Slow, removed some malware, still slow and HJT list shows additional items.


  • This topic is locked
20 replies to this topic

#1 SS369


Posted 29 October 2009 - 10:24 AM

Hello Good People,

I come for help. My PC has dramatically slowed down, not only in web browsing (Firefox) but in general operations.
I've completed a virus scan; no virus found.
Spybot S&D found a few items, which I chose to have it fix.
Ad-Aware found a few and I had it fix them.
I have checked all that I know to check in my operating system, XP, and cannot determine what is out of line.

The change of speed (lack of) now is imperceptible and I would love some help, please.
I'll post the DDS log file here and await your suggestions.

The RootRepeal application took 15 minutes to initialize and then gave me error warnings, and so the report is unavailable at this time.

Thank you in advance.

SS


DDS (Ver_09-10-26.01) - NTFSx86
Run by Scott at 10:51:23.25 on Thu 10/29/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.25 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Scott\Desktop\HIJACKTHIS\NEWPrograms\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = www.yahoo.com
mSearch Page = hxxp://www.google.com
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Update Service] "c:\program files\common files\teknum systems\update.exe" /startup
uRun: [RealPlayer] "c:\program files\real\realplayer\realplay.exe" /RunUPGToolCommandReBoot
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [PestPatrol Control Center] c:\progra~1\pestpa~1\PPControl.exe
mRun: [PPMemCheck] c:\progra~1\pestpa~1\PPMemCheck.exe
mRun: [CookiePatrol] c:\progra~1\pestpa~1\CookiePatrol.exe
mRun: [EmsaBandwidthMonitor] c:\documents and settings\scott\my documents\2transfer\!!! 2burn !!!\apps\bandwidthmonitoremsafreewareunzipped\bandwidthmonitor\BandwidthMonitor.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download Flash with Flash Capture - c:\program files\flash capture\dl.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - hxxp://www.bitdefender.com/scan/Msie/bitdefender.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.1421180556
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\1id3iffm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

============= SERVICES / DRIVERS ===============

R? getPlus® Helper;getPlus® Helper
R? hrxkafoa;hrxkafoa
R? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
R? N;N
R? NeroRegInCDSrv;Nero Registry InCD Service
R? NPF;NetGroup Packet Filter Driver
S? avg8emc;AVG8 E-mail Scanner
S? avg8wd;AVG8 WatchDog
S? AvgLdx86;AVG AVI Loader Driver x86
S? AvgTdiX;AVG8 Network Redirector
S? Lbd;Lbd
S? nltdi;nltdi
S? TomTomHOMEService;TomTomHOMEService

=============== Created Last 30 ================


==================== Find3M ====================

2009-09-21 23:32:32 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-17 14:49:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2001-08-23 19:00:00 66048 ----a-w- c:\program files\Notepad.exe
2005-05-13 22:12:00 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 16:13:58 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 02:27:00 422400 --sha-r- c:\windows\x2.64.exe
2005-10-08 02:14:52 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 19:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2007-02-22 15:52:07 966709 --sh--w- c:\windows\system32\aycdd.bak1
2005-06-26 22:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 04:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-20 17:04:37 966547 --sh--w- c:\windows\system32\prutv.bak1
2006-04-27 17:24:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 20:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

============= FINISH: 10:54:32.90 ===============


#2 Blade81

Malware Response Team

Posted 04 November 2009 - 01:02 PM

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
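The indicators behind an assessment like the one above sit in the DDS report posted earlier in the thread. As an added example (not code from the thread, from the DDS tool or from BleepingComputer), the Python script below parses a handful of lines copied from that report and flags three things a responder looks for: an executable appended to the Winlogon Userinit value beyond the single userinit.exe that Windows XP itself writes there (a hijacked Userinit is a common persistence spot for backdoor trojans), services whose display name merely repeats an undescriptive internal name, and hidden+system files in system32 with an extension Windows does not give its own binaries. The length thresholds in check_service and the extension allowlist in check_find3m are my assumptions; the service check is a triage heuristic, not a verdict.

```python
"""Triage a DDS 'Pseudo HJT Report' for common persistence indicators.

Added example; not part of the thread or of the DDS tool. The sample lines
below are copied from the DDS report posted in the thread and embedded inline.
"""
import re

# Constructed sample: a handful of lines copied from the DDS report above.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
R? hrxkafoa;hrxkafoa
R? N;N
R? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
S? nltdi;nltdi
S? TomTomHOMEService;TomTomHOMEService
2009-09-21 23:32:32 15688 ----a-w- c:\windows\system32\lsdelete.exe
2007-02-22 15:52:07 966709 --sh--w- c:\windows\system32\aycdd.bak1
2005-06-26 22:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2007-02-20 17:04:37 966547 --sh--w- c:\windows\system32\prutv.bak1
"""

# The only value Windows XP itself places in Winlogon\Userinit.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

# DDS Find3M line: date, time, size, 8-char attribute field, path.
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) ([-a-z]{8}) (.+)$"
)
# DDS service line: R (running) or S (stopped), internal name, display name.
SERVICE_RE = re.compile(r"^([RS])\? ([^;]+);(.*)$")


def check_userinit(line):
    """Return any executables appended to the Userinit value besides userinit.exe."""
    if not line.lower().startswith("mwinlogon: userinit="):
        return []
    value = line.split("=", 1)[1]
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if e not in EXPECTED_USERINIT]


def check_service(line):
    """Heuristic (assumption): a service whose display name just repeats the
    internal name, and whose name is a single letter or a long run of lowercase
    letters, is returned for review. Legitimate drivers can match too."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    _state, name, display = m.groups()
    if display != name:
        return None
    if len(name) <= 2 or re.fullmatch(r"[a-z]{8,}", name):
        return name
    return None


def check_find3m(line):
    """Return system32 files carrying hidden+system attributes whose extension
    is not one Windows normally gives its own binaries (allowlist is an assumption)."""
    m = FIND3M_RE.match(line)
    if not m:
        return None
    attrs, path = m.group(4), m.group(5).lower()
    if "s" in attrs and "h" in attrs and "\\system32\\" in path:
        if not path.endswith((".dll", ".exe", ".sys", ".ocx")):
            return path
    return None


def triage(report):
    """Run every check over a DDS report and collect the findings by category."""
    findings = {"userinit_extra": [], "services_review": [], "hidden_system_files": []}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        findings["userinit_extra"] += check_userinit(line)
        svc = check_service(line)
        if svc:
            findings["services_review"].append(svc)
        hidden = check_find3m(line)
        if hidden:
            findings["hidden_system_files"].append(hidden)
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_DDS).items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

Run against the sample, the script reports the second Userinit executable, the two services with no descriptive display name, and the two hidden+system .bak1 files in system32; the codec-pack DLL with the same attributes is not reported because of the extension allowlist. The later ComboFix log in this thread lists both .bak1 files under "Other Deletions", which is the kind of corroboration a responder wants before acting on a heuristic hit.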


#3 SS369


Posted 09 November 2009 - 08:53 PM

Thank you for answering.
Due to the slowness of this machine I have not checked here for a reply. Nor have I gotten an email notification, though I do have the box checked and the address is correct.
Yes, I would like help cleaning this machine.
I do not do online banking, etc., so that is not an issue.
I've been trying solo to fix it myself and have cleaned various found items using the Avira and Malwarebytes programs.
It seems that the machine is running wide open: the activity light is constantly blinking at a high rate, and if and when I manage to get a file or folder open the time is outrageously slow.
When I close a program, file or folder the screen wipes down slowly as well.

Thank you ahead of time for your offer to help.
I will ask, if I can be helped, that I get the important items backed up first, before anything traumatic is done.

#4 Blade81


Posted 10 November 2009 - 01:11 AM

Hi,

Please post both parts of a fresh DDS log and I'll see what can be done :(


#5 SS369


Posted 10 November 2009 - 09:30 AM

Hello Blade81 and thank you.
Here are the requested logs:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Scott at 9:16:11.23 on Tue 11/10/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.78 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Scott\Desktop\HIJACKTHIS\NEWPrograms\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = www.yahoo.com
mSearch Page = hxxp://www.google.com
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Update Service] "c:\program files\common files\teknum systems\update.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [PestPatrol Control Center] c:\progra~1\pestpa~1\PPControl.exe
mRun: [PPMemCheck] c:\progra~1\pestpa~1\PPMemCheck.exe
mRun: [EmsaBandwidthMonitor] c:\documents and settings\scott\my documents\2transfer\!!! 2burn !!!\apps\bandwidthmonitoremsafreewareunzipped\bandwidthmonitor\BandwidthMonitor.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download Flash with Flash Capture - c:\program files\flash capture\dl.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - hxxp://www.bitdefender.com/scan/Msie/bitdefender.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.1421180556
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\1id3iffm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\scott\application data\mozilla\firefox\profiles\1id3iffm.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-11-08 00:18:41 0 d-----w- c:\docume~1\scott\applic~1\Malwarebytes
2009-11-08 00:18:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 00:18:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 00:18:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-08 00:18:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 03:25:32 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-04 03:24:50 0 d-----w- c:\program files\Avira
2009-11-04 03:24:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-10-31 17:59:24 4153 ----a-w- c:\documents and settings\scott\.recently-used.xbel

==================== Find3M ====================

2009-09-21 23:32:32 15688 ----a-w- c:\windows\system32\lsdelete.exe
2001-08-23 19:00:00 66048 ----a-w- c:\program files\Notepad.exe
2005-05-13 22:12:00 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 16:13:58 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 02:27:00 422400 --sha-r- c:\windows\x2.64.exe
2005-10-08 02:14:52 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 19:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2007-02-22 15:52:07 966709 --sh--w- c:\windows\system32\aycdd.bak1
2005-06-26 22:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 04:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-20 17:04:37 966547 --sh--w- c:\windows\system32\prutv.bak1
2006-04-27 17:24:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 20:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

============= FINISH: 9:18:06.16 ===============


#6 Blade81


Posted 10 November 2009 - 10:20 AM

Hi again,


uTorrent

The programs listed above are P2P file sharing programs. P2P downloads are nowadays one of the things most likely to bring an infection into the system. My recommendation is to uninstall these (and any other P2P file sharing programs, if present).


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

Edited by Blade81, 10 November 2009 - 10:21 AM.


#7 SS369


Posted 10 November 2009 - 02:10 PM

All is done as requested. Here are the logs.
Thank you, Blade81.

ComboFix 09-11-09.01 - Scott 11/10/2009 11:46.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.76 [GMT -5:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bt.log
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\program files\Internet Explorer\fxavx.ini
c:\windows\patch.exe
c:\windows\system32\aybeg.ini
c:\windows\system32\aycdd.bak1
c:\windows\system32\aycdd.ini
c:\windows\system32\prutv.bak1
c:\windows\system32\prutv.ini
c:\windows\system32\skinboxer43.dll

Infected copy of c:\windows\system32\drivers\vaxscsi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\documents and settings\Scott\Application Data\Malwarebytes
2009-11-08 00:18 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 00:18 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 23:44 . 2009-09-23 21:37 34112 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-04 23:44 . 2009-09-23 21:37 32448 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-04 23:44 . 2009-09-23 21:37 22352 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-04 03:25 . 2009-11-04 04:07 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-04 03:25 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-04 03:25 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-04 03:25 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-04 03:24 . 2009-11-04 03:24 -------- d-----w- c:\program files\Avira
2009-11-04 03:24 . 2009-11-04 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-28 20:27 . 2009-01-19 23:46 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 14:56 . 2008-03-29 22:42 -------- d-----w- c:\program files\Replay AV 8
2009-11-04 23:49 . 2009-01-15 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-01 15:06 . 2004-10-11 14:14 -------- d-----w- c:\program files\PestPatrol
2009-10-31 17:59 . 2009-05-21 23:16 -------- d-----w- c:\documents and settings\Scott\Application Data\gtk-2.0
2009-10-28 20:51 . 2009-01-20 00:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-10-20 22:47 . 2004-02-21 17:00 -------- d-----w- c:\program files\DC++
2009-10-19 23:32 . 2009-09-21 23:32 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-19 23:32 . 2009-06-22 23:33 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-18 14:40 . 2006-09-18 05:04 -------- d-----w- c:\program files\Codec Pack - All In 1
2009-10-18 14:40 . 2004-03-07 20:53 -------- d-----w- c:\program files\DivX
2009-10-03 20:23 . 2009-09-27 01:13 -------- d-----w- c:\program files\bbbbyh
2009-10-02 13:02 . 2009-10-02 13:02 -------- d-----w- c:\program files\GIMP-2.0
2001-08-23 19:00 . 2004-09-29 06:11 66048 ----a-w- c:\program files\Notepad.exe
2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 16:13 . 2005-10-24 16:13 66560 --sha-r- c:\windows\MOTA113.exe
2007-12-31 00:42 . 2007-12-31 00:42 0 --sh--w- c:\windows\S62C13959.tmp
2005-10-14 02:27 . 2005-10-14 02:27 422400 --sha-r- c:\windows\x2.64.exe
2005-10-08 02:14 . 2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 19:31 . 2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2006-05-24 16:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 17:24 . 2006-04-27 17:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"PestPatrol Control Center"="c:\progra~1\PESTPA~1\PPControl.exe" [2004-11-15 98304]
"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 148480]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-11 389120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Scott\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Scott\\My Documents\\Strongdc205\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\My Documents\\LCD++\\LDCPlusPlus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\SDC213\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\StrongDC2.2\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\SDC221\\StrongDC.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI CD-Maker\\LiveUpdate.exe"=

R0 hrxkafoa;hrxkafoa;c:\windows\system32\drivers\xpkqiqbi.sys [x]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [x]
R3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe [2004-08-04 14336]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-09-21 1028432]
R3 N;N;c:\docume~1\Scott\LOCALS~1\Temp\N.exe [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-27 64160]
S1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2005-12-18 141184]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 23:32]

2009-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-11 01:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download Flash with Flash Capture - c:\program files\Flash Capture\dl.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\np_gp.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Update Service - c:\program files\Common Files\Teknum Systems\update.exe
HKLM-Run-EmsaBandwidthMonitor - c:\documents and settings\Scott\My Documents\2transfer\!!! 2BURN !!!\Apps\BandwidthMonitorEmsaFreewareUnzipped\BandwidthMonitor\BandwidthMonitor.exe
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-HijackThis - c:\documents and settings\Scott\Desktop\SPYWARESTUFF\HijackThis.exe
AddRemove-SiSoftware Sandra Standard 2004.SP1 (Win32 x86)_is1 - c:\program files\SiSoftware\SiSoftware Sandra Standard 2004.SP1
AddRemove-{B8971880-0060-11D8-87CB-C2A1A3E71907}_is1 - c:\program files\Indexdatviewer\Index.dat



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-10 12:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys >>UNKNOWN [0x8135DA40]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x8135da40
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1482476501-1078081533-1417001333-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-11-10 13:14
ComboFix-quarantined-files.txt 2009-11-10 18:14
ComboFix2.txt 2007-11-26 02:03

Pre-Run: 23,471,505,408 bytes free
Post-Run: 23,754,342,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 0B2180AD23436CDB799BBE2BA282F4A6

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

DDS (Ver_09-10-26.01) - NTFSx86
Run by Scott at 14:03:37.43 on Tue 11/10/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.30 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Scott\Desktop\HIJACKTHIS\NEWPrograms\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = www.yahoo.com
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [PestPatrol Control Center] c:\progra~1\pestpa~1\PPControl.exe
mRun: [PPMemCheck] c:\progra~1\pestpa~1\PPMemCheck.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download Flash with Flash Capture - c:\program files\flash capture\dl.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - hxxp://www.bitdefender.com/scan/Msie/bitdefender.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.1421180556
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\1id3iffm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\scott\application data\mozilla\firefox\profiles\1id3iffm.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-19 64160]
S0 hrxkafoa;hrxkafoa;c:\windows\system32\drivers\xpkqiqbi.sys --> c:\windows\system32\drivers\xpkqiqbi.sys [?]

=============== Created Last 30 ================

2009-11-10 16:28:59 0 d-sha-r- C:\cmdcons
2009-11-10 16:24:20 98816 ----a-w- c:\windows\sed.exe
2009-11-10 16:24:20 77312 ----a-w- c:\windows\MBR.exe
2009-11-10 16:24:20 267264 ----a-w- c:\windows\PEV.exe
2009-11-10 16:24:20 161792 ----a-w- c:\windows\SWREG.exe
2009-11-08 00:18:41 0 d-----w- c:\docume~1\scott\applic~1\Malwarebytes
2009-11-08 00:18:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 00:18:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 00:18:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-08 00:18:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 03:25:32 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-04 03:24:50 0 d-----w- c:\program files\Avira
2009-11-04 03:24:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-10-31 17:59:24 4153 ----a-w- c:\documents and settings\scott\.recently-used.xbel

==================== Find3M ====================

2009-09-21 23:32:32 15688 ----a-w- c:\windows\system32\lsdelete.exe
2001-08-23 19:00:00 66048 ----a-w- c:\program files\Notepad.exe
2005-05-13 22:12:00 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 16:13:58 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 02:27:00 422400 --sha-r- c:\windows\x2.64.exe
2005-10-08 02:14:52 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 19:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 04:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 17:24:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 20:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

============= FINISH: 14:05:27.07 ===============


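The two logs above are read by eye in this thread; the signals a malware-removal helper scans for first are mechanical enough to script. The following triage helper is an added example, not part of this thread and not code from ComboFix, DDS or Gmer's tools. SAMPLE_LOG is constructed from the kinds of lines that appear in the logs above; the rules, names and severity labels are my own choices. It flags a kernel driver whose binary is missing (`[x]` in ComboFix, `[?]` in DDS) and whose service name looks like a random lowercase blob, a service started out of a Temp directory, the Windows Firewall being disabled with Security Center told not to complain, files dropped into the Windows directory with the hidden+system attributes set, and the Gmer MBR detector's hook warning. It deliberately does not flag `*NewlyCreated* - MBR`: that is ComboFix loading its own `c:\windows\MBR.exe` helper, which the DDS log shows being created at the same time as `PEV.exe` and `SWREG.exe`. These are heuristics; every hit still needs a person to confirm it.

```python
"""Triage helper for ComboFix / DDS style logs (added example, not the tools' own code).

Each check_* function takes one log line and returns (category, severity, message)
or None. triage() runs every line through all checks and collects the hits.
The rules encode the first things a removal helper looks for; a hit is a lead,
not a verdict.
"""
import re

# Constructed sample: lines of the kind seen in the posted ComboFix/DDS logs.
SAMPLE_LOG = r"""
R0 hrxkafoa;hrxkafoa;c:\windows\system32\drivers\xpkqiqbi.sys [x]
R3 N;N;c:\docume~1\Scott\LOCALS~1\Temp\N.exe [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r- c:\windows\meta4.exe
2001-08-23 19:00 . 2004-09-29 06:11 66048 ----a-w- c:\program files\Notepad.exe
detected MBR rootkit hooks:
\Driver\Disk -> 0x8135da40
Warning: possible MBR rootkit infection !
*NewlyCreated* - MBR
"""

# "R0 name;display;path [meta]"  (ComboFix) or "... path --> path [?]" (DDS)
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]\s*$')
# Heuristic for generated names such as hrxkafoa / xpkqiqbi: lowercase letters only.
RANDOM_NAME_RE = re.compile(r'^[a-z]{6,12}$')
# ComboFix "created . modified size attrs path" and DDS "created size attrs path"
FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?'
    r'\s+(\d+|-+)\s+([-a-z]{8})\s+(.+)$')


def check_service(line):
    m = SERVICE_RE.match(line)
    if not m:
        return None
    start, name, _display, path, meta = m.groups()
    path_l = path.lower()
    stem = path_l.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    missing = meta in ('x', '?')          # binary not on disk at scan time
    from_temp = '\\temp\\' in path_l
    if missing and RANDOM_NAME_RE.match(name) and RANDOM_NAME_RE.match(stem):
        return ('service', 'HIGH', f'{start} {name}: random-looking driver, binary missing ({path})')
    if from_temp:
        return ('service', 'HIGH', f'{start} {name}: service started from a Temp directory ({path})')
    if missing:
        return ('service', 'LOW', f'{start} {name}: registered service, binary missing ({path})')
    return None


def check_firewall(line):
    s = line.strip()
    if re.match(r'^"EnableFirewall"\s*=\s*0\b', s):
        return ('firewall', 'MEDIUM', 'Windows Firewall disabled for the standard profile')
    if re.match(r'^"FirewallOverride"\s*=\s*dword:0*1$', s):
        return ('firewall', 'MEDIUM', 'Security Center told not to warn about the firewall (FirewallOverride=1)')
    return None


def check_file(line):
    m = FILE_RE.match(line)
    if not m:
        return None
    _size, attrs, path = m.groups()
    # hidden + system on a file dropped straight into %windir% or system32
    if 's' in attrs and 'h' in attrs and path.lower().startswith('c:\\windows\\'):
        return ('file', 'MEDIUM', f'hidden+system file in the Windows directory: {path} ({attrs})')
    return None


def check_mbr(line):
    s = line.strip()
    if s.startswith('Warning: possible MBR rootkit infection'):
        return ('mbr', 'HIGH', 'Gmer MBR detector reports a possible MBR rootkit')
    m = re.match(r'^\\Driver\\Disk -> (0x[0-9a-f]+)$', s, re.I)
    if m:
        return ('mbr', 'HIGH', f'\\Driver\\Disk dispatch hooked at {m.group(1)}')
    return None


CHECKS = (check_service, check_firewall, check_file, check_mbr)


def triage(log_text):
    """Return [(line_no, category, severity, message), ...] for every flagged line."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for check in CHECKS:
            hit = check(line.rstrip())
            if hit:
                findings.append((line_no, *hit))
                break
    return findings


if __name__ == '__main__':
    for line_no, category, severity, message in triage(SAMPLE_LOG):
        print(f'{severity:6} line {line_no:3} [{category}] {message}')
```

Run against a real log, the ordering of the output matters less than the grouping: a random-named driver with no file, a service under Temp and an MBR hook warning in the same log point at a kernel-level infection, which is why a helper asks for another ComboFix pass rather than deleting the entries one by one.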
#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:30 AM

Posted 10 November 2009 - 02:48 PM

Hi,

Could you please uninstall VirtualCloneDrive until we've finished here? It may disturb the process.

When done, run ComboFix again.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#9 SS369

SS369
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:30 AM

Posted 10 November 2009 - 05:54 PM

Done as requested.
A question: Should I have disconnected from the internet during these? Not knowing whether to or not, I chose to disconnect, since I did disable the protections that I have. I hope that was correct.
During the running of ComboFix it paused and displayed a small window indicating there was rootkit activity and needed to reboot. I ok'd that.
During shutdown another small window popped up with something about a "catchme.exe or .dll" that I didn't get copied down fast enough.

Here's the Combo log

++++++++++++++++

ComboFix 09-11-09.01 - Scott 11/10/2009 16:41.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.77 [GMT -5:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\vaxscsi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\documents and settings\Scott\Application Data\Malwarebytes
2009-11-08 00:18 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 00:18 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 23:44 . 2009-09-23 21:37 34112 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-04 23:44 . 2009-09-23 21:37 32448 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-04 23:44 . 2009-09-23 21:37 22352 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-04 03:25 . 2009-11-04 04:07 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-04 03:25 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-04 03:25 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-04 03:25 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-04 03:24 . 2009-11-04 03:24 -------- d-----w- c:\program files\Avira
2009-11-04 03:24 . 2009-11-04 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-28 20:27 . 2009-01-19 23:46 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 21:35 . 2004-04-10 23:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-10 21:25 . 2004-04-10 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-10 21:02 . 2007-12-31 01:05 -------- d-----w- c:\program files\Elaborate Bytes
2009-11-10 14:56 . 2008-03-29 22:42 -------- d-----w- c:\program files\Replay AV 8
2009-11-04 23:49 . 2009-01-15 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-01 15:06 . 2004-10-11 14:14 -------- d-----w- c:\program files\PestPatrol
2009-10-31 17:59 . 2009-05-21 23:16 -------- d-----w- c:\documents and settings\Scott\Application Data\gtk-2.0
2009-10-28 20:51 . 2009-01-20 00:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-10-20 22:47 . 2004-02-21 17:00 -------- d-----w- c:\program files\DC++
2009-10-19 23:32 . 2009-09-21 23:32 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-19 23:32 . 2009-06-22 23:33 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-18 14:40 . 2006-09-18 05:04 -------- d-----w- c:\program files\Codec Pack - All In 1
2009-10-18 14:40 . 2004-03-07 20:53 -------- d-----w- c:\program files\DivX
2009-10-03 20:23 . 2009-09-27 01:13 -------- d-----w- c:\program files\bbbbyh
2009-10-02 13:02 . 2009-10-02 13:02 -------- d-----w- c:\program files\GIMP-2.0
2001-08-23 19:00 . 2004-09-29 06:11 66048 ----a-w- c:\program files\Notepad.exe
2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 16:13 . 2005-10-24 16:13 66560 --sha-r- c:\windows\MOTA113.exe
2007-12-31 00:42 . 2007-12-31 00:42 0 --sh--w- c:\windows\S62C13959.tmp
2005-10-14 02:27 . 2005-10-14 02:27 422400 --sha-r- c:\windows\x2.64.exe
2005-10-08 02:14 . 2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 19:31 . 2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2006-05-24 16:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 17:24 . 2006-04-27 17:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-10_17.25.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-03 13:43 . 2009-11-10 21:38 32768 c:\windows\TEMP\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-03 13:43 . 2009-11-10 16:42 32768 c:\windows\TEMP\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-03 13:43 . 2009-11-10 16:42 49152 c:\windows\TEMP\History\History.IE5\index.dat
+ 2008-08-03 13:43 . 2009-11-10 21:38 49152 c:\windows\TEMP\History\History.IE5\index.dat
+ 2008-08-03 13:43 . 2009-11-10 21:38 16384 c:\windows\TEMP\Cookies\index.dat
- 2008-08-03 13:43 . 2009-11-10 16:42 16384 c:\windows\TEMP\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"PestPatrol Control Center"="c:\progra~1\PESTPA~1\PPControl.exe" [2004-11-15 98304]
"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 148480]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-11 389120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Scott\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Scott\\My Documents\\Strongdc205\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\My Documents\\LCD++\\LDCPlusPlus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\SDC213\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\StrongDC2.2\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\SDC221\\StrongDC.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI CD-Maker\\LiveUpdate.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2009 7:32 PM 64160]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [12/18/2005 5:58 PM 141184]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/3/2009 10:25 PM 108289]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/24/2009 6:57 AM 92008]
S0 hrxkafoa;hrxkafoa;c:\windows\system32\drivers\xpkqiqbi.sys --> c:\windows\system32\drivers\xpkqiqbi.sys [?]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/29/2002 7:00 AM 14336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
S3 N;N;c:\docume~1\Scott\LOCALS~1\Temp\N.exe --> c:\docume~1\Scott\LOCALS~1\Temp\N.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 23:32]

2009-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-11 01:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download Flash with Flash Capture - c:\program files\Flash Capture\dl.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\np_gp.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-10 17:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys >>UNKNOWN [0x81325EB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x81325eb0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1482476501-1078081533-1417001333-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-11-10 17:21
ComboFix-quarantined-files.txt 2009-11-10 22:21
ComboFix2.txt 2009-11-10 18:14
ComboFix3.txt 2007-11-26 02:03

Pre-Run: 23,685,693,440 bytes free
Post-Run: 23,652,626,432 bytes free

- - End Of File - - 362DF3BED1B4A074D7AF83993E3E059E

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:10:30 AM

Posted 11 November 2009 - 01:10 AM

Hi,

Please run ComboFix one more time and let it update itself (have internet connection enabled). Post back its report.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#11 SS369

SS369
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Male
  • Local time:03:30 AM

Posted 11 November 2009 - 10:21 PM

Hello Blade81, ran combofix and it updated.

Here's the log and thank you.

+++++++++++++++++

ComboFix 09-11-11.02 - Scott 11/11/2009 20:55.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.60 [GMT -5:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\vaxscsi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\documents and settings\Scott\Application Data\Malwarebytes
2009-11-08 00:18 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 00:18 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 23:44 . 2009-09-23 21:37 34112 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-04 23:44 . 2009-09-23 21:37 32448 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-04 23:44 . 2009-09-23 21:37 22352 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-04 03:25 . 2009-11-04 04:07 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-04 03:25 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-04 03:25 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-04 03:25 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-04 03:24 . 2009-11-04 03:24 -------- d-----w- c:\program files\Avira
2009-11-04 03:24 . 2009-11-04 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-28 20:27 . 2009-01-19 23:46 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 21:35 . 2004-04-10 23:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-10 21:25 . 2004-04-10 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-10 21:02 . 2007-12-31 01:05 -------- d-----w- c:\program files\Elaborate Bytes
2009-11-10 14:56 . 2008-03-29 22:42 -------- d-----w- c:\program files\Replay AV 8
2009-11-04 23:49 . 2009-01-15 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-01 15:06 . 2004-10-11 14:14 -------- d-----w- c:\program files\PestPatrol
2009-10-31 17:59 . 2009-05-21 23:16 -------- d-----w- c:\documents and settings\Scott\Application Data\gtk-2.0
2009-10-28 20:51 . 2009-01-20 00:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-10-20 22:47 . 2004-02-21 17:00 -------- d-----w- c:\program files\DC++
2009-10-19 23:32 . 2009-09-21 23:32 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-19 23:32 . 2009-06-22 23:33 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-18 14:40 . 2006-09-18 05:04 -------- d-----w- c:\program files\Codec Pack - All In 1
2009-10-18 14:40 . 2004-03-07 20:53 -------- d-----w- c:\program files\DivX
2009-10-03 20:23 . 2009-09-27 01:13 -------- d-----w- c:\program files\bbbbyh
2009-10-02 13:02 . 2009-10-02 13:02 -------- d-----w- c:\program files\GIMP-2.0
2001-08-23 19:00 . 2004-09-29 06:11 66048 ----a-w- c:\program files\Notepad.exe
2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 16:13 . 2005-10-24 16:13 66560 --sha-r- c:\windows\MOTA113.exe
2007-12-31 00:42 . 2007-12-31 00:42 0 --sh--w- c:\windows\S62C13959.tmp
2005-10-14 02:27 . 2005-10-14 02:27 422400 --sha-r- c:\windows\x2.64.exe
2005-10-08 02:14 . 2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 19:31 . 2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2006-05-24 16:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 17:24 . 2006-04-27 17:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-10_17.25.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-03 13:43 . 2009-11-12 01:51 32768 c:\windows\TEMP\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-03 13:43 . 2009-11-10 16:42 32768 c:\windows\TEMP\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-03 13:43 . 2009-11-10 16:42 49152 c:\windows\TEMP\History\History.IE5\index.dat
+ 2008-08-03 13:43 . 2009-11-12 01:51 49152 c:\windows\TEMP\History\History.IE5\index.dat
+ 2008-08-03 13:43 . 2009-11-12 01:51 16384 c:\windows\TEMP\Cookies\index.dat
- 2008-08-03 13:43 . 2009-11-10 16:42 16384 c:\windows\TEMP\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"PestPatrol Control Center"="c:\progra~1\PESTPA~1\PPControl.exe" [2004-11-15 98304]
"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 148480]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-11 389120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Scott\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Scott\\My Documents\\Strongdc205\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\My Documents\\LCD++\\LDCPlusPlus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\SDC213\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\StrongDC2.2\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\SDC221\\StrongDC.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI CD-Maker\\LiveUpdate.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2009 7:32 PM 64160]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [12/18/2005 5:58 PM 141184]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/3/2009 10:25 PM 108289]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/24/2009 6:57 AM 92008]
S0 hrxkafoa;hrxkafoa;c:\windows\system32\drivers\xpkqiqbi.sys --> c:\windows\system32\drivers\xpkqiqbi.sys [?]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/29/2002 7:00 AM 14336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
S3 N;N;c:\docume~1\Scott\LOCALS~1\Temp\N.exe --> c:\docume~1\Scott\LOCALS~1\Temp\N.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 23:32]

2009-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-11 01:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download Flash with Flash Capture - c:\program files\Flash Capture\dl.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\np_gp.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-11 21:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys >>UNKNOWN [0x81325EB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x81325eb0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1482476501-1078081533-1417001333-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-11-12 21:42
ComboFix-quarantined-files.txt 2009-11-12 02:42
ComboFix2.txt 2009-11-10 22:21
ComboFix3.txt 2009-11-10 18:14
ComboFix4.txt 2007-11-26 02:03

Pre-Run: 22,811,574,272 bytes free
Post-Run: 22,779,203,584 bytes free

- - End Of File - - 78E3DA1272371D524A7056FF73AD2762

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:10:30 AM

Posted 12 November 2009 - 01:11 AM

Hi again,


uTorrent
DC++


Both of the above are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and any other P2P file sharing programs, if present).


Open notepad and copy/paste the text in the quotebox below into it:

Driver::
hrxkafoa
N
File::
c:\windows\system32\drivers\xpkqiqbi.sys
c:\docume~1\Scott\LOCALS~1\Temp\N.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000000


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check free readers introduced here.

Uninstall Macromedia Flash Player 8


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 17.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. Post also description of remaining symptoms.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
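The triage Blade81 does by eye on the service list and firewall keys in the ComboFix log above (a driver whose image file ComboFix cannot verify, marked `[?]`, a service launched from a user's Temp folder, FirewallOverride set and the firewall disabled) can be written down as a small script. The Python below is an added example and is not part of ComboFix, of this thread, or of the helper's own tooling: the heuristics, the "high"/"low" severity labels, the function names and the sample log lines (constructed from entries quoted earlier in the thread) are mine. The CFScript it emits uses only the `Driver::`, `File::` and `Registry::` sections shown in the post above.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the firewall keys and service lines quoted in the thread above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2009 7:32 PM 64160]
S0 hrxkafoa;hrxkafoa;c:\windows\system32\drivers\xpkqiqbi.sys --> c:\windows\system32\drivers\xpkqiqbi.sys [?]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 getPlusHelper;getPlus Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/29/2002 7:00 AM 14336]
S3 N;N;c:\docume~1\Scott\LOCALS~1\Temp\N.exe --> c:\docume~1\Scott\LOCALS~1\Temp\N.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
"""

# "R0 name;display;image [date size]" or "... image --> image [?]" (ComboFix's service layout)
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)                       # image lives under a Temp folder
PROGFILES_RE = re.compile(r"^c:\\(?:program files|progra~1)\\", re.IGNORECASE)
FW_OVERRIDE_RE = re.compile(r'^"FirewallOverride"=dword:0*1$')          # Security Center override on
FW_DISABLED_RE = re.compile(r'^"EnableFirewall"=\s*0\b')               # Windows Firewall off


@dataclass
class Finding:
    kind: str                      # "service" or "registry"
    name: str                      # service name or registry value name
    detail: str                    # image path, or the registry key the value sits under
    severity: str                  # "high" (act on it) or "low" (review only)
    reasons: List[str] = field(default_factory=list)


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return the entries an analyst would look at first."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line                        # remember the enclosing registry key
            continue
        if FW_OVERRIDE_RE.match(line):
            findings.append(Finding("registry", "FirewallOverride", current_key, "high",
                                    ["Security Center firewall monitoring is overridden"]))
            continue
        if FW_DISABLED_RE.match(line):
            findings.append(Finding("registry", "EnableFirewall", current_key, "high",
                                    ["Windows Firewall is disabled for the standard profile"]))
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        missing = rest.endswith("[?]")                # ComboFix could not read/verify the image
        image = rest.split(" -->")[0].split(" [")[0].strip()
        reasons = []
        if TEMP_RE.search(image):
            reasons.append("image runs from a Temp directory")
        if missing and not PROGFILES_RE.match(image):
            reasons.append("image file missing or unverifiable ([?]) outside Program Files")
        if reasons:
            findings.append(Finding("service", m.group("name"), image, "high", reasons))
        elif missing:
            # A vanished image under a vendor directory is usually an incomplete uninstall,
            # so it is reported for review rather than queued for removal.
            findings.append(Finding("service", m.group("name"), image, "low",
                                    ["image missing under Program Files: likely orphaned entry"]))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render the high-severity findings in the Driver::/File::/Registry:: layout used above."""
    svc = [f for f in findings if f.kind == "service" and f.severity == "high"]
    lines: List[str] = []
    if svc:
        lines.append("Driver::")
        lines.extend(f.name for f in svc)
        lines.append("File::")
        lines.extend(f.detail for f in svc)
    override = [f for f in findings if f.kind == "registry" and f.name == "FirewallOverride"]
    if override:
        lines.append("Registry::")
        lines.append(override[0].detail)                  # the key the value was found under
        lines.append('"FirewallOverride"=dword:00000000')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.kind} {f.name}: {f.detail} ({'; '.join(f.reasons)})")
    print("\n--- CFScript ---\n" + build_cfscript(results))
```

Run against the constructed sample, `triage` marks FirewallOverride, EnableFirewall, `hrxkafoa` and `N` as high and reports `NeroRegInCDSrv` as low, and `build_cfscript` produces the same Driver/File/Registry lines Blade81 wrote by hand. The disabled-firewall value is reported but deliberately left out of the script, as in the thread, since re-enabling the firewall is a settings change rather than a removal step.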


#13 SS369

SS369
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Male
  • Local time:03:30 AM

Posted 13 November 2009 - 06:49 AM

Hello Blade81, I have done as suggested and here are the reports.
There still remains some sluggishness in the machine, but I will reboot it later and see if it is it or just me.
Thank You

+++++++++++++

ComboFix 09-11-13.04 - Scott 11/12/2009 18:38.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.65 [GMT -5:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Scott\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\docume~1\Scott\LOCALS~1\Temp\N.exe"
"c:\windows\system32\drivers\xpkqiqbi.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\vaxscsi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HRXKAFOA
-------\Legacy_N
-------\Service_hrxkafoa
-------\Service_N


((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.

2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\documents and settings\Scott\Application Data\Malwarebytes
2009-11-08 00:18 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 00:18 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 23:44 . 2009-09-23 21:37 34112 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-04 23:44 . 2009-09-23 21:37 32448 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-04 23:44 . 2009-09-23 21:37 22352 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-04 03:25 . 2009-11-04 04:07 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-04 03:25 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-04 03:25 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-04 03:25 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-04 03:24 . 2009-11-04 03:24 -------- d-----w- c:\program files\Avira
2009-11-04 03:24 . 2009-11-04 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-28 20:27 . 2009-01-19 23:46 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 23:16 . 2004-02-04 02:25 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-12 23:03 . 2004-02-02 17:54 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-12 23:03 . 2004-02-02 17:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-12 23:03 . 2006-05-07 20:51 -------- d-----w- c:\program files\Google
2009-11-12 22:57 . 2007-01-02 01:35 -------- d-----w- c:\program files\Java
2009-11-12 03:32 . 2008-03-29 22:42 -------- d-----w- c:\program files\Replay AV 8
2009-11-10 21:35 . 2004-04-10 23:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-10 21:25 . 2004-04-10 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-10 21:02 . 2007-12-31 01:05 -------- d-----w- c:\program files\Elaborate Bytes
2009-11-04 23:49 . 2009-01-15 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-01 15:06 . 2004-10-11 14:14 -------- d-----w- c:\program files\PestPatrol
2009-10-31 17:59 . 2009-05-21 23:16 -------- d-----w- c:\documents and settings\Scott\Application Data\gtk-2.0
2009-10-28 20:51 . 2009-01-20 00:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-10-20 22:47 . 2004-02-21 17:00 -------- d-----w- c:\program files\DC++
2009-10-19 23:32 . 2009-09-21 23:32 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-19 23:32 . 2009-06-22 23:33 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-18 14:40 . 2006-09-18 05:04 -------- d-----w- c:\program files\Codec Pack - All In 1
2009-10-18 14:40 . 2004-03-07 20:53 -------- d-----w- c:\program files\DivX
2009-10-03 20:23 . 2009-09-27 01:13 -------- d-----w- c:\program files\bbbbyh
2009-10-02 13:02 . 2009-10-02 13:02 -------- d-----w- c:\program files\GIMP-2.0
2001-08-23 19:00 . 2004-09-29 06:11 66048 ----a-w- c:\program files\Notepad.exe
2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 16:13 . 2005-10-24 16:13 66560 --sha-r- c:\windows\MOTA113.exe
2007-12-31 00:42 . 2007-12-31 00:42 0 --sh--w- c:\windows\S62C13959.tmp
2005-10-14 02:27 . 2005-10-14 02:27 422400 --sha-r- c:\windows\x2.64.exe
2005-10-08 02:14 . 2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 19:31 . 2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2006-05-24 16:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 17:24 . 2006-04-27 17:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-10_17.25.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-03 13:43 . 2009-11-13 00:23 32768 c:\windows\TEMP\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-03 13:43 . 2009-11-10 16:42 32768 c:\windows\TEMP\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-12 23:12 . 2009-11-13 00:30 32768 c:\windows\TEMP\History\History.IE5\MSHist012009111220091113\index.dat
+ 2008-08-03 13:43 . 2009-11-13 00:23 49152 c:\windows\TEMP\History\History.IE5\index.dat
- 2008-08-03 13:43 . 2009-11-10 16:42 49152 c:\windows\TEMP\History\History.IE5\index.dat
+ 2008-08-03 13:43 . 2009-11-13 00:23 16384 c:\windows\TEMP\Cookies\index.dat
- 2008-08-03 13:43 . 2009-11-10 16:42 16384 c:\windows\TEMP\Cookies\index.dat
+ 2009-11-12 23:17 . 2009-11-12 23:17 3940352 c:\windows\Installer\45742ae.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"PestPatrol Control Center"="c:\progra~1\PESTPA~1\PPControl.exe" [2004-11-15 98304]
"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 148480]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-11 389120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Scott\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Scott\\My Documents\\Strongdc205\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\My Documents\\LCD++\\LDCPlusPlus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\SDC213\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\StrongDC2.2\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\SDC221\\StrongDC.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI CD-Maker\\LiveUpdate.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2009 7:32 PM 64160]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [12/18/2005 5:58 PM 141184]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/3/2009 10:25 PM 108289]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/24/2009 6:57 AM 92008]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/29/2002 7:00 AM 14336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 23:32]

2009-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-11 01:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download Flash with Flash Capture - c:\program files\Flash Capture\dl.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\np_gp.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 19:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x8135CC78]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x8135cc78
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1482476501-1078081533-1417001333-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\NetLimiter 2 Pro\nlsvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\NetLimiter 2 Pro\NLClient.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-11-12 19:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-13 00:56
ComboFix2.txt 2009-11-12 02:42
ComboFix3.txt 2009-11-10 22:21
ComboFix4.txt 2009-11-10 18:14
ComboFix5.txt 2009-11-12 23:24

Pre-Run: 22,542,626,816 bytes free
Post-Run: 22,511,583,232 bytes free

- - End Of File - - 66E9C680CC23557CD07314C3E53B3321


+++++++++++++++++++++++++++++++++++

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, November 13, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, November 13, 2009 00:55:25
Records in database: 3198592
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
K:\

Scan statistics:
Objects scanned: 135731
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 07:08:24


File name / Threat / Threats count
C:\Documents and Settings\Scott\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-1b48b4c2 Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Documents and Settings\Scott\Desktop\DVD\DVD\Alcohol120_trial_1.9.5.4212.exe Infected: Trojan.Win32.Hrup.a 1

Selected area has been scanned.

+++++++
Attach file attached




#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:30 AM

Posted 13 November 2009 - 10:22 AM

Hi,

Uninstall Alcohol 120 and then run ComboFix once again. Have you defragged the hard drive lately?

Delete the C:\Documents and Settings\Scott\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-1b48b4c2 file.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#15 SS369

SS369
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:30 AM

Posted 13 November 2009 - 09:17 PM

Hello Blade81,
I tried to uninstall Alcohol using Windows Add/Remove; it did not show there at all. I tried to use the uninstaller in the program, and apparently the file is missing. I did the only thing I could think of next, which was to delete everything in the program folder. I hope that did the task.
As for defragmenting, yes, I did a defrag just before asking for help.
Here is the new ComboFix log as requested, and by the way, the machine is running very fast now.
Thank you!

+++++++++++++

ComboFix 09-11-14.01 - Scott 11/13/2009 20:42.6.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.766.477 [GMT -5:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\vaxscsi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-13 01:15 . 2009-11-13 01:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\documents and settings\Scott\Application Data\Malwarebytes
2009-11-08 00:18 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 00:18 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 00:18 . 2009-11-08 00:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 23:44 . 2009-09-23 21:37 34112 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-04 23:44 . 2009-09-23 21:37 32448 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-04 23:44 . 2009-09-23 21:37 22352 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-04 03:25 . 2009-11-04 04:07 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-04 03:25 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-04 03:25 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-04 03:25 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-04 03:24 . 2009-11-04 03:24 -------- d-----w- c:\program files\Avira
2009-11-04 03:24 . 2009-11-04 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-28 20:27 . 2009-01-19 23:46 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 01:14 . 2007-01-02 01:35 -------- d-----w- c:\program files\Java
2009-11-12 23:16 . 2004-02-04 02:25 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-12 23:03 . 2004-02-02 17:54 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-12 23:03 . 2004-02-02 17:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-12 23:03 . 2006-05-07 20:51 -------- d-----w- c:\program files\Google
2009-11-12 03:32 . 2008-03-29 22:42 -------- d-----w- c:\program files\Replay AV 8
2009-11-10 21:35 . 2004-04-10 23:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-10 21:25 . 2004-04-10 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-10 21:02 . 2007-12-31 01:05 -------- d-----w- c:\program files\Elaborate Bytes
2009-11-04 23:49 . 2009-01-15 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-01 15:06 . 2004-10-11 14:14 -------- d-----w- c:\program files\PestPatrol
2009-10-31 17:59 . 2009-05-21 23:16 -------- d-----w- c:\documents and settings\Scott\Application Data\gtk-2.0
2009-10-28 20:51 . 2009-01-20 00:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-10-20 22:47 . 2004-02-21 17:00 -------- d-----w- c:\program files\DC++
2009-10-19 23:32 . 2009-09-21 23:32 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-19 23:32 . 2009-06-22 23:33 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-18 14:40 . 2006-09-18 05:04 -------- d-----w- c:\program files\Codec Pack - All In 1
2009-10-18 14:40 . 2004-03-07 20:53 -------- d-----w- c:\program files\DivX
2009-10-03 20:23 . 2009-09-27 01:13 -------- d-----w- c:\program files\bbbbyh
2009-10-02 13:02 . 2009-10-02 13:02 -------- d-----w- c:\program files\GIMP-2.0
2001-08-23 19:00 . 2004-09-29 06:11 66048 ----a-w- c:\program files\Notepad.exe
2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 16:13 . 2005-10-24 16:13 66560 --sha-r- c:\windows\MOTA113.exe
2007-12-31 00:42 . 2007-12-31 00:42 0 --sh--w- c:\windows\S62C13959.tmp
2005-10-14 02:27 . 2005-10-14 02:27 422400 --sha-r- c:\windows\x2.64.exe
2005-10-08 02:14 . 2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 19:31 . 2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 04:37 . 2006-05-24 16:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 17:24 . 2006-04-27 17:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-10_17.25.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-03 13:43 . 2009-11-14 01:40 32768 c:\windows\TEMP\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-03 13:43 . 2009-11-10 16:42 32768 c:\windows\TEMP\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-14 01:40 . 2009-11-14 01:40 16384 c:\windows\TEMP\Perflib_Perfdata_2a4.dat
+ 2008-08-03 13:43 . 2009-11-14 01:40 49152 c:\windows\TEMP\History\History.IE5\index.dat
- 2008-08-03 13:43 . 2009-11-10 16:42 49152 c:\windows\TEMP\History\History.IE5\index.dat
- 2008-08-03 13:43 . 2009-11-10 16:42 16384 c:\windows\TEMP\Cookies\index.dat
+ 2008-08-03 13:43 . 2009-11-14 01:40 16384 c:\windows\TEMP\Cookies\index.dat
+ 2009-11-13 01:15 . 2009-11-13 01:15 149280 c:\windows\system32\javaws.exe
+ 2009-11-13 01:15 . 2009-11-13 01:15 145184 c:\windows\system32\javaw.exe
+ 2009-11-13 01:15 . 2009-11-13 01:15 145184 c:\windows\system32\java.exe
+ 2009-11-12 23:17 . 2009-11-12 23:17 3940352 c:\windows\Installer\45742ae.msi
+ 2009-11-13 01:14 . 2009-11-13 01:14 1757696 c:\windows\Installer\325a54.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"PestPatrol Control Center"="c:\progra~1\PESTPA~1\PPControl.exe" [2004-11-15 98304]
"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 148480]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-13 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-11 389120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Scott\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Scott\\My Documents\\Strongdc205\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\My Documents\\LCD++\\LDCPlusPlus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\SDC213\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\StrongDC2.2\\StrongDC.exe"=
"c:\\Documents and Settings\\Scott\\Desktop\\++\\OLDDC++PROGRAMS\\STRONGDC\\SDC221\\StrongDC.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI CD-Maker\\LiveUpdate.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2009 7:32 PM 64160]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [12/18/2005 5:58 PM 141184]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/3/2009 10:25 PM 108289]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/24/2009 6:57 AM 92008]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/29/2002 7:00 AM 14336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 23:32]

2009-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-11 01:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download Flash with Flash Capture - c:\program files\Flash Capture\dl.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\1id3iffm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\np_gp.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 20:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys >>UNKNOWN [0x82F8D0E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x82f8d0e8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1482476501-1078081533-1417001333-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-11-13 21:04
ComboFix-quarantined-files.txt 2009-11-14 02:03
ComboFix2.txt 2009-11-13 00:56
ComboFix3.txt 2009-11-12 02:42
ComboFix4.txt 2009-11-10 22:21
ComboFix5.txt 2009-11-14 01:35

Pre-Run: 22,334,353,408 bytes free
Post-Run: 22,395,183,104 bytes free

- - End Of File - - AF8F41C5ABBAA1ADBFEE50865A180385
