
Computer infected with H8SRT and krl32mainweq.dll


  • This topic is locked
9 replies to this topic

#1 bucketofbeef

Posted 30 December 2009 - 09:38 AM

A computer running XP Pro didn't boot correctly. It stalled with a black screen and a working pointer right after the Windows XP logo and progress bar. From there nothing could be done.
After failing into a BSOD with Safe Mode, the computer could eventually be started into the desktop by choosing the "Last known configuration".

When getting to the desktop, the computer was supposed to have McAfee installed, but it wasn't present in the system tray.

I ran an antivirus, Trend Micro HouseCall, and got these results: http://i49.tinypic.com/14akccg.jpg
After rebooting it was the same. So I ran Malwarebytes' Anti-Malware (I had to do the rename thing for it to run). The program (Anti-Malware) found even more. Removed it and rebooted.

The computer seems to boot fine if the network cable is not connected. That is, it boots into the desktop, the antivirus loads fine, etc. But if I boot it with a working internet connection, the screen stays black with a working mouse pointer.

Hope this info helps. I'd be glad for any kind of assistance. Thanks. Here are my logs:

---
DDS (Ver_09-12-01.01) - NTFSx86
Run by Guy at 13:33:49,54 on 2009-12-30
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.1022.168 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program\McAfee\SiteAdvisor\McSACore.exe
C:\Program\McAfee\MSC\mcmscsvc.exe
C:\Program\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
c:\program\DELADE~1\mcafee\mna\mcnasvc.exe
c:\program\DELADE~1\mcafee\mcproxy\mcproxy.exe
C:\Program\McAfee\VIRUSS~1\mcshield.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\McAfee.com\Agent\mcagent.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Windows Defender\MSASCui.exe
C:\Program\Spyware Doctor\pctsTray.exe
C:\Program\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program\Spyware Doctor\pctsAuxs.exe
C:\Program\Spyware Doctor\pctsSvc.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\Personal\bin\Personal.exe
C:\Program\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program\DELADE~1\Nokia\MPLATF~1\NOKIAM~1.EXE
C:\Program\iPod\bin\iPodService.exe
C:\Program\PC Connectivity Solution\ServiceLayer.exe
C:\Program\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program\SMS från Datorn Outlook\GWServer.exe
C:\Program\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program\Malwarebytes' Anti-Malware\go.exe
C:\Program\TeamViewer\Version5\TeamViewer.exe
C:\Documents and Settings\Guy\Skrivbord\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = www.google.se/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\program\mcafee\msk\mskapbho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program\mcafee\sitead~1\mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program\google\googletoolbar1.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program\mcafee\sitead~1\mcieplg.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program\messenger\msmsgs.exe" /background
uRun: [PC Suite Tray] "c:\program\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [SUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe
mRun: [ATIPTA] c:\program\ati technologies\ati control panel\atiptaxx.exe
mRun: [Acrobat Assistant 7.0] "c:\program\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Nokia FastStart] "c:\program\nokia\nokia music\NokiaMusic.exe" /command:faststart
mRun: [HP Software Update] c:\program\hp\hp software update\HPWuSchd2.exe
mRun: [mcagent_exe] "c:\program\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe"
mRun: [Windows Defender] "c:\program\windows defender\MSASCui.exe" -hide
mRun: [ISTray] "c:\program\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\adobea~1.lnk - c:\windows\installer\{ac76ba86-1044-f000-ba7e-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\bttray.lnk - c:\program\belkin\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\hpdigi~1.lnk - c:\program\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\nokian~1.lnk - c:\program\nokia\nnpcs\RunLauncher.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\personal.lnk - c:\program\personal\bin\Personal.exe
IE: Konvertera länkmål till Adobe PDF - c:\program\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Konvertera länkmål till befintlig PDF - c:\program\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Konvertera markering till Adobe PDF - c:\program\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Konvertera markering till befintlig PDF - c:\program\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Konvertera till Adobe PDF - c:\program\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Konvertera till befintlig PDF - c:\program\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Konvertera valda länkar till Adobe PDF - c:\program\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Konvertera valda länkar till befintlig PDF - c:\program\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program\belkin\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office11\REFIEBAR.DLL
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208942868546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program\delade~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\program\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\guy\applic~1\mozilla\firefox\profiles\ms90v1vw.default\
FF - component: c:\program\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program\personal\bin\np_prsnl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R0 DiagnosticScan;DiagnosticScan;c:\windows\system32\drivers\DiagnosticScan.SYS [2009-11-11 17408]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-29 207792]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R1 Start1Driver;Start1Driver;c:\windows\system32\drivers\Start1Driver.SYS [2009-11-11 5120]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program\spyware doctor\bdt\BDTUpdateService.exe [2009-12-29 112592]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program\mcafee\siteadvisor\McSACore.exe [2009-8-29 206112]
R2 McProxy;McAfee Proxy Service;c:\program\delade~1\mcafee\mcproxy\mcproxy.exe [2009-8-29 359952]
R2 McShield;McAfee Real-time Scanner;c:\program\mcafee\viruss~1\mcshield.exe [2009-8-29 144704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program\spyware doctor\pctsAuxs.exe [2009-12-29 359624]
R2 sdCoreService;PC Tools Security Service;c:\program\spyware doctor\pctsSvc.exe [2009-12-29 1141712]
R2 TeamViewer5;TeamViewer 5;c:\program\teamviewer\version5\TeamViewer_Service.exe [2009-12-17 185640]
R2 WinDefend;Windows Defender;c:\program\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-30 38224]
R3 McSysmon;McAfee SystemGuards;c:\program\mcafee\viruss~1\mcsysmon.exe [2009-8-29 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-29 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-29 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-29 40552]
R3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2009-12-16 7408]
S0 idbmoody;idbmoody;c:\windows\system32\drivers\hfwj.sys --> c:\windows\system32\drivers\hfwj.sys [?]
S0 tgbqfdq;tgbqfdq;c:\windows\system32\drivers\peygibwu.sys --> c:\windows\system32\drivers\peygibwu.sys [?]
S2 AV Engine Scanning Service;AV Engine Scanning Service;C:/Program/Delade filer/Common Toolkit Suite/AVEngine/AVScanningService.exe --> C:/Program/Delade filer/Common Toolkit Suite/AVEngine/AVScanningService.exe [?]
S2 Common Toolkit Service;Common Toolkit Service;c:\program\delade filer\common toolkit suite\fightersuiteservice.exe --> c:\program\delade filer\common toolkit suite\FighterSuiteService.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program\google\update\GoogleUpdate.exe [2009-10-22 133104]
S3 AVFSFilter;AVFSFilter;c:\windows\system32\drivers\avfsfilter.sys [2009-12-29 10264]
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5.SYS [2008-10-22 44224]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-29 34248]

=============== Created Last 30 ================

2009-12-30 10:29:25 678 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-30 10:28:23 202 ----a-w- c:\windows\system32\srcr.dat
2009-12-30 09:42:09 0 d-----w- c:\docume~1\guy\applic~1\TeamViewer
2009-12-30 09:41:46 0 d-----w- c:\program\TeamViewer
2009-12-30 09:40:28 0 d-----w- c:\documents and settings\guy\temp
2009-12-30 09:38:32 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-30 09:38:12 0 d-----w- c:\program\SUPERAntiSpyware
2009-12-30 09:38:12 0 d-----w- c:\docume~1\guy\applic~1\SUPERAntiSpyware.com
2009-12-30 09:37:54 0 d-----w- c:\program\delade filer\Wise Installation Wizard
2009-12-30 09:13:38 0 d-----w- c:\docume~1\guy\applic~1\Malwarebytes
2009-12-30 09:12:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 09:12:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 09:12:02 0 d-----w- c:\program\Malwarebytes' Anti-Malware
2009-12-30 09:12:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-30 08:44:44 0 d-----w- C:\COMBOFIX
2009-12-30 08:38:45 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-29 13:24:14 10264 ----a-w- c:\windows\system32\drivers\avfsfilter.sys
2009-12-29 12:44:54 883 ----a-w- c:\windows\RegSDImport.xml
2009-12-29 12:44:54 880 ----a-w- c:\windows\RegISSImport.xml
2009-12-29 12:44:54 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-29 12:44:54 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-29 12:44:54 131 ----a-w- c:\windows\IDB.zip
2009-12-29 12:44:54 1152444 ----a-w- c:\windows\UDB.zip
2009-12-29 12:44:53 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-29 12:44:53 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-29 12:43:46 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-29 12:43:46 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-29 12:43:42 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-29 12:43:42 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-29 12:43:42 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-29 12:43:42 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-29 12:43:35 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-29 12:43:35 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-29 12:43:29 0 d-----w- c:\program\delade filer\PC Tools
2009-12-29 12:43:28 0 d-----w- c:\program\Spyware Doctor
2009-12-29 12:43:28 0 d-----w- c:\docume~1\guy\applic~1\PC Tools
2009-12-29 12:43:28 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-12-29 12:11:02 0 d-----w- c:\docume~1\alluse~1\applic~1\clp
2009-12-29 12:10:19 0 d-----w- c:\docume~1\guy\applic~1\Common Toolkit Suite
2009-12-29 12:09:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Common Toolkit Suite
2009-12-29 12:03:50 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}
2009-12-29 12:03:18 0 d-----w- c:\docume~1\guy\applic~1\Fighters

==================== Find3M ====================

2009-12-10 02:26:11 87268 ----a-w- c:\windows\system32\perfc01D.dat
2009-12-10 02:26:11 453996 ----a-w- c:\windows\system32\perfh01D.dat
2009-11-15 21:48:16 17408 ----a-w- c:\windows\system32\drivers\DiagnosticScan.SYS
2009-11-02 19:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:44:35 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:40:44 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:40:44 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:38:09 270848 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:40:17 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:40:17 150016 ----a-w- c:\windows\system32\rastls.dll
2008-08-14 15:52:44 32768 -csha-w- c:\windows\system32\config\systemprofile\lokala inställningar\tidigare\history.ie5\mshist012008081420080815\index.dat

============= FINISH: 13:36:27,07 ===============
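Added here as an illustration, not code from the thread or from DDS, MBAM or ComboFix: a small Python triage script that parses the "SERVICES / DRIVERS" and "Created Last 30" sections of a DDS log in the layout shown above and flags the two patterns that later turn out to be the infection, namely boot-start services whose driver image is missing on disk ("--> ... [?]") and tiny files freshly dropped into system32 (krl32mainweq.dll is 678 bytes). The sample lines are copied from the log above; the 1 KB size threshold and the H8SRT file-name prefix (taken from the ComboFix output later in the thread) are my own choices.

```python
"""Triage helper for DDS-style logs (added example; not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS log above, kept
# in the exact DDS layout so the parser below sees realistic input.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-29 207792]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
S0 idbmoody;idbmoody;c:\windows\system32\drivers\hfwj.sys --> c:\windows\system32\drivers\hfwj.sys [?]
S0 tgbqfdq;tgbqfdq;c:\windows\system32\drivers\peygibwu.sys --> c:\windows\system32\drivers\peygibwu.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program\google\update\GoogleUpdate.exe [2009-10-22 133104]

=============== Created Last 30 ================

2009-12-30 10:29:25 678 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-30 10:28:23 202 ----a-w- c:\windows\system32\srcr.dat
2009-12-30 09:12:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 09:12:02 0 d-----w- c:\program\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-10-29 07:44:35 916480 ----a-w- c:\windows\system32\wininet.dll
"""

# "S0 name;display;image [date size]" or "... image --> image [?]" when missing
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# "YYYY-MM-DD HH:MM:SS size attrs path"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.*)$")

SYSTEM32 = "\\windows\\system32\\"
TINY_BYTES = 1024                  # assumption: no legitimate system DLL is this small
FAMILY_PREFIXES = ("h8srt",)       # file-name prefix of the rootkit seen in this thread


@dataclass
class Finding:
    section: str
    item: str
    reason: str


def flag_service(line):
    """Return a Finding for a suspicious service/driver line, else None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    start_type, start_num, name, _display, image = m.groups()
    if "-->" in image and image.rstrip().endswith("[?]"):
        kind = "boot-start driver" if start_type + start_num == "S0" else "service"
        missing = image.split(" --> ")[0]
        return Finding("services", name, f"{kind} whose image file is missing on disk: {missing}")
    fname = image.rsplit("\\", 1)[-1].split(" [")[0].lower()
    if fname.startswith(FAMILY_PREFIXES):
        return Finding("services", name, "image name carries the rootkit prefix seen in this thread")
    return None


def flag_created(line):
    """Return a Finding for a suspicious 'Created Last 30' line, else None."""
    m = CREATED_RE.match(line)
    if not m:
        return None
    _when, size, attrs, path = m.groups()
    if attrs.startswith("d"):
        return None                # directories are not interesting here
    low = path.lower()
    fname = low.rsplit("\\", 1)[-1]
    if fname.startswith(FAMILY_PREFIXES):
        return Finding("created", path, "file name carries the rootkit prefix seen in this thread")
    if SYSTEM32 in low and int(size) < TINY_BYTES and fname.endswith((".dll", ".sys", ".dat")):
        return Finding("created", path, f"{size}-byte file dropped into system32 in the last 30 days")
    return None


def scan_dds(text):
    """Walk a DDS log, tracking which section each line belongs to."""
    section = None
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):   # section banner such as "===== Created Last 30 ====="
            if "SERVICES / DRIVERS" in line:
                section = "services"
            elif "Created Last 30" in line:
                section = "created"
            else:
                section = None
            continue
        if section == "services":
            hit = flag_service(line)
        elif section == "created":
            hit = flag_created(line)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_dds(SAMPLE_DDS):
        print(f"[{f.section}] {f.item}: {f.reason}")
```

On the sample above the script reports the two S0 services with missing driver files and the two sub-kilobyte files in system32, which are exactly the items MBAM and ComboFix remove in the replies that follow.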

#2 Farbar
Posted 30 December 2009 - 02:28 PM

Hi bucketofbeef,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Open Windows Defender.
    • Click on Tools, Options.
    • Scroll down the list of options to select "Real-time Protection Options."
    • Uncheck "Use Real-Time Protection (Recommended)".
    • After you uncheck this, click on the Save button and close Windows Defender.

      Note: After all of the fixes are complete and I give you the clean sign, you can enable Real-time Protection again.
  • You have two antispyware programs (Spyware Doctor and SUPERAntiSpyware) running at the same time. Please make sure one of them will not start with Windows and is not running. You may even uninstall one of them. Having Malwarebytes on the system makes either of them unneeded. They might even clash and crash the system.

  • Open your Malwarebytes' Anti-Malware.
    • First update it; to do that, under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 bucketofbeef
Posted 31 December 2009 - 02:39 PM

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

I was unable to disable Windows Defender nicely. I got the error:

MSASCui.exe Program Error:
Couldn't initialize the program correctly (0x80000003). Press OK to terminate the program.


I opened Task Manager and killed the MSASCui.exe that was in the process list. I also killed MsMpEng.exe since these two seemed related.

I uninstalled SUPERAntiSpyware, and Spyware Doctor is now disabled.

Then I ran Malwarebytes' Anti-Malware.

Here is the Malwarebytes' Anti-Malware log:

-----
Malwarebytes' Anti-Malware 1.43
Database version: 3462
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2009-12-31 16:38:06
mbam-log-2009-12-31 (16-38-06).txt

Scan type: Quick Scan
Objects scanned: 119003
Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

--------


Rebooted as instructed. After the reboot I attempted to run ComboFix. I downloaded it from the recommended URL. ComboFix wouldn't start. After renaming it, it started.

This is the log from ComboFix:

ComboFix 09-12-31.01 - Guy 2009-12-31 18:12:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.1022.550 [GMT 1:00]
Körs från: c:\combofix\JumboFax.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Guy\LOKALA~1\Temp\install_flash_player.exe
c:\windows\system32\drivers\H8SRTedkyjualpw.sys
c:\windows\system32\H8SRTjhndqopulv.dll
c:\windows\system32\H8SRTlaaukaatvq.dll
c:\windows\system32\H8SRTncyurnbdcv.dll
c:\windows\system32\H8SRTuobcdccpdw.dat
c:\windows\system32\pagefileconfig.vbs
c:\windows\system32\srcr.dat

.
((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


(((((((((((((((((((((((( Filer Skapade från 2009-11-28 till 2009-12-31 ))))))))))))))))))))))))))))))
.

2009-12-31 16:02 . 2009-12-31 16:02 879 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-30 09:42 . 2009-12-30 09:42 -------- d-----w- c:\documents and settings\Guy\Application Data\TeamViewer
2009-12-30 09:41 . 2009-12-30 09:41 -------- d-----w- c:\program\TeamViewer
2009-12-30 09:40 . 2009-12-30 09:40 -------- d-----w- c:\documents and settings\Guy\temp
2009-12-30 09:38 . 2009-12-30 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-30 09:38 . 2009-12-31 15:04 -------- d-----w- c:\program\SUPERAntiSpyware
2009-12-30 09:38 . 2009-12-30 09:38 -------- d-----w- c:\documents and settings\Guy\Application Data\SUPERAntiSpyware.com
2009-12-30 09:13 . 2009-12-30 09:13 -------- d-----w- c:\documents and settings\Guy\Application Data\Malwarebytes
2009-12-30 09:12 . 2009-12-30 13:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 09:12 . 2009-12-31 15:20 -------- d-----w- c:\program\Malwarebytes' Anti-Malware
2009-12-30 09:12 . 2009-12-30 13:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 09:12 . 2009-12-30 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-30 08:44 . 2009-12-31 16:52 -------- d-----w- C:\COMBOFIX
2009-12-30 08:42 . 2009-12-30 08:42 0 ----a-w- c:\windows\nsreg.dat
2009-12-30 08:38 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-29 13:24 . 2009-12-11 12:34 10264 ----a-w- c:\windows\system32\drivers\avfsfilter.sys
2009-12-29 12:44 . 2009-11-10 09:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-29 12:44 . 2009-11-10 09:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-29 12:44 . 2009-10-28 00:36 1152444 ----a-w- c:\windows\UDB.zip
2009-12-29 12:44 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip
2009-12-29 12:44 . 2009-11-10 09:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-29 12:44 . 2009-11-10 09:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-29 12:43 . 2009-10-30 10:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-29 12:43 . 2009-11-09 10:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-29 12:43 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-29 12:43 . 2009-09-03 08:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-29 12:43 . 2009-12-29 12:45 -------- d-----w- c:\program\Delade filer\PC Tools
2009-12-29 12:43 . 2009-12-31 15:01 -------- d-----w- c:\program\Spyware Doctor
2009-12-29 12:43 . 2009-12-29 12:43 -------- d-----w- c:\documents and settings\Guy\Application Data\PC Tools
2009-12-29 12:43 . 2009-12-29 12:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-12-29 12:11 . 2009-12-29 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\clp
2009-12-29 12:10 . 2009-12-29 13:24 -------- d-----w- c:\documents and settings\Guy\Application Data\Common Toolkit Suite
2009-12-29 12:09 . 2009-12-29 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Toolkit Suite
2009-12-29 12:03 . 2009-12-29 12:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}
2009-12-29 12:03 . 2009-12-29 12:03 -------- d-----w- c:\documents and settings\Guy\Application Data\Fighters
2009-12-09 09:21 . 2009-12-09 09:21 -------- d-----w- c:\program\Delade filer\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 17:23 . 2009-11-16 18:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-31 15:12 . 2009-12-31 15:12 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-31 14:57 . 2009-11-17 20:17 -------- d-----w- c:\program\Windows Defender
2009-12-30 10:52 . 2008-06-27 17:44 -------- d-----w- c:\documents and settings\Guy\Application Data\OutlookAddin
2009-12-30 09:39 . 2009-12-30 09:39 52224 ----a-w- c:\documents and settings\Guy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-30 09:39 . 2009-12-30 09:39 117760 ----a-w- c:\documents and settings\Guy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-30 08:36 . 2006-11-03 11:20 -------- d-----w- c:\documents and settings\Guy\Application Data\Skype
2009-12-30 08:31 . 2007-12-04 09:34 -------- d-----w- c:\documents and settings\Guy\Application Data\skypePM
2009-12-29 12:37 . 2008-10-01 20:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-12-18 06:34 . 2009-11-11 15:45 -------- d-----w- c:\program\AA
2009-12-11 12:44 . 2009-12-29 12:10 2969208 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SPYWAREfighter.exe
2009-12-11 12:44 . 2009-12-29 12:04 463496 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Toolkit\25C348B6\7973EFCA\FighterSuiteClient.dll
2009-12-11 12:44 . 2009-12-29 12:04 676488 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Toolkit\1EE46BE9\7973EFCA\FighterSuiteService.exe
2009-12-11 12:44 . 2009-12-29 12:04 225928 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Toolkit\6C72E19E\7973EFCA\FighterLauncher.exe
2009-12-11 12:44 . 2009-12-29 12:04 774792 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SWPRO\53462D78\3C94288E\swpro.dll
2009-12-11 12:44 . 2009-12-29 12:04 2330248 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SWPRO\6904C2BB\3C94288E\sfhtml.dll
2009-12-11 12:44 . 2009-12-29 12:04 574088 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SWPRO\2C0CE245\3C94288E\swproTray.exe
2009-12-11 12:34 . 2009-12-29 12:03 13720 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\1AAF4B16\784E0F06\avfsfilter.sys
2009-12-11 12:34 . 2009-12-29 12:03 10264 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\A9BBB5E0\22F9FC7F\avfsfilter.sys
2009-12-11 12:34 . 2009-12-29 12:04 659456 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SWPRO\9D95263A\B0EB1015\QtNetwork4.dll
2009-12-11 12:34 . 2009-12-29 12:04 344064 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SWPRO\9D95263A\B0EB1015\QtXml4.dll
2009-12-11 12:34 . 2009-12-29 12:04 2121728 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SWPRO\9D95263A\B0EB1015\QtCore4.dll
2009-12-11 12:34 . 2009-12-29 12:03 661888 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\1282CB8D\B0EB1015\AVScanningService.exe
2009-12-11 12:34 . 2009-12-29 12:03 659456 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\B22E4B26\B0EB1015\QtNetwork4.dll
2009-12-11 12:34 . 2009-12-29 12:03 373488 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\B22E4B26\B0EB1015\VBAdapter.dll
2009-12-11 12:34 . 2009-12-29 12:03 344064 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\B22E4B26\B0EB1015\QtXml4.dll
2009-12-11 12:34 . 2009-12-29 12:03 241648 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\D075E43B\B0EB1015\AVEngine.dll
2009-12-11 12:34 . 2009-12-29 12:03 2121728 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\B22E4B26\B0EB1015\QtCore4.dll
2009-12-11 12:34 . 2009-12-29 12:03 1205720 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\B22E4B26\B0EB1015\vbengnt.dll
2009-12-11 09:03 . 2009-12-11 09:03 59904 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\zlib1.dll
2009-12-11 09:03 . 2009-12-11 09:03 315392 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\jogl.dll
2009-12-11 09:03 . 2009-12-11 09:03 20480 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\jogl_awt.dll
2009-12-11 09:03 . 2009-12-11 09:03 90112 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\DXPlugin.dll
2009-12-11 09:03 . 2009-12-11 09:03 69632 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\SystemInfo.dll
2009-12-11 09:03 . 2009-12-11 09:03 6656 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeDiskfree.dll
2009-12-11 09:03 . 2009-12-11 09:03 61440 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeUnzip.dll
2009-12-11 09:03 . 2009-12-11 09:03 57344 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\DXT.dll
2009-12-11 09:03 . 2009-12-11 09:03 20480 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\gluegen-rt.dll
2009-12-11 09:03 . 2009-12-11 09:03 155648 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeJpegDecoder.dll
2009-12-10 02:26 . 2004-08-04 10:00 87268 ----a-w- c:\windows\system32\perfc01D.dat
2009-12-10 02:26 . 2004-08-04 10:00 453996 ----a-w- c:\windows\system32\perfh01D.dat
2009-12-09 09:26 . 2006-11-03 15:30 -------- d-----w- c:\program\Google
2009-12-09 09:21 . 2006-11-03 11:20 -------- d-----r- c:\program\Skype
2009-12-09 09:21 . 2007-05-01 07:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-04 08:09 . 2009-08-29 18:06 -------- d-----w- c:\program\McAfee
2009-11-21 12:53 . 2009-11-21 12:53 -------- d-----w- c:\documents and settings\Guy\Application Data\GARMIN
2009-11-21 12:44 . 2009-11-21 12:44 -------- d-----w- c:\program\Garmin
2009-11-21 12:44 . 2006-11-06 16:56 -------- d-----w- c:\program\DIFX
2009-11-16 16:21 . 2006-11-02 20:04 -------- d-----w- c:\program\WLPlus
2009-11-15 21:48 . 2009-11-11 15:45 17408 ----a-w- c:\windows\system32\drivers\DiagnosticScan.SYS
2009-11-12 12:25 . 2009-11-10 20:52 -------- d-----w- c:\program\Windows Live Safety Center
2009-11-03 16:15 . 2009-11-03 16:14 -------- d-----w- c:\program\iTunes
2009-11-03 16:14 . 2009-11-03 16:14 -------- d-----w- c:\program\iPod
2009-11-03 16:14 . 2007-08-12 07:54 -------- d-----w- c:\program\Delade filer\Apple
2009-11-03 16:07 . 2009-11-03 16:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-02 19:42 . 2009-11-17 20:18 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 09:49 . 2009-04-28 15:29 90112 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\DXPlugin.dll
2009-11-01 09:49 . 2009-04-28 15:29 69632 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\SystemInfo.dll
2009-11-01 09:49 . 2009-04-28 15:29 6656 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\NativeDiskfree.dll
2009-11-01 09:49 . 2009-04-28 15:29 61440 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\NativeUnzip.dll
2009-11-01 09:49 . 2009-04-28 15:29 59904 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\zlib1.dll
2009-11-01 09:49 . 2009-04-28 15:29 57344 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\DXT.dll
2009-11-01 09:49 . 2009-04-28 15:29 315392 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\jogl.dll
2009-11-01 09:49 . 2009-04-28 15:29 20480 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\jogl_awt.dll
2009-11-01 09:49 . 2009-04-28 15:29 20480 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\gluegen-rt.dll
2009-11-01 09:49 . 2009-04-28 15:29 155648 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\NativeJpegDecoder.dll
2009-10-29 07:44 . 2006-03-04 03:36 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:40 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:40 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-19 09:21 . 2009-11-11 15:45 5120 ----a-w- c:\windows\system32\drivers\Start1Driver.SYS
2009-10-13 10:38 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:40 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:40 . 2004-08-04 10:00 150016 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 11:05 . 2009-10-12 11:05 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\msxml6Exec.exe
2009-10-12 11:05 . 2009-10-12 11:05 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\Sleep.exe
2009-10-12 11:05 . 2009-10-12 11:05 3181612 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\vcredistExec.exe
2009-10-12 11:04 . 2009-10-12 11:05 24514368 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\NokiaSoftwareUpdaterSetup_se[1].exe
2009-10-12 10:50 . 2009-10-12 10:50 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
2009-10-12 10:50 . 2009-10-12 10:50 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
2009-10-12 10:50 . 2009-10-12 10:50 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-10-12 10:50 . 2009-10-12 10:50 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe
2009-10-12 10:49 . 2009-10-12 10:50 33843192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_swe_web[1].exe
.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-14 68856]
"MSMSGS"="c:\program\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PC Suite Tray"="c:\program\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-31 344064]
"Acrobat Assistant 7.0"="c:\program\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Nokia FastStart"="c:\program\Nokia\Nokia Music\NokiaMusic.exe" [2008-10-17 2323680]
"HP Software Update"="c:\program\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"mcagent_exe"="c:\program\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"Windows Defender"="c:\program\Windows Defender\MSASCui.exe" [2006-11-03 866584]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1044-F000-BA7E-000000000002}\SC_Acrobat.exe [2006-11-2 25214]
BTTray.lnk - c:\program\Belkin\Bluetooth Software\BTTray.exe [2003-9-16 499779]
HP Digital Imaging Monitor.lnk - c:\program\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Nokia Nseries PC Suite.lnk - c:\program\Nokia\NNPCS\RunLauncher.exe [2008-5-8 943568]
Personal.lnk - c:\program\Personal\bin\Personal.exe [2009-7-6 939536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program\\Bonjour\\mDNSResponder.exe"=
"c:\\Program\\Delade filer\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program\\iTunes\\iTunes.exe"=
"c:\\Program\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program\\Skype\\Phone\\Skype.exe"=
"c:\\Program\\TeamViewer\\Version5\\TeamViewer.exe"=

R0 DiagnosticScan;DiagnosticScan;c:\windows\system32\drivers\DiagnosticScan.SYS [2009-11-11 17408]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-29 207792]
R1 Start1Driver;Start1Driver;c:\windows\system32\drivers\Start1Driver.SYS [2009-11-11 5120]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program\Spyware Doctor\BDT\BDTUpdateService.exe [2009-12-29 112592]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program\McAfee\SiteAdvisor\McSACore.exe [2009-08-29 206112]
R2 TeamViewer5;TeamViewer 5;c:\program\TeamViewer\Version5\TeamViewer_Service.exe [2009-12-17 185640]
R2 WinDefend;Windows Defender;c:\program\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 gaiw;gaiw;c:\windows\system32\drivers\yeecf.sys --> c:\windows\system32\drivers\yeecf.sys [?]
S0 idbmoody;idbmoody;c:\windows\system32\drivers\hfwj.sys --> c:\windows\system32\drivers\hfwj.sys [?]
S0 tgbqfdq;tgbqfdq;c:\windows\system32\drivers\peygibwu.sys --> c:\windows\system32\drivers\peygibwu.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program\SUPERAntiSpyware\SASKUTIL.sys --> c:\program\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 AV Engine Scanning Service;AV Engine Scanning Service;C:/Program/Delade filer/Common Toolkit Suite/AVEngine/AVScanningService.exe --> C:/Program/Delade filer/Common Toolkit Suite/AVEngine/AVScanningService.exe [?]
S2 Common Toolkit Service;Common Toolkit Service;c:\program\Delade filer\Common Toolkit Suite\FighterSuiteService.exe --> c:\program\Delade filer\Common Toolkit Suite\FighterSuiteService.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program\Google\Update\GoogleUpdate.exe [2009-10-22 133104]
S3 AVFSFilter;AVFSFilter;c:\windows\system32\drivers\avfsfilter.sys [2009-12-29 10264]
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5.SYS [2008-10-22 44224]
S3 SASENUM;SASENUM;\??\c:\program\SUPERAntiSpyware\SASENUM.SYS --> c:\program\SUPERAntiSpyware\SASENUM.SYS [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program\Spyware Doctor\pctsAuxs.exe [2009-12-29 359624]
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program\Google\Update\GoogleUpdate.exe [2009-10-22 10:25]

2009-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program\Google\Update\GoogleUpdate.exe [2009-10-22 10:25]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program\mcafee\mqc\QcConsol.exe [2009-08-29 10:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\program\mcafee\mqc\QcConsol.exe [2009-08-29 10:22]

2009-12-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-12-30 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2009-12-31 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2009-12-31 c:\windows\Tasks\User_Feed_Synchronization-{2B049807-2A06-462C-AC85-85C594E4757D}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Extra genomsökning -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = www.google.se/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Konvertera länkmål till Adobe PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Konvertera länkmål till befintlig PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Konvertera markering till Adobe PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Konvertera markering till befintlig PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Konvertera till Adobe PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Konvertera till befintlig PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Konvertera valda länkar till Adobe PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Konvertera valda länkar till befintlig PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Guy\Application Data\Mozilla\Firefox\Profiles\ms90v1vw.default\
FF - component: c:\program\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program\Personal\bin\np_prsnl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----
c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

HKCU-Run-SUPERAntiSpyware - c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-31 18:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP000000199BAC5384EF6FD59B 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AV Engine Scanning Service]
"ImagePath"="C:/Program/Delade filer/Common Toolkit Suite/AVEngine/AVScanningService.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AV Engine Scanning Service]
"ImagePath"="C:/Program/Delade filer/Common Toolkit Suite/AVEngine/AVScanningService.exe"
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ€|˙˙˙˙•€|ų•6~*]
"D140AC1900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'explorer.exe'(2176)
c:\program\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_swe.nlr
c:\program\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andra processer som körs ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program\Bonjour\mDNSResponder.exe
c:\program\Belkin\Bluetooth Software\bin\btwdins.exe
c:\program\McAfee\MSC\mcmscsvc.exe
c:\program\McAfee\VIRUSS~1\mcshield.exe
c:\program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\rundll32.exe
c:\program\McAfee\VIRUSS~1\mcsysmon.exe
c:\program\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program\iPod\bin\iPodService.exe
c:\program\PC Connectivity Solution\ServiceLayer.exe
c:\program\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\program\PC Connectivity Solution\Transports\NclBCBTSrv.exe
c:\program\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program\DELADE~1\Nokia\MPLATF~1\NOKIAM~1.EXE
.
**************************************************************************
.
Sluttid: 2009-12-31 18:40:58 - datorn startades om.
ComboFix-quarantined-files.txt 2009-12-31 17:40

Före genomsökningen: 135 198 482 432 byte ledigt
Efter genomsökningen: 135 312 818 176 byte ledigt

WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 58769423C0DF184CB4E3E0D8DA2EA3AD


I haven't done anything with the computer after that. I hope this will help. Once again, thank you for the assistance.

#4 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 31 December 2009 - 10:57 PM

Well done. :(

I see some entries on the log I don't recognize and can't find anything conclusive about them:

S2 AV Engine Scanning Service;AV Engine Scanning Service;C:/Program/Delade filer/Common Toolkit Suite/AVEngine/AVScanningService.exe --> C:/Program/Delade filer/Common Toolkit Suite/AVEngine/AVScanningService.exe [?]
S2 Common Toolkit Service;Common Toolkit Service;c:\program\Delade filer\Common Toolkit Suite\FighterSuiteService.exe --> c:\program\Delade filer\Common Toolkit Suite\FighterSuiteService.exe [?]
S3 AVFSFilter;AVFSFilter;c:\windows\system32\drivers\avfsfilter.sys [2009-12-29 10264]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AV Engine Scanning Service]
"ImagePath"="C:/Program/Delade filer/Common Toolkit Suite/AVEngine/AVScanningService.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AV Engine Scanning Service]
"ImagePath"="C:/Program/Delade filer/Common Toolkit Suite/AVEngine/AVScanningService.exe"

Do you know Delade filer or AV Engine Scanning Service?
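A small triage script for this kind of log, added here as an example and not part of the thread or of ComboFix: it re-implements the checks a helper does by eye on the log above, flagging every service line ComboFix marked with `[?]` (image file missing), the Security Center `DisableMonitoring` switches, and the hidden-file count from the catchme section. The sample log is a constructed excerpt of lines quoted in this thread; the line formats are those ComboFix printed, and everything else (names, regexes, report wording) is this example's own.

```python
import re
from dataclasses import dataclass, field

# ComboFix service line:
#   "<Rn|Sn> <name>;<display name>;<image path>[ --> <resolved path>] [<date size> | ?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<stamp>[^\]]*)\]$"
)
# Registry key header ComboFix prints for a Security Center monitoring switch
MONITOR_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\"
    r"(?P<product>[^\]\\]+)\]$",
    re.IGNORECASE,
)
DISABLED_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')
HIDDEN_RE = re.compile(r"^hidden files: (?P<n>\d+)$")


@dataclass
class Findings:
    missing_image: list = field(default_factory=list)   # service names marked [?]
    monitoring_off: list = field(default_factory=list)  # Security Center products
    hidden_files: int = 0                               # count from catchme section


def triage(log_text: str) -> Findings:
    """Walk a ComboFix log and collect the three signals described above."""
    found = Findings()
    product = None  # Security Center key whose values we are currently inside
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            # "[?]" means ComboFix could not stat the image file: the service
            # registration has outlived (or never had) its driver/executable.
            # Leftovers of uninstalled security tools look the same as malware
            # remnants here, so this is a review list, not a verdict.
            if m.group("stamp") == "?":
                found.missing_image.append(m.group("name"))
            continue
        m = MONITOR_KEY_RE.match(line)
        if m:
            product = m.group("product")
            continue
        if line.startswith("["):
            product = None  # some other registry key started
            continue
        if product and DISABLED_RE.match(line):
            found.monitoring_off.append(product)
            continue
        m = HIDDEN_RE.match(line)
        if m:
            found.hidden_files = int(m.group("n"))
    return found


def report(found: Findings) -> list:
    """Human-readable review lines, in the order a helper would read them."""
    lines = [f"service '{name}': image file missing ([?]) - review the registration"
             for name in found.missing_image]
    lines += [f"Security Center monitoring disabled for {p} (DisableMonitoring=1)"
              for p in found.monitoring_off]
    if found.hidden_files:
        lines.append(f"catchme reported {found.hidden_files} hidden file(s) - inspect the listed path")
    return lines


# Constructed excerpt assembled from lines quoted in the thread above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-29 207792]
R2 WinDefend;Windows Defender;c:\program\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 gaiw;gaiw;c:\windows\system32\drivers\yeecf.sys --> c:\windows\system32\drivers\yeecf.sys [?]
S0 idbmoody;idbmoody;c:\windows\system32\drivers\hfwj.sys --> c:\windows\system32\drivers\hfwj.sys [?]
S0 tgbqfdq;tgbqfdq;c:\windows\system32\drivers\peygibwu.sys --> c:\windows\system32\drivers\peygibwu.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program\SUPERAntiSpyware\SASKUTIL.sys --> c:\program\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 AV Engine Scanning Service;AV Engine Scanning Service;C:/Program/Delade filer/Common Toolkit Suite/AVEngine/AVScanningService.exe --> C:/Program/Delade filer/Common Toolkit Suite/AVEngine/AVScanningService.exe [?]
S2 Common Toolkit Service;Common Toolkit Service;c:\program\Delade filer\Common Toolkit Suite\FighterSuiteService.exe --> c:\program\Delade filer\Common Toolkit Suite\FighterSuiteService.exe [?]
S3 AVFSFilter;AVFSFilter;c:\windows\system32\drivers\avfsfilter.sys [2009-12-29 10264]
S3 SASENUM;SASENUM;\??\c:\program\SUPERAntiSpyware\SASENUM.SYS --> c:\program\SUPERAntiSpyware\SASENUM.SYS [?]

scan completed successfully
hidden files: 1
"""

if __name__ == "__main__":
    for entry in report(triage(SAMPLE_LOG)):
        print(entry)
```

The seven services it flags are exactly the `[?]` entries in the log; AVFSFilter is not flagged because its driver file was present, which is why a helper still reads the list rather than acting on it blindly.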

#5 bucketofbeef

  • Topic Starter
  • Members
  • 12 posts

Posted 01 January 2010 - 08:27 AM

It's a Swedish Windows XP Pro, where "Delade Filer" is what's called "Common Files" on an English version of XP.

When I tried to find it through Windows Explorer I couldn't find the folder called "C:/Program/Delade filer/Common Toolkit Suite/" anymore.
Only C:/Program/Delade filer exists. Therefore I cannot give you any more info about the folder you're asking for.
I've made sure that these files are accessible from Explorer (hidden files and operating system files are visible).

Another thing. Unfortunately, I left the computer unattended (this computer is not mine). When I got back to it, the owner had intentionally run Malwarebytes Anti-Malware and performed a full scan. Would this interfere with the process?

Here are the results. I figured I might as well post them:
http://i48.tinypic.com/2n22qsz.jpg

I haven't tried to remove the found objects with MBAM though.
I'm also posting the log from MBAM.


Edited by bucketofbeef, 01 January 2010 - 08:31 AM.


#6 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 January 2010 - 10:06 AM

  • Open notepad and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/282791/computer-infected-with-h8srt-and-krl32mainweqdll/
    
    Collect::
    c:\windows\system32\krl32mainweq.dll
    Driver::
    gaiw
    idbmoody
    tgbqfdq
    SASKUTIL
    SASENUM
    AV Engine Scanning Service
    Common Toolkit Service
    AVFSFilter
    Folder::
    C:/Program/Delade filer/Common Toolkit Suite
    File::
    c:\windows\system32\drivers\avfsfilter.sys
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
  • Tell me also how the computer is running.


#7 bucketofbeef

  • Topic Starter
  • Members
  • 12 posts

Posted 01 January 2010 - 02:56 PM

I did everything according to instructions.

Java JRE is now updated.

I haven't updated other Software such as Acrobat Reader yet.

The computer seems to be running OK. The black screen that occurred after every boot is now gone. But since running ComboFix from the last post, the computer hasn't been rebooted. Also the McAfee Security Suite is still disabled. Should I re-enable it?

Also, I haven't used the computer for anything after the steps in the prior post above.

Should I run MBAM to see if there is still something? Thanks

Here is the log from ComboFix:

ComboFix 09-12-31.A1 - Guy 2010-01-01 16:25:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.1022.270 [GMT 1:00]
Körs från: c:\documents and settings\Guy\Skrivbord\ComboFix.exe
Använda kommandoväxlar :: c:\documents and settings\Guy\Skrivbord\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\drivers\avfsfilter.sys"

file zipped: c:\windows\system32\krl32mainweq.dll
.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\avfsfilter.sys
c:\windows\system32\krl32mainweq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVFSFILTER
-------\Legacy_AV_ENGINE_SCANNING_SERVICE
-------\Legacy_COMMON_TOOLKIT_SERVICE
-------\Legacy_SASENUM
-------\Legacy_SASKUTIL
-------\Service_AV Engine Scanning Service
-------\Service_AVFSFilter
-------\Service_Common Toolkit Service
-------\Service_gaiw
-------\Service_idbmoody
-------\Service_SASENUM
-------\Service_SASKUTIL
-------\Service_tgbqfdq


(((((((((((((((((((((((( Filer Skapade från 2009-12-01 till 2010-01-01 ))))))))))))))))))))))))))))))
.

2009-12-30 09:42 . 2009-12-30 09:42 -------- d-----w- c:\documents and settings\Guy\Application Data\TeamViewer
2009-12-30 09:41 . 2009-12-30 09:41 -------- d-----w- c:\program\TeamViewer
2009-12-30 09:40 . 2009-12-30 09:40 -------- d-----w- c:\documents and settings\Guy\temp
2009-12-30 09:38 . 2009-12-30 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-30 09:38 . 2009-12-31 15:04 -------- d-----w- c:\program\SUPERAntiSpyware
2009-12-30 09:38 . 2009-12-30 09:38 -------- d-----w- c:\documents and settings\Guy\Application Data\SUPERAntiSpyware.com
2009-12-30 09:13 . 2009-12-30 09:13 -------- d-----w- c:\documents and settings\Guy\Application Data\Malwarebytes
2009-12-30 09:12 . 2009-12-30 13:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 09:12 . 2009-12-31 15:20 -------- d-----w- c:\program\Malwarebytes' Anti-Malware
2009-12-30 09:12 . 2009-12-30 13:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 09:12 . 2009-12-30 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-30 08:42 . 2009-12-30 08:42 0 ----a-w- c:\windows\nsreg.dat
2009-12-30 08:38 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-29 12:44 . 2009-11-10 09:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-29 12:44 . 2009-11-10 09:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-29 12:44 . 2009-10-28 00:36 1152444 ----a-w- c:\windows\UDB.zip
2009-12-29 12:44 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip
2009-12-29 12:44 . 2009-11-10 09:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-29 12:44 . 2009-11-10 09:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-29 12:43 . 2009-10-30 10:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-29 12:43 . 2009-11-09 10:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-29 12:43 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-29 12:43 . 2009-09-03 08:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-29 12:43 . 2009-12-29 12:45 -------- d-----w- c:\program\Delade filer\PC Tools
2009-12-29 12:43 . 2009-12-31 15:01 -------- d-----w- c:\program\Spyware Doctor
2009-12-29 12:43 . 2009-12-29 12:43 -------- d-----w- c:\documents and settings\Guy\Application Data\PC Tools
2009-12-29 12:43 . 2009-12-29 12:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-12-29 12:11 . 2009-12-29 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\clp
2009-12-29 12:10 . 2009-12-29 13:24 -------- d-----w- c:\documents and settings\Guy\Application Data\Common Toolkit Suite
2009-12-29 12:09 . 2009-12-29 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Toolkit Suite
2009-12-29 12:03 . 2009-12-29 12:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}
2009-12-29 12:03 . 2009-12-29 12:03 -------- d-----w- c:\documents and settings\Guy\Application Data\Fighters
2009-12-09 09:21 . 2009-12-09 09:21 -------- d-----w- c:\program\Delade filer\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-01 15:33 . 2009-11-16 18:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-31 15:12 . 2009-12-31 15:12 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-31 14:57 . 2009-11-17 20:17 -------- d-----w- c:\program\Windows Defender
2009-12-30 10:52 . 2008-06-27 17:44 -------- d-----w- c:\documents and settings\Guy\Application Data\OutlookAddin
2009-12-30 09:39 . 2009-12-30 09:39 52224 ----a-w- c:\documents and settings\Guy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-30 09:39 . 2009-12-30 09:39 117760 ----a-w- c:\documents and settings\Guy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-30 08:36 . 2006-11-03 11:20 -------- d-----w- c:\documents and settings\Guy\Application Data\Skype
2009-12-30 08:31 . 2007-12-04 09:34 -------- d-----w- c:\documents and settings\Guy\Application Data\skypePM
2009-12-29 12:37 . 2008-10-01 20:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-12-18 06:34 . 2009-11-11 15:45 -------- d-----w- c:\program\AA
2009-12-11 12:44 . 2009-12-29 12:10 2969208 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SPYWAREfighter.exe
2009-12-11 12:44 . 2009-12-29 12:04 463496 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Toolkit\25C348B6\7973EFCA\FighterSuiteClient.dll
2009-12-11 12:44 . 2009-12-29 12:04 676488 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Toolkit\1EE46BE9\7973EFCA\FighterSuiteService.exe
2009-12-11 12:44 . 2009-12-29 12:04 225928 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Toolkit\6C72E19E\7973EFCA\FighterLauncher.exe
2009-12-11 12:44 . 2009-12-29 12:04 774792 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SWPRO\53462D78\3C94288E\swpro.dll
2009-12-11 12:44 . 2009-12-29 12:04 2330248 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SWPRO\6904C2BB\3C94288E\sfhtml.dll
2009-12-11 12:44 . 2009-12-29 12:04 574088 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SWPRO\2C0CE245\3C94288E\swproTray.exe
2009-12-11 12:34 . 2009-12-29 12:03 13720 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\1AAF4B16\784E0F06\avfsfilter.sys
2009-12-11 12:34 . 2009-12-29 12:03 10264 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\A9BBB5E0\22F9FC7F\avfsfilter.sys
2009-12-11 12:34 . 2009-12-29 12:04 659456 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SWPRO\9D95263A\B0EB1015\QtNetwork4.dll
2009-12-11 12:34 . 2009-12-29 12:04 344064 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SWPRO\9D95263A\B0EB1015\QtXml4.dll
2009-12-11 12:34 . 2009-12-29 12:04 2121728 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\SWPRO\9D95263A\B0EB1015\QtCore4.dll
2009-12-11 12:34 . 2009-12-29 12:03 661888 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\1282CB8D\B0EB1015\AVScanningService.exe
2009-12-11 12:34 . 2009-12-29 12:03 659456 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\B22E4B26\B0EB1015\QtNetwork4.dll
2009-12-11 12:34 . 2009-12-29 12:03 373488 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\B22E4B26\B0EB1015\VBAdapter.dll
2009-12-11 12:34 . 2009-12-29 12:03 344064 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\B22E4B26\B0EB1015\QtXml4.dll
2009-12-11 12:34 . 2009-12-29 12:03 241648 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\D075E43B\B0EB1015\AVEngine.dll
2009-12-11 12:34 . 2009-12-29 12:03 2121728 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\B22E4B26\B0EB1015\QtCore4.dll
2009-12-11 12:34 . 2009-12-29 12:03 1205720 -c--a-w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}\Common\B22E4B26\B0EB1015\vbengnt.dll
2009-12-11 09:03 . 2009-12-11 09:03 59904 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\zlib1.dll
2009-12-11 09:03 . 2009-12-11 09:03 315392 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\jogl.dll
2009-12-11 09:03 . 2009-12-11 09:03 20480 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\jogl_awt.dll
2009-12-11 09:03 . 2009-12-11 09:03 90112 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\DXPlugin.dll
2009-12-11 09:03 . 2009-12-11 09:03 69632 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\SystemInfo.dll
2009-12-11 09:03 . 2009-12-11 09:03 6656 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeDiskfree.dll
2009-12-11 09:03 . 2009-12-11 09:03 61440 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeUnzip.dll
2009-12-11 09:03 . 2009-12-11 09:03 57344 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\DXT.dll
2009-12-11 09:03 . 2009-12-11 09:03 20480 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\gluegen-rt.dll
2009-12-11 09:03 . 2009-12-11 09:03 155648 ----a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeJpegDecoder.dll
2009-12-10 02:26 . 2004-08-04 10:00 87268 ----a-w- c:\windows\system32\perfc01D.dat
2009-12-10 02:26 . 2004-08-04 10:00 453996 ----a-w- c:\windows\system32\perfh01D.dat
2009-12-09 09:26 . 2006-11-03 15:30 -------- d-----w- c:\program\Google
2009-12-09 09:21 . 2006-11-03 11:20 -------- d-----r- c:\program\Skype
2009-12-09 09:21 . 2007-05-01 07:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-04 08:09 . 2009-08-29 18:06 -------- d-----w- c:\program\McAfee
2009-11-21 12:53 . 2009-11-21 12:53 -------- d-----w- c:\documents and settings\Guy\Application Data\GARMIN
2009-11-21 12:44 . 2009-11-21 12:44 -------- d-----w- c:\program\Garmin
2009-11-21 12:44 . 2006-11-06 16:56 -------- d-----w- c:\program\DIFX
2009-11-16 16:21 . 2006-11-02 20:04 -------- d-----w- c:\program\WLPlus
2009-11-15 21:48 . 2009-11-11 15:45 17408 ----a-w- c:\windows\system32\drivers\DiagnosticScan.SYS
2009-11-12 12:25 . 2009-11-10 20:52 -------- d-----w- c:\program\Windows Live Safety Center
2009-11-03 16:15 . 2009-11-03 16:14 -------- d-----w- c:\program\iTunes
2009-11-03 16:14 . 2009-11-03 16:14 -------- d-----w- c:\program\iPod
2009-11-03 16:14 . 2007-08-12 07:54 -------- d-----w- c:\program\Delade filer\Apple
2009-11-03 16:07 . 2009-11-03 16:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-02 19:42 . 2009-11-17 20:18 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 09:49 . 2009-04-28 15:29 90112 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\DXPlugin.dll
2009-11-01 09:49 . 2009-04-28 15:29 69632 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\SystemInfo.dll
2009-11-01 09:49 . 2009-04-28 15:29 6656 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\NativeDiskfree.dll
2009-11-01 09:49 . 2009-04-28 15:29 61440 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\NativeUnzip.dll
2009-11-01 09:49 . 2009-04-28 15:29 59904 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\zlib1.dll
2009-11-01 09:49 . 2009-04-28 15:29 57344 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\DXT.dll
2009-11-01 09:49 . 2009-04-28 15:29 315392 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\jogl.dll
2009-11-01 09:49 . 2009-04-28 15:29 20480 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\jogl_awt.dll
2009-11-01 09:49 . 2009-04-28 15:29 20480 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\gluegen-rt.dll
2009-11-01 09:49 . 2009-04-28 15:29 155648 -c--a-w- c:\documents and settings\Guy\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\NativeJpegDecoder.dll
2009-10-29 07:44 . 2006-03-04 03:36 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:40 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:40 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-19 09:21 . 2009-11-11 15:45 5120 ----a-w- c:\windows\system32\drivers\Start1Driver.SYS
2009-10-13 10:38 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:40 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:40 . 2004-08-04 10:00 150016 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 11:05 . 2009-10-12 11:05 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\msxml6Exec.exe
2009-10-12 11:05 . 2009-10-12 11:05 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\Sleep.exe
2009-10-12 11:05 . 2009-10-12 11:05 3181612 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\vcredistExec.exe
2009-10-12 11:04 . 2009-10-12 11:05 24514368 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\NokiaSoftwareUpdaterSetup_se[1].exe
2009-10-12 10:50 . 2009-10-12 10:50 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
2009-10-12 10:50 . 2009-10-12 10:50 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
2009-10-12 10:50 . 2009-10-12 10:50 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-10-12 10:50 . 2009-10-12 10:50 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe
2009-10-12 10:49 . 2009-10-12 10:50 33843192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_swe_web[1].exe
.

(((((((((((((((((((((((((((((((((( Registry start points )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* Empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-31 344064]
"Acrobat Assistant 7.0"="c:\program\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Nokia FastStart"="c:\program\Nokia\Nokia Music\NokiaMusic.exe" [2008-10-17 2323680]
"HP Software Update"="c:\program\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2009-10-28 141600]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1044-F000-BA7E-000000000002}\SC_Acrobat.exe [2006-11-2 25214]
BTTray.lnk - c:\program\Belkin\Bluetooth Software\BTTray.exe [2003-9-16 499779]
HP Digital Imaging Monitor.lnk - c:\program\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Personal.lnk - c:\program\Personal\bin\Personal.exe [2009-7-6 939536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Nokia Nseries PC Suite.lnk]
path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Nokia Nseries PC Suite.lnk
backup=c:\windows\pss\Nokia Nseries PC Suite.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2009-10-29 05:54 1218008 ----a-w- c:\program\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 16:05 1695232 ----a-w- c:\program\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-06-25 13:12 1414144 ----a-w- c:\program\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 18:20 866584 ----a-w- c:\program\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program\\Bonjour\\mDNSResponder.exe"=
"c:\\Program\\Delade filer\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program\\iTunes\\iTunes.exe"=
"c:\\Program\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program\\Skype\\Phone\\Skype.exe"=
"c:\\Program\\TeamViewer\\Version5\\TeamViewer.exe"=

R0 DiagnosticScan;DiagnosticScan;c:\windows\system32\drivers\DiagnosticScan.SYS [2009-11-11 17408]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-29 207792]
R1 Start1Driver;Start1Driver;c:\windows\system32\drivers\Start1Driver.SYS [2009-11-11 5120]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program\Spyware Doctor\BDT\BDTUpdateService.exe [2009-12-29 112592]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program\McAfee\SiteAdvisor\McSACore.exe [2009-08-29 206112]
R2 TeamViewer5;TeamViewer 5;c:\program\TeamViewer\Version5\TeamViewer_Service.exe [2009-12-17 185640]
R2 WinDefend;Windows Defender;c:\program\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 gupdate;Google Update Service (gupdate);c:\program\Google\Update\GoogleUpdate.exe [2009-10-22 133104]
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5.SYS [2008-10-22 44224]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-30 38224]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program\Spyware Doctor\pctsAuxs.exe [2009-12-29 359624]
.
Contents of the 'Scheduled Tasks' folder:

2009-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program\Google\Update\GoogleUpdate.exe [2009-10-22 10:25]

2010-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program\Google\Update\GoogleUpdate.exe [2009-10-22 10:25]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program\mcafee\mqc\QcConsol.exe [2009-08-29 10:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\program\mcafee\mqc\QcConsol.exe [2009-08-29 10:22]

2010-01-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-12-31 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2010-01-01 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2010-01-01 c:\windows\Tasks\User_Feed_Synchronization-{2B049807-2A06-462C-AC85-85C594E4757D}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = www.google.se/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selection to Adobe PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Guy\Application Data\Mozilla\Firefox\Profiles\ms90v1vw.default\
FF - component: c:\program\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program\Personal\bin\np_prsnl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----
c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-01 16:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ€|˙˙˙˙•€|ų•6~*]
"D140AC1900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs "loaded" under running processes ---------------------

- - - - - - - > 'explorer.exe'(324)
c:\program\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_swe.nlr
c:\program\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program\Bonjour\mDNSResponder.exe
c:\program\Belkin\Bluetooth Software\bin\btwdins.exe
c:\program\McAfee\MSC\mcmscsvc.exe
c:\program\McAfee\VIRUSS~1\mcshield.exe
c:\program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program\TeamViewer\Version5\TeamViewer.exe
c:\program\DELADE~1\Nokia\MPLATF~1\NOKIAM~1.EXE
c:\program\iPod\bin\iPodService.exe
c:\program\McAfee\VIRUSS~1\mcsysmon.exe
c:\program\PC Connectivity Solution\ServiceLayer.exe
c:\program\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\program\PC Connectivity Solution\Transports\NclBCBTSrv.exe
c:\program\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Completion time: 2010-01-01 16:43:20 - machine was rebooted.
ComboFix-quarantined-files.txt 2010-01-01 15:43
ComboFix2.txt 2009-12-31 17:41

Pre-run: 135,352,971,264 bytes free
Post-run: 135,227,256,832 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 31832A2D48D9A35C1B44DA0080436FD3
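The ComboFix log above lists the registry Run values, the service/driver table (R0..S4 lines) and the two Security Center "DisableMonitoring" values. As an added example that is not part of the thread and not ComboFix's own code, the Python below parses those three line formats into records and applies three triage heuristics of my own (assumptions, not anything ComboFix reports): a Security Center monitoring entry switched off, a Run value that is a bare file name resolved through the search path, and an R0/R1 driver installed within 60 days of the 2010-01-01 scan. The sample input is a subset of lines copied from the log; the flags are prompts for a human, not verdicts (in this log the fresh R0 driver PCTCore belongs to the PC Tools install dated 2009-12-29).

```python
"""Parse the 'registry start points' and service lines of a ComboFix log.

Added example for this thread, not ComboFix's own code. The sample lines are
copied from the log posted above; the triage rules are this example's own
heuristics (assumptions), not anything ComboFix itself reports.
"""
import re
from dataclasses import dataclass
from datetime import date

# Registry key header, e.g. [HKEY_LOCAL_MACHINE\SOFTWARE\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
# Run-key value: "<name>"="<path>" [<yyyy-mm-dd> <size>]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
# REG_DWORD value: "<name>"=dword:<8 hex digits>
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
# Service/driver line: <R|S><0-4> <name>;<display name>;<path> [<yyyy-mm-dd> <size>]
SERVICE_RE = re.compile(
    r'^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')

SCAN_DATE = date(2010, 1, 1)   # "Rootkit scan 2010-01-01" in the log above
RECENT_DAYS = 60               # assumption: how fresh a boot driver must be to get flagged


@dataclass
class Entry:
    kind: str            # "run", "dword" or "service"
    key: str             # registry key for run/dword; start type (R0..S4) for service
    name: str
    path: str = ""
    file_date: str = ""  # yyyy-mm-dd as printed by ComboFix
    size: int = 0
    value: int = 0       # decoded REG_DWORD when kind == "dword"


def parse_combofix(text):
    """Walk the log line by line, remembering the most recent [key] header."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m["key"]
        elif m := SERVICE_RE.match(line):
            entries.append(Entry("service", m["start"], m["name"], m["path"], m["date"], int(m["size"])))
        elif (m := RUN_RE.match(line)) and key:
            entries.append(Entry("run", key, m["name"], m["path"], m["date"], int(m["size"])))
        elif (m := DWORD_RE.match(line)) and key:
            entries.append(Entry("dword", key, m["name"], value=int(m["hex"], 16)))
    return entries


def triage(entries, scan_date=SCAN_DATE):
    """Return (rule, name) pairs worth a human look. Flags are prompts, not verdicts."""
    findings = []
    for e in entries:
        if e.kind == "dword" and e.name == "DisableMonitoring" and e.value == 1:
            # Security Center told to stop watching this product's AV/firewall state
            findings.append(("monitoring-disabled", e.key.rsplit("\\", 1)[-1]))
        elif e.kind == "run" and "\\" not in e.path:
            # bare file name: resolved through the search path, so check which copy loads
            findings.append(("bare-path-run", e.name))
        elif e.kind == "service" and e.key in ("R0", "R1"):
            # boot/system-start drivers load before any user-mode AV; new ones deserve a look
            age_days = (scan_date - date.fromisoformat(e.file_date)).days
            if age_days <= RECENT_DAYS:
                findings.append(("recent-boot-driver", e.name))
    return findings


# Constructed sample: a subset of lines copied from the log above, enough to hit each rule
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-31 344064]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

R0 DiagnosticScan;DiagnosticScan;c:\windows\system32\drivers\DiagnosticScan.SYS [2009-11-11 17408]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-29 207792]
R2 WinDefend;Windows Defender;c:\program\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-30 38224]
"""

if __name__ == "__main__":
    for rule, name in triage(parse_combofix(SAMPLE_LOG)):
        print(f"{rule:22} {name}")
```

Run against the full log, the parser would also pick up the `[HKLM\~\services\sharedaccess\...]` firewall list header, but those lines end in a bare `=` and match none of the value patterns, so they are skipped rather than misread.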



#8 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 January 2010 - 05:06 PM

It looks good.

You may enable McAfee right after uninstalling ComboFix. You may also run MBAM or any other scanner later on.
  • Go to Start => Run => copy and paste the next command into the field, then hit Enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  • Your Adobe Acrobat is outdated. I strongly recommend that you update your Adobe Acrobat to the latest version to avoid being infected through its security holes.
Happy surfing.

#9 bucketofbeef

  • Topic Starter
  • Members
  • 12 posts

Posted 04 January 2010 - 10:14 AM

I'd like to thank you so much for the help. The computer is now working properly without trojans.

I've told the owner to be more security-conscious and hopefully this won't occur again. Once again, thanks for the help.

#10 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 January 2010 - 12:00 PM

You are most welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



