
Infected with unknown virus/malware blocking scans and updates


  • This topic is locked
20 replies to this topic

#1 helilarry

  • Members
  • 21 posts

Posted 19 September 2009 - 08:53 PM

Hello! Thanks in advance for taking the time to listen to my problem.

This all started when I received an email from my ISP giving a 1st Abuse warning that one of our devices was "...sending out spam attached emails.." so I began ensuring all PCs were up-to-date with windows updates and virus scans. When I attempted a Windows Update on this PC I received the error "Cannot display the page" after hitting either the "Express" or "Custom" button on the update site.

AVG and Spybot S&D did not find anything during scans. I then downloaded and attempted to run Malwarebytes Anti-Malware, which was going fine until the system rebooted itself halfway through. I now get a "Run-time error '0'" when I attempt to run Malwarebytes. I have followed the instructions on your site and unfortunately have not been able to get RootRepeal to run. When it starts, a screen saying "Initializing please wait.." comes up and stays up (I have tried overnight and for an hour). Task Manager reveals RootRepeal is using a constant 50% of CPU.

Thanks for your help I look forward to hearing from you -larry :(
__________________________________________________________________


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 0:24:01.39 on Sun 20/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1149 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SkyTel.EXE
C:\Program Files\SOUNDGRAPH\iMON\iMON.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\DVICO\FusionHDTV\FusionHdtvTray.exe
C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Genie-Soft\GBMLite7\GBMAgent.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DVICO\FusionHDTV\ResManager.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://au.tv.yahoo.com/tv-guide/index.html?hour=13&min=27&date=06&mon=05&year=2007&tvrg=101
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [GBMLite7Agent] c:\program files\genie-soft\gbmlite7\GBMAgent.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [iMON] c:\program files\soundgraph\imon\iMON.exe /startup
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [GBMLite7Agent] c:\program files\genie-soft\gbmlite7\GBMAgent.exe
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [FusionTrayAgent] c:\program files\dvico\fusionhdtv\FusionHdtvTray.exe
mRun: [FusionRemote] c:\program files\dvico\fusionhdtv\remote\FusionRc.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compro~1.lnk - c:\program files\common files\videomate\ComproSchedulerDTV.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179713641343
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\28a4qe9j.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2007-10-2 9344]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2005-5-5 10368]
R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2007-4-23 14592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-26 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-6-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-26 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-26 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-26 297752]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-16 34064]
R3 AvsBluebird;FusionHDTV USB, AVStream Capture;c:\windows\system32\drivers\bluebird2.sys [2007-6-12 360704]
S1 c23199bd;c23199bd;c:\windows\system32\drivers\c23199bd.sys [2009-8-24 0]
S2 cx88xbar;FusionHDTV 88x, Crossbar;c:\windows\system32\drivers\zl88xbar.sys --> c:\windows\system32\drivers\zl88xbar.sys [?]
S2 Zulu88Ts;FusionHDTV 88x, Transport Stream Capture (ATSC-A);c:\windows\system32\drivers\zl88tcap.sys --> c:\windows\system32\drivers\zl88tcap.sys [?]
S2 Zulu88Vid;FusionHDTV 88x, Video Capture;c:\windows\system32\drivers\zl88vcap.sys --> c:\windows\system32\drivers\zl88vcap.sys [?]
S3 CXAVSAUD;FusionHDTV 880, Audio Capture;c:\windows\system32\drivers\zl88aud.sys --> c:\windows\system32\drivers\zl88aud.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-19 38224]
S3 Memctl;Memctl;c:\program files\abit\blackbox\MEMCTL.SYS [2007-4-23 4047]
S3 VMHybrid;VMHybrid service;c:\windows\system32\drivers\VMHybrid.sys [2007-5-21 994304]

=============== Created Last 30 ================

2009-09-19 15:15 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-19 15:15 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 15:15 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-19 15:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 15:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-24 18:30 <DIR> --d----- c:\program files\WinPcap
2009-08-24 18:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\11695784
2009-08-24 18:27 0 a------- c:\windows\system32\drivers\c23199bd.sys
2009-08-23 03:03 <DIR> --d----- C:\a8dbb0bc92db2e73c6
2009-08-23 03:03 <DIR> --d----- c:\windows\SxsCaPendDel

==================== Find3M ====================

2009-08-22 19:00 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-22 19:00 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-05 19:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-18 04:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-27 02:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-27 02:18 81,920 a------- c:\windows\system32\ieencode.dll
2007-12-04 13:42 1,565,715 a------- c:\program files\36 Peninsula paving 003.jpg
2007-05-23 05:06 1,440,857 a------- c:\program files\4 wd weeeknd away with Rubicon 022.jpg
2003-12-19 22:36 40,960 a------- c:\program files\Uninstall_CDS.exe
2003-11-01 17:56 762,172 a------- c:\program files\103_0346.JPG

============= FINISH: 0:24:24.34 ===============

Sorry, I forgot a chain of events that happened prior to this, which is most likely where the problem started and, from my small knowledge base gained from your site, most likely involves a rootkit. The PC did become infected with a Rogue, I think it might have been called "Total Security". I googled it and I did not appear to have all the files that should have come with it, but deleted the ones I could find, which I think was only two. It never came up again so I thought it was gone. :(
-larry

Merged posts. ~ OB

Edited by Orange Blossom, 20 September 2009 - 10:40 PM.
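The log above is where a helper does the actual reading, and two sections carry most of the signal: SERVICES / DRIVERS (is every registered driver image present, of a sane size, with a descriptive name?) and Created Last 30 (what else appeared on the day an odd file did?). As an added example that is not part of this thread and not code from the DDS tool, here is a small Python parser that does that first pass. The sample lines are copied from Larry's log (backslashes restored); the "eight hex digits, no description" check is my own triage heuristic, not a DDS rule, and a hit only means "look closer". Note that ComboFix later removed the WinPcap files created on the same day as the flagged driver; the script surfaces that coincidence, the decision to remove was the helper's.

```python
import re

# Sample input: SERVICES / DRIVERS lines copied from the DDS log in this thread.
SERVICE_LINES = [
    r"R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2007-10-2 9344]",
    r"R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-16 34064]",
    r"S1 c23199bd;c23199bd;c:\windows\system32\drivers\c23199bd.sys [2009-8-24 0]",
    r"S2 cx88xbar;FusionHDTV 88x, Crossbar;c:\windows\system32\drivers\zl88xbar.sys --> c:\windows\system32\drivers\zl88xbar.sys [?]",
    r"S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-19 38224]",
]
# Sample input: Created Last 30 lines from the same log.
CREATED_LINES = [
    r"2009-09-19 15:15 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes",
    r"2009-08-24 18:30 <DIR> --d----- c:\program files\WinPcap",
    r"2009-08-24 18:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\11695784",
    r"2009-08-24 18:27 0 a------- c:\windows\system32\drivers\c23199bd.sys",
    r"2009-08-23 03:03 <DIR> --d----- C:\a8dbb0bc92db2e73c6",
]

# DDS prefix: R = running, S = stopped; the digit is the Windows start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled). Fields are ';'-separated.
HEADER = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
PRESENT = re.compile(r"^(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
MISSING = re.compile(r"^(?P<path>.+?)\s+-->\s+(?P<resolved>.+?)\s+\[\?\]$")
CREATED = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+(?P<size>\S+)\s+(?P<attr>\S+)\s+(?P<path>.+)$")
# Heuristic (my assumption, not a DDS rule): a service named by eight hex digits
# whose display name is the same string has no vendor behind it worth checking.
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")


def _iso(date):
    """Normalize '2009-8-24' (services) and '2009-08-24' (created) to one form."""
    y, m, d = (int(x) for x in date.split("-"))
    return f"{y:04d}-{m:02d}-{d:02d}"


def parse_service_line(line):
    """Split one SERVICES / DRIVERS line into fields; None if the line is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    entry = {"state": m["state"], "name": m["name"], "display": m["display"],
             "path": None, "date": None, "size": None, "missing": False}
    rest = m["rest"]
    if (p := PRESENT.match(rest)):
        entry.update(path=p["path"], date=_iso(p["date"]), size=int(p["size"]))
    elif (q := MISSING.match(rest)):
        # DDS writes 'recorded --> resolved [?]' when the image is not on disk.
        entry.update(path=q["resolved"], missing=True)
    else:
        entry["path"] = rest
    return entry


def triage(entry):
    """Return the reasons a helper would look twice at this entry (may be empty)."""
    flags = []
    if entry["missing"]:
        flags.append("image file not found")
    if entry["size"] == 0:
        flags.append("zero-byte image")
    if HEX_NAME.match(entry["name"].lower()) and entry["display"] == entry["name"]:
        flags.append("8-hex-digit name with no description")
    return flags


def review(service_lines):
    """Map service name -> flags for every entry that raised at least one flag."""
    findings = {}
    for line in service_lines:
        entry = parse_service_line(line)
        if entry and (flags := triage(entry)):
            findings[entry["name"]] = flags
    return findings


def same_day_activity(created_lines, date):
    """Paths from 'Created Last 30' written on the given ISO date (YYYY-MM-DD)."""
    return [m["path"] for m in map(CREATED.match, created_lines) if m and m["date"] == date]


if __name__ == "__main__":
    for name, flags in review(SERVICE_LINES).items():
        print(f"{name}: {', '.join(flags)}")
    # Pivot from the odd driver's creation date to whatever else appeared that day.
    driver = parse_service_line(SERVICE_LINES[2])
    for path in same_day_activity(CREATED_LINES, driver["date"]):
        print("  created same day:", path)
```

Missing Fusion HDTV driver files like `zl88xbar.sys` show how much noise the "not found" check produces on a machine with half-uninstalled hardware software, which is why the output is a list of reasons to look rather than a verdict; the same-day pivot is what turns one odd driver into a cluster worth asking the user about.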


#2 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 06 October 2009 - 08:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home

Posted 14 October 2009 - 12:44 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
_temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#4 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home

Posted 26 October 2009 - 08:54 AM

Hi,

please provide a new log as indicated by blade. :(

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 helilarry
  • Topic Starter

  • Members
  • 21 posts

Posted 01 November 2009 - 10:09 PM

Thanks for reopening the topic, I was on holidays when the first response was sent.

Here is a current DDS and zip attached. Malwarebytes still won't run.

Thanks

Larry

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 14:01:30.57 on Mon 02/11/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1098 [GMT 11:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SkyTel.EXE
C:\Program Files\SOUNDGRAPH\iMON\iMON.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Genie-Soft\GBMLite7\GBMAgent.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\DVICO\FusionHDTV\FusionHdtvTray.exe
C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DVICO\FusionHDTV\ResManager.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://au.tv.yahoo.com/tv-guide/index.html?hour=13&min=27&date=06&mon=05&year=2007&tvrg=101
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [GBMLite7Agent] c:\program files\genie-soft\gbmlite7\GBMAgent.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [iMON] c:\program files\soundgraph\imon\iMON.exe /startup
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [GBMLite7Agent] c:\program files\genie-soft\gbmlite7\GBMAgent.exe
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [FusionTrayAgent] c:\program files\dvico\fusionhdtv\FusionHdtvTray.exe
mRun: [FusionRemote] c:\program files\dvico\fusionhdtv\remote\FusionRc.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compro~1.lnk - c:\program files\common files\videomate\ComproSchedulerDTV.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179713641343
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\28a4qe9j.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2007-10-3 9344]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2005-5-5 10368]
R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2007-4-23 14592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-26 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-26 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-26 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-26 297752]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-16 34064]
R3 AvsBluebird;FusionHDTV USB, AVStream Capture;c:\windows\system32\drivers\bluebird2.sys [2007-6-12 360704]
S1 c23199bd;c23199bd;c:\windows\system32\drivers\c23199bd.sys [2009-8-24 0]
S2 cx88xbar;FusionHDTV 88x, Crossbar;c:\windows\system32\drivers\zl88xbar.sys --> c:\windows\system32\drivers\zl88xbar.sys [?]
S2 Zulu88Ts;FusionHDTV 88x, Transport Stream Capture (ATSC-A);c:\windows\system32\drivers\zl88tcap.sys --> c:\windows\system32\drivers\zl88tcap.sys [?]
S2 Zulu88Vid;FusionHDTV 88x, Video Capture;c:\windows\system32\drivers\zl88vcap.sys --> c:\windows\system32\drivers\zl88vcap.sys [?]
S3 CXAVSAUD;FusionHDTV 880, Audio Capture;c:\windows\system32\drivers\zl88aud.sys --> c:\windows\system32\drivers\zl88aud.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-19 38224]
S3 Memctl;Memctl;c:\program files\abit\blackbox\MEMCTL.SYS [2007-4-23 4047]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 VMHybrid;VMHybrid service;c:\windows\system32\drivers\VMHybrid.sys [2007-5-21 994304]

=============== Created Last 30 ================


==================== Find3M ====================

2009-09-12 04:56:35 0 ----a-w- c:\windows\system32\drivers\c23199bd.sys
2009-09-10 04:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 04:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-22 09:00:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-05 09:11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2007-12-04 03:42:58 1565715 ----a-w- c:\program files\36 Peninsula paving 003.jpg
2007-05-22 19:06:06 1440857 ----a-w- c:\program files\4 wd weeeknd away with Rubicon 022.jpg
2003-12-19 12:36:56 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2003-11-01 07:56:54 762172 ----a-w- c:\program files\103_0346.JPG

============= FINISH: 14:02:00.19 ===============


#6 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 04 November 2009 - 04:55 AM

Hi Larry,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 helilarry
  • Topic Starter
  • Members
  • 21 posts

Posted 05 November 2009 - 08:16 PM

Hi Blade81

Thanks for your help. ComboFix then DDS reports follow. Both files attached.

Thanks
Larry

ComboFix 09-11-05.01 - Owner 06/11/2009 11:36.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1498 [GMT 11:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\wiaserva.log
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_npf
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 00:43 . 2007-04-29 06:27 -------- d-----w- c:\documents and settings\Owner\Application Data\SOUNDGRAPH
2009-11-06 00:43 . 2007-06-30 15:31 -------- d-----w- c:\program files\Steam
2009-11-02 03:41 . 2007-10-08 10:35 -------- d-----w- c:\program files\OziExplorer
2009-09-19 05:26 . 2007-10-04 14:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-19 05:15 . 2009-09-19 05:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-19 05:15 . 2009-09-19 05:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 05:15 . 2009-09-19 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-12 04:56 . 2009-08-24 08:27 0 ----a-w- c:\windows\system32\drivers\c23199bd.sys
2009-09-10 04:54 . 2009-09-19 05:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 04:53 . 2009-09-19 05:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-22 17:16 . 2007-04-29 06:28 27024 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 09:00 . 2009-03-26 11:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-22 09:00 . 2009-03-26 11:28 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-22 09:00 . 2007-06-12 08:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 07:51 . 2009-08-16 07:51 0 ----a-w- c:\windows\nsreg.dat
2007-12-04 03:42 . 2008-02-09 07:20 1565715 ----a-w- c:\program files\36 Peninsula paving 003.jpg
2007-05-22 19:06 . 2008-02-09 05:17 1440857 ----a-w- c:\program files\4 wd weeeknd away with Rubicon 022.jpg
2003-12-19 12:36 . 2007-10-02 13:46 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2003-11-01 07:56 . 2008-02-09 05:00 762172 ----a-w- c:\program files\103_0346.JPG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2009-11-06 1217808]
"GBMLite7Agent"="c:\program files\Genie-Soft\GBMLite7\GBMAgent.exe" [2007-02-27 204800]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-31 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-04-25 385024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"iMON"="c:\program files\SOUNDGRAPH\iMON\iMON.exe" [2007-05-04 2179072]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"GBMLite7Agent"="c:\program files\Genie-Soft\GBMLite7\GBMAgent.exe" [2007-02-27 204800]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"FusionTrayAgent"="c:\program files\DVICO\FusionHDTV\FusionHdtvTray.exe" [2008-08-05 1828352]
"FusionRemote"="c:\program files\DVICO\FusionHDTV\Remote\FusionRc.exe" [2007-12-21 2670592]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-02-21 282624]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-22 2007832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-04 16206848]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-04-24 1448960]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-09 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-22 09:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\FlightGear\\bin\\win32\\fgfs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/10/2007 12:47 AM 9344]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [5/05/2005 2:00 AM 10368]
R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [23/04/2007 4:29 PM 14592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/03/2009 10:28 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26/03/2009 10:28 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [26/03/2009 10:28 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [26/03/2009 10:28 PM 297752]
R3 AvsBluebird;FusionHDTV USB, AVStream Capture;c:\windows\system32\drivers\bluebird2.sys [12/06/2007 3:45 PM 360704]
S1 c23199bd;c23199bd;c:\windows\system32\drivers\c23199bd.sys [24/08/2009 7:27 PM 0]
S2 cx88xbar;FusionHDTV 88x, Crossbar;c:\windows\system32\drivers\zl88xbar.sys --> c:\windows\system32\drivers\zl88xbar.sys [?]
S2 Zulu88Ts;FusionHDTV 88x, Transport Stream Capture (ATSC-A);c:\windows\system32\drivers\zl88tcap.sys --> c:\windows\system32\drivers\zl88tcap.sys [?]
S2 Zulu88Vid;FusionHDTV 88x, Video Capture;c:\windows\system32\drivers\zl88vcap.sys --> c:\windows\system32\drivers\zl88vcap.sys [?]
S3 CXAVSAUD;FusionHDTV 880, Audio Capture;c:\windows\system32\drivers\zl88aud.sys --> c:\windows\system32\drivers\zl88aud.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [19/09/2009 4:15 PM 38224]
S3 VMHybrid;VMHybrid service;c:\windows\system32\drivers\VMHybrid.sys [21/05/2007 1:20 PM 994304]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-25 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-08-24 05:31]

2009-10-25 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-08-24 05:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://au.tv.yahoo.com/tv-guide/index.html?hour=13&min=27&date=06&mon=05&year=2007&tvrg=101
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\28a4qe9j.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 11:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2516)
c:\program files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ATKKBService.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\DVICO\FusionHDTV\ResManager.exe
c:\windows\system32\RAMASST.exe
.
**************************************************************************
.
Completion time: 2009-11-06 11:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 00:48

Pre-Run: 7,203,696,640 bytes free
Post-Run: 7,249,903,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 14AB2EAF907FB802A3F79D8EC04A7228






DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 12:08:40.79 on Fri 06/11/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1298 [GMT 11:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SkyTel.EXE
C:\Program Files\SOUNDGRAPH\iMON\iMON.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Genie-Soft\GBMLite7\GBMAgent.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\DVICO\FusionHDTV\FusionHdtvTray.exe
C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\DVICO\FusionHDTV\ResManager.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://au.tv.yahoo.com/tv-guide/index.html?hour=13&min=27&date=06&mon=05&year=2007&tvrg=101
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [GBMLite7Agent] c:\program files\genie-soft\gbmlite7\GBMAgent.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [iMON] c:\program files\soundgraph\imon\iMON.exe /startup
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [GBMLite7Agent] c:\program files\genie-soft\gbmlite7\GBMAgent.exe
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [FusionTrayAgent] c:\program files\dvico\fusionhdtv\FusionHdtvTray.exe
mRun: [FusionRemote] c:\program files\dvico\fusionhdtv\remote\FusionRc.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compro~1.lnk - c:\program files\common files\videomate\ComproSchedulerDTV.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179713641343
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\28a4qe9j.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2007-10-3 9344]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2005-5-5 10368]
R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2007-4-23 14592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-26 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-26 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-26 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-26 297752]
R3 AvsBluebird;FusionHDTV USB, AVStream Capture;c:\windows\system32\drivers\bluebird2.sys [2007-6-12 360704]
S1 c23199bd;c23199bd;c:\windows\system32\drivers\c23199bd.sys [2009-8-24 0]
S2 cx88xbar;FusionHDTV 88x, Crossbar;c:\windows\system32\drivers\zl88xbar.sys --> c:\windows\system32\drivers\zl88xbar.sys [?]
S2 Zulu88Ts;FusionHDTV 88x, Transport Stream Capture (ATSC-A);c:\windows\system32\drivers\zl88tcap.sys --> c:\windows\system32\drivers\zl88tcap.sys [?]
S2 Zulu88Vid;FusionHDTV 88x, Video Capture;c:\windows\system32\drivers\zl88vcap.sys --> c:\windows\system32\drivers\zl88vcap.sys [?]
S3 CXAVSAUD;FusionHDTV 880, Audio Capture;c:\windows\system32\drivers\zl88aud.sys --> c:\windows\system32\drivers\zl88aud.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-19 38224]
S3 Memctl;Memctl;c:\program files\abit\blackbox\MEMCTL.SYS [2007-4-23 4047]
S3 VMHybrid;VMHybrid service;c:\windows\system32\drivers\VMHybrid.sys [2007-5-21 994304]

=============== Created Last 30 ================

2009-11-06 00:33:03 0 d-sha-r- C:\cmdcons
2009-11-06 00:31:52 98816 ----a-w- c:\windows\sed.exe
2009-11-06 00:31:52 77312 ----a-w- c:\windows\MBR.exe
2009-11-06 00:31:52 267264 ----a-w- c:\windows\PEV.exe
2009-11-06 00:31:52 161792 ----a-w- c:\windows\SWREG.exe
2009-11-06 00:31:46 0 d-----w- C:\ComboFix

==================== Find3M ====================

2009-09-12 04:56:35 0 ----a-w- c:\windows\system32\drivers\c23199bd.sys
2009-09-10 04:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 04:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-22 09:00:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2007-12-04 03:42:58 1565715 ----a-w- c:\program files\36 Peninsula paving 003.jpg
2007-05-22 19:06:06 1440857 ----a-w- c:\program files\4 wd weeeknd away with Rubicon 022.jpg
2003-12-19 12:36:56 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2003-11-01 07:56:54 762172 ----a-w- c:\program files\103_0346.JPG

============= FINISH: 12:08:55.75 ===============




#8 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 06 November 2009 - 01:04 AM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/258841/infected-with-unknown-virusmalware-blocking-scans-and-updates/?p=1487522
Driver::
c23199bd
Collect::
c:\windows\system32\drivers\c23199bd.sys


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Do you use Acrobat 5 for other purposes than converting files to pdfs?


Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


* Go here to run an online scanner from ESET.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

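As an added example (not part of this thread, and not DDS or ComboFix code), here is a small Python triage script that parses lines in the DDS "SERVICES / DRIVERS" format shown in the logs above and flags the pattern the CFScript in this post acts on: a driver with a random-looking hex name and a zero-byte image file registered at system start. The heuristics are my own assumptions, not logic from either tool; the sample log is an excerpt of the DDS output posted earlier in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape of a DDS "SERVICES / DRIVERS" line (as seen in the logs in this thread):
#   <start> <name>;<display name>;<image path> [<date> <size>]
#   <start> <name>;<display name>;<image path> --> <resolved path> [?]   (file not found on disk)
DDS_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+"            # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);"                 # service/driver key name
    r"(?P<display>[^;]*);"              # display name (may contain spaces and commas)
    r"(?P<path>.+?)"                    # image path
    r"(?:\s+-->\s+(?P<resolved>.+?))?"  # optional "--> path" printed when DDS could not stat the file
    r"\s+\[(?P<tail>[^\]]*)\]\s*$"      # "[date size]" or "[?]"
)

# Start types 0 (boot) and 1 (system) load before most user-mode security tools.
EARLY_START = {"0", "1"}


@dataclass
class DriverEntry:
    start: str            # e.g. "S1", "R0"
    name: str
    display: str
    path: str
    size: Optional[int]   # None when DDS printed "[?]"
    file_found: bool


def parse_dds_driver_line(line: str) -> Optional[DriverEntry]:
    """Parse one SERVICES / DRIVERS line; return None for lines that are not driver entries."""
    m = DDS_LINE.match(line.strip())
    if not m:
        return None
    tail = m.group("tail").strip()
    found = tail != "?"
    size: Optional[int] = None
    if found:
        last = tail.split()[-1]
        if last.isdigit():
            size = int(last)
    return DriverEntry(
        start=m.group("start"),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        path=m.group("path").strip(),
        size=size,
        file_found=found,
    )


def assess(entry: DriverEntry) -> List[str]:
    """Return reasons this entry deserves a closer look (assumed heuristics, not DDS logic)."""
    reasons: List[str] = []
    is_sys = entry.path.lower().endswith(".sys")
    # 1. A zero-byte kernel driver cannot be a real driver image; a rootkit that hides
    #    its on-disk file often appears this way in a user-mode listing.
    if is_sys and entry.size == 0:
        reasons.append("zero-byte driver image on disk")
    # 2. Vendor drivers carry a descriptive display name; an 8-hex-digit key whose
    #    display name is the same string is typical of a generated name.
    if re.fullmatch(r"[0-9a-f]{8}", entry.name.lower()) and entry.name == entry.display:
        reasons.append("random-looking hex name with no descriptive display name")
    # 3. Boot/system start raises the impact of either finding above.
    if reasons and entry.start[1] in EARLY_START:
        reasons.append(f"loads at start type {entry.start[1]} (before most security tools)")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Scan a DDS log and return (driver name, reasons) for every entry with a finding."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        entry = parse_dds_driver_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append((entry.name, reasons))
    return findings


# Excerpt of the DDS log posted above in this thread (no constructed entries).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2007-10-3 9344]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-26 335240]
S1 c23199bd;c23199bd;c:\windows\system32\drivers\c23199bd.sys [2009-8-24 0]
S2 cx88xbar;FusionHDTV 88x, Crossbar;c:\windows\system32\drivers\zl88xbar.sys --> c:\windows\system32\drivers\zl88xbar.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-19 38224]
S3 Memctl;Memctl;c:\program files\abit\blackbox\MEMCTL.SYS [2007-4-23 4047]
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"{name}: " + "; ".join(reasons))
```

Entries that DDS prints with "--> path [?]" (file missing, such as the leftover FusionHDTV drivers) are parsed but not flagged by themselves, since a dangling service entry is common after an incomplete uninstall.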


#9 helilarry
  • Topic Starter
  • Members
  • 21 posts

Posted 08 November 2009 - 02:39 AM

Hi Blade81

3 logs as requested

Thanks
Larry

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 18:29:43.50 on Sun 08/11/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1305 [GMT 11:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SkyTel.EXE
C:\Program Files\SOUNDGRAPH\iMON\iMON.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Genie-Soft\GBMLite7\GBMAgent.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\DllHost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Owner\Desktop\dds(3).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://au.tv.yahoo.com/tv-guide/index.html?hour=13&min=27&date=06&mon=05&year=2007&tvrg=101
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [GBMLite7Agent] c:\program files\genie-soft\gbmlite7\GBMAgent.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [iMON] c:\program files\soundgraph\imon\iMON.exe /startup
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [GBMLite7Agent] c:\program files\genie-soft\gbmlite7\GBMAgent.exe
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [FusionTrayAgent] c:\program files\dvico\fusionhdtv\FusionHdtvTray.exe
mRun: [FusionRemote] c:\program files\dvico\fusionhdtv\remote\FusionRc.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compro~1.lnk - c:\program files\common files\videomate\ComproSchedulerDTV.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179713641343
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\28a4qe9j.default\
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\28a4qe9j.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2007-10-3 9344]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2005-5-5 10368]
R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2007-4-23 14592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-26 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-26 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-26 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-26 297752]
R3 AvsBluebird;FusionHDTV USB, AVStream Capture;c:\windows\system32\drivers\bluebird2.sys [2007-6-12 360704]
S2 cx88xbar;FusionHDTV 88x, Crossbar;c:\windows\system32\drivers\zl88xbar.sys --> c:\windows\system32\drivers\zl88xbar.sys [?]
S2 Zulu88Ts;FusionHDTV 88x, Transport Stream Capture (ATSC-A);c:\windows\system32\drivers\zl88tcap.sys --> c:\windows\system32\drivers\zl88tcap.sys [?]
S2 Zulu88Vid;FusionHDTV 88x, Video Capture;c:\windows\system32\drivers\zl88vcap.sys --> c:\windows\system32\drivers\zl88vcap.sys [?]
S3 CXAVSAUD;FusionHDTV 880, Audio Capture;c:\windows\system32\drivers\zl88aud.sys --> c:\windows\system32\drivers\zl88aud.sys [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-19 38224]
S3 Memctl;Memctl;c:\program files\abit\blackbox\MEMCTL.SYS [2007-4-23 4047]
S3 VMHybrid;VMHybrid service;c:\windows\system32\drivers\VMHybrid.sys [2007-5-21 994304]

=============== Created Last 30 ================

2009-11-08 06:10:50 0 d-----w- c:\program files\ESET
2009-11-08 05:32:04 0 d-----w- C:\ComboFix
2009-11-06 00:33:03 0 d-sha-r- C:\cmdcons
2009-11-06 00:31:52 98816 ----a-w- c:\windows\sed.exe
2009-11-06 00:31:52 77312 ----a-w- c:\windows\MBR.exe
2009-11-06 00:31:52 267264 ----a-w- c:\windows\PEV.exe
2009-11-06 00:31:52 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2009-09-10 04:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 04:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-22 09:00:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2007-12-04 03:42:58 1565715 ----a-w- c:\program files\36 Peninsula paving 003.jpg
2007-05-22 19:06:06 1440857 ----a-w- c:\program files\4 wd weeeknd away with Rubicon 022.jpg
2003-12-19 12:36:56 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2003-11-01 07:56:54 762172 ----a-w- c:\program files\103_0346.JPG

============= FINISH: 18:29:57.06 ===============



ComboFix 09-11-07.02 - Owner 08/11/2009 16:33.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1262 [GMT 11:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\drivers\c23199bd.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\c23199bd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_npf
-------\Service_c23199bd


((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 05:44 . 2007-06-30 15:31 -------- d-----w- c:\program files\Steam
2009-11-08 05:44 . 2007-04-29 06:27 -------- d-----w- c:\documents and settings\Owner\Application Data\SOUNDGRAPH
2009-11-02 03:41 . 2007-10-08 10:35 -------- d-----w- c:\program files\OziExplorer
2009-09-19 05:26 . 2007-10-04 14:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-19 05:15 . 2009-09-19 05:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-19 05:15 . 2009-09-19 05:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 05:15 . 2009-09-19 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-10 04:54 . 2009-09-19 05:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 04:53 . 2009-09-19 05:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-22 17:16 . 2007-04-29 06:28 27024 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 09:00 . 2009-03-26 11:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-22 09:00 . 2009-03-26 11:28 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-22 09:00 . 2007-06-12 08:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 07:51 . 2009-08-16 07:51 0 ----a-w- c:\windows\nsreg.dat
2007-12-04 03:42 . 2008-02-09 07:20 1565715 ----a-w- c:\program files\36 Peninsula paving 003.jpg
2007-05-22 19:06 . 2008-02-09 05:17 1440857 ----a-w- c:\program files\4 wd weeeknd away with Rubicon 022.jpg
2003-12-19 12:36 . 2007-10-02 13:46 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2003-11-01 07:56 . 2008-02-09 05:00 762172 ----a-w- c:\program files\103_0346.JPG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2009-11-06 1217808]
"GBMLite7Agent"="c:\program files\Genie-Soft\GBMLite7\GBMAgent.exe" [2007-02-27 204800]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-31 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-04-25 385024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"iMON"="c:\program files\SOUNDGRAPH\iMON\iMON.exe" [2007-05-04 2179072]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"GBMLite7Agent"="c:\program files\Genie-Soft\GBMLite7\GBMAgent.exe" [2007-02-27 204800]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"FusionTrayAgent"="c:\program files\DVICO\FusionHDTV\FusionHdtvTray.exe" [2008-08-05 1828352]
"FusionRemote"="c:\program files\DVICO\FusionHDTV\Remote\FusionRc.exe" [2007-12-21 2670592]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-02-21 282624]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-22 2007832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-04 16206848]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-04-24 1448960]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-09 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-22 09:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\FlightGear\\bin\\win32\\fgfs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/10/2007 12:47 AM 9344]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [5/05/2005 2:00 AM 10368]
R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [23/04/2007 4:29 PM 14592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/03/2009 10:28 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26/03/2009 10:28 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [26/03/2009 10:28 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [26/03/2009 10:28 PM 297752]
R3 AvsBluebird;FusionHDTV USB, AVStream Capture;c:\windows\system32\drivers\bluebird2.sys [12/06/2007 3:45 PM 360704]
S2 cx88xbar;FusionHDTV 88x, Crossbar;c:\windows\system32\drivers\zl88xbar.sys --> c:\windows\system32\drivers\zl88xbar.sys [?]
S2 Zulu88Ts;FusionHDTV 88x, Transport Stream Capture (ATSC-A);c:\windows\system32\drivers\zl88tcap.sys --> c:\windows\system32\drivers\zl88tcap.sys [?]
S2 Zulu88Vid;FusionHDTV 88x, Video Capture;c:\windows\system32\drivers\zl88vcap.sys --> c:\windows\system32\drivers\zl88vcap.sys [?]
S3 CXAVSAUD;FusionHDTV 880, Audio Capture;c:\windows\system32\drivers\zl88aud.sys --> c:\windows\system32\drivers\zl88aud.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [19/09/2009 4:15 PM 38224]
S3 VMHybrid;VMHybrid service;c:\windows\system32\drivers\VMHybrid.sys [21/05/2007 1:20 PM 994304]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-25 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-08-24 05:31]

2009-10-25 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-08-24 05:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://au.tv.yahoo.com/tv-guide/index.html?hour=13&min=27&date=06&mon=05&year=2007&tvrg=101
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\28a4qe9j.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3436)
c:\program files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ATKKBService.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\RAMASST.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-11-08 16:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-08 05:47
ComboFix2.txt 2009-11-06 00:48

Pre-Run: 7,182,577,664 bytes free
Post-Run: 7,135,739,904 bytes free

- - End Of File - - 22952537AE2800B91F390179A62AC1DF

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=734ec9bd3c5cdd46a9bc521ee63b3205
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-08 06:59:21
# local_time=2009-11-08 05:59:21 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777175 100 0 19594101 19594101 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=83499
# found=1
# cleaned=0
# scan_time=2544
C:\Documents and Settings\Owner\Desktop\Nero 7 Premium Reloaded 7.10.1.0_eng (+keygen)\Nero-7.10.1.0_eng_trial_wch.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:02:33 PM

Posted 08 November 2009 - 08:15 AM

Hi,

Look for a zip file whose name begins with [4]-Submit in the c:\qoobox\quarantine folder and upload it here.

Kindly include a link to this topic in the message.


Delete following folder:
C:\Documents and Settings\Owner\Desktop\Nero 7 Premium Reloaded 7.10.1.0_eng (+keygen)

Since it seems your Nero 7 Premium is being used illegally, I have to ask you to uninstall it. We don't support cracks and piracy here. There are good free options, like ImgBurn, if commercial ones are too expensive to buy.


Also, you didn't answer this yet:

Do you use Acrobat 5 for other purposes than converting files to pdfs?


Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#11 helilarry

helilarry
  • Topic Starter

  • Members
  • 21 posts
  • Local time:09:33 PM

Posted 08 November 2009 - 08:44 PM

Hi Blade81

I have uploaded the Qoobox file where you requested.

Nero 7 has been deleted. I have other burning software that came with the drive, and I will try your freeware suggestion, thanks.

I have no idea what Acrobat 5 was used for. I don't convert anything to PDFs, only read them, so I only require a reader.

Thanks
Larry

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:02:33 PM

Posted 09 November 2009 - 12:56 AM

Ok. I recommend uninstalling Acrobat 5 then, since it's badly outdated and puts your system at risk of getting infected. How's the system running now? Any symptoms left?


#13 helilarry

helilarry
  • Topic Starter

  • Members
  • 21 posts
  • Local time:09:33 PM

Posted 09 November 2009 - 02:05 AM

I have removed Acrobat 5. Still can't perform Windows updates. After updating the installer I get:

Cannot display the page
The Web page you are trying to view cannot be displayed. It could be that the page is no longer available, or that the Web site is currently offline. Please try again later, or try another page.

Larry

#14 helilarry

helilarry
  • Topic Starter

  • Members
  • 21 posts
  • Local time:09:33 PM

Posted 09 November 2009 - 02:08 AM

Hang on. I tried it in another window and it appears to be working. I will update then try to run malwarebytes.

Thanks
Larry

#15 helilarry

helilarry
  • Topic Starter

  • Members
  • 21 posts
  • Local time:09:33 PM

Posted 09 November 2009 - 02:15 AM

Hi Blade81

When I click on "I accept" to install SP3, it goes straight to a screen that says "Not installed: Service Pack 3". Any ideas why that may be?

Thanks
Larry
