H8SRT rootkit, trojan vundo, ect..


14 replies to this topic

#1 LegitMisfit

LegitMisfit

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 14 January 2010 - 06:03 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/286055/redirecting-virus/ ~ OB

OK, so I am infected with the H8SRT rootkit and Trojan Vundo and probably more. Anyway, I would just like my computer back at some point, so if there is any way to help me get rid of this pest, and maybe tell me how I received it and how to prevent it, that would be great. I started a post and have been getting help from someone there, but they redirected me here, and I am going to post my DDS log; I have attached the Attach log as told. I tried running RootRepeal twice now and it has just frozen on me after scanning for a while. I was able to scan and get a log in the past, but not anymore. Anyway, thank you for your help in the meantime!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 14:31:53.56 on Thu 01/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.571 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.disinfo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262599292156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\x2am5gt8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.disinfo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-7-20 87936]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

=============== Created Last 30 ================

2010-01-12 23:01:20 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 04:21:39 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-01-12 04:13:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 04:13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 02:32:55 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-12 02:28:41 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-12 02:28:41 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-01-12 02:28:14 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-12 01:21:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 01:21:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-09 09:14:48 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-01-09 09:14:31 0 d-----w- c:\program files\NETGEAR
2010-01-06 00:48:30 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-01-06 00:48:30 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-01-06 00:47:44 10752 ------w- c:\windows\system32\smtpapi.dll
2010-01-06 00:47:43 9728 ------w- c:\windows\system32\rwnh.dll
2010-01-06 00:47:36 81920 ------w- c:\windows\system32\ieencode.dll
2010-01-06 00:47:31 19569 ----a-w- c:\windows\005993_.tmp
2010-01-05 05:17:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-05 05:17:23 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-05 05:17:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-05 05:17:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-05 05:17:18 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-05 05:17:10 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-05 05:15:31 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-05 05:14:43 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-05 05:14:26 1206508 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-01-05 05:14:25 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-01-05 05:13:30 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2010-01-05 05:13:30 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2010-01-05 05:13:27 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2010-01-05 05:07:51 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-01-05 05:04:29 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-01-05 05:02:33 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2010-01-05 05:01:51 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-01-05 05:01:43 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-05 05:01:37 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-05 05:01:32 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-01-05 05:01:26 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-01-05 05:00:47 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-01-05 05:00:22 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-01-05 04:59:53 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-01-05 04:10:50 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-05 04:10:50 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-01-04 10:55:09 0 d-----w- c:\windows\system32\wbem\Repository.001
2010-01-04 10:41:35 7208 ------w- c:\windows\system32\secupd.sig
2010-01-04 10:41:35 4569 ------w- c:\windows\system32\secupd.dat
2010-01-04 10:41:28 57667 ----a-w- c:\windows\system32\ieuinit.inf
2010-01-04 10:05:55 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2010-01-04 10:05:54 354816 ----a-w- c:\windows\system32\winhttp.dll
2010-01-04 09:59:02 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
2010-01-04 09:54:13 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-01-04 09:36:45 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-01-04 09:35:52 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2010-01-04 09:34:34 25065 ----a-w- c:\windows\system32\wmpscheme.xml
2010-01-04 09:34:32 299552 ----a-w- c:\windows\WMSysPrx.prx
2010-01-04 09:33:20 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-01-04 09:33:14 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-01-04 09:33:14 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-01-04 09:33:14 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-01-04 09:33:14 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-01-04 09:33:14 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-01-04 09:30:58 68608 ----a-w- c:\windows\system32\access.cpl
2010-01-04 09:29:57 28160 ----a-w- c:\windows\system32\irmon.dll
2010-01-04 09:29:56 88192 ----a-w- c:\windows\system32\drivers\irda.sys
2010-01-04 09:29:56 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-01-04 09:29:56 380416 ----a-w- c:\windows\system32\irprops.cpl
2010-01-04 09:29:56 151552 ----a-w- c:\windows\system32\irftp.exe
2010-01-04 09:29:04 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-01-04 09:28:59 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-01-04 09:28:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-01-04 09:26:20 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-01-04 09:26:19 129536 ----a-w- c:\windows\system32\ksproxy.ax
2010-01-04 09:25:26 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys
2010-01-04 09:25:15 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2010-01-04 09:25:11 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-01-04 01:14:40 1064779776 ----a-w- c:\windows\MEMORY.DMP
2009-12-31 03:30:54 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-12-31 03:30:52 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-12-31 03:30:50 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-12-30 08:34:58 0 d-----w- c:\program files\VideoLAN

==================== Find3M ====================

2010-01-04 09:31:35 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

============= FINISH: 14:33:34.04 ===============


Edited by Orange Blossom, 14 January 2010 - 10:22 PM.


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:06 PM

Posted 17 January 2010 - 10:45 PM

Hello LegitMisfit,

I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one!!

Please install Avira Antivirus: http://www.free-av.com/
This is a free antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After the reboot, open your Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.

Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually if no antivirus is present, which should be able to deal with most of it and prevent further reinfection.


If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 LegitMisfit

LegitMisfit
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 21 January 2010 - 09:42 PM

Here is my HijackThis log and my RootRepeal log. I will include my Avira log in the next reply; I can't seem to open it right now. Also, thank you for your help, and sorry for the wait on my reply. Maybe it was because of the virus, but my computer wasn't letting me go to the BleepingComputer website. Again, thank you for your help.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 18:22:08.79 on Thu 01/21/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.634 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.disinfo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262599292156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\x2am5gt8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.disinfo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-21 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-21 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-21 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-21 56816]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-7-20 87936]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

=============== Created Last 30 ================

2010-01-21 23:14:03 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-21 23:14:00 0 d-----w- c:\program files\Avira
2010-01-21 23:14:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-01-12 23:01:20 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 04:21:39 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-01-12 04:13:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 04:13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 02:32:55 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-12 02:28:41 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-12 02:28:41 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-01-12 02:28:14 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-12 01:21:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 01:21:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-09 09:14:48 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-01-09 09:14:31 0 d-----w- c:\program files\NETGEAR
2010-01-06 00:48:30 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-01-06 00:48:30 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-01-06 00:47:44 10752 ------w- c:\windows\system32\smtpapi.dll
2010-01-06 00:47:43 9728 ------w- c:\windows\system32\rwnh.dll
2010-01-06 00:47:36 81920 ------w- c:\windows\system32\ieencode.dll
2010-01-06 00:47:31 19569 ----a-w- c:\windows\005993_.tmp
2010-01-05 05:17:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-05 05:17:23 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-05 05:17:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-05 05:17:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-05 05:17:18 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-05 05:17:10 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-05 05:15:31 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-05 05:14:43 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-05 05:14:26 1206508 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-01-05 05:14:25 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-01-05 05:13:30 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2010-01-05 05:13:30 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2010-01-05 05:13:27 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2010-01-05 05:07:51 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-01-05 05:04:29 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-01-05 05:02:33 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2010-01-05 05:01:51 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-01-05 05:01:43 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-05 05:01:37 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-05 05:01:32 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-01-05 05:01:26 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-01-05 05:00:47 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-01-05 05:00:22 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-01-05 04:59:53 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-01-05 04:10:50 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-05 04:10:50 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-01-04 10:55:09 0 d-----w- c:\windows\system32\wbem\Repository.001
2010-01-04 10:41:35 7208 ------w- c:\windows\system32\secupd.sig
2010-01-04 10:41:35 4569 ------w- c:\windows\system32\secupd.dat
2010-01-04 10:41:28 57667 ----a-w- c:\windows\system32\ieuinit.inf
2010-01-04 10:05:55 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2010-01-04 10:05:54 354816 ----a-w- c:\windows\system32\winhttp.dll
2010-01-04 09:59:02 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
2010-01-04 09:54:13 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-01-04 09:36:45 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-01-04 09:35:52 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2010-01-04 09:34:34 25065 ----a-w- c:\windows\system32\wmpscheme.xml
2010-01-04 09:34:32 299552 ----a-w- c:\windows\WMSysPrx.prx
2010-01-04 09:33:20 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-01-04 09:33:14 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-01-04 09:33:14 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-01-04 09:33:14 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-01-04 09:33:14 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-01-04 09:33:14 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-01-04 09:30:58 68608 ----a-w- c:\windows\system32\access.cpl
2010-01-04 09:29:57 28160 ----a-w- c:\windows\system32\irmon.dll
2010-01-04 09:29:56 88192 ----a-w- c:\windows\system32\drivers\irda.sys
2010-01-04 09:29:56 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-01-04 09:29:56 380416 ----a-w- c:\windows\system32\irprops.cpl
2010-01-04 09:29:56 151552 ----a-w- c:\windows\system32\irftp.exe
2010-01-04 09:29:04 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-01-04 09:28:59 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-01-04 09:28:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-01-04 09:26:20 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-01-04 09:26:19 129536 ----a-w- c:\windows\system32\ksproxy.ax
2010-01-04 09:25:26 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys
2010-01-04 09:25:15 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2010-01-04 09:25:11 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-01-04 01:14:40 1064779776 ----a-w- c:\windows\MEMORY.DMP
2009-12-31 03:30:54 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-12-31 03:30:52 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-12-31 03:30:50 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-12-30 08:34:58 0 d-----w- c:\program files\VideoLAN

==================== Find3M ====================

2010-01-04 09:31:35 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 18:23:33.39 ===============





ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/21 18:25
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dkctip.sys
Image Path: dkctip.sys
Address: 0xF7607000 Size: 54016 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAACDA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B37000 Size: 8192 File Visible: No Signed: -
Status: -

Name: H8SRTujixbrqrxo.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTujixbrqrxo.sys
Address: 0xAAEE3000 Size: 118784 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9BED000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\H8SRTdorbduqflu.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTixnrvalkvp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTjllclamttk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTkpvlcatjew.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtkrl32mainweq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTrwqvhlypdu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtshsyst.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT8f42.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT9637.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT97ae.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT9ccc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTa76a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTd40b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTf5a5.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTfc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTfc4c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTfeec.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT3a7b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT6b4c.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\H8SRTujixbrqrxo.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\H8SRTe2c5.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTfeec.tmplamttk.dll]
Process: svchost.exe (PID: 1152) Address: 0x027f0000 Size: 86016

Object: Hidden Module [Name: H8SRTrwqvhlypdu.dll]
Process: svchost.exe (PID: 1152) Address: 0x10000000 Size: 65536

Object: Hidden Module [Name: H8SRTixnrvalkvp.dll]
Process: RootRepeal.exe (PID: 2108) Address: 0x10000000 Size: 36864

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTujixbrqrxo.sys

==EOF==
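
As an added example (not code from the thread and not RootRepeal's own), here is a small Python triage script for a report in the format above. It parses the three record types RootRepeal prints (hidden files, hidden modules, hidden services), works out the random filename prefix the family shares, and then connects the pieces: which hidden file is the kernel driver, whether the hidden service points at it, and which processes carry the injected DLL. The sample report is a constructed excerpt built from paths in the log above; the `shared_prefix` heuristic and its thresholds are this example's own choice, not something RootRepeal does.

```python
# Triage helper for a RootRepeal report (hidden files, stealth objects, hidden
# services). Added example for this thread; not RootRepeal's code and not from
# the original posts. SAMPLE_REPORT is a constructed excerpt in RootRepeal's
# output format using paths from the log above; the pagefile.sys line is a
# constructed benign "Locked" entry. The shared-prefix heuristic is this
# example's own choice, not something RootRepeal does.
import ntpath
import re
from collections import Counter

SAMPLE_REPORT = """\
Path: C:\\WINDOWS\\system32\\H8SRTdorbduqflu.dat
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\H8SRTixnrvalkvp.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\Temp\\H8SRT8f42.tmp
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\H8SRTujixbrqrxo.sys
Status: Invisible to the Windows API!

Path: C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\h8srtmainqt.dll
Status: Invisible to the Windows API!

Path: C:\\pagefile.sys
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTrwqvhlypdu.dll]
Process: svchost.exe (PID: 1152) Address: 0x10000000 Size: 65536

Object: Hidden Module [Name: H8SRTixnrvalkvp.dll]
Process: RootRepeal.exe (PID: 2108) Address: 0x10000000 Size: 36864

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\H8SRTujixbrqrxo.sys
"""

# One regex per record type that RootRepeal prints in these sections.
FILE_RE = re.compile(r"^Path: (?P<path>.+)\nStatus: (?P<status>.+)$", re.M)
MODULE_RE = re.compile(
    r"^Object: Hidden Module \[Name: (?P<name>.+?)\]\n"
    r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) "
    r"Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)$", re.M)
SERVICE_RE = re.compile(r"^Service Name: (?P<name>.+)\nImage Path: (?P<image>.+)$", re.M)


def parse_report(text):
    """Split the report into hidden files, locked files, hidden modules and hidden services."""
    files = [(m["path"], m["status"]) for m in FILE_RE.finditer(text)]
    return {
        "hidden_files": [p for p, s in files if s.startswith("Invisible")],
        "locked_files": [p for p, s in files if s.startswith("Locked")],
        "hidden_modules": [
            {"name": m["name"], "process": m["proc"], "pid": int(m["pid"]),
             "address": int(m["addr"], 16), "size": int(m["size"])}
            for m in MODULE_RE.finditer(text)],
        "hidden_services": [
            {"name": m["name"], "image": m["image"]} for m in SERVICE_RE.finditer(text)],
    }


def shared_prefix(paths, min_len=3, max_len=8, min_share=0.6):
    """Longest lower-cased basename prefix shared by at least min_share of paths, else None.

    Droppers of this kind tag every file they write with one random prefix
    (H8SRT in this log), so the prefix itself is the indicator worth extracting.
    """
    names = [ntpath.basename(p).lower() for p in paths]
    for k in range(max_len, min_len - 1, -1):
        counts = Counter(n[:k] for n in names if len(n) >= k)
        if counts:
            prefix, hits = counts.most_common(1)[0]
            if hits / len(names) >= min_share:
                return prefix
    return None


def triage(text):
    """Connect the three record types through the shared prefix."""
    report = parse_report(text)
    prefix = shared_prefix(report["hidden_files"])

    def tagged(name):
        return bool(prefix) and name.lower().startswith(prefix)

    family = [p for p in report["hidden_files"] if tagged(ntpath.basename(p))]
    drivers = [p for p in family if p.lower().endswith(".sys")]
    service_images = {s["image"].lower() for s in report["hidden_services"]}
    return {
        "prefix": prefix,
        "family_files": family,
        "kernel_drivers": drivers,
        "driver_backed_services": [p for p in drivers if p.lower() in service_images],
        "injected_processes": sorted({m["process"] for m in report["hidden_modules"]
                                      if tagged(m["name"])}),
        "locked_only": report["locked_files"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The output for the sample ties the hidden service to a hidden `.sys` under `drivers\`, which is the kernel component, and lists the scanner's own process among those carrying the injected DLL, matching what the log above shows for RootRepeal.exe. Entries that are only "Locked" are kept separate because normally in-use system files also report that status.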


#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:06 PM

Posted 21 January 2010 - 10:02 PM

Hi LegitMisfit,

You're very welcome.

Since you are heavily infected, we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • Right-click it and untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background.
You have successfully disabled the AntiVir Guard.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop. <==IMPORTANT

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log. The log will be saved as C:\ComboFix.txt

Edited by SifuMike, 21 January 2010 - 10:03 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 LegitMisfit

LegitMisfit
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 21 January 2010 - 11:02 PM

OK, I ran ComboFix and here is my log

ComboFix 10-01-21.02 - Administrator 01/21/2010 19:48:18.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.719 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1107553577-2431106566-2500835634-500
c:\recycler\S-1-5-21-1577194143-360530932-130625872-500
c:\recycler\S-1-5-21-2056210870-3410876443-304146723-500
c:\recycler\S-1-5-21-343818398-1979792683-725345543-500
c:\windows\system32\drivers\H8SRTujixbrqrxo.sys
c:\windows\system32\H8SRTdorbduqflu.dat
c:\windows\system32\H8SRTixnrvalkvp.dll
c:\windows\system32\H8SRTjllclamttk.dll
c:\windows\system32\H8SRTkpvlcatjew.dll
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTrwqvhlypdu.dll
c:\windows\system32\h8srtshsyst.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-21 23:14 . 2010-01-22 00:24 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-21 23:14 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-21 23:14 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-21 23:14 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-21 23:14 . 2010-01-21 23:14 -------- d-----w- c:\program files\Avira
2010-01-21 23:14 . 2010-01-21 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-21 22:29 . 2010-01-22 03:40 753 ----a-w- c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
2010-01-12 23:01 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 04:21 . 2010-01-12 04:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-12 04:13 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 04:13 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 02:34 . 2010-01-12 02:34 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-12 02:34 . 2010-01-19 02:36 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-12 02:32 . 2010-01-12 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-12 02:28 . 2010-01-19 02:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-12 02:28 . 2010-01-12 02:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-12 02:28 . 2010-01-12 02:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-12 01:21 . 2010-01-12 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 01:21 . 2010-01-12 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-09 09:14 . 2010-01-09 09:14 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-01-09 09:14 . 2010-01-09 09:14 -------- d-----w- c:\program files\NETGEAR
2010-01-06 00:48 . 2009-07-31 18:05 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-01-06 00:48 . 2008-04-14 02:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-01-06 00:47 . 2008-04-14 00:12 10752 ------w- c:\windows\system32\smtpapi.dll
2010-01-06 00:47 . 2008-04-14 00:12 9728 ------w- c:\windows\system32\rwnh.dll
2010-01-06 00:47 . 2008-04-14 09:41 81920 ------w- c:\windows\system32\ieencode.dll
2010-01-05 05:17 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-05 05:17 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-05 05:17 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-05 05:17 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-05 05:17 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-05 05:17 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-05 05:15 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-05 05:14 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-05 05:14 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-01-05 05:13 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2010-01-05 05:13 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2010-01-05 05:13 . 2009-07-17 16:22 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2010-01-05 05:07 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-01-05 05:02 . 2009-09-04 21:03 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2010-01-05 05:01 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-01-05 05:01 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-05 05:01 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-05 05:01 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-01-05 05:01 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-01-05 05:00 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-01-05 05:00 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-01-05 04:59 . 2009-06-10 17:19 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-01-05 04:10 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-04 10:55 . 2010-01-04 11:00 -------- d-----w- c:\windows\system32\wbem\Repository.001
2010-01-04 10:41 . 2004-08-02 22:20 4569 ------w- c:\windows\system32\secupd.dat
2010-01-04 10:05 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2010-01-04 10:05 . 2009-08-25 09:17 354816 ----a-w- c:\windows\system32\winhttp.dll
2010-01-04 09:54 . 2005-10-19 14:15 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-01-04 09:36 . 2003-03-31 19:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-01-04 09:35 . 2003-03-31 19:00 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2010-01-04 09:32 . 2008-04-14 00:12 45568 ----a-w- c:\windows\system32\safrslv.dll
2010-01-04 09:30 . 2008-04-14 00:12 131584 ----a-w- c:\windows\system32\sndrec32.exe
2010-01-04 09:29 . 2008-04-14 00:11 28160 ----a-w- c:\windows\system32\irmon.dll
2010-01-04 09:29 . 2008-04-14 00:12 151552 ----a-w- c:\windows\system32\irftp.exe
2010-01-04 09:29 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-01-04 09:29 . 2008-04-13 18:54 88192 ----a-w- c:\windows\system32\drivers\irda.sys
2010-01-04 09:29 . 2008-04-13 18:45 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-01-04 09:28 . 2008-04-13 18:45 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-01-04 09:28 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-01-04 09:26 . 2008-04-14 00:11 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-01-04 09:25 . 2001-08-17 21:51 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys
2010-01-04 09:25 . 2008-04-13 18:32 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2010-01-04 09:25 . 2008-04-14 00:13 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-01-04 09:23 . 2008-04-14 00:12 146432 ----a-w- c:\windows\system\winspool.drv
2010-01-04 09:23 . 2008-04-13 18:54 11264 ----a-w- c:\windows\system32\drivers\irenum.sys
2010-01-04 09:23 . 2003-03-31 19:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-01-04 09:23 . 2003-03-31 19:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-01-04 09:23 . 2003-03-31 19:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-01-04 09:23 . 2003-03-31 19:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-01-04 09:23 . 2008-04-14 00:12 74752 ----a-w- c:\windows\system32\storprop.dll
2010-01-04 09:21 . 2010-01-04 09:21 -------- d-s---w- c:\windows\system32\config\systemprofile\History
2010-01-04 00:11 . 2010-01-04 00:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-02 23:02 . 2010-01-02 23:02 0 ----a-w- c:\windows\nsreg.dat
2010-01-02 23:02 . 2010-01-02 23:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-01-02 08:19 . 2010-01-02 08:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2009-12-31 03:30 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-12-31 03:30 . 2004-08-04 07:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-12-31 03:30 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-12-31 00:59 . 2009-12-31 00:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Leadertech
2009-12-30 08:36 . 2010-01-21 11:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-12-30 08:34 . 2009-12-30 08:34 -------- d-----w- c:\program files\VideoLAN
2009-12-30 00:20 . 2009-12-30 00:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-12-28 01:03 . 2008-04-14 09:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-12-26 10:02 . 2009-12-26 10:02 -------- d-----w- c:\windows\Sun
2009-12-26 08:52 . 2009-12-26 08:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-12-25 16:53 . 2009-12-25 16:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\InterVideo
2009-12-25 07:43 . 2009-12-25 17:49 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-09 09:15 . 2006-07-20 19:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-04 09:31 . 2006-07-20 18:17 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-31 00:34 . 2009-05-01 18:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-30 00:19 . 2006-07-20 20:43 87752 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2003-03-31 19:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 15:51 . 2003-03-31 19:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-04-27 122941]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-01 148888]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-19 114688]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-7-20 184320]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-5-17 2297856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/21/2010 3:14 PM 108289]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [7/20/2006 12:16 PM 87936]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [3/27/2006 5:53 PM 167808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.disinfo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x2am5gt8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.disinfo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PHIME2002ASync - c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-PHIME2002A - c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
Notify-NavLogon - (no file)
AddRemove-KB913433 - c:\windows\system32\MacroMed\Flash\genuinst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-21 19:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????5?1?0?0??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2148302949-2995510037-515869514-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,33,4b,85,b8,79,e1,6e,40,b9,28,db,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,33,4b,85,b8,79,e1,6e,40,b9,28,db,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\RtlGina2.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3624)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2010-01-21 19:59:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-22 03:59

Pre-Run: 24,121,851,904 bytes free
Post-Run: 24,102,805,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 97F65C449AA785EA386E273E7272B612


#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:06 PM

Posted 22 January 2010 - 01:34 AM

Hi LegitMisfit,

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • Right-click it and untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background.
You have successfully disabled the AntiVir Guard.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000000
"AntiVirusOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
The combofix log can also be found at C:\ComboFix.txt.



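
The CFScript in this post resets three values that the ComboFix log in post #5 showed in their weak state: AntiVirusOverride and FirewallOverride set to 1 (which silence Security Center's warnings) and EnableFirewall set to 0 (Windows Firewall off). As an added example, not from the thread and not ComboFix's own code, here is a Python check that reads the "Reg Loading Points" section of such a log, reports which of those values deviate from the expected state, and renders the fix in the same Registry:: form as the script above. Both log excerpts in the block are constructed (the weak one from lines in post #5, the hardened one as the same keys after the script has run); the expected values in POLICY are this example's own policy.

```python
# Check Security Center / firewall values in a ComboFix "Reg Loading Points"
# section and build the corrective CFScript. Added example for this thread; not
# ComboFix's code and not from the original posts. WEAK_LOG is constructed from
# lines in post #5, HARDENED_LOG shows the same keys after the fix. POLICY is
# this example's own choice of expected values.
import re

WEAK_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

HARDENED_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x1)
"""

SC = r"hklm\software\microsoft\security center"
FW = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
# (normalized key path, value name) -> value the machine should have
POLICY = {
    (SC, "antivirusoverride"): 0,   # 1 silences Security Center's AV warning
    (SC, "firewalloverride"): 0,    # 1 silences its firewall warning
    (FW, "enablefirewall"): 1,      # 0 means Windows Firewall is off
}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\S.*)$')


def normalize_key(key):
    """Lower-case a registry path and fold the long hive name to HKLM."""
    return key.lower().replace("hkey_local_machine", "hklm")


def parse_dword(raw):
    """Return an int for 'dword:00000001' or '0 (0x0)' style values, else None."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    head = raw.split()[0]
    return int(head) if head.lstrip("-").isdigit() else None


def find_weak_settings(log_text):
    """Walk the section in log order; report POLICY values that are present but wrong."""
    findings, key = [], None
    for line in log_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            key = sec["key"]
            continue
        val = VALUE_RE.match(line)
        if not (val and key):
            continue
        expected = POLICY.get((normalize_key(key), val["name"].lower()))
        found = parse_dword(val["val"])
        if expected is not None and found is not None and found != expected:
            findings.append({"key": key, "name": val["name"],
                             "found": found, "expected": expected})
    return findings


def build_cfscript(findings):
    """Render findings as a ComboFix Registry:: script, one [key] block per key."""
    if not findings:
        return ""
    by_key = {}
    for f in findings:
        by_key.setdefault(f["key"], []).append(f)
    lines = ["Registry::"]
    for key, items in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{f["name"]}"=dword:{f["expected"]:08x}' for f in items)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    weak = find_weak_settings(WEAK_LOG)
    for f in weak:
        print(f'{f["key"]}\\{f["name"]}: found {f["found"]}, expected {f["expected"]}')
    print(build_cfscript(weak), end="")
```

Running it on WEAK_LOG reports all three values and prints a script equivalent to the one in this post; on HARDENED_LOG it reports nothing and prints no script. Values that are absent from the log are deliberately not reported, since the script only knows what ComboFix chose to list, and the key path is echoed back exactly as ComboFix printed it (including its `~` shorthand) rather than expanded.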

#7 LegitMisfit

LegitMisfit
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 22 January 2010 - 06:58 PM

OK, well I tried to post the log but I was told it was too long a message, so I will attach the file. So far my computer has been working fine. Again, thank you for all this help; I thought my computer would never run this well again. You guys at bleepingcomputer rule!

Attached Files

  • Attached File  log.zip   123.73KB   3 downloads

Edited by LegitMisfit, 22 January 2010 - 06:59 PM.


#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:06 PM

Posted 22 January 2010 - 07:23 PM

I can't read the attached zipped file. If you can post it, then attach it in txt format.

The log is saved on your computer at C:\ComboFix.txt

Edited by SifuMike, 22 January 2010 - 07:25 PM.


#9 LegitMisfit

LegitMisfit
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 22 January 2010 - 07:52 PM

OK, well I tried to attach it in .txt format but it says it's too large to upload, and it's way too long to post on here, so maybe this will work...

I saved the log in 4 parts so I can attach it; hopefully that works.



Edited by LegitMisfit, 22 January 2010 - 07:53 PM.


#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:06 PM

Posted 22 January 2010 - 07:56 PM

I see what the problem is.

If you edit out (delete) almost all the lines in the
QUOTE
(((((((((((((((((((((((((((( SnapShot@2010-01-22_03.55.56 )))))))))))))))))))))))))))))))))))))))))
section then you can post it rather than attach it.

Edited by SifuMike, 22 January 2010 - 07:57 PM.


#11 LegitMisfit

LegitMisfit
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 22 January 2010 - 07:59 PM

I don't know, it keeps telling me to make the files smaller. Any ideas to make this easier? I broke it into about 5 parts and it's still not letting me post it.

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:06 PM

Posted 22 January 2010 - 08:05 PM

You should not have to break it into 5 parts and you should not have to attach it.
Attaching it makes it hard to read.

Read my last post (post #10).

Edited by SifuMike, 22 January 2010 - 08:27 PM.


#13 LegitMisfit

LegitMisfit
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 22 January 2010 - 09:46 PM

OK, well I'm still not sure what lines you want me to delete.

#14 LegitMisfit

LegitMisfit
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 22 January 2010 - 09:54 PM

OK, sorry about the confusion, I think I fixed the problem. Here is the log, and hopefully everything you need is there..

ComboFix 10-01-21.08 - Administrator 01/22/2010 15:14:14.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.616 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}


.

((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-21 23:14 . 2010-01-22 00:24 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-21 23:14 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-21 23:14 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-21 23:14 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-21 23:14 . 2010-01-21 23:14 -------- d-----w- c:\program files\Avira
2010-01-21 23:14 . 2010-01-21 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-21 22:29 . 2010-01-22 03:40 753 ----a-w- c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
2010-01-12 23:01 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 04:21 . 2010-01-12 04:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-12 04:13 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 04:13 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 02:34 . 2010-01-12 02:34 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-12 02:34 . 2010-01-19 02:36 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-12 02:32 . 2010-01-12 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-12 02:28 . 2010-01-19 02:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-12 02:28 . 2010-01-12 02:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-12 02:28 . 2010-01-12 02:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-12 01:21 . 2010-01-12 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 01:21 . 2010-01-12 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-09 09:14 . 2010-01-09 09:14 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-01-09 09:14 . 2010-01-09 09:14 -------- d-----w- c:\program files\NETGEAR
2010-01-06 00:48 . 2009-07-31 18:05 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-01-06 00:48 . 2008-04-14 02:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-01-06 00:47 . 2008-04-14 00:12 10752 ------w- c:\windows\system32\smtpapi.dll
2010-01-06 00:47 . 2008-04-14 00:12 9728 ------w- c:\windows\system32\rwnh.dll
2010-01-06 00:47 . 2008-04-14 09:41 81920 ------w- c:\windows\system32\ieencode.dll
2010-01-05 05:17 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-05 05:17 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-05 05:17 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-05 05:17 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-05 05:17 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-05 05:17 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-05 05:15 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-05 05:14 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-05 05:14 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-01-05 05:13 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2010-01-05 05:13 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2010-01-05 05:13 . 2009-07-17 16:22 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2010-01-05 05:07 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-01-05 05:02 . 2009-09-04 21:03 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2010-01-05 05:01 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-01-05 05:01 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-05 05:01 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-05 05:01 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-01-05 05:01 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-01-05 05:00 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-01-05 05:00 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-01-05 04:59 . 2009-06-10 17:19 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-01-05 04:10 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-04 10:55 . 2010-01-04 11:00 -------- d-----w- c:\windows\system32\wbem\Repository.001
2010-01-04 10:41 . 2004-08-02 22:20 4569 ------w- c:\windows\system32\secupd.dat
2010-01-04 10:05 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2010-01-04 10:05 . 2009-08-25 09:17 354816 ----a-w- c:\windows\system32\winhttp.dll
2010-01-04 09:54 . 2005-10-19 14:15 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-01-04 09:36 . 2003-03-31 19:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-01-04 09:35 . 2003-03-31 19:00 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2010-01-04 09:32 . 2008-04-14 00:12 45568 ----a-w- c:\windows\system32\safrslv.dll
2010-01-04 09:30 . 2008-04-14 00:12 131584 ----a-w- c:\windows\system32\sndrec32.exe
2010-01-04 09:29 . 2008-04-14 00:11 28160 ----a-w- c:\windows\system32\irmon.dll
2010-01-04 09:29 . 2008-04-14 00:12 151552 ----a-w- c:\windows\system32\irftp.exe
2010-01-04 09:29 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-01-04 09:29 . 2008-04-13 18:54 88192 ----a-w- c:\windows\system32\drivers\irda.sys
2010-01-04 09:29 . 2008-04-13 18:45 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-01-04 09:28 . 2008-04-13 18:45 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-01-04 09:28 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-01-04 09:26 . 2008-04-14 00:11 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-01-04 09:25 . 2001-08-17 21:51 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys
2010-01-04 09:25 . 2008-04-13 18:32 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2010-01-04 09:25 . 2008-04-14 00:13 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-01-04 09:23 . 2008-04-14 00:12 146432 ----a-w- c:\windows\system\winspool.drv
2010-01-04 09:23 . 2008-04-13 18:54 11264 ----a-w- c:\windows\system32\drivers\irenum.sys
2010-01-04 09:23 . 2003-03-31 19:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-01-04 09:23 . 2003-03-31 19:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-01-04 09:23 . 2003-03-31 19:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-01-04 09:23 . 2003-03-31 19:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-01-04 09:23 . 2008-04-14 00:12 74752 ----a-w- c:\windows\system32\storprop.dll
2010-01-04 09:21 . 2010-01-04 09:21 -------- d-s---w- c:\windows\system32\config\systemprofile\History
2010-01-04 00:11 . 2010-01-04 00:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-02 23:02 . 2010-01-02 23:02 0 ----a-w- c:\windows\nsreg.dat
2010-01-02 23:02 . 2010-01-02 23:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-01-02 08:19 . 2010-01-02 08:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2009-12-31 03:30 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-12-31 03:30 . 2004-08-04 07:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-12-31 03:30 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-12-31 00:59 . 2009-12-31 00:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Leadertech
2009-12-30 08:36 . 2010-01-22 20:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-12-30 08:34 . 2009-12-30 08:34 -------- d-----w- c:\program files\VideoLAN
2009-12-30 00:20 . 2009-12-30 00:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-12-28 01:03 . 2008-04-14 09:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-12-26 10:02 . 2009-12-26 10:02 -------- d-----w- c:\windows\Sun
2009-12-26 08:52 . 2009-12-26 08:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-12-25 16:53 . 2009-12-25 16:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\InterVideo
2009-12-25 07:43 . 2009-12-25 17:49 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-09 09:15 . 2006-07-20 19:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-04 09:31 . 2006-07-20 18:17 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-31 00:34 . 2009-05-01 18:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-30 00:19 . 2006-07-20 20:43 87752 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2003-03-31 19:00 916480 ------w- c:\windows\system32\wininet.dll
2009-11-21 15:51 . 2003-03-31 19:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-04-27 122941]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-01 148888]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-19 114688]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-7-20 184320]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-5-17 2297856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/21/2010 3:14 PM 108289]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [7/20/2006 12:16 PM 87936]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [3/27/2006 5:53 PM 167808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.disinfo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x2am5gt8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.disinfo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 15:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????5?1?0?0??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2148302949-2995510037-515869514-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,33,4b,85,b8,79,e1,6e,40,b9,28,db,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,33,4b,85,b8,79,e1,6e,40,b9,28,db,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\RtlGina2.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(828)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-22 15:20:18
ComboFix-quarantined-files.txt 2010-01-22 23:20
ComboFix2.txt 2010-01-22 03:59

Pre-Run: 24,962,478,080 bytes free
Post-Run: 24,947,544,064 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 6DF60204E9DBE68FC9E49D686022084A
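The catchme section above reports one "hidden autostart entry": the Cpqset value, printed with a run of "?" after the executable path, which is how ComboFix renders non-printable bytes stored after the path in the registry value. Triaging a log like this by hand means reading every Run-key value and asking the same few questions (is there junk after the path, is it a bare file name resolved via the search path, does it live somewhere a user can write to). The script below is an added example written for this page, not code from the thread, from ComboFix or from the catchme tool: it parses the "Reg Loading Points" and catchme sections of a ComboFix log and applies those heuristics. The sample lines are copied from the log above, plus one constructed entry ("Update", a made-up value in the user's Temp folder) so a positive hit is visible; the heuristics and thresholds are the editor's assumptions, not ComboFix's own detection logic.

```python
"""Triage autostart entries from a ComboFix / catchme log excerpt.

Added example for this page, not code from the thread, from ComboFix or
from BleepingComputer. The sample log lines are copied from the posted
log, plus one constructed entry (the "Update" value) to show a positive
hit; the heuristics are the editor's assumptions, not ComboFix's logic.
"""
import re
from dataclasses import dataclass, field

# ComboFix "Reg Loading Points" line:  "Name"="command" [yyyy-mm-dd size]
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*'
    r'(?:\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?\s*$'
)
# catchme "hidden autostart entries" line:  Name = command<trailing bytes>
CATCHME_LINE = re.compile(r'^(?P<name>\w[\w .]*?)\s*=\s*(?P<cmd>\S.*)$')
# Separate the executable path from anything that follows it
EXE_PATH = re.compile(r'^(?P<path>.*?\.(?:exe|dll|cpl|scr|com))(?P<tail>.*)$', re.I)

TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files\\')
USER_WRITABLE = ('\\documents and settings\\', '\\temp\\')


@dataclass
class Finding:
    name: str
    cmd: str
    reasons: list = field(default_factory=list)


def check_command(name: str, cmd: str) -> Finding:
    """Apply triage heuristics to one autostart value; reasons stay empty if it looks normal."""
    f = Finding(name, cmd)
    low = cmd.strip().lower()
    m = EXE_PATH.match(cmd)
    tail = m.group('tail') if m else ''
    # Hidden-value trick: data after the executable path that is not printable ASCII.
    # That is what catchme reports under "hidden autostart entries"; ComboFix prints
    # those bytes as '?' in the log, so '?' is treated as non-printable here too.
    if any(c == '?' or not (0x20 <= ord(c) <= 0x7e) for c in tail.strip()):
        f.reasons.append('non-printable data after executable path (hidden registry value)')
    if not re.match(r'^[a-z]:\\', low):
        # No drive letter: the loader resolves the name through the search path at logon
        f.reasons.append('bare file name, resolved via search path at logon')
    elif not low.startswith(TRUSTED_DIRS):
        f.reasons.append('executable outside Windows and Program Files')
    if any(d in low for d in USER_WRITABLE):
        f.reasons.append('executable in a user-writable directory')
    return f


def triage(log_text: str) -> list:
    """Walk the Run-key and catchme sections of a ComboFix log; return entries worth a look."""
    findings, section = [], None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        low = line.lower()
        if low.startswith('[hk') and low.endswith('\\run]'):
            section = 'run'
            continue
        if low.startswith('hklm\\software\\microsoft\\windows\\currentversion\\run'):
            section = 'catchme'
            continue
        if not line.strip():
            section = None  # a blank line closes each section of the log
            continue
        pattern = {'run': RUN_LINE, 'catchme': CATCHME_LINE}.get(section)
        m = pattern.match(line) if pattern else None
        if m:
            f = check_command(m.group('name'), m.group('cmd'))
            if f.reasons:
                findings.append(f)
    return findings


# Lines taken from the log above, plus one constructed entry ("Update") for illustration
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Update"="c:\documents and settings\Administrator\Local Settings\Temp\update.exe" [2010-01-12 49152]

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????5?1?0?0??????? ???B???????????????B? ??????

scanning hidden files ...
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.name}: {f.cmd}')
        for r in f.reasons:
            print(f'    - {r}')
```

Every hit is a prompt for a manual check, not a verdict. The bare-name AGRSMMSG entry and the HP Cpqset value with trailing bytes are OEM entries that show up the same way on many machines of this type; the constructed "Update" value in a Temp folder is the kind of entry that actually deserves the "how did this get here" question the original poster asked. Run it against a full ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`.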


#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 January 2010 - 09:56 PM

QUOTE
I think I fixed the problem. Here is the log, and hopefully everything you need is there..


Much better. :)
How did you fix the problem?


Please do an online scan with Kaspersky WebScanner

Attention!
Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.


Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


You can refer to this animation by sundavis if needed.

Edited by SifuMike, 22 January 2010 - 10:07 PM.
added Kaspersky Scanner

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



