,\
"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83

[HKEY_USERS\S-1-5-21-1874757216-1827274309-1936911829-1000\Software\SecuROM\License information*]
"datasecu"=hex:ac,ca,ca,5a,6e,e9,04,cd,12,f6,14,e4,af,18,c5,bd,b8,29,d8,43,42,
8a,09,b2,1b,1e,aa,60,bf,32,f7,5f,c7,21,88,f3,9b,86,70,72,8e,02,2d,51,83,4e,\
"rkeysecu"=hex:1c,3a,62,ce,8f,2d,e2,8b,e3,cf,5d,30,f6,d9,c2,c0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-08-05 7:03
ComboFix-quarantined-files.txt 2009-08-05 21:02

Pre-Run: 75,816,988,672 bytes free
Post-Run: 87,716,917,248 bytes free

344 --- E O F --- 2009-07-03 08:15

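The MountPoints2 autorun commands and the per-adapter "TCP:" name-server lines in the log above are the two entries a responder would pull out first. As an added example, not from the thread or from ComboFix, this Python script parses a ComboFix-style log for both: removable-drive shell verbs that execute from a RECYCLER folder, and pinned public DNS servers outside an allowlist the analyst supplies. The sample excerpt is constructed from lines of the posted log, and the 192.168.1.1 allowlist entry is a placeholder.

```python
import re
from ipaddress import ip_address

# Constructed excerpt: the MountPoints2 and per-adapter "TCP:" NameServer
# lines, copied in shape and values from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6efb6fe-6833-11de-8ffa-001bfccb3f66}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-0-5-19-100010744-100017092-100005686-7179.com g:\
\shell\Open\command - RECYCLER\S-0-5-19-100010744-100017092-100005686-7179.com g:\
TCP: {B3073184-1A85-4ACD-B448-90BC514E133C} = 85.255.112.206,85.255.112.116
TCP: {FFF1CC3C-7E52-4CA1-8BC6-39DA85F39F6A} = 85.255.112.206,85.255.112.116
"""

MOUNTPOINT_KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
SHELL_CMD_RE = re.compile(r"^\\shell\\(\w+)\\command - (.+)$", re.I)
NAMESERVER_RE = re.compile(r"^TCP: \{[0-9A-F-]+\} = ([0-9.,]+)$", re.I)


def find_recycler_autoruns(log):
    """Return (drive GUID, shell verb, command) for every MountPoints2 verb that
    runs something out of a RECYCLER folder. RECYCLER is a drive's recycle bin;
    an AutoRun/Open verb executing a .com from there is the well-known autorun
    worm pattern, so each hit names a removable drive that needs cleaning."""
    hits, current_key = [], None
    for line in log.splitlines():
        key = MOUNTPOINT_KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        cmd = SHELL_CMD_RE.match(line)
        if cmd and current_key and re.search(r"\bRECYCLER\\", cmd.group(2), re.I):
            hits.append((current_key, cmd.group(1), cmd.group(2).strip()))
    return hits


def find_unexpected_resolvers(log, expected):
    """Return the public DNS servers pinned on any adapter ("TCP: {GUID} = a,b")
    that are not in `expected`, the analyst-supplied resolvers the owner or ISP
    actually uses. Private addresses (a home router) are skipped. Whoever runs
    an unexpected resolver decides where every hostname the user types goes."""
    allowed = {ip_address(ip) for ip in expected}
    unexpected = set()
    for line in log.splitlines():
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        for ip in m.group(1).split(","):
            addr = ip_address(ip)
            if addr not in allowed and not addr.is_private:
                unexpected.add(str(addr))
    return unexpected


if __name__ == "__main__":
    for guid, verb, command in find_recycler_autoruns(SAMPLE_LOG):
        print(f"autorun via RECYCLER on drive {guid}: {verb} -> {command}")
    # 192.168.1.1 is a placeholder for the resolvers known to be legitimate.
    for ip in sorted(find_unexpected_resolvers(SAMPLE_LOG, ["192.168.1.1"])):
        print(f"unexpected DNS server pinned on an adapter: {ip}")
```
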
#6 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 16 August 2009 - 09:25 AM

Try running this and see if you have any luck:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click the RootRepeal icon on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#7 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 20 August 2009 - 11:35 AM

Are you still requiring assistance?

#8 Captainzoo
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:Belmont, NSW

Posted 20 August 2009 - 11:00 PM

Yes please!

I have been patiently awaiting the RootRepeal scan to complete so I can post the results. You did mention that it could take a while and it has been scanning for the last 72hrs. Is that too long? :)

As of this morning (Eastern Standard Time in Australia) it appeared to have completed the scan but the "Save Report" macro was not active. By the time I left for work it was still not active and was hoping it would be ready to save and send tonight (EST)? My c:/ drive is 500GB with 75% used so there are a few files to scan.

I will post back here within the next 24hrs. Either with the RootRepeal report or asking for more advice. However, if you can suggest something else I will try that...

Thanks for your patience thewall :)

Edited by Captainzoo, 20 August 2009 - 11:07 PM.


#9 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 21 August 2009 - 07:44 AM

Yes, that was way too long to have to wait for a scan. Sorry about that; I wish you had asked me, and I could have saved you all of that waiting.

Delete the version of GMER you have and download a new version from the link in Post #4 above. This time, though, deselect Devices and Sections from the options and see if it will run. If it still gives you trouble, then delete the version you have and try it with what I have below. Either way, if you can't get it to work in a reasonable time, let me know and we'll go from there.



Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


#10 Captainzoo
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:Belmont, NSW

Posted 22 August 2009 - 04:14 PM

It worked. As instructed, I unchecked Devices and Sections. Only took about 10hrs. Gmer report attached.

Hopefully there is something in there which might help solve the problem.

Attached Files
  • gmer.txt (17.76KB)


#11 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 22 August 2009 - 04:38 PM

I want to try another run with ComboFix. Please delete the version you have on your Desktop and download one from the link below then run it and post the log.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#12 Captainzoo
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:Belmont, NSW

Posted 22 August 2009 - 06:29 PM

Combofix has completed successfully. Attached is the log.


#13 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 22 August 2009 - 09:15 PM

Did that help with the problems you have been experiencing?

#14 Captainzoo
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:Belmont, NSW

Posted 23 August 2009 - 07:27 AM

Well, to my surprise, YES!

My Anti-Virus software started and performed the obligatory updates before opening. It appears that Windows Update is working again too. I haven't checked Windows Defender or accessing the Pareto website but will do this in the next 24hrs.

I can't thank you enough but THANK YOU thewall and BleepingComputer.

Question: Was there anything from the Gmer scan and Combofix log which highlighted a virus? If so do you know what it was that was so nasty to start crippling my system?

#15 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 23 August 2009 - 09:22 AM

Check those things and let me know, but be sure to come back: even if everything is running OK, we still need to do some cleaning up of our tools, and I'll have some suggestions to help you in the future.

The GMER log really didn't show much, but I suspected there were some things left over from the CF run that a newer version might pick up. There is also more to CF than just letting it run; that is why we advise people not to do it without assistance from those trained in its use. We have whole sections dedicated to just using that particular tool.