
antivirus system pro


This topic is locked
23 replies to this topic

#1 miztrniceguy

  • Members
  • 201 posts

Posted 22 September 2009 - 05:28 PM

I ran the DDS tool and RootRepeal, or rather I tried to, but they start and are interrupted. Same with Malwarebytes. SUPERAntiSpyware finds infections, but even when I keep running it and reboot, it still finds infections, and I keep getting false infections from the rogue program. Also tried to run HJT. The programs start then disappear.


Wife's Dell laptop, XP Pro SP2

Asus P8Z77-V motherboard, Intel i5-3570K unlocked Quad Core cpu, 16GB Corsair Vengeance 1866Mhz ram
CoolerMaster Hyper 212 EVO cpu cooler, Samsung 128GB SSD with Win7 Pro, WD 500GB drive for data
Asus DVD writer, Corsair 600W PSU

 




#2 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,210 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 22 September 2009 - 07:26 PM

Hi, miztrniceguy :(

Welcome.

Please follow these steps:

Step 1

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r


Step 2

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 miztrniceguy

  • Topic Starter

  • Members
  • 201 posts

Posted 22 September 2009 - 09:35 PM

OK, here's the Win32kDiag log... going to run ComboFix now.
--------------------------------------

Running from: C:\Documents and Settings\Lizzie\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Lizzie\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\CustomMarshalers

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\CustomMarshalers

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\mscorlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\mscorlib

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\System

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\System

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\System.Drawing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\System.Drawing

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\System.Windows.Forms

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\System.Windows.Forms

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA5.tmp\ZAPA5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA5.tmp\ZAPA5.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\inf\IEM\0409\0409

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\inf\IEM\0409\0409

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\Download

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\Download

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\SelfUpdate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\SelfUpdate

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Temp

Found mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Found mount point : C:\WINDOWS\twain_32\Dell\Dell

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\twain_32\Dell\Dell

Found mount point : C:\WINDOWS\WBEM\WBEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WBEM\WBEM

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

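The Win32kDiag output above shows two things a responder looks for: dozens of reparse points under C:\WINDOWS whose target is \Device\__max++>\^ rather than a real volume, and a live eventlog.dll whose size (61952) and empty company field differ from the C:\i386 copy (55808, Microsoft Corporation). The following Python is an added example, not code from the thread or from Win32kDiag, that pulls both signals out of a log excerpt; it assumes, as a heuristic of its own, that a legitimate mount point targets a \??\Volume{GUID}\ device.

```python
"""Triage of a Win32kDiag log excerpt (added example; not Win32kDiag's code).

Two signals from the log posted in this thread are extracted:
  1. mount points (NTFS reparse points) whose destination is not a volume;
  2. a system32 file whose size/company differ from its C:\\i386 copy.
"""
import re

# Constructed sample input: a short excerpt of the Win32kDiag.txt output
# posted above (only a few of the entries are reproduced).
SAMPLE_LOG = """\
Found mount point : C:\\WINDOWS\\addins\\addins

Mount point destination : \\Device\\__max++>\\^

Removing mount point : C:\\WINDOWS\\addins\\addins

Found mount point : C:\\WINDOWS\\CSC\\d1\\d1

Mount point destination : \\Device\\__max++>\\^

Removing mount point : C:\\WINDOWS\\CSC\\d1\\d1

Cannot access: C:\\WINDOWS\\system32\\eventlog.dll

[1] 2004-08-04 05:00:00 61952 C:\\WINDOWS\\system32\\eventlog.dll ()

[2] 2004-08-04 05:00:00 55808 C:\\WINDOWS\\system32\\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\\i386\\eventlog.dll (Microsoft Corporation)

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
FILE_RE = re.compile(
    r"^\[\d\] (?P<date>\S+ \S+) (?P<size>\d+) (?P<path>.+?) \((?P<company>.*)\)$"
)
# Heuristic (assumption of this example): a legitimate NTFS mount point
# resolves to a volume device such as \??\Volume{GUID}\; anything else,
# including the \Device\__max++>\^ target seen above, is suspicious.
VOLUME_DEST_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]+\}\\?$")


def suspicious_mount_points(log_text):
    """Return (path, destination) pairs whose destination is not a volume."""
    findings = []
    current = None
    for line in log_text.splitlines():
        m = MOUNT_RE.match(line)
        if m:
            current = m.group("path")
            continue
        m = DEST_RE.match(line)
        if m and current is not None:
            dest = m.group("dest")
            if not VOLUME_DEST_RE.match(dest):
                findings.append((current, dest))
            current = None
    return findings


def dll_mismatches(log_text):
    """Compare each system32 entry with the C:\\i386 install-source copy of
    the same file name. Returns {name: (live_size, live_company,
    backup_size, backup_company)} for files where either field differs."""
    live, backup = {}, {}
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1].lower()
        entry = (int(m.group("size")), m.group("company"))
        if "\\i386\\" in path.lower():
            backup[name] = entry
        elif "\\system32\\" in path.lower():
            live[name] = entry
    mismatches = {}
    for name, (lsize, lco) in live.items():
        if name in backup and backup[name] != (lsize, lco):
            bsize, bco = backup[name]
            mismatches[name] = (lsize, lco, bsize, bco)
    return mismatches


if __name__ == "__main__":
    for path, dest in suspicious_mount_points(SAMPLE_LOG):
        print("suspicious mount point: %s -> %s" % (path, dest))
    for name, (ls, lc, bs, bc) in dll_mismatches(SAMPLE_LOG).items():
        print("%s: live %d bytes (%r) vs i386 %d bytes (%r)" % (name, ls, lc, bs, bc))
```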

 


#4 miztrniceguy

  • Topic Starter

  • Members
  • 201 posts

Posted 22 September 2009 - 10:11 PM

here's the combofix log:
--------------------------------

ComboFix 09-09-22.02 - Lizzie 09/22/2009 21:58.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1607 [GMT -5:00]
Running from: c:\documents and settings\Lizzie\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ekorov.exe
c:\documents and settings\All Users\Application Data\salodafez.bat
c:\documents and settings\All Users\Application Data\ufihugi.vbs
c:\documents and settings\All Users\Documents\afovujuwa.bat
c:\documents and settings\All Users\Documents\gola.inf
c:\documents and settings\All Users\Documents\ticemob.inf
c:\documents and settings\Lizzie\Application Data\cusyhowela.inf
c:\documents and settings\Lizzie\Application Data\suxoxi.reg
c:\documents and settings\Lizzie\Application Data\uluzit.com
c:\documents and settings\Lizzie\Application Data\wudufukiva.vbs
c:\documents and settings\Lizzie\Application Data\xuruted._dl
c:\documents and settings\Lizzie\Application Data\zyfemosisu.sys
c:\documents and settings\Lizzie\Local Settings\Application Data\isyhi.com
c:\documents and settings\Lizzie\Local Settings\Application Data\tanuseton.exe
c:\documents and settings\Lizzie\Local Settings\Temporary Internet Files\cegegysizu.sys
c:\documents and settings\Lizzie\Local Settings\Temporary Internet Files\dekodazasu.bin
c:\documents and settings\Lizzie\Local Settings\Temporary Internet Files\dyjy.scr
c:\documents and settings\Lizzie\Local Settings\Temporary Internet Files\gatypotav.inf
c:\documents and settings\Lizzie\Local Settings\Temporary Internet Files\okodupagat.exe
c:\documents and settings\Lizzie\Local Settings\Temporary Internet Files\qicofo.exe
C:\pkusq.exe
c:\program files\\setup.exe
c:\program files\Common Files\ibobujesi._dl
c:\program files\Common Files\ilomykup.scr
c:\program files\Common Files\labixazic.vbs
c:\program files\Common Files\qisetu.dl
c:\program files\inyrcs
c:\program files\inyrcs\bovpsysguard.exe
c:\windows\anotopito.scr
c:\windows\boty.bin
c:\windows\guje.inf
c:\windows\ohyzekufuq.exe
c:\windows\run.log
c:\windows\sygu.dll
c:\windows\system32\amytugopi.dl
c:\windows\system32\cotufi.pif
c:\windows\system32\exyxyjo.dll
c:\windows\system32\felupyp.bin
c:\windows\system32\rubuxyry.dl
c:\windows\system32\wbem\proquota.exe
c:\windows\vyji.bat
C:\yhjj.exe
I:\install.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-09-23 03:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-23 00:41 . 2009-09-23 00:41 -------- d-----w- c:\program files\Alwil Software
2009-09-23 00:28 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-23 00:28 . 2009-09-23 00:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-23 00:28 . 2009-09-23 00:28 -------- d-----w- c:\program files\Lavasoft
2009-09-23 00:28 . 2009-09-23 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-22 22:26 . 2009-09-23 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 22:26 . 2009-09-23 00:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-22 21:49 . 2009-09-22 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-22 21:49 . 2009-09-22 21:49 -------- d-----w- c:\documents and settings\Lizzie\Application Data\SUPERAntiSpyware.com
2009-09-22 20:46 . 2009-09-22 20:46 19919 ----a-w- c:\windows\zibuzavu.dat
2009-09-22 20:46 . 2009-09-22 20:46 10911 ----a-w- c:\windows\nyjagage.com
2009-09-22 17:36 . 2009-09-22 17:36 12682 ----a-w- c:\windows\ykopa.dat
2009-09-22 16:22 . 2009-09-22 16:22 14336 ----a-w- C:\aoqwlrag.exe
2009-09-22 16:21 . 2009-09-22 16:22 29696 ----a-w- C:\cqfuy.exe
2009-09-22 15:56 . 2009-09-22 18:53 -------- d-----w- c:\program files\delete junk
2009-09-22 15:41 . 2009-09-22 15:41 94208 ----a-w- C:\flqihkhx.exe
2009-09-22 15:26 . 2009-09-23 02:45 0 ----a-r- c:\windows\win32k.sys
2009-09-22 15:26 . 2009-09-22 15:26 -------- d-----w- C:\spoolerlogs
2009-09-02 18:05 . 2009-09-02 18:05 392320 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-09-02 18:05 . 2009-09-02 18:05 32768 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-09-02 18:05 . 2009-09-02 18:05 114048 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-09-02 18:05 . 2009-09-02 18:05 -------- d-----w- c:\program files\Common Files\Acronis
2009-09-02 18:05 . 2009-09-02 18:05 -------- d-----w- c:\program files\Acronis
2009-09-02 17:25 . 2009-09-02 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-09-01 15:50 . 2009-09-02 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-09-01 15:50 . 2009-09-02 17:30 -------- d-----w- c:\program files\NCH Swift Sound
2009-09-01 15:50 . 2009-09-02 17:24 -------- d-----w- c:\documents and settings\Lizzie\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 02:48 . 2009-09-23 00:05 182384 ----a-w- c:\documents and settings\Lizzie\Application Data\lizkavd.exe
2009-09-23 02:06 . 2009-05-25 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-23 00:07 . 2008-09-15 00:18 -------- d-----w- c:\documents and settings\Lizzie\Application Data\Lavasoft
2009-09-22 18:44 . 2008-04-15 09:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-22 18:41 . 2008-10-13 22:00 -------- d--h--w- c:\program files\InstallJammer Registry
2009-09-22 18:41 . 2008-05-20 19:53 -------- d-----w- c:\program files\calibre
2009-09-22 18:02 . 2008-05-04 12:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-22 17:36 . 2009-09-22 17:36 15081 ----a-w- c:\program files\Common Files\yqiqedutop.lib
2009-09-22 17:36 . 2009-09-22 17:36 12027 ----a-w- c:\program files\Common Files\gibyda.lib
2009-09-22 15:41 . 2009-09-22 15:41 204288 ----a-w- c:\documents and settings\Lizzie\Application Data\svcst.exe
2009-09-22 15:41 . 2009-09-22 15:41 204288 ----a-w- c:\documents and settings\Lizzie\Application Data\seres.exe
2009-09-22 15:29 . 2008-04-15 09:00 61064 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 03:58 . 2008-04-15 08:32 65902 ----a-w- c:\windows\system32\nvModes.dat
2009-09-06 03:52 . 2008-05-26 04:01 -------- d-----w- c:\documents and settings\Lizzie\Application Data\AdobeUM
2009-08-30 14:38 . 2008-04-29 20:53 -------- d-----w- c:\program files\KeyNote
2009-08-23 15:40 . 2009-08-20 04:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\Namco Networks
2009-08-20 04:06 . 2009-08-20 04:06 -------- d-----w- c:\documents and settings\Lizzie\Application Data\Namco Networks
2009-08-20 04:05 . 2009-08-20 04:05 -------- d-----w- c:\program files\Namco
2009-08-18 15:33 . 2009-07-14 13:46 -------- d-----w- c:\documents and settings\Lizzie\Application Data\BitTorrent
2009-08-18 13:58 . 2009-05-25 22:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 13:58 . 2009-05-25 22:40 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 13:58 . 2008-04-29 20:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 11:58 . 2009-09-22 16:42 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-12 21:41 . 2009-07-10 17:13 50 ----a-w- c:\windows\system32\bridf08b.dat
2009-08-12 21:40 . 2009-07-10 17:13 -------- d-----w- c:\program files\Brother
2009-08-12 21:40 . 2008-04-15 08:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 21:26 . 2009-08-12 21:26 -------- d-----w- c:\program files\Nuance
2009-08-12 21:25 . 2009-08-12 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-08-12 21:25 . 2009-08-12 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-08-12 21:24 . 2009-08-12 21:24 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-08-12 21:24 . 2008-04-15 08:49 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-12 21:24 . 2009-08-12 21:24 -------- d-----w- c:\program files\ScanSoft
2009-08-03 03:58 . 2009-08-03 03:44 -------- d-----w- c:\program files\Email Extractor 2
2009-08-02 15:24 . 2009-08-02 15:24 -------- d-----w- c:\program files\TurboTax
2009-07-30 23:02 . 2009-02-21 01:00 -------- d-----w- c:\program files\7-Zip
2009-07-30 22:53 . 2008-06-25 16:48 -------- d-----w- c:\program files\Shorthand
2009-07-30 22:40 . 2009-04-03 14:14 -------- d-----w- c:\program files\OpenOffice.org 3
2009-07-28 13:56 . 2009-07-10 17:08 -------- d-----w- c:\program files\Quicken
2009-07-26 14:30 . 2008-10-13 22:00 -------- d-----w- c:\documents and settings\Lizzie\Application Data\calibre
2009-01-21 16:21 . 2009-01-21 16:21 128611035 ----a-w- c:\program files\openofficeorg1.cab
2009-01-21 16:14 . 2009-01-21 16:14 336 ----a-w- c:\program files\setup.ini
2009-01-21 16:14 . 2009-01-21 16:14 9780224 ----a-w- c:\program files\openofficeorg30.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
2008-07-16 05:31 . 2008-04-28 21:52 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-07-16 05:31 . 2008-04-28 21:52 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-07-16 05:31 . 2008-04-28 21:52 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-07-16 05:31 . 2008-04-28 21:52 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-07-16 05:31 . 2008-04-28 21:52 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mserv"="c:\documents and settings\Lizzie\Application Data\svcst.exe" [2009-09-22 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"svchost"="c:\documents and settings\Lizzie\Application Data\svcst.exe" [2009-09-22 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-29 8491008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2008-01-29 86016]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 13:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\eBookwise Librarian\\EBWLibrarian.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"83:TCP"= 83:TCP:Web Dictate Web Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/22/2009 7:28 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/25/2009 5:40 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/25/2009 5:40 PM 108552]
S1 SASDIFSV;SASDIFSV;\??\c:\superantispy\superantispyware\SASDIFSV.SYS --> c:\superantispy\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\superantispy\superantispyware\SASKUTIL.sys --> c:\superantispy\superantispyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S3 eBook;eBook;c:\windows\system32\drivers\eBook.sys [5/17/2008 11:14 PM 22072]
S3 SASENUM;SASENUM;\??\c:\superantispy\superantispyware\SASENUM.SYS --> c:\superantispy\superantispyware\SASENUM.SYS [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/25/2009 5:40 PM 297752]
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
FF - ProfilePath - c:\documents and settings\Lizzie\Application Data\Mozilla\Firefox\Profiles\yb1x7uhc.default\
FF - prefs.js: browser.startup.homepage - file:///F:/bookmarks/Bookmarks/bookmarks/index.htm
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EssentialPIM Pro Portable - f:\pimp\EssentialPIM.exe
HKCU-Run-SUPERAntiSpyware - c:\superantispy\superantispyware\SUPERANTISPYWARE.EXE
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
AddRemove-TreePadLite4 - g:\treepadlite4\uninstall.exe
AddRemove-TreePadPLUS - g:\treepadplus_7\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 22:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1128)
c:\windows\System32\BCMLogon.dll
c:\windows\System32\MSVCP71.dll

- - - - - - - > 'lsass.exe'(1192)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1972)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\netdde.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\documents and settings\Lizzie\Application Data\seres.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
.
**************************************************************************
.
Completion time: 2009-09-23 22:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-23 03:07

Pre-Run: 61,786,755,072 bytes free
Post-Run: 61,806,313,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

276


#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,210 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 22 September 2009 - 10:43 PM

Hi, miztrniceguy :(
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

http://www.bleepingcomputer.com/forums/ind...22&t=259574

Collect::[4]
c:\windows\zibuzavu.dat
c:\windows\nyjagage.com
c:\windows\ykopa.dat
C:\aoqwlrag.exe
C:\cqfuy.exe
C:\flqihkhx.exe
c:\windows\win32k.sys
c:\documents and settings\Lizzie\Application Data\lizkavd.exe
c:\program files\Common Files\yqiqedutop.lib
c:\program files\Common Files\gibyda.lib
c:\documents and settings\Lizzie\Application Data\svcst.exe
c:\documents and settings\Lizzie\Application Data\seres.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost"=-
"mserv"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=-

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Additionally, when CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please run the F-Secure Online Scanner

Note: You must use Internet Explorer for this scan!
  • Accept the License Agreement.
  • Once the ActiveX installs click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 miztrniceguy

miztrniceguy
  • Topic Starter

  • Members
  • 201 posts

Posted 22 September 2009 - 11:51 PM

Thanks for your help.... the false warnings have stopped!! ... progress!!!

New ComboFix log... and CF uploaded some files, too.

ComboFix 09-09-22.02 - Lizzie 09/22/2009 22:53.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1521 [GMT -5:00]
Running from: c:\documents and settings\Lizzie\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Lizzie\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: C:\aoqwlrag.exe
file zipped: C:\cqfuy.exe
file zipped: c:\documents and settings\Lizzie\Application Data\lizkavd.exe
file zipped: c:\documents and settings\Lizzie\Application Data\seres.exe
file zipped: c:\documents and settings\Lizzie\Application Data\svcst.exe
file zipped: C:\flqihkhx.exe
file zipped: c:\program files\Common Files\gibyda.lib
file zipped: c:\program files\Common Files\yqiqedutop.lib
file zipped: c:\windows\nyjagage.com
file zipped: c:\windows\win32k.sys
file zipped: c:\windows\ykopa.dat
file zipped: c:\windows\zibuzavu.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\aoqwlrag.exe
C:\cqfuy.exe
c:\documents and settings\All Users\Application Data\ufatukuva.dl
c:\documents and settings\All Users\Application Data\vysor.pif
c:\documents and settings\All Users\Documents\luvogu.pif
c:\documents and settings\All Users\Documents\rafof.bat
c:\documents and settings\Lizzie\Application Data\kefymiheg.exe
c:\documents and settings\Lizzie\Application Data\lizkavd.exe
c:\documents and settings\Lizzie\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Lizzie\Application Data\otunob.dll
c:\documents and settings\Lizzie\Application Data\seres.exe
c:\documents and settings\Lizzie\Application Data\svcst.exe
c:\documents and settings\Lizzie\Application Data\ynatob.bin
c:\documents and settings\Lizzie\Cookies\kewykuzyga.com
c:\documents and settings\Lizzie\Local Settings\Temporary Internet Files\ujadinu.inf
c:\documents and settings\Lizzie\Local Settings\Temporary Internet Files\usicavafeh.reg
c:\documents and settings\Lizzie\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Lizzie\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Lizzie\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
C:\flqihkhx.exe
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\adytag.bat
c:\program files\Common Files\bepubakeze.dll
c:\program files\Common Files\gibyda.lib
c:\program files\Common Files\ojil.dl
c:\program files\Common Files\wenitu.com
c:\program files\Common Files\yqiqedutop.lib
c:\windows\enodefevo.scr
c:\windows\nyjagage.com
c:\windows\system32\_scui.cpl
c:\windows\system32\avemib.dl
c:\windows\umijerewuk.inf
c:\windows\win32k.sys
c:\windows\ykopa.dat
c:\windows\ywojyr.bin
c:\windows\zibuzavu.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-09-23 03:07 . 2009-09-23 03:07 19165 ----a-w- c:\documents and settings\Lizzie\Local Settings\Application Data\petexozebe.dat
2009-09-23 03:07 . 2009-09-23 03:07 12858 ----a-w- c:\windows\axyfocas.dat
2009-09-23 03:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-23 00:41 . 2009-09-23 00:41 -------- d-----w- c:\program files\Alwil Software
2009-09-23 00:28 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-23 00:28 . 2009-09-23 00:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-23 00:28 . 2009-09-23 00:28 -------- d-----w- c:\program files\Lavasoft
2009-09-23 00:28 . 2009-09-23 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-22 22:26 . 2009-09-23 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 22:26 . 2009-09-23 00:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-22 21:49 . 2009-09-22 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-22 21:49 . 2009-09-22 21:49 -------- d-----w- c:\documents and settings\Lizzie\Application Data\SUPERAntiSpyware.com
2009-09-22 15:56 . 2009-09-22 18:53 -------- d-----w- c:\program files\delete junk
2009-09-22 15:26 . 2009-09-22 15:26 -------- d-----w- C:\spoolerlogs
2009-09-02 18:05 . 2009-09-02 18:05 392320 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-09-02 18:05 . 2009-09-02 18:05 32768 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-09-02 18:05 . 2009-09-02 18:05 114048 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-09-02 18:05 . 2009-09-02 18:05 -------- d-----w- c:\program files\Common Files\Acronis
2009-09-02 18:05 . 2009-09-02 18:05 -------- d-----w- c:\program files\Acronis
2009-09-02 17:25 . 2009-09-02 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-09-01 15:50 . 2009-09-02 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-09-01 15:50 . 2009-09-02 17:30 -------- d-----w- c:\program files\NCH Swift Sound
2009-09-01 15:50 . 2009-09-02 17:24 -------- d-----w- c:\documents and settings\Lizzie\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 03:07 . 2009-09-23 03:07 10871 ----a-w- c:\program files\Common Files\exisojo.lib
2009-09-23 02:06 . 2009-05-25 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-23 00:07 . 2008-09-15 00:18 -------- d-----w- c:\documents and settings\Lizzie\Application Data\Lavasoft
2009-09-22 18:44 . 2008-04-15 09:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-22 18:41 . 2008-10-13 22:00 -------- d--h--w- c:\program files\InstallJammer Registry
2009-09-22 18:41 . 2008-05-20 19:53 -------- d-----w- c:\program files\calibre
2009-09-22 18:02 . 2008-05-04 12:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-22 15:29 . 2008-04-15 09:00 61064 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 03:58 . 2008-04-15 08:32 65902 ----a-w- c:\windows\system32\nvModes.dat
2009-09-06 03:52 . 2008-05-26 04:01 -------- d-----w- c:\documents and settings\Lizzie\Application Data\AdobeUM
2009-08-30 14:38 . 2008-04-29 20:53 -------- d-----w- c:\program files\KeyNote
2009-08-23 15:40 . 2009-08-20 04:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\Namco Networks
2009-08-20 04:06 . 2009-08-20 04:06 -------- d-----w- c:\documents and settings\Lizzie\Application Data\Namco Networks
2009-08-20 04:05 . 2009-08-20 04:05 -------- d-----w- c:\program files\Namco
2009-08-18 15:33 . 2009-07-14 13:46 -------- d-----w- c:\documents and settings\Lizzie\Application Data\BitTorrent
2009-08-18 13:58 . 2009-05-25 22:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 13:58 . 2009-05-25 22:40 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 13:58 . 2008-04-29 20:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 11:58 . 2009-09-22 16:42 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-12 21:41 . 2009-07-10 17:13 50 ----a-w- c:\windows\system32\bridf08b.dat
2009-08-12 21:40 . 2009-07-10 17:13 -------- d-----w- c:\program files\Brother
2009-08-12 21:40 . 2008-04-15 08:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 21:26 . 2009-08-12 21:26 -------- d-----w- c:\program files\Nuance
2009-08-12 21:25 . 2009-08-12 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-08-12 21:25 . 2009-08-12 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-08-12 21:24 . 2009-08-12 21:24 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-08-12 21:24 . 2008-04-15 08:49 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-12 21:24 . 2009-08-12 21:24 -------- d-----w- c:\program files\ScanSoft
2009-08-03 03:58 . 2009-08-03 03:44 -------- d-----w- c:\program files\Email Extractor 2
2009-08-02 15:24 . 2009-08-02 15:24 -------- d-----w- c:\program files\TurboTax
2009-07-30 23:02 . 2009-02-21 01:00 -------- d-----w- c:\program files\7-Zip
2009-07-30 22:53 . 2008-06-25 16:48 -------- d-----w- c:\program files\Shorthand
2009-07-30 22:40 . 2009-04-03 14:14 -------- d-----w- c:\program files\OpenOffice.org 3
2009-07-28 13:56 . 2009-07-10 17:08 -------- d-----w- c:\program files\Quicken
2009-07-26 14:30 . 2008-10-13 22:00 -------- d-----w- c:\documents and settings\Lizzie\Application Data\calibre
2009-01-21 16:21 . 2009-01-21 16:21 128611035 ----a-w- c:\program files\openofficeorg1.cab
2009-01-21 16:14 . 2009-01-21 16:14 336 ----a-w- c:\program files\setup.ini
2009-01-21 16:14 . 2009-01-21 16:14 9780224 ----a-w- c:\program files\openofficeorg30.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
2008-07-16 05:31 . 2008-04-28 21:52 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-07-16 05:31 . 2008-04-28 21:52 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-07-16 05:31 . 2008-04-28 21:52 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-07-16 05:31 . 2008-04-28 21:52 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-07-16 05:31 . 2008-04-28 21:52 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-23_03.05.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-11 22:00 . 2009-09-23 03:09 71946 c:\windows\system32\perfc009.dat
- 2004-08-11 22:00 . 2009-09-23 02:55 71946 c:\windows\system32\perfc009.dat
+ 2004-08-11 22:00 . 2009-09-23 03:09 426068 c:\windows\system32\perfh009.dat
- 2004-08-11 22:00 . 2009-09-23 02:55 426068 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-29 8491008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2008-01-29 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 13:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\eBookwise Librarian\\EBWLibrarian.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"83:TCP"= 83:TCP:Web Dictate Web Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/22/2009 7:28 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/25/2009 5:40 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/25/2009 5:40 PM 108552]
S1 SASDIFSV;SASDIFSV;\??\c:\superantispy\superantispyware\SASDIFSV.SYS --> c:\superantispy\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\superantispy\superantispyware\SASKUTIL.sys --> c:\superantispy\superantispyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S3 eBook;eBook;c:\windows\system32\drivers\eBook.sys [5/17/2008 11:14 PM 22072]
S3 SASENUM;SASENUM;\??\c:\superantispy\superantispyware\SASENUM.SYS --> c:\superantispy\superantispyware\SASENUM.SYS [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/25/2009 5:40 PM 297752]
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
FF - ProfilePath - c:\documents and settings\Lizzie\Application Data\Mozilla\Firefox\Profiles\yb1x7uhc.default\
FF - prefs.js: browser.startup.homepage - file:///F:/bookmarks/Bookmarks/bookmarks/index.htm
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 22:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1128)
c:\windows\System32\BCMLogon.dll
c:\windows\System32\MSVCP71.dll

- - - - - - - > 'lsass.exe'(1192)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-09-23 22:57
ComboFix-quarantined-files.txt 2009-09-23 03:57
ComboFix2.txt 2009-09-23 03:07

Pre-Run: 61,789,716,480 bytes free
Post-Run: 61,749,374,976 bytes free

250
Upload was successful


-----------
hjtlog

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:57 PM, on 9/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\bcmwltry.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/smallbiz.del...amp;ibd=6080415
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - J:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - J:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - J:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6034 bytes
------------
f-secure log

Scanning Report
Tuesday, September 22, 2009 23:23:31 - 23:46:51

Computer name: ELIZABETH
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\ I:\
3 malware found
BehavesLike:Win32.Keylogger (spyware)

* System (Disinfected)

Trojan.Generic.2444734 (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP283\A0076097.DLL (Renamed & Submitted)

BehavesLike:Win32.Keylogger (virus)

* C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4 PROFESSIONAL\POPUPSTOPPER.EXE (Not cleaned)

Statistics
Scanned:

* Files: 41643
* System: 3226
* Not scanned: 14

Actions:

* Disinfected: 1
* Renamed: 1
* Deleted: 0
* Not cleaned: 1
* Submitted: 1

Files not scanned:

* C:\PAGEFILE.SYS
* C:\HIBERFIL.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP283\A0076083.EXE
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP283\A0076095.EXE
* C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
* C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
* C:\PROGRAM FILES\DELETE JUNK\MBAM.EXE
* C:\PROGRAM FILES\AVG\AVG8\AVGCSRVX.EXE
* C:\DOCUMENTS AND SETTINGS\LIZZIE\DESKTOP\ROOTREPEAL.EXE

Options
Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics


-----------
mbam log

Malwarebytes' Anti-Malware 1.41
Database version: 2847
Windows 5.1.2600 Service Pack 2

9/22/2009 11:10:04 PM
mbam-log-2009-09-22 (23-10-04).txt

Scan type: Quick Scan
Objects scanned: 99797
Time elapsed: 1 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
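The ComboFix log above still lists a few freshly written files with the same look as the ones the first script collected (petexozebe.dat, axyfocas.dat, exisojo.lib). The following is an added example, not code from this thread and not part of ComboFix: it parses lines in the "Files Created" / "Find3M" format shown above and scores each file on the signals those leftovers share, so a responder can shortlist candidates before deciding what to collect. The sample lines are constructed from this log; the score weights, threshold, folder list and extension list are my assumptions, not ComboFix rules.

```python
"""Score entries of a ComboFix "Files Created" / "Find3M" section for rogue-AV leftovers.

Added example for this thread; not the thread's own code and not part of ComboFix.
Signals (one point each): written fresh (created == modified), pseudo-random
lowercase name, dropped in a user-writable folder, component-style extension.
Weights, threshold and the folder/extension lists are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One entry as ComboFix prints it: "<created> . <modified> <size|--------> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# Pseudo-random stems in this log are 4-10 lowercase letters (zibuzavu, ykopa, axyfocas, exisojo).
RANDOM_STEM_RE = re.compile(r"^[a-z]{4,10}$")

# Extensions the rogue used for its components. ".sys" is deliberately absent so
# drivers written by legitimate installers (Acronis, MBAM) do not score on this test.
DROPPER_EXTS = {".dat", ".lib", ".bin", ".pif", ".dl", ".dll", ".com", ".scr",
                ".inf", ".reg", ".bat", ".exe", ".cpl"}

# Folders the components landed in (assumed list; lower-cased, no trailing slash).
DROP_DIRS_EXACT = {"c:\\", "c:\\windows", "c:\\program files\\common files"}
DROP_DIR_SUFFIXES = ("\\application data", "\\documents", "\\cookies",
                     "\\temporary internet files")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directory entries ("--------")
    attrs: str
    path: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for separators, headers and other noise."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def split_win(path: str):
    """Split a Windows path into (lower-cased folder, file name)."""
    folder, _, name = path.rpartition("\\")
    if folder.endswith(":"):      # "C:\x.exe" gives folder "C:"; normalise to "c:\"
        folder += "\\"
    return folder.lower(), name


def suspicion_score(e: Entry) -> int:
    """0-4: one point per signal. Directory entries never score."""
    if e.size is None or e.attrs.startswith("d"):
        return 0
    folder, name = split_win(e.path)
    stem, dot, ext = name.lower().rpartition(".")
    if not dot:                    # no extension at all
        stem, ext = name.lower(), ""
    else:
        ext = "." + ext
    score = 0
    if e.created == e.modified:    # written fresh, not an older file copied into place
        score += 1
    if RANDOM_STEM_RE.match(stem):
        score += 1
    if folder in DROP_DIRS_EXACT or folder.endswith(DROP_DIR_SUFFIXES):
        score += 1
    if ext in DROPPER_EXTS:
        score += 1
    return score


def triage(log_text: str, threshold: int = 3) -> List[str]:
    """Return the paths of all file entries scoring at or above the threshold."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is not None and suspicion_score(e) >= threshold:
            flagged.append(e.path)
    return flagged


# Constructed sample: lines taken from the log in this thread, plus benign ones for contrast.
SAMPLE_LOG = """\
2009-09-23 03:07 . 2009-09-23 03:07 19165 ----a-w- c:\\documents and settings\\Lizzie\\Local Settings\\Application Data\\petexozebe.dat
2009-09-23 03:07 . 2009-09-23 03:07 12858 ----a-w- c:\\windows\\axyfocas.dat
2009-09-23 03:01 . 2004-08-04 10:00 50176 ----a-w- c:\\windows\\system32\\proquota.exe
2009-09-23 00:41 . 2009-09-23 00:41 -------- d-----w- c:\\program files\\Alwil Software
2009-09-23 00:28 . 2009-07-03 14:49 64160 ----a-w- c:\\windows\\system32\\drivers\\Lbd.sys
2009-09-02 18:05 . 2009-09-02 18:05 392320 ----a-w- c:\\windows\\system32\\drivers\\timntr.sys
2009-09-23 03:07 . 2009-09-23 03:07 10871 ----a-w- c:\\program files\\Common Files\\exisojo.lib
"""

if __name__ == "__main__":
    for p in triage(SAMPLE_LOG):
        print("review:", p)
```

A shortlist like this is a starting point for a human check, not a verdict: proquota.exe scores on name and extension alone but is excluded because it was copied into place from a 2004 file rather than written fresh.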


#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,210 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 September 2009 - 05:34 AM

Hi, miztrniceguy :(
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

c:\windows\axyfocas.dat
c:\program files\Common Files\exisojo.lib


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 miztrniceguy (Topic Starter, Members, 201 posts)
Posted 23 September 2009 - 07:18 AM

OK, here it is... thanks again. By the way, ComboFix says AVG is running, but I can't seem to kill the process. I previously tried to uninstall it without success before we started working together.
----------------

ComboFix 09-09-22.02 - Lizzie 09/23/2009 7:09.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1613 [GMT -5:00]
Running from: c:\documents and settings\Lizzie\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Lizzie\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-09-23 04:23 . 2009-09-23 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-09-23 04:07 . 2009-09-23 04:07 -------- d-----w- c:\documents and settings\Lizzie\Application Data\Malwarebytes
2009-09-23 04:06 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 04:06 . 2009-09-23 04:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 04:06 . 2009-09-23 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-23 04:06 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-23 04:02 . 2009-09-23 04:02 -------- d-----w- c:\program files\Trend Micro
2009-09-23 03:07 . 2009-09-23 03:07 19165 ----a-w- c:\documents and settings\Lizzie\Local Settings\Application Data\petexozebe.dat
2009-09-23 03:07 . 2009-09-23 03:07 12858 ----a-w- c:\windows\axyfocas.dat
2009-09-23 03:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-23 00:41 . 2009-09-23 00:41 -------- d-----w- c:\program files\Alwil Software
2009-09-23 00:28 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-23 00:28 . 2009-09-23 00:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-23 00:28 . 2009-09-23 00:28 -------- d-----w- c:\program files\Lavasoft
2009-09-23 00:28 . 2009-09-23 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-22 22:26 . 2009-09-23 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 22:26 . 2009-09-23 00:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-22 21:49 . 2009-09-22 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-22 21:49 . 2009-09-22 21:49 -------- d-----w- c:\documents and settings\Lizzie\Application Data\SUPERAntiSpyware.com
2009-09-22 15:56 . 2009-09-22 18:53 -------- d-----w- c:\program files\delete junk
2009-09-22 15:26 . 2009-09-22 15:26 -------- d-----w- C:\spoolerlogs
2009-09-02 18:05 . 2009-09-02 18:05 392320 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-09-02 18:05 . 2009-09-02 18:05 32768 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-09-02 18:05 . 2009-09-02 18:05 114048 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-09-02 18:05 . 2009-09-02 18:05 -------- d-----w- c:\program files\Common Files\Acronis
2009-09-02 18:05 . 2009-09-02 18:05 -------- d-----w- c:\program files\Acronis
2009-09-02 17:25 . 2009-09-02 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-09-01 15:50 . 2009-09-02 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-09-01 15:50 . 2009-09-02 17:30 -------- d-----w- c:\program files\NCH Swift Sound
2009-09-01 15:50 . 2009-09-02 17:24 -------- d-----w- c:\documents and settings\Lizzie\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 03:07 . 2009-09-23 03:07 10871 ----a-w- c:\program files\Common Files\exisojo.lib
2009-09-23 02:06 . 2009-05-25 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-23 00:07 . 2008-09-15 00:18 -------- d-----w- c:\documents and settings\Lizzie\Application Data\Lavasoft
2009-09-22 18:44 . 2008-04-15 09:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-22 18:41 . 2008-10-13 22:00 -------- d--h--w- c:\program files\InstallJammer Registry
2009-09-22 18:41 . 2008-05-20 19:53 -------- d-----w- c:\program files\calibre
2009-09-22 18:02 . 2008-05-04 12:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-22 15:29 . 2008-04-15 09:00 61064 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 03:58 . 2008-04-15 08:32 65902 ----a-w- c:\windows\system32\nvModes.dat
2009-09-06 03:52 . 2008-05-26 04:01 -------- d-----w- c:\documents and settings\Lizzie\Application Data\AdobeUM
2009-08-30 14:38 . 2008-04-29 20:53 -------- d-----w- c:\program files\KeyNote
2009-08-23 15:40 . 2009-08-20 04:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\Namco Networks
2009-08-20 04:06 . 2009-08-20 04:06 -------- d-----w- c:\documents and settings\Lizzie\Application Data\Namco Networks
2009-08-20 04:05 . 2009-08-20 04:05 -------- d-----w- c:\program files\Namco
2009-08-18 15:33 . 2009-07-14 13:46 -------- d-----w- c:\documents and settings\Lizzie\Application Data\BitTorrent
2009-08-18 13:58 . 2009-05-25 22:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 13:58 . 2009-05-25 22:40 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 13:58 . 2008-04-29 20:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 11:58 . 2009-09-22 16:42 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-12 21:41 . 2009-07-10 17:13 50 ----a-w- c:\windows\system32\bridf08b.dat
2009-08-12 21:40 . 2009-07-10 17:13 -------- d-----w- c:\program files\Brother
2009-08-12 21:40 . 2008-04-15 08:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 21:26 . 2009-08-12 21:26 -------- d-----w- c:\program files\Nuance
2009-08-12 21:25 . 2009-08-12 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-08-12 21:25 . 2009-08-12 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-08-12 21:24 . 2009-08-12 21:24 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-08-12 21:24 . 2008-04-15 08:49 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-12 21:24 . 2009-08-12 21:24 -------- d-----w- c:\program files\ScanSoft
2009-08-03 03:58 . 2009-08-03 03:44 -------- d-----w- c:\program files\Email Extractor 2
2009-08-02 15:24 . 2009-08-02 15:24 -------- d-----w- c:\program files\TurboTax
2009-07-30 23:02 . 2009-02-21 01:00 -------- d-----w- c:\program files\7-Zip
2009-07-30 22:53 . 2008-06-25 16:48 -------- d-----w- c:\program files\Shorthand
2009-07-30 22:40 . 2009-04-03 14:14 -------- d-----w- c:\program files\OpenOffice.org 3
2009-07-28 13:56 . 2009-07-10 17:08 -------- d-----w- c:\program files\Quicken
2009-07-26 14:30 . 2008-10-13 22:00 -------- d-----w- c:\documents and settings\Lizzie\Application Data\calibre
2009-01-21 16:21 . 2009-01-21 16:21 128611035 ----a-w- c:\program files\openofficeorg1.cab
2009-01-21 16:14 . 2009-01-21 16:14 336 ----a-w- c:\program files\setup.ini
2009-01-21 16:14 . 2009-01-21 16:14 9780224 ----a-w- c:\program files\openofficeorg30.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
2008-07-16 05:31 . 2008-04-28 21:52 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-07-16 05:31 . 2008-04-28 21:52 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-07-16 05:31 . 2008-04-28 21:52 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-07-16 05:31 . 2008-04-28 21:52 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-07-16 05:31 . 2008-04-28 21:52 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-23_03.05.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-11 22:00 . 2009-09-23 12:08 71946 c:\windows\system32\perfc009.dat
- 2004-08-11 22:00 . 2009-09-23 02:55 71946 c:\windows\system32\perfc009.dat
+ 2004-08-11 22:00 . 2009-09-23 12:08 426068 c:\windows\system32\perfh009.dat
- 2004-08-11 22:00 . 2009-09-23 02:55 426068 c:\windows\system32\perfh009.dat
+ 2009-07-10 15:39 . 2009-07-10 15:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"EssentialPIM Pro Portable"="f:\pimp\EssentialPIM.exe" [BU]
"SUPERAntiSpyware"="c:\superantispy\superantispyware\SUPERANTISPYWARE.EXE" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-29 8491008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2008-01-29 86016]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 13:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\eBookwise Librarian\\EBWLibrarian.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"83:TCP"= 83:TCP:Web Dictate Web Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/22/2009 7:28 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/25/2009 5:40 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/25/2009 5:40 PM 108552]
S1 SASDIFSV;SASDIFSV;\??\c:\superantispy\superantispyware\SASDIFSV.SYS --> c:\superantispy\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\superantispy\superantispyware\SASKUTIL.sys --> c:\superantispy\superantispyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S3 eBook;eBook;c:\windows\system32\drivers\eBook.sys [5/17/2008 11:14 PM 22072]
S3 SASENUM;SASENUM;\??\c:\superantispy\superantispyware\SASENUM.SYS --> c:\superantispy\superantispyware\SASENUM.SYS [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/25/2009 5:40 PM 297752]
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
FF - ProfilePath - c:\documents and settings\Lizzie\Application Data\Mozilla\Firefox\Profiles\yb1x7uhc.default\
FF - prefs.js: browser.startup.homepage - file:///F:/bookmarks/Bookmarks/bookmarks/index.htm
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-mserv - c:\documents and settings\Lizzie\Application Data\svcst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-23 07:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\System32\BCMLogon.dll
c:\windows\System32\MSVCP71.dll

- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2864)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-23 7:14
ComboFix-quarantined-files.txt 2009-09-23 12:14
ComboFix2.txt 2009-09-23 03:58
ComboFix3.txt 2009-09-23 03:07

Pre-Run: 61,462,687,744 bytes free
Post-Run: 61,732,634,624 bytes free

205



#9 JSntgRvr (Master Surgeon General, Malware Response Team, 11,210 posts, Puerto Rico)
Posted 23 September 2009 - 08:20 AM

The script was not effective. Please re-create the CFScript.txt once again. Drag and drop the file into Combofix and post the export.



#10 miztrniceguy (Topic Starter, Members, 201 posts)
Posted 23 September 2009 - 08:29 AM

I will do it again... do you think AVG could be interfering?



#11 JSntgRvr (Master Surgeon General, Malware Response Team, 11,210 posts, Puerto Rico)
Posted 23 September 2009 - 08:35 AM

> I will do it again... do you think AVG could be interfering?

It shouldn't. If this time around the files are not removed, we can always try manually.



#12 miztrniceguy (Topic Starter, Members, 201 posts)
Posted 23 September 2009 - 08:48 AM

OK, it's scanning, and I will post as soon as it's done. I noticed MBAM has a tool to delete locked files... that might work to delete the rest of AVG. I don't know why it doesn't show in Task Manager as a running process.



#13 miztrniceguy (Topic Starter, Members, 201 posts)
Posted 23 September 2009 - 08:50 AM

Here's the log.

ComboFix 09-09-22.02 - Lizzie 09/23/2009 8:44.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1563 [GMT -5:00]
Running from: c:\documents and settings\Lizzie\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Lizzie\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-09-23 04:23 . 2009-09-23 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-09-23 04:07 . 2009-09-23 04:07 -------- d-----w- c:\documents and settings\Lizzie\Application Data\Malwarebytes
2009-09-23 04:06 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 04:06 . 2009-09-23 04:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 04:06 . 2009-09-23 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-23 04:06 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-23 04:02 . 2009-09-23 04:02 -------- d-----w- c:\program files\Trend Micro
2009-09-23 03:07 . 2009-09-23 03:07 19165 ----a-w- c:\documents and settings\Lizzie\Local Settings\Application Data\petexozebe.dat
2009-09-23 03:07 . 2009-09-23 03:07 12858 ----a-w- c:\windows\axyfocas.dat
2009-09-23 03:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-23 00:41 . 2009-09-23 00:41 -------- d-----w- c:\program files\Alwil Software
2009-09-23 00:28 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-23 00:28 . 2009-09-23 00:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-23 00:28 . 2009-09-23 00:28 -------- d-----w- c:\program files\Lavasoft
2009-09-23 00:28 . 2009-09-23 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-22 22:26 . 2009-09-23 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 22:26 . 2009-09-23 00:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-22 21:49 . 2009-09-22 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-22 21:49 . 2009-09-22 21:49 -------- d-----w- c:\documents and settings\Lizzie\Application Data\SUPERAntiSpyware.com
2009-09-22 15:56 . 2009-09-22 18:53 -------- d-----w- c:\program files\delete junk
2009-09-22 15:26 . 2009-09-22 15:26 -------- d-----w- C:\spoolerlogs
2009-09-02 18:05 . 2009-09-02 18:05 392320 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-09-02 18:05 . 2009-09-02 18:05 32768 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-09-02 18:05 . 2009-09-02 18:05 114048 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-09-02 18:05 . 2009-09-02 18:05 -------- d-----w- c:\program files\Common Files\Acronis
2009-09-02 18:05 . 2009-09-02 18:05 -------- d-----w- c:\program files\Acronis
2009-09-02 17:25 . 2009-09-02 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-09-01 15:50 . 2009-09-02 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-09-01 15:50 . 2009-09-02 17:30 -------- d-----w- c:\program files\NCH Swift Sound
2009-09-01 15:50 . 2009-09-02 17:24 -------- d-----w- c:\documents and settings\Lizzie\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 03:07 . 2009-09-23 03:07 10871 ----a-w- c:\program files\Common Files\exisojo.lib
2009-09-23 02:06 . 2009-05-25 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-23 00:07 . 2008-09-15 00:18 -------- d-----w- c:\documents and settings\Lizzie\Application Data\Lavasoft
2009-09-22 18:44 . 2008-04-15 09:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-22 18:41 . 2008-10-13 22:00 -------- d--h--w- c:\program files\InstallJammer Registry
2009-09-22 18:41 . 2008-05-20 19:53 -------- d-----w- c:\program files\calibre
2009-09-22 18:02 . 2008-05-04 12:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-22 15:29 . 2008-04-15 09:00 61064 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 03:58 . 2008-04-15 08:32 65902 ----a-w- c:\windows\system32\nvModes.dat
2009-09-06 03:52 . 2008-05-26 04:01 -------- d-----w- c:\documents and settings\Lizzie\Application Data\AdobeUM
2009-08-30 14:38 . 2008-04-29 20:53 -------- d-----w- c:\program files\KeyNote
2009-08-23 15:40 . 2009-08-20 04:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\Namco Networks
2009-08-20 04:06 . 2009-08-20 04:06 -------- d-----w- c:\documents and settings\Lizzie\Application Data\Namco Networks
2009-08-20 04:05 . 2009-08-20 04:05 -------- d-----w- c:\program files\Namco
2009-08-18 15:33 . 2009-07-14 13:46 -------- d-----w- c:\documents and settings\Lizzie\Application Data\BitTorrent
2009-08-18 13:58 . 2009-05-25 22:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 13:58 . 2009-05-25 22:40 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 13:58 . 2008-04-29 20:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 11:58 . 2009-09-22 16:42 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-12 21:41 . 2009-07-10 17:13 50 ----a-w- c:\windows\system32\bridf08b.dat
2009-08-12 21:40 . 2009-07-10 17:13 -------- d-----w- c:\program files\Brother
2009-08-12 21:40 . 2008-04-15 08:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 21:26 . 2009-08-12 21:26 -------- d-----w- c:\program files\Nuance
2009-08-12 21:25 . 2009-08-12 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-08-12 21:25 . 2009-08-12 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-08-12 21:24 . 2009-08-12 21:24 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-08-12 21:24 . 2008-04-15 08:49 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-12 21:24 . 2009-08-12 21:24 -------- d-----w- c:\program files\ScanSoft
2009-08-03 03:58 . 2009-08-03 03:44 -------- d-----w- c:\program files\Email Extractor 2
2009-08-02 15:24 . 2009-08-02 15:24 -------- d-----w- c:\program files\TurboTax
2009-07-30 23:02 . 2009-02-21 01:00 -------- d-----w- c:\program files\7-Zip
2009-07-30 22:53 . 2008-06-25 16:48 -------- d-----w- c:\program files\Shorthand
2009-07-30 22:40 . 2009-04-03 14:14 -------- d-----w- c:\program files\OpenOffice.org 3
2009-07-28 13:56 . 2009-07-10 17:08 -------- d-----w- c:\program files\Quicken
2009-07-26 14:30 . 2008-10-13 22:00 -------- d-----w- c:\documents and settings\Lizzie\Application Data\calibre
2009-01-21 16:21 . 2009-01-21 16:21 128611035 ----a-w- c:\program files\openofficeorg1.cab
2009-01-21 16:14 . 2009-01-21 16:14 336 ----a-w- c:\program files\setup.ini
2009-01-21 16:14 . 2009-01-21 16:14 9780224 ----a-w- c:\program files\openofficeorg30.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
2008-07-16 05:31 . 2008-04-28 21:52 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-07-16 05:31 . 2008-04-28 21:52 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-07-16 05:31 . 2008-04-28 21:52 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-07-16 05:31 . 2008-04-28 21:52 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-07-16 05:31 . 2008-04-28 21:52 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-23_03.05.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-11 22:00 . 2009-09-23 12:08 71946 c:\windows\system32\perfc009.dat
- 2004-08-11 22:00 . 2009-09-23 02:55 71946 c:\windows\system32\perfc009.dat
+ 2004-08-11 22:00 . 2009-09-23 12:08 426068 c:\windows\system32\perfh009.dat
- 2004-08-11 22:00 . 2009-09-23 02:55 426068 c:\windows\system32\perfh009.dat
+ 2009-07-10 15:39 . 2009-07-10 15:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"EssentialPIM Pro Portable"="f:\pimp\EssentialPIM.exe" [BU]
"SUPERAntiSpyware"="c:\superantispy\superantispyware\SUPERANTISPYWARE.EXE" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-29 8491008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2008-01-29 86016]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 13:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\eBookwise Librarian\\EBWLibrarian.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"83:TCP"= 83:TCP:Web Dictate Web Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/22/2009 7:28 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/25/2009 5:40 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/25/2009 5:40 PM 108552]
S1 SASDIFSV;SASDIFSV;\??\c:\superantispy\superantispyware\SASDIFSV.SYS --> c:\superantispy\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\superantispy\superantispyware\SASKUTIL.sys --> c:\superantispy\superantispyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S3 eBook;eBook;c:\windows\system32\drivers\eBook.sys [5/17/2008 11:14 PM 22072]
S3 SASENUM;SASENUM;\??\c:\superantispy\superantispyware\SASENUM.SYS --> c:\superantispy\superantispyware\SASENUM.SYS [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/25/2009 5:40 PM 297752]
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
FF - ProfilePath - c:\documents and settings\Lizzie\Application Data\Mozilla\Firefox\Profiles\yb1x7uhc.default\
FF - prefs.js: browser.startup.homepage - file:///F:/bookmarks/Bookmarks/bookmarks/index.htm
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-23 08:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\System32\BCMLogon.dll
c:\windows\System32\MSVCP71.dll

- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3376)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-23 8:48
ComboFix-quarantined-files.txt 2009-09-23 13:48
ComboFix2.txt 2009-09-23 12:14
ComboFix3.txt 2009-09-23 03:58
ComboFix4.txt 2009-09-23 03:07

Pre-Run: 61,739,253,760 bytes free
Post-Run: 61,726,326,784 bytes free

204

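Added example, not part of the original thread and not ComboFix's or the Malware Response Team's own code: the helper concluded in post #9 that the script "was not effective" by seeing that both CFScript targets still appear in the post-run logs of posts #8 and #13. The Python below does that check mechanically against an excerpt of the post #13 log (lines copied from above and embedded so it runs offline), and adds a second triage step the thread does not perform: pivoting on the creation minute of a known-bad file to find other files dropped at the same time. In this log, petexozebe.dat carries the same 03:07 creation stamp as both targets, which makes it worth a look even though nobody in the thread named it. The log line format and the CFScript body come from the posted logs; the function names and the same-minute heuristic are my own choices.

```python
"""Check a ComboFix log against a CFScript target list and pivot on creation time.

Added example for this thread; it is not ComboFix code and not the helper's method.
"""
import re
from datetime import datetime

# Constructed excerpt: file lines copied from the post #13 ComboFix log above,
# embedded so the example runs offline. A real run would read the full log file.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.
2009-09-23 04:07 . 2009-09-23 04:07 -------- d-----w- c:\documents and settings\Lizzie\Application Data\Malwarebytes
2009-09-23 03:07 . 2009-09-23 03:07 19165 ----a-w- c:\documents and settings\Lizzie\Local Settings\Application Data\petexozebe.dat
2009-09-23 03:07 . 2009-09-23 03:07 12858 ----a-w- c:\windows\axyfocas.dat
2009-09-23 03:01 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 03:07 . 2009-09-23 03:07 10871 ----a-w- c:\program files\Common Files\exisojo.lib
2009-08-18 13:58 . 2009-05-25 22:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
.
"""

# Constructed: the CFScript.txt body from post #7.
CFSCRIPT = r"""
c:\windows\axyfocas.dat
c:\program files\Common Files\exisojo.lib
"""

# One file/directory line: "<created> . <modified> <size|--------> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+?)\s*$"
)


def parse_entries(log_text):
    """Parse the file/directory lines of the 'Files Created' and 'Find3M' sections.

    Paths are lower-cased because NTFS paths are case-insensitive and the log
    mixes cases ('Common Files' in the script, 'common files' elsewhere).
    """
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section banners, '.' separators, blank lines
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"].lower(),
        })
    return entries


def script_targets(script_text):
    """Paths listed in a CFScript body, one per line, normalised like the log."""
    return [t.strip().lower() for t in script_text.splitlines() if t.strip()]


def targets_still_present(log_text, script_text):
    """CFScript targets that still appear in the post-run log.

    This is the check behind the verdict 'The script was not effective'.
    """
    listed = {e["path"] for e in parse_entries(log_text)}
    return [t for t in script_targets(script_text) if t in listed]


def created_in_same_minute(log_text, reference_path):
    """Files (not directories) whose creation stamp matches reference_path's.

    Rogue installers tend to drop their components within seconds of each
    other, so a known-bad file's creation minute is a cheap pivot for siblings
    the removal script missed. ComboFix logs minute resolution only, so expect
    some unrelated neighbours on a busy system; treat hits as leads, not verdicts.
    """
    entries = parse_entries(log_text)
    ref = reference_path.lower()
    stamps = {e["created"] for e in entries if e["path"] == ref}
    if not stamps:
        return []
    return sorted(
        e["path"] for e in entries
        if e["created"] in stamps and not e["is_dir"] and e["path"] != ref
    )


if __name__ == "__main__":
    for t in targets_still_present(COMBOFIX_LOG, CFSCRIPT):
        print("still present after the script ran:", t)
    for t in script_targets(CFSCRIPT):
        for sibling in created_in_same_minute(COMBOFIX_LOG, t):
            print(f"created in the same minute as {t}: {sibling}")
```

Run stand-alone it reports both targets as still present and lists petexozebe.dat and the other target as same-minute siblings of axyfocas.dat. In a real case feed it the whole log text and the script you actually ran; the same-minute matches are review candidates for the next script or manual deletion, not proof of infection.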

 


#14 JSntgRvr (Master Surgeon General, Malware Response Team, 11,210 posts, Puerto Rico)
Posted 23 September 2009 - 09:03 AM

Hi, miztrniceguy :(

Let's try manually:


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

c:\windows\axyfocas.dat
c:\program files\Common Files\exisojo.lib


Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now copy and paste "c:\documents and settings\Lizzie\Desktop\Combo-Fix.exe" /u in the runbox (including the quotation marks) and click OK. Note the space between the " and the /u, it needs to be there.

Any other tool used can be removed manually.

Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
How is the computer doing?

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 miztrniceguy

miztrniceguy
  • Topic Starter

  • Members
  • 201 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 23 September 2009 - 10:17 AM

ok, deleted all the logs and files etc. per your previous instructions. all is going well.

i am getting an sql error on startup...something about not being able to find a file, otherwise no sign of infection!! i plan to install fresh copies of malwarebytes and avast on the computer and superantispyware. any other recommendations?

i will restart and see if i get the sql error and post back with more info.

Thanks again for all your help.
