
Win32/Cryptor and Antivirus System Pro


  • This topic is locked
16 replies to this topic

#1 foodeatingmonkey

foodeatingmonkey

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:32 AM

Posted 11 August 2009 - 12:48 AM

Hi. I have a Dell Inspiron 1200 running Microsoft Windows XP Home Edition Service Pack 2.
My anti-virus software is AVG free, my firewall is Windows own.
About a month ago, I was infected by Antivirus System Pro but removed it after downloading and using MBAM.
I have been infected with Antivirus System Pro again twice since; each time I have removed it using MBAM, but the most recent time (about a week ago) it comes back immediately after I restart the computer (the pop-up is there as soon as I log in to Windows, even if I have just run MBAM, removed AVSP & restarted). The only way it doesn't come back is if I only use Safe Mode.
I ran an AVG scan in normal mode and came up with 50+ files infected by Win32/Cryptor. AVG appeared unable to remove them (it asked me if I wanted to remove as power user; I clicked yes but the file was not removed or quarantined).

My current state:
I have run MBAM in Safe Mode, removed the AVSP infected files and restarted in Safe Mode. The infection remains removed on a restart in Safe Mode.
I have run an AVG scan in Safe Mode. From the pre-scan options I chose to move infected files to the virus vault. The scan identified many files and processes infected with Win32/Cryptor. It is unclear to me what exactly AVG has done as a result of finding these files (In Safe Mode it runs in a shell window, with which I am less familiar).
I have run DDS:

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by the chavez family at 6:21:08.50 on 11/08/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1271.872 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\taskmgr.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.dell.co.uk/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html?p=DK
uInternet Connection Wizard,ShellNext = iexplore
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [USB Storage Toolbox] c:\program files\usb disk win98 driver\Res.EXE
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe
mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [EPSON PictureMate Deluxe] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9TA.EXE /P24 "EPSON PictureMate Deluxe" /O6 "USB002" /M "PictureMate Deluxe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {95B3F550-91C4-4627-BCC4-521288C52977} - c:\program files\pplive\PPLive.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thecha~1\applic~1\mozilla\firefox\profiles\zehxuxus.default
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\the chavez family\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\the chavez family\application data\mozilla\firefox\profiles\zehxuxus.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-5 108552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-5 335752]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-30 27784]
S2 AntipPro2009_12;AntipyPro_12;c:\windows\svchast.exe [2009-8-2 176128]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-26 907032]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 298776]
S2 bmao;bmao;c:\windows\system32\drivers\mbqkumh.sys [2009-8-11 61440]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [2009-5-30 48896]

=============== Created Last 30 ================

2009-08-11 05:26 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-11 05:10 61,440 a------- c:\windows\system32\drivers\mbqkumh.sys
2009-08-02 19:26 9 a------- c:\windows\system32\bennuar.old
2009-08-02 19:25 36 a------- c:\windows\system32\sysnet.dat
2009-08-02 19:25 176,128 a------- c:\windows\svchast.exe
2009-08-02 19:25 100 a------- c:\windows\system32\sonhelp.htm
2009-08-02 19:25 64 a------- c:\windows\ppp4.dat
2009-08-02 19:25 1 a------- c:\windows\ppp3.dat
2009-08-02 19:23 <DIR> --d----- c:\program files\Windows Antivirus Pro
2009-07-21 06:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\iTunesFolderWatch
2009-07-21 06:41 <DIR> --d----- c:\program files\JezSoft
2009-07-19 04:20 <DIR> --d----- c:\program files\Kreatives.org
2009-07-12 15:32 <DIR> --d----- C:\FavoriteVideo
2009-07-12 15:32 <DIR> --d----- c:\docume~1\thecha~1\applic~1\PPLiveVA
2009-07-12 15:32 <DIR> --d----- c:\program files\PPLiveVA
2009-07-12 15:31 1,073,741,824 a---h--- C:\pfsvoddata.bbv
2009-07-12 15:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PPLiveVA
2009-07-12 15:31 <DIR> --d----- c:\docume~1\thecha~1\applic~1\PPLive
2009-07-12 15:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PPLive
2009-07-12 15:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Jlcm
2009-07-12 15:30 <DIR> --d----- c:\program files\PPLive

==================== Find3M ====================

2009-07-12 04:04 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 16:16 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-03-03 17:31 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 6:22:56.90 ===============

Thank you dearly for any help you can offer.

Oh, and I checked my internet options and the home page has been changed to 123.sogou.com. Not sure if this is related / relevant.

Thanks again.

Merged posts. ~ OB


Edited by Orange Blossom, 11 August 2009 - 12:53 AM.
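The SERVICES / DRIVERS section of the DDS log above lists each service with its binary path and file date, and the signals a helper reads off it are visible in this very post: a service whose binary is named one letter off from svchost.exe and sits directly in c:\windows, and a driver created on the day of the scan whose display name is just its own service name. The Python below is an added example written for this page, not a tool from the thread or from the authors of DDS or ComboFix. Its sample lines are constructed to mirror the shape of that section, and the three heuristics, the core-binary name list and the 14-day window are assumptions of the example rather than rules DDS applies.

```python
"""Triage heuristics for the SERVICES / DRIVERS section of a DDS log.

Added example for this thread; not part of DDS or ComboFix. The sample
lines are constructed to mirror the shape of the log, and every threshold
and name list below is an assumption of the example.
"""
import re
from datetime import date, timedelta

# Constructed sample in DDS format: "<state> <name>;<display>;<path> [<yyyy-m-d> <size>]"
SAMPLE_SERVICES = """\
R1 AvgTdiX;AVG8 Network Redirector;c:\\windows\\system32\\drivers\\avgtdix.sys [2008-5-5 108552]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\\windows\\system32\\drivers\\avgmfx86.sys [2006-11-30 27784]
S2 AntipPro2009_12;AntipyPro_12;c:\\windows\\svchast.exe [2009-8-2 176128]
S2 avg8wd;AVG8 WatchDog;c:\\progra~1\\avg\\avg8\\avgwdsvc.exe [2008-7-3 298776]
S2 bmao;bmao;c:\\windows\\system32\\drivers\\mbqkumh.sys [2009-8-11 61440]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\\windows\\system32\\drivers\\PhSerUsb.sys [2009-5-30 48896]
"""

# Assumed list of core Windows binaries whose names malware commonly imitates
CORE_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "explorer.exe", "services.exe", "spoolsv.exe", "smss.exe")
RECENT_DAYS = 14  # assumed window: files this new relative to the scan deserve a look

LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$")


def parse_date(text):
    """'2009-8-2' -> date(2009, 8, 2); DDS does not zero-pad month or day."""
    y, m, d = (int(part) for part in text.split("-"))
    return date(y, m, d)


def parse_services(text):
    """Return one dict per service/driver line; lines of another shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "state": m["state"], "name": m["name"], "display": m["display"],
            "path": m["path"].lower(), "created": parse_date(m["date"]),
            "size": int(m["size"]),
        })
    return entries


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(entries, scan_date):
    """Map service name -> list of reasons for every entry that deserves a closer look."""
    findings = {}
    for e in entries:
        reasons = []
        directory, _, basename = e["path"].rpartition("\\")
        # 1. file name one edit away from a core Windows binary, but not equal to it
        for core in CORE_BINARIES:
            if basename != core and edit_distance(basename, core) == 1:
                reasons.append(f"name resembles {core}")
        # 2. service binary dropped directly into the Windows root rather than system32
        if directory == "c:\\windows":
            reasons.append("binary directly in c:\\windows")
        # 3. file newer than RECENT_DAYS whose display name is just the service name
        is_recent = scan_date - e["created"] <= timedelta(days=RECENT_DAYS)
        if is_recent and e["display"] == e["name"]:
            reasons.append("recent file with placeholder display name")
        if reasons:
            findings[e["name"]] = reasons
    return findings


def triage_log(text, scan_date_text):
    """Parse the section and triage it against the date on the log's header line."""
    return triage(parse_services(text), parse_date(scan_date_text))


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_SERVICES, "2009-8-11").items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the constructed sample with the scan date from the log header, the two entries flagged are the ones ComboFix later removed (the AntipPro2009_12 service and the bmao driver), while the AVG and PHILOG entries pass all three checks. The heuristics are deliberately narrow; they point a human at entries to verify, they do not decide on their own that a file is malicious.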




#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:32 PM

Posted 11 August 2009 - 05:55 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[screenshots of the rename step in the download dialog]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 foodeatingmonkey

foodeatingmonkey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:32 AM

Posted 11 August 2009 - 07:09 AM

Thanks for the quick reply. Should I run ComboFix in Safe Mode or not?

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:32 PM

Posted 11 August 2009 - 07:39 AM

Any mode will do, but preferably Normal Mode



#5 foodeatingmonkey

foodeatingmonkey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:32 AM

Posted 11 August 2009 - 07:25 PM

ComboFix 09-08-10.06 - the chavez family 12/08/2009 1:11.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1271.830 [GMT -5:00]
Running from: c:\documents and settings\the chavez family\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1780229129-2151850602-606757671-1003
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\svchast.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\dddesot.dll
c:\windows\system32\desot.exe
c:\windows\system32\drivers\geyekrucbnmpxr.sys
c:\windows\system32\geyekrfrnisgtb.dat
c:\windows\system32\geyekrfumfalqj.dat
c:\windows\system32\geyekrkllldnow.dll
c:\windows\system32\geyekrscfyxymx.dll
c:\windows\system32\wbem\proquota.exe


c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_geyekrriqhpjxd
-------\Legacy_geyekrriqhpjxd
-------\Legacy_AntipPro2009_12
-------\Service_AntipPro2009_12


((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.

2009-08-12 06:18 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-12 06:18 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-11 10:26 . 2009-08-11 10:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-03 00:25 . 2009-08-03 00:25 36 ----a-w- c:\windows\system32\sysnet.dat
2009-08-03 00:25 . 2009-08-12 06:17 64 ----a-w- c:\windows\ppp4.dat
2009-08-03 00:25 . 2009-08-12 06:17 1 ----a-w- c:\windows\ppp3.dat
2009-08-03 00:23 . 2009-08-03 00:26 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-07-21 11:42 . 2009-07-21 11:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\iTunesFolderWatch
2009-07-21 11:41 . 2009-07-21 11:41 -------- d-----w- c:\program files\JezSoft
2009-07-19 09:20 . 2009-07-19 09:20 -------- d-----w- c:\program files\Kreatives.org
2009-07-14 09:01 . 2009-07-14 09:01 127921 ----a-w- c:\documents and settings\the chavez family\Application Data\Move Networks\uninstall.exe
2009-07-14 09:00 . 2009-07-14 09:01 1686744 ----a-w- c:\documents and settings\the chavez family\Application Data\Move Networks\MoveMediaPlayerWin_071504000001.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 18:45 . 2009-07-12 20:30 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PPLive
2009-08-02 18:45 . 2009-07-12 20:31 -------- d-----w- c:\documents and settings\the chavez family\Application Data\PPLive
2009-08-02 18:45 . 2009-07-12 20:30 -------- d-----w- c:\program files\PPLive
2009-07-28 00:40 . 2007-09-24 20:54 -------- d-----w- c:\program files\dl_Cats
2009-07-15 01:56 . 2008-06-09 20:09 -------- d-----w- c:\documents and settings\the chavez family\Application Data\Move Networks
2009-07-14 09:01 . 2009-06-17 07:52 4183416 ----a-w- c:\documents and settings\the chavez family\Application Data\Move Networks\plugins\npqmp071504000001.dll
2009-07-12 20:32 . 2009-07-12 20:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PPLiveVA
2009-07-12 20:32 . 2009-07-12 20:32 -------- d-----w- c:\documents and settings\the chavez family\Application Data\PPLiveVA
2009-07-12 20:32 . 2009-07-12 20:32 -------- d-----w- c:\program files\PPLiveVA
2009-07-12 20:30 . 2009-07-12 20:30 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Jlcm
2009-07-12 09:04 . 2008-05-05 19:17 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-11 14:57 . 2009-07-05 14:38 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-05 14:16 . 2009-07-03 15:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-04 08:02 . 2009-07-04 08:02 -------- d-----w- c:\program files\MSXML 4.0
2009-07-03 15:25 . 2009-07-03 15:25 -------- d-----w- c:\documents and settings\the chavez family\Application Data\Malwarebytes
2009-07-03 15:25 . 2009-07-03 15:25 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-06-26 21:16 . 2008-05-05 19:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 21:16 . 2006-11-30 14:47 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-17 16:27 . 2009-07-03 15:25 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-07-03 15:25 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 07:52 . 2009-06-17 07:52 97144 ----a-w- c:\documents and settings\the chavez family\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-09 16:41 . 2009-06-09 16:41 152576 ----a-w- c:\documents and settings\the chavez family\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-05-21 16:33 . 2008-12-26 21:20 410984 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 86016]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-07-11 73728]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2006-01-05 489472]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2006-01-05 08:15 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-03-04 606208]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-22 73728]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-28 24576]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-31 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-31 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 21:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\the chavez family\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\WINDOWS\\system32\\dlbtcoms.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\PPLiveVA\\PPLiveVA.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [05/05/2008 14:17 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [05/05/2008 14:17 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [26/06/2009 16:16 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [03/07/2008 12:07 298776]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [30/05/2009 12:19 48896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
HKLM-Run-EPSON PictureMate Deluxe - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\docume~1\THECHA~1\APPLIC~1\Mozilla\Firefox\Profiles\zehxuxus.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\the chavez family\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\the chavez family\Application Data\Mozilla\Firefox\Profiles\zehxuxus.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 01:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6132)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlbtcoms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-12 1:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-12 06:25

Pre-Run: 2,821,181,440 bytes free
Post-Run: 3,399,876,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

213 --- E O F --- 2009-07-04 16:28

#6 foodeatingmonkey

foodeatingmonkey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:32 AM

Posted 11 August 2009 - 07:29 PM

Since running ComboFix and restarting in Normal Mode, the Antivirus System Pro has not re-appeared. Everything seems ok, although I have not actually carried out any virus scans since running ComboFix. I have turned the AVG scanner back on.

#7 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:32 PM

Posted 11 August 2009 - 10:45 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\sysnet.dat
c:\windows\ppp4.dat
c:\windows\ppp3.dat

Folder::
c:\program files\Windows Antivirus Pro

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation of dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



#8 foodeatingmonkey

foodeatingmonkey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:32 AM

Posted 12 August 2009 - 10:23 PM

New ComboFix logfile:

ComboFix 09-08-10.06 - the chavez family 13/08/2009 4:08.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1271.701 [GMT -5:00]
Running from: c:\documents and settings\the chavez family\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\the chavez family\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\ppp3.dat"
"c:\windows\ppp4.dat"
"c:\windows\system32\sysnet.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\tmp\dbsinit.exe
c:\program files\Windows Antivirus Pro\tmp\images\i1.gif
c:\program files\Windows Antivirus Pro\tmp\images\i2.gif
c:\program files\Windows Antivirus Pro\tmp\images\i3.gif
c:\program files\Windows Antivirus Pro\tmp\images\j1.gif
c:\program files\Windows Antivirus Pro\tmp\images\j2.gif
c:\program files\Windows Antivirus Pro\tmp\images\j3.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif
c:\program files\Windows Antivirus Pro\tmp\images\l1.gif
c:\program files\Windows Antivirus Pro\tmp\images\l2.gif
c:\program files\Windows Antivirus Pro\tmp\images\l3.gif
c:\program files\Windows Antivirus Pro\tmp\images\pix.gif
c:\program files\Windows Antivirus Pro\tmp\images\t1.gif
c:\program files\Windows Antivirus Pro\tmp\images\t2.gif
c:\program files\Windows Antivirus Pro\tmp\images\up1.gif
c:\program files\Windows Antivirus Pro\tmp\images\up2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w1.gif
c:\program files\Windows Antivirus Pro\tmp\images\w11.gif
c:\program files\Windows Antivirus Pro\tmp\images\w2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg
c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif
c:\program files\Windows Antivirus Pro\tmp\wispex.html
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\sysnet.dat


.
((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.

2009-08-12 06:18 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-12 06:18 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-11 10:26 . 2009-08-11 10:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-21 11:42 . 2009-07-21 11:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\iTunesFolderWatch
2009-07-21 11:41 . 2009-07-21 11:41 -------- d-----w- c:\program files\JezSoft
2009-07-19 09:20 . 2009-07-19 09:20 -------- d-----w- c:\program files\Kreatives.org

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 18:45 . 2009-07-12 20:30 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PPLive
2009-08-02 18:45 . 2009-07-12 20:31 -------- d-----w- c:\documents and settings\the chavez family\Application Data\PPLive
2009-08-02 18:45 . 2009-07-12 20:30 -------- d-----w- c:\program files\PPLive
2009-07-28 00:40 . 2007-09-24 20:54 -------- d-----w- c:\program files\dl_Cats
2009-07-15 01:56 . 2008-06-09 20:09 -------- d-----w- c:\documents and settings\the chavez family\Application Data\Move Networks
2009-07-14 09:01 . 2009-07-14 09:01 127921 ----a-w- c:\documents and settings\the chavez family\Application Data\Move Networks\uninstall.exe
2009-07-14 09:01 . 2009-06-17 07:52 4183416 ----a-w- c:\documents and settings\the chavez family\Application Data\Move Networks\plugins\npqmp071504000001.dll
2009-07-14 09:01 . 2009-07-14 09:00 1686744 ----a-w- c:\documents and settings\the chavez family\Application Data\Move Networks\MoveMediaPlayerWin_071504000001.exe
2009-07-12 20:32 . 2009-07-12 20:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PPLiveVA
2009-07-12 20:32 . 2009-07-12 20:32 -------- d-----w- c:\documents and settings\the chavez family\Application Data\PPLiveVA
2009-07-12 20:32 . 2009-07-12 20:32 -------- d-----w- c:\program files\PPLiveVA
2009-07-12 20:30 . 2009-07-12 20:30 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Jlcm
2009-07-12 09:04 . 2008-05-05 19:17 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-11 14:57 . 2009-07-05 14:38 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-05 14:16 . 2009-07-03 15:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-04 08:02 . 2009-07-04 08:02 -------- d-----w- c:\program files\MSXML 4.0
2009-07-03 15:25 . 2009-07-03 15:25 -------- d-----w- c:\documents and settings\the chavez family\Application Data\Malwarebytes
2009-07-03 15:25 . 2009-07-03 15:25 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-06-26 21:16 . 2008-05-05 19:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 21:16 . 2006-11-30 14:47 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-17 16:27 . 2009-07-03 15:25 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-07-03 15:25 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 07:52 . 2009-06-17 07:52 97144 ----a-w- c:\documents and settings\the chavez family\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-09 16:41 . 2009-06-09 16:41 152576 ----a-w- c:\documents and settings\the chavez family\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-05-21 16:33 . 2008-12-26 21:20 410984 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-12_06.20.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-13 09:15 . 2009-08-13 09:15 16384 c:\windows\temp\Perflib_Perfdata_5a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 86016]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-07-11 73728]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2006-01-05 489472]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2006-01-05 08:15 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-03-04 606208]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-22 73728]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-28 24576]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-31 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-31 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 21:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\the chavez family\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\WINDOWS\\system32\\dlbtcoms.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\PPLiveVA\\PPLiveVA.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [05/05/2008 14:17 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [05/05/2008 14:17 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [26/06/2009 16:16 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [03/07/2008 12:07 298776]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [30/05/2009 12:19 48896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\docume~1\THECHA~1\APPLIC~1\Mozilla\Firefox\Profiles\zehxuxus.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\the chavez family\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\the chavez family\Application Data\Mozilla\Firefox\Profiles\zehxuxus.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 04:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5212)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlbtcoms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-13 4:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 09:21
ComboFix2.txt 2009-08-12 06:25

Pre-Run: 3,410,149,376 bytes free
Post-Run: 3,373,223,936 bytes free

223 --- E O F --- 2009-07-04 16:28


HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:26:16, on 13/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

--
End of file - 8974 bytes
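A first-pass triage helper for the two log formats posted above, added here as an example and not code from the thread, ComboFix or HijackThis: it parses HijackThis entry lines and the REGEDIT4 "Reg Loading Points" dump, and flags the entry types a helper checks first (orphaned CLSIDs, rundll32-loaded autostarts, unidentified Winsock LSPs, Winlogon Notify DLLs, and a non-zero Security Center UpdatesDisableNotify). The sample lines are copied from the logs in this post; FirewallDisableNotify and AntiVirusDisableNotify are assumed as the sibling values of the same key and do not appear in the log.

```python
"""Added example, not from the thread: defender-side triage of HijackThis and
ComboFix REGEDIT4 log lines.  Flags entries for review; it removes nothing."""
import re
from dataclasses import dataclass

# HijackThis entry: "<code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] target".
HJT_ENTRY = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.+)$")
O4_BODY = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<target>.+)$")
# ComboFix "Reg Loading Points" uses REGEDIT4 syntax: [key] then "name"=dword:hex.
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
# XP SP2 Security Center suppression flags; a value of 1 hides the warning.
# UpdatesDisableNotify is in this log; the other two are assumed siblings.
NOTIFY_FLAGS = {"updatesdisablenotify", "firewalldisablenotify", "antivirusdisablenotify"}


@dataclass
class Finding:
    source: str   # HijackThis section code, or "REG" for the registry dump
    item: str     # entry name, or the whole entry body where there is no name
    reason: str


def review_hjt(text: str) -> list[Finding]:
    """Walk HijackThis entries and flag the ones that need a human look."""
    out: list[Finding] = []
    for raw in text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("O2", "O3", "O9") and ("(file missing)" in body or "(no file)" in body):
            out.append(Finding(code, body, "orphaned registration: CLSID points at a file that no longer exists"))
        elif code == "O4":
            b = O4_BODY.match(body)
            if b and b.group("target").lower().startswith("rundll32"):
                out.append(Finding(code, b.group("name"), "DLL started via rundll32; verify the DLL's path and publisher"))
        elif code == "O10":
            out.append(Finding(code, body, "Winsock LSP HijackThis could not identify; verify before touching (a broken LSP chain kills networking)"))
        elif code == "O20":
            out.append(Finding(code, body, "Winlogon Notify DLL loads into winlogon.exe as SYSTEM; confirm it belongs to installed security software"))
    return out


def review_reg(text: str) -> list[Finding]:
    """Flag non-zero Security Center *DisableNotify values in a REGEDIT4 dump."""
    out: list[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        k = REG_KEY.match(line)
        if k:
            key = k.group("key").lower()
            continue
        v = REG_DWORD.match(line)
        if v and key == SECURITY_CENTER_KEY and v.group("name").lower() in NOTIFY_FLAGS:
            value = int(v.group("hex"), 16)
            if value != 0:
                out.append(Finding("REG", v.group("name"), f"Security Center warning suppressed (value {value}, expected 0)"))
    return out


# Sample input copied from the HijackThis log in this post.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

# Sample input copied from the ComboFix "Reg Loading Points" section above.
REG_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"""

if __name__ == "__main__":
    for f in review_hjt(HJT_SAMPLE) + review_reg(REG_SAMPLE):
        print(f"[{f.source}] {f.item}\n    -> {f.reason}")
```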

#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 12 August 2009 - 10:40 PM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#10 foodeatingmonkey

foodeatingmonkey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 13 August 2009 - 01:14 PM

MBAM log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

13/08/2009 19:18:07
mbam-log-2009-08-13 (19-18-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 150604
Time elapsed: 46 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Program Files\Windows Antivirus Pro\tmp\dbsinit.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\svchast.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dddesot.dll.vir (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\desot.exe.vir (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrkllldnow.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP921\A0075983.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP926\A0080516.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP926\A0080522.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP927\A0080535.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP927\A0080545.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP927\A0080547.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP927\A0080669.exe (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP927\A0080695.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.



I haven't had chance to do the ESET scan yet. I'll update the topic when I do. No need for you to reply yet, unless you see something drastic.

#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 13 August 2009 - 01:26 PM

No need for you to reply yet, unless you see something drastic.


Ok :)

ooppss :thumbup2:



#12 foodeatingmonkey

foodeatingmonkey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 13 August 2009 - 05:20 PM

Ok, here's the ESET log, too:

ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6048
# api_version=3.0.2
# EOSSerial=cb72b0af3ee03f43803b977f014075b6
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-14 04:20:43
# local_time=2009-08-13 11:20:43 (-0600, Central Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1026 21 83 97 22846980625000
# scanned=56980
# found=4
# cleaned=4
# scan_time=2526
C:\data probably a variant of JS/TrojanDownloader.IstBar trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\the chavez family\My Documents\My Music\iTunes\iTunes Music\Mardi Gras - The Grammophone's song.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Windows Antivirus Pro\tmp\wispex.html.vir Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Downloaded Program Files\ClientAX.dll probably a variant of Win32/Adware.180Solutions application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


How does it look?

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 14 August 2009 - 12:31 AM

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512



#14 foodeatingmonkey

foodeatingmonkey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 15 August 2009 - 09:57 AM

I ran OTC, it took all of 30 seconds and did not report anything. Wow. Thanks. That is quite a weight off of my mind.

I read the articles that you posted and used ERUNT and SysRestorePoint to back up my registry and create a new restore point. I installed some of the other software and so currently have:

Firefox browser
AVG free antivirus
MBAM
SpywareGuard
NoScript
Windows firewall

I do have a couple of quick questions:

1. Will the above protection programmes cause any conflicts, or are these all safe to run in conjunction?
2. Re: browsers, what do you think of Google Chrome? I am considering trying it out, although I doubt I will prefer it to Firefox.
3. Is there a way that I can donate to this site or, if not, another site with which you are affiliated? I really appreciate your help.

Thanks again!

#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 15 August 2009 - 11:09 AM

1. Will the above protection programmes cause any conflicts, or are these all safe to run in conjunction?


That will do just fine.. If you wish to use a third party firewall, I suggest PC Tools Firewall Plus (since it's easy).. Link below..
http://www.pctools.com/firewall/

2. Re: browsers, what do you think of Google Chrome? I am considering trying it out, although I doubt I will prefer it to Firefox.


I use only Firefox and nothing else ;)

3. Is there a way that I can donate to this site or, if not, another site with which you are affiliated? I really appreciate your help.


You can pm Grinler about that.. He's the owner of this forum ;)

http://www.bleepingcomputer.com/forums/u/3/grinler/

Any more questions? :thumbup2:
