
So many things wrong I don't know where to start


  • This topic is locked
11 replies to this topic

#1 mmrbunny

mmrbunny

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:43 PM

Posted 23 January 2010 - 07:14 AM

My computer is bleeding from places then a guy in OZ.
So if you guys can give me any help it would be great thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:06, on 23/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Game Guide EPOS\Game Guide EPOS.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\FPI\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\FPI\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\FPI\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 aviraplatinum2009.microsoft.com
O1 - Hosts: 91.212.127.227 aviraplatinum2009.com
O1 - Hosts: 91.212.127.227 www.aviraplatinum2009.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\FPI\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-1053342274-709656192-4260935533-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1053342274-709656192-4260935533-1005\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-1053342274-709656192-4260935533-1005\..\Run: [Google Update] "C:\Documents and Settings\FPI\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3495BE11-0639-419B-B3CA-B1F74C5D7833}: NameServer = 212.159.6.10 212.159.6.9
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7514 bytes


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 PM

Posted 29 January 2010 - 02:24 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in response.

Do you still require help?

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, step #6 and step #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 mmrbunny

mmrbunny
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:43 PM

Posted 31 January 2010 - 12:14 PM

Hi, I do still need help and I will post these first thing Monday morning for you.


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 PM

Posted 31 January 2010 - 02:53 PM

Okay, thanks for letting me know.

#5 mmrbunny

mmrbunny
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:43 PM

Posted 01 February 2010 - 06:16 AM


DDS (Ver_09-12-01.01) - NTFSx86
Run by FPI at 11:02:25.59 on 01/02/2010
Internet Explorer: 7.0.5730.11
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Google Update] "c:\documents and settings\fpi\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [DSLSTATEXE] c:\program files\voyager 105 adsl modem\dslstat.exe icon
mRun: [DSLAGENTEXE] c:\program files\voyager 105 adsl modem\dslagent.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {3495BE11-0639-419B-B3CA-B1F74C5D7833} = 212.159.6.10 212.159.6.9
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 91.212.127.227 aviraplatinum2009.microsoft.com
Hosts: 91.212.127.227 aviraplatinum2009.com
Hosts: 91.212.127.227 www.aviraplatinum2009.com

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-28 13:52:28 160951 ------w- c:\windows\system32\drivers\gtipdsp_.bin
2010-01-28 13:52:26 24576 ----a-w- c:\windows\system32\CoInst.dll
2010-01-28 13:52:26 148338 ----a-w- c:\windows\system32\drivers\gwausb.sys
2010-01-28 13:52:18 16950 ------w- c:\windows\wwdslcfg.ini
2010-01-28 13:52:18 12288 ------w- c:\windows\system32\CplEng.dll
2010-01-28 13:52:17 0 d-----w- c:\program files\Voyager 105 ADSL Modem
2010-01-28 12:45:51 3917 ----a-w- c:\windows\DslTest.html
2010-01-28 12:45:50 521 ----a-w- c:\windows\dsltest.cfg
2010-01-28 10:18:16 3923 ----a-w- c:\documents and settings\fpi\DslTest.html
2010-01-28 10:18:15 521 ----a-w- c:\documents and settings\fpi\dsltest.cfg
2010-01-23 11:59:15 0 d-----w- c:\program files\Trend Micro
2010-01-22 12:21:47 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-01-22 12:21:43 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-01-22 12:21:41 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-01-22 12:21:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-01-22 12:21:33 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-01-22 12:21:04 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-01-22 12:20:59 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-01-22 12:20:58 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-01-22 12:20:53 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-01-22 12:20:51 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-01-22 12:20:49 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-01-22 12:20:31 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-01-22 12:20:27 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-01-22 12:20:23 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-01-22 12:20:14 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-01-22 12:20:09 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-01-22 12:20:05 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-01-22 12:18:56 687999 -c--a-w- c:\windows\system32\dllcache\usrwdxjs.sys
2010-01-22 12:18:52 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
2010-01-22 12:18:48 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2010-01-22 12:18:44 7556 -c--a-w- c:\windows\system32\dllcache\usroslba.sys
2010-01-22 12:18:38 224802 -c--a-w- c:\windows\system32\dllcache\usr1807a.sys
2010-01-22 12:18:34 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys
2010-01-22 12:18:30 793598 -c--a-w- c:\windows\system32\dllcache\usr1806.sys
2010-01-22 12:18:16 794654 -c--a-w- c:\windows\system32\dllcache\usr1801.sys
2010-01-22 12:18:12 20480 -c--a-w- c:\windows\system32\dllcache\usbuhci.sys
2010-01-22 12:18:11 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-01-22 12:18:09 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-01-22 12:18:07 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys
2010-01-22 12:18:00 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-01-22 12:16:57 315520 -c--a-w- c:\windows\system32\dllcache\trid3d.dll
2010-01-22 12:15:56 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-01-22 12:14:58 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-01-22 12:13:57 35913 -c--a-w- c:\windows\system32\dllcache\smcirda.sys
2010-01-22 12:12:58 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2010-01-22 12:11:58 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2010-01-22 12:10:59 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2010-01-22 12:10:58 27648 -c--a-w- c:\windows\system32\dllcache\rw430ext.dll
2010-01-22 12:10:55 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-01-22 12:10:52 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-01-22 12:10:48 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2010-01-22 12:10:44 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2010-01-22 12:10:39 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2010-01-22 12:10:36 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2010-01-22 12:10:32 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2010-01-22 12:10:27 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2010-01-22 12:10:14 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-01-22 12:10:07 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2010-01-22 12:08:57 75776 -c--a-w- c:\windows\system32\dllcache\philcam1.sys
2010-01-22 12:07:58 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2010-01-22 12:06:56 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2010-01-22 12:05:59 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2010-01-22 12:04:58 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2010-01-22 12:03:59 25065 -c--a-w- c:\windows\system32\dllcache\lmndis3.sys
2010-01-22 12:02:43 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-01-22 12:01:59 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-01-22 12:00:58 93696 -c--a-w- c:\windows\system32\dllcache\hpgt42.dll
2010-01-22 11:59:56 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2010-01-22 11:58:58 72192 -c--a-w- c:\windows\system32\dllcache\es1969.sys
2010-01-22 11:57:59 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-01-22 11:56:57 419357 -c--a-w- c:\windows\system32\dllcache\dgconfig.dll
2010-01-22 11:55:59 96256 -c--a-w- c:\windows\system32\dllcache\ctlsb16.sys
2010-01-22 11:53:30 14208 -c--a-w- c:\windows\system32\dllcache\OLD1980.tmp
2010-01-22 11:53:29 36128 -c--a-w- c:\windows\system32\dllcache\OLD197C.tmp
2010-01-22 11:52:22 12800 -c--a-w- c:\windows\system32\dllcache\OLD18B6.tmp
2010-01-22 11:47:10 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-01-22 11:47:09 714698 -c--a-w- c:\windows\system32\dllcache\cbmdmkxx.sys
2010-01-22 11:47:07 46108 -c--a-w- c:\windows\system32\dllcache\cben5.sys
2010-01-22 11:47:06 39680 -c--a-w- c:\windows\system32\dllcache\cb325.sys
2010-01-22 11:47:05 37916 -c--a-w- c:\windows\system32\dllcache\cb102.sys
2010-01-22 11:47:00 32256 -c--a-w- c:\windows\system32\dllcache\diapi2NT.dll
2010-01-22 11:45:59 15360 -c--a-w- c:\windows\system32\dllcache\brmfbidi.dll
2010-01-22 11:44:59 382592 -c--a-w- c:\windows\system32\dllcache\atidrab.dll
2010-01-22 11:41:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-01-14 15:12:42 0 d-----w- c:\windows\Internet Logs
2010-01-14 15:02:23 0 d-----w- c:\docume~1\fpi\applic~1\CheckPoint
2010-01-14 15:02:01 0 d-----w- c:\program files\CheckPoint
2010-01-06 14:08:59 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-06 14:08:55 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-01-16 10:42:07 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-07 16:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-11-21 11:18:20 1673216 ----a-w- c:\windows\system32\BootMan.exe
2008-05-23 08:44:08 1511 ----a-w- c:\program files\AVG Free 8.0.lnk
2007-06-29 09:06:09 761 ----a-w- c:\program files\Canon iP3300 User Registration.LNK
2007-06-29 09:05:00 799 ----a-w- c:\program files\Canon Easy-PrintToolBox.lnk
2007-06-29 09:04:50 812 ----a-w- c:\program files\Easy-PhotoPrint.lnk
2007-06-29 09:03:58 1874 ----a-w- c:\program files\iP3300 On-screen Manual.lnk

============= FINISH: 11:04:37.21 ===============
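The two logs in this thread (the HijackThis log in the first post and the DDS log just above) both report hosts-file lines, and in both the aviraplatinum2009 hostnames, one of them under microsoft.com, are mapped to 91.212.127.227 rather than to the local machine. The following Python script is an added example, not a tool from the thread, from BleepingComputer or from the HijackThis/DDS authors: it parses the hosts lines of both formats, flags every entry that points a hostname at a non-local address, clusters them by target address, and also lists the "(no file)" / "No File" hook and toolbar entries whose module is gone. The sample lines are constructed from the entries visible in the thread.

```python
"""Triage helper for HijackThis and DDS text logs.

Added example, not part of the thread.  HijackThis reports hosts-file lines
as "O1 - Hosts: <addr> <name>", DDS reports them as "Hosts: <addr> <name>";
both formats are handled by the same regex.  The sample logs below are
constructed from entries shown in the thread.
"""
import ipaddress
import re

# Constructed sample: HijackThis-style lines (as in the thread's first post).
SAMPLE_HJT_LOG = """\
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 aviraplatinum2009.microsoft.com
O1 - Hosts: 91.212.127.227 aviraplatinum2009.com
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
"""

# Constructed sample: DDS-style lines (as in the thread's pseudo-HJT section).
SAMPLE_DDS_LOG = """\
Hosts: 91.212.127.227 www.aviraplatinum2009.com
Hosts: 127.0.0.1 localhost
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
"""

# Both formats end a hosts line with "<address> <hostname>"; HijackThis adds "O1 - ".
HOSTS_RE = re.compile(r"^(?:O1 - )?Hosts:\s+(\S+)\s+(\S+)\s*$")
# An entry whose backing module is missing, in either format's wording.
ORPHAN_RE = re.compile(r"-\s+(?:\(no file\)|No File)\s*$")


def parse_hosts_entries(log_text):
    """Return (address, hostname) pairs for every hosts-file line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def is_local_address(addr):
    """True for loopback (127.0.0.0/8, ::1) and the unspecified address 0.0.0.0,
    the targets a benign hosts file normally uses (0.0.0.0 is common in
    ad-blocking lists).  Anything unparsable is treated as non-local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def flag_hosts_hijacks(log_text):
    """Return the hosts entries that send a hostname to a non-local address.

    A hostname under a vendor's domain (here *.microsoft.com) pointing at an
    arbitrary IP is given its own reason, since that is an indicator rather
    than a configuration choice a user would make."""
    flagged = []
    for addr, host in parse_hosts_entries(log_text):
        if is_local_address(addr):
            continue
        reason = "hostname mapped to non-local address"
        if host.lower().endswith(".microsoft.com"):
            reason = "vendor-domain hostname mapped to non-local address"
        flagged.append({"address": addr, "hostname": host, "reason": reason})
    return flagged


def group_by_address(flagged):
    """Group flagged hostnames by target address, so one redirect target that
    captures several names shows up as a single cluster."""
    groups = {}
    for item in flagged:
        groups.setdefault(item["address"], []).append(item["hostname"])
    return groups


def find_orphaned_entries(log_text):
    """Return hook/toolbar lines whose module is missing ("(no file)" in
    HijackThis, "No File" in DDS); these are leftovers worth cleaning up."""
    return [line.strip() for line in log_text.splitlines() if ORPHAN_RE.search(line)]


if __name__ == "__main__":
    combined = SAMPLE_HJT_LOG + SAMPLE_DDS_LOG
    for addr, names in group_by_address(flag_hosts_hijacks(combined)).items():
        print(f"{addr} captures {len(names)} name(s): {', '.join(names)}")
    for line in find_orphaned_entries(combined):
        print("orphaned entry:", line)
```

Run it against a saved log by replacing the constructed samples with the file's contents; the grouping step is what makes a single redirect target that captures several names stand out at a glance, which is the shape of the entries in this thread.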


#6 mmrbunny

mmrbunny
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:43 PM

Posted 01 February 2010 - 06:17 AM

Hope I've done it right this time.
Sorry for not getting it right the first time though.
Let me know if there is anything else I can do to help.
Thanks a bunch, MmrBunny

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 PM

Posted 01 February 2010 - 01:08 PM

Hello.

Thanks for those logs. Let's start with Combofix.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.


#8 mmrbunny

mmrbunny
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:43 PM

Posted 02 February 2010 - 05:54 AM

Here is the combo log.
Cheers Mmr Bunny

Attached Files

  • Attached File  log.txt   20.25KB   3 downloads


#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 PM

Posted 02 February 2010 - 04:19 PM

Hello.

Yes, it appears one of the infections ComboFix removed was a backdoor, unfortunately.

Let me know if you wish to continue the disinfection process or not.

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


#10 mmrbunny

mmrbunny
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:43 PM

Posted 05 February 2010 - 06:52 AM

I would love to see if we can carry on and see if that will help, but I will think about formatting.


#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 PM

Posted 06 February 2010 - 02:38 PM

Okay. CF disinfected it though, so that's good. Let's get an online scan done.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 PM

Posted 12 February 2010 - 04:35 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
