Google search hijack, slow broadband speed, multiple infections.


  • This topic is locked
6 replies to this topic

#1 Shads

Shads

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 08 August 2009 - 12:57 PM

Hey,
I consider myself fairly good at removing and fixing any problems that arise with my PC, but it seems like I'm in a little over my head here.
The girlfriend accidentally infected my machine last week with a virus; it presented itself as a fake anti-virus constantly popping up, calling fake infections.
I managed to remove that (completely, I think), but in the last few days I've noticed some bigger problems.
My Google search results keep getting redirected to random websites, and my internet speed is fluctuating from the usual 10meg down to 0.5.

I've run so far:
An AVG full system scan which found several tracking cookies.

Malwarebytes Anti-Malware which found several infections:

Malwarebytes' Anti-Malware 1.40
Database version: 2580
Windows 5.1.2600 Service Pack 2

08/08/2009 17:25:12
mbam-log-2009-08-08 (17-25-12).txt

Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 121689
Time elapsed: 49 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\17942814\17942814.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.


And a Spybot scan which also found several problems
[Spybot scan screenshot]

However, after all that the problem still seems to be around, and I'm at a loss. Any help would be greatly appreciated.





DDS LOG:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Scott at 18:37:31.90 on 08/08/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2047.1277 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
G:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
G:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
g:\Program Files\CDBurnerXP\NMSAccessU.exe
g:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\SOUNDMAN.EXE
G:\Zone Labs\ZoneAlarm\zlclient.exe
G:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
G:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
G:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
G:\Rainlendar2\Rainlendar2.exe
G:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
G:\Stardock\ObjectDock\ObjectDock.exe
G:\Program Files\Virgin Broadband Wireless\ndis_events.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
G:\Mozilla Firefox\firefox.exe
G:\Firefoxdownloadsrawr\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mytalktalk.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Rainlendar2] g:\rainlendar2\Rainlendar2.exe
uRun: [Creative Detector] "g:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [NVIDIA nTune] "g:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [PlayNC Launcher]
uRun: [NCsoft Launcher] c:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Zone Labs Client] "g:\zone labs\zonealarm\zlclient.exe"
mRun: [CTDVDDET] "g:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [RCSystem] "c:\program files\creative\shared files\module loader\DLLML.exe" RCSystem * -Startup
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [VolPanel] "g:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Wireless Manager] "g:\program files\virgin broadband wireless\Wireless Manager.exe" startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RivaTunerStartupDaemon] "g:\program files\rivatuner v2.24\RivaTuner.exe" /S
StartupFolder: c:\docume~1\scott\startm~1\programs\startup\stardo~1.lnk - g:\stardock\objectdock\ObjectDock.exe
IE: Locate Spot on Map by GPS - g:\program files\opanda\iexif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - g:\program files\opanda\iexif 2.3\IExifCom.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Notify: avgrsstarter - avgrsstx.dll
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\zc4rennv.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\scott\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: g:\program files\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: g:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: g:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: g:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: g:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: g:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: g:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: g:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: g:\program files\quicktime\plugins\npqtplugin7.dll
FF - plugin: g:\program files\real alternative\browser\plugins\nppl3260.dll
FF - plugin: g:\program files\real alternative\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - g:\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-11 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-12-26 27784]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-12-26 394872]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-11 298776]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2006-10-17 35072]
S3 mak800c;mak800c;c:\windows\system32\drivers\mak800c.sys [2007-2-9 24784]
S3 mak800m;mak800m;c:\windows\system32\drivers\mak800m.sys [2007-2-9 25044]
S3 mak800u;mak800u;c:\windows\system32\drivers\mak800u.sys [2007-2-9 55552]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2008-10-27 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2008-10-27 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2008-10-27 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2008-10-27 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2008-10-27 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2008-10-27 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2008-10-27 115752]

=============== Created Last 30 ================

2009-08-02 20:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\17942814
2009-07-25 21:09 148,736 a------- c:\docume~1\alluse~1\applic~1\hpe1C7.dll
2009-07-25 21:09 <DIR> --d----- c:\program files\Sony Ericsson
2009-07-25 21:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sony Ericsson
2009-07-13 14:41 212 a------- c:\windows\system32\QuickTime.qtp
2009-07-13 14:41 27,136 a------- c:\windows\system32\QTUninst.dll
2009-07-13 14:41 6,047,744 a------- c:\windows\system32\QuickTime.qts
2009-07-13 14:41 2,124,288 a------- c:\windows\system32\QuickTimeMusicalInstruments.qtx
2009-07-13 14:41 969,216 a------- c:\windows\system32\qd3d.dll
2009-07-13 14:41 747,008 a------- c:\windows\system32\Indeo4.qtx
2009-07-13 14:41 596,992 a------- c:\windows\system32\rave.dll
2009-07-13 14:41 370,176 a------- c:\windows\system32\QuickTimeVR.qtx
2009-07-13 14:41 253,952 a------- c:\windows\system32\QD3D_IR2.q3x
2009-07-13 14:41 202,240 a------- c:\windows\system32\QuickTime.cpl
2009-07-13 14:41 126,976 a------- c:\windows\system32\3DViewer.dll
2009-07-13 14:41 44,032 a------- c:\windows\system32\QD3DCustomElements.q3x
2009-07-13 14:38 0 -------- c:\windows\QTW.ini
2009-07-13 14:38 <DIR> --d----- c:\windows\BBSTORE

==================== Find3M ====================

2009-08-08 18:03 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 15:54 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-30 16:24 137,888 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-30 16:24 189,288 a------- c:\windows\system32\PnkBstrB.exe
2009-06-29 08:57 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-28 22:49 18,600 a---h--- c:\windows\system32\mlfcache.dat
2009-06-26 17:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 17:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-16 15:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 22:27 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-06-12 22:27 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-06-10 08:28 3,510,272 a------- c:\windows\system32\nvgames.dll
2009-06-10 08:28 4,022,272 a------- c:\windows\system32\nvdisps.dll
2009-06-10 08:28 13,758,464 a------- c:\windows\system32\nvcpl.dll
2009-06-10 08:28 168,004 a------- c:\windows\system32\nvsvc32.exe
2009-06-10 08:28 143,360 a------- c:\windows\system32\nvcolor.exe
2009-06-10 08:28 86,016 a------- c:\windows\system32\nvmctray.dll
2009-06-10 08:28 229,376 a------- c:\windows\system32\nvmccs.dll
2009-06-10 06:03 9,998,336 a------- c:\windows\system32\nvoglnt.dll
2009-06-10 06:03 8,087,712 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 06:03 5,908,608 a------- c:\windows\system32\nv4_disp.dll
2009-06-10 06:03 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-06-10 06:03 1,580,550 a------- c:\windows\system32\nvdata.bin
2009-06-10 06:03 1,310,720 a------- c:\windows\system32\nvcuvenc.dll
2009-06-10 06:03 815,104 a------- c:\windows\system32\nvapi.dll
2009-06-10 06:03 671,744 a------- c:\windows\system32\nvcuvid.dll
2009-06-10 06:03 457,248 a------- c:\windows\system32\nvudisp.exe
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcodins.dll
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll
2009-06-04 16:39 457,248 a------- c:\windows\system32\NVUNINST.EXE
2009-06-03 20:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-03-16 18:54 22,328 a------- c:\docume~1\scott\applic~1\PnkBstrK.sys
2008-12-07 00:17 0 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2007-12-31 00:53 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2007-12-28 16:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 15:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 18:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 18:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2007-07-30 15:34 52,329,617 a------- c:\documents and settings\scott\WoW-2.1.3.6898-to-0.2.0.6932-enGB-patch.exe
2006-12-15 12:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 12:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 12:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 12:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 12:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 18:39:13.82 ===============



And a HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:40:44, on 08/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
G:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
g:\Program Files\CDBurnerXP\NMSAccessU.exe
g:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
G:\Zone Labs\ZoneAlarm\zlclient.exe
G:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
G:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
G:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
G:\Rainlendar2\Rainlendar2.exe
G:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
G:\Stardock\ObjectDock\ObjectDock.exe
G:\Program Files\Virgin Broadband Wireless\ndis_events.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
G:\Mozilla Firefox\firefox.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTDVDDET] "G:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "G:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Wireless Manager] "G:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "G:\Program Files\RivaTuner v2.24\RivaTuner.exe" /S
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] G:\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Creative Detector] "G:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [NVIDIA nTune] "g:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [NCsoft Launcher] C:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - Startup: Stardock ObjectDock.lnk = G:\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Locate Spot on Map by GPS - g:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - g:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AffinegyService - Affinegy, Inc. - G:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - G:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMSAccessU - Unknown owner - g:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - g:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - g:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP1\RpcAgentSrv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 8401 bytes


Any help would be greatly appreciated.
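As an added example (not code from this thread, from HijackThis, or from any other tool named here), the Python below parses lines in the HijackThis log format shown above and flags the entry kinds an analyst reads first: O2 BHOs and O24 desktop components with no backing file, O23 services whose binary is missing or that carry no publisher, and any entry listed twice (the vsmon service line appears twice in this log). The sample input is copied from the log in this post; the flag rules are this example's own assumptions, and a flagged line is a prompt to look more closely, not a finding of infection.

```python
"""Triage pass over HijackThis-style log lines.

Added example written for this thread; not code from BleepingComputer,
HijackThis, or any other tool mentioned above. The flag rules (which
entry types and markers get reported) are this example's own assumptions,
chosen to surface the entries an analyst reviews first.
"""
import re
from collections import Counter

# Constructed sample: eight lines copied from the HijackThis log in the post.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: NMSAccessU - Unknown owner - g:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[ROF]\d+) - (?P<body>.+)$")


def parse_entries(text):
    """Return [(section, body), ...] for each line that is a HijackThis entry."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def section_counts(text):
    """Count entries per section, e.g. {'O2': 2, 'O23': 4}."""
    return dict(Counter(section for section, _ in parse_entries(text)))


def triage(text):
    """Return [(section, reason, body), ...] for entries worth a closer look.

    Rules (assumed for this example):
      * O2 BHOs and O24 desktop components whose target is "(no file)"
        are orphaned registrations left behind by an uninstall or a cleanup.
      * O23 services marked "(file missing)" point at a binary that no
        longer exists; ones with "Unknown owner" carry no publisher string.
      * An entry that appears more than once is reported a single time.
    """
    entries = parse_entries(text)
    occurrences = Counter(entries)
    reported_duplicates = set()
    findings = []
    for section, body in entries:
        if section in ("O2", "O24") and "(no file)" in body:
            findings.append((section, "no backing file", body))
        if section == "O23" and "(file missing)" in body:
            findings.append((section, "service binary missing", body))
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, "service without publisher", body))
        key = (section, body)
        if occurrences[key] > 1 and key not in reported_duplicates:
            reported_duplicates.add(key)
            findings.append((section, "listed more than once", body))
    return findings


if __name__ == "__main__":
    print("entries per section:", section_counts(SAMPLE_LOG))
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:<4} {reason:<26} {body}")
```

Run against a full log by replacing SAMPLE_LOG with the file contents; the section counts give a quick shape of the log, and the findings list is the short list to check by hand (publisher, file presence, and whether the entry belongs to software the owner installed) before anything is removed.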


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:12 AM

Posted 09 August 2009 - 06:01 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[ComboFix screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[ComboFix screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Shads

Shads
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 10 August 2009 - 03:06 PM

Hey, I ran ComboFix; it popped up an error while running, though: "Dumphive.cfexe has encountered a problem and needs to close...." Then it rebooted and scanned fine.

ComboFix 09-08-09.04 - Scott 10/08/2009 11:46.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2047.1518 [GMT 1:00]
Running from: g:\firefoxdownloadsrawr\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Windows Live Messenger .lnk
c:\documents and settings\Scott\Application Data\.#
c:\documents and settings\Scott\Application Data\.#\MBX@E04@A141A8.###
c:\documents and settings\Scott\Application Data\.#\MBX@E04@A141D8.###
c:\documents and settings\Scott\Application Data\.#\MBX@E04@A14208.###
C:\test.txt
c:\windows\Installer\fed686.msp
c:\windows\run.log
c:\windows\system32\setup.exe.tmp
G:\install.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-08 19:53 . 2009-08-08 19:53 -------- d-----w- c:\documents and settings\Scott\Application Data\Nero
2009-08-08 19:14 . 2009-08-08 19:14 -------- d-----w- c:\program files\Common Files\Nero
2009-08-08 19:14 . 2009-08-08 19:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Nero
2009-08-02 19:54 . 2009-08-08 16:25 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\17942814
2009-07-25 20:10 . 2009-07-25 20:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\BVRP Software
2009-07-25 20:10 . 2009-07-25 20:10 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\Sony Ericsson
2009-07-25 20:09 . 2009-07-25 20:09 -------- d-----w- c:\program files\Sony Ericsson
2009-07-25 20:09 . 2009-07-25 20:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Sony Ericsson
2009-07-17 18:05 . 2009-08-01 01:05 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\Temp
2009-07-13 13:41 . 1998-06-03 08:08 27136 ----a-w- c:\windows\system32\QTUninst.dll
2009-07-13 13:41 . 2009-07-13 13:41 -------- d-----w- c:\program files\QuickTime
2009-07-13 13:41 . 1998-03-20 12:41 596992 ----a-w- c:\windows\system32\rave.dll
2009-07-13 13:41 . 1998-03-20 12:39 969216 ----a-w- c:\windows\system32\qd3d.dll
2009-07-13 13:41 . 1998-03-20 12:38 126976 ----a-w- c:\windows\system32\3DViewer.dll
2009-07-13 13:38 . 2009-07-13 13:38 -------- d-----w- c:\windows\BBSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 01:16 . 2007-03-29 21:22 -------- d-----w- c:\documents and settings\Scott\Application Data\foobar2000
2009-08-08 17:03 . 2006-12-26 12:25 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-08-08 15:26 . 2008-12-26 10:10 -------- d-----w- c:\program files\Bonjour
2009-08-03 12:36 . 2009-05-18 22:52 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-05-18 22:52 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 20:08 . 2009-08-02 20:32 2290688 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2009-08-02 20:04 . 2009-08-02 20:07 2290688 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2009-08-02 19:45 . 2008-10-15 20:16 -------- d-----w- c:\documents and settings\Scott\Application Data\uTorrent
2009-08-02 17:29 . 2007-11-01 20:59 -------- d-----w- c:\documents and settings\Scott\Application Data\dvdcss
2009-08-01 14:48 . 2007-02-09 20:03 25136058 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-07-29 14:54 . 2009-04-11 09:08 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-25 20:09 . 2009-07-25 20:09 148736 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\hpe1C7.dll
2009-07-25 20:09 . 2006-12-26 11:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-25 20:03 . 2006-12-26 18:53 -------- d-----w- c:\program files\Common Files\Teleca Shared
2009-07-22 20:53 . 2007-12-04 10:56 -------- d-----w- c:\documents and settings\Scott\Application Data\OpenOffice.org2
2009-07-22 20:49 . 2007-12-04 10:56 1 ----a-w- c:\documents and settings\Scott\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-07-09 13:06 . 2009-07-09 13:06 -------- d-----w- c:\program files\Creative Labs
2009-07-05 10:46 . 2009-07-05 10:46 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-07-05 00:21 . 2009-07-05 00:21 -------- d-----w- c:\program files\NCSoft
2009-07-05 00:19 . 2009-07-05 00:17 -------- d-----w- c:\documents and settings\Scott\Application Data\GetRightToGo
2009-06-30 15:24 . 2007-04-26 16:31 137888 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-30 15:24 . 2007-04-26 16:28 189288 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-29 07:57 . 2009-04-11 09:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-29 07:57 . 2006-12-26 12:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-28 21:49 . 2009-06-28 21:49 18600 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-28 21:48 . 2006-12-26 18:58 -------- d-----w- c:\documents and settings\Scott\Application Data\Apple Computer
2009-06-26 16:18 . 2004-08-04 12:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-22 23:20 . 2009-06-22 23:22 2134528 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2009-06-18 20:46 . 2009-06-18 20:46 54329 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_06_18_21_44_56_small.dmp.zip
2009-06-18 20:46 . 2009-06-18 20:46 56324 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_06_18_21_44_45_small.dmp.zip
2009-06-18 20:25 . 2009-06-18 20:27 2130944 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2009-06-18 20:01 . 2009-06-18 20:03 2135040 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 23:57 . 2009-06-15 20:38 -------- d-----w- c:\documents and settings\Scott\Application Data\Azureus
2009-06-15 20:38 . 2009-06-15 20:38 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Azureus
2009-06-15 20:38 . 2009-06-15 20:38 -------- d-----w- c:\program files\Vuze
2009-06-13 18:50 . 2007-10-31 22:35 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-13 18:49 . 2007-10-31 22:35 -------- d-----w- c:\documents and settings\Scott\Application Data\SystemRequirementsLab
2009-06-13 18:49 . 2009-06-13 18:49 207872 ----a-w- c:\documents and settings\Scott\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-06-13 18:49 . 2009-06-13 18:49 207872 ----a-w- c:\documents and settings\Scott\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-06-13 18:49 . 2009-06-13 18:49 207872 ----a-w- c:\documents and settings\Scott\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-06-13 18:49 . 2009-06-13 18:49 207872 ----a-w- c:\documents and settings\Scott\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
2009-06-12 21:27 . 2007-02-07 12:52 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-06-12 21:27 . 2005-04-13 12:34 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-06-10 07:28 . 2009-06-10 07:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 07:28 . 2009-06-10 07:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 07:28 . 2009-06-10 07:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 07:28 . 2009-06-10 07:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 07:28 . 2009-06-10 07:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 07:28 . 2009-06-10 07:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 07:28 . 2009-06-10 07:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 05:03 . 2009-06-10 05:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 05:03 . 2009-06-10 05:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 05:03 . 2009-03-27 09:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 05:03 . 2008-02-05 22:56 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-06-10 05:03 . 2007-12-05 01:41 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 05:03 . 2007-12-05 01:41 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-10 05:03 . 2007-12-05 01:41 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 05:03 . 2007-12-05 00:41 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 05:03 . 2007-12-05 00:41 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 05:03 . 2007-12-05 00:41 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 05:03 . 2007-12-05 00:41 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-04 15:39 . 2006-12-26 11:58 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-20 14:56 . 2009-05-20 14:56 272384 ----a-w- c:\documents and settings\Scott\Application Data\Acreon\WowMatrix\Modules\curl.exe
2009-05-20 14:56 . 2009-05-20 14:56 258048 ----a-w- c:\documents and settings\Scott\Application Data\Acreon\WowMatrix\Libraries\wmzip.dll
2009-05-20 14:56 . 2009-05-20 14:56 192512 ----a-w- c:\documents and settings\Scott\Application Data\Acreon\WowMatrix\Libraries\wmweb.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Rainlendar2"="g:\rainlendar2\Rainlendar2.exe" [2006-10-28 981504]
"Creative Detector"="g:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"NVIDIA nTune"="g:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"NCsoft Launcher"="c:\program files\ncsoft\launcher\NCLauncher.exe" [2009-07-22 38184]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-04-01 405504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="g:\zone labs\ZoneAlarm\zlclient.exe" [2006-06-18 968696]
"CTDVDDET"="g:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"VolPanel"="g:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"Wireless Manager"="g:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"RivaTunerStartupDaemon"="g:\program files\RivaTuner v2.24\RivaTuner.exe" [2009-02-25 2781184]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-08-07 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2005-08-07 18944]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

c:\documents and settings\Scott\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - g:\stardock\ObjectDock\ObjectDock.exe [2006-12-26 2860792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 07:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Alarm Clock 4 Free.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Alarm Clock 4 Free.LNK
backup=c:\windows\pss\Alarm Clock 4 Free.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v3 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v3 Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=c:\documents and settings\Scott\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=c:\windows\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Scott\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"g:\\Program Files\\uTorrent\\uTorrent.exe"=
"g:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP1\\RpcAgentSrv.exe"=
"g:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP1\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\Steam\\steamapps\\common\\rome total war gold\\RomeTW.exe"=
"g:\\Program Files\\Steam\\steamapps\\common\\rome total war gold\\RomeTW-BI.exe"=
"g:\\Program Files\\Bohemia Interactive\\ArmA\\ArmA\\arma.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"g:\\Program Files\\Curse\\CurseClient.exe"=
"g:\\Program Files\\BitComet\\BitComet.exe"=
"g:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=
"g:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21423:TCP"= 21423:TCP:BitComet 21423 TCP
"21423:UDP"= 21423:UDP:BitComet 21423 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/04/2009 10:08 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/04/2009 10:07 298776]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [09/10/2007 14:13 38144]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [17/10/2006 19:09 35072]
S3 mak800c;mak800c;c:\windows\system32\drivers\mak800c.sys [09/02/2007 22:02 24784]
S3 mak800m;mak800m;c:\windows\system32\drivers\mak800m.sys [09/02/2007 22:02 25044]
S3 mak800u;mak800u;c:\windows\system32\drivers\mak800u.sys [09/02/2007 22:02 55552]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [28/12/2007 16:02 287232]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [27/10/2008 21:29 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [27/10/2008 21:29 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [27/10/2008 21:29 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [27/10/2008 21:29 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [27/10/2008 21:29 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [27/10/2008 21:29 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [27/10/2008 21:29 115752]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PlayNC Launcher - (no file)
Notify-AtiExtEvent - (no file)
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
IE: Locate Spot on Map by GPS - g:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - g:\program files\Opanda\IExif 2.3\IExifCom.htm
FF - ProfilePath - c:\docume~1\Scott\APPLIC~1\Mozilla\Firefox\Profiles\zc4rennv.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Scott\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: g:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: g:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: g:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: g:\program files\Real Alternative\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 11:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\progra~1\COMMON~1\Stardock\mcpstub.dll
.
Completion time: 2009-08-10 11:57
ComboFix-quarantined-files.txt 2009-08-10 10:56

Pre-Run: 1,965,195,264 bytes free
Post-Run: 2,433,798,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Setup"

252 --- E O F --- 2009-07-30 02:00

You'll notice on my boot I have a Windows XP installation trying to install; it's because I was going to format a while ago but realised my DVD-RW was broken, so I couldn't back up.

#4 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 August 2009 - 10:09 AM

Are you still experiencing the redirected searches?


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
Note: If you have problems with Dr.Web shutting down before it completes the scan, you can perform a custom scan and select individual folders to scan. In that case, start with C:\Windows\System32.


Please post the contents of the log from DrWeb in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Shads

  • Topic Starter

  • Members
  • 3 posts

Posted 16 August 2009 - 10:19 AM

Hey, apologies for the late reply. I had a family emergency (my sister went into hospital), so obviously that came first.

My searches are still being redirected and AVG has started finding a virus each scan:

First, on the 11th:
"C:\Program Files\Common Files\SupportSoft\bin\AVManagerUnified.dll";"Trojan horse Downloader.Generic8.BHDV";"Moved to Virus Vault"

14th:
"C:\WINDOWS\system32\vsfoceoivxtfgn.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"

And the 16th:
"C:\System Volume Information\_restore{EE9625BA-C1E3-4A18-9920-56CC01032ED7}\RP983\A0218328.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"

Dr.Web scans are running now; I just thought I'd reply as soon as I could to let you know I'm still active.

#6 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 August 2009 - 12:29 PM

No problem on the delay. Hopefully all is well with your family.

Just post back with the log from DrWeb when you can. I'll be around. :thumbup2:


========================================================

#7 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 September 2009 - 10:23 AM

Unfortunately there has been no response. :thumbup2:
This thread will now be closed.


========================================================



