browser redirects randomly to a fake virus scan


  • This topic is locked
9 replies to this topic

#1 Dill_Worbridge


Posted 25 February 2010 - 07:27 PM

Hi, my fiancée's computer has a fake antivirus scan on it. It randomly occurs while we are on the computer. I am in a rush to get to work, so I will post what I can. It tells me, after I X the fake scan, that I need to download On-Lines Personal Security Tool. I downloaded Avast, Comodo Firewall, Spybot, and Windows Defender yesterday and thought I removed it, but it just popped up again today.

Monday it redirected me to

hxxp://195.5.161.107/psx1/?vih=%3DnQz2TTuNjQ3LjE4MS4yNDImcGlkPTQwJnRpbWU9MTI2Mjg2OQ0OaA%3DN

Today it redirected me to

hxxp://googlantivirust.com/psx1/?vih=p3T42TTuNzQ3LjE5MC4xOTkmcGlkPTQwczImdGltZT0xMjYyMMYOPARM

Today the googl scan tried to get me to install this program:

hxxp://googlantivirust.com/download/Setup_40s2.exe



Here's the HijackThis log. The GMER and the DDS logs are below it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:41 PM, on 2/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O1 - Hosts: ::1 localhost
O1 - Hosts: ??????????????? browser-security.microsoft.com
O1 - Hosts: ??????????????? antiwareprotect.com
O1 - Hosts: ??????????????? www.antiwareprotect.com
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: Post-it® Digital Notes - {735abc4c-9266-4008-9ef6-bc60be8de31f} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\ADOBE\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; 3P_UVRM 1.00.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; yie8)" -"http://www.y8.com/games/Street_Fighter_Online"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Run Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = C:\Program Files\3M\PDNotes\PDNotes.exe
O8 - Extra context menu item: Add to Video Converter... - C:\Program Files\Media Player Utilities 5.15\AVIConverter\grab.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Create a Post-it® Note - C:\Program Files\3M\PDNotes\\PSNBookMark.html
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...20Installer.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} (Stm Class) - https://mpsnare.iesnare.com/StmOCX.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u1...=javadl.sun.com
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.hotwaxsurfshop.com/AxisCamControl.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://blockade-runner.axiscam.net/activex/AMC.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--
End of file - 10585 bytes



DDS (Ver_09-12-01.01) - FAT32x86
Run by Owner at 18:41:07.06 on Thu 02/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.439 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E2ZQJSTT\dds[2].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://verizon.yahoo.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: Post-it® Digital Notes: {735abc4c-9266-4008-9ef6-bc60be8de31f} - mscoree.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; 3P_UVRM 1.00.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; yie8)" -"http://www.y8.com/games/Street_Fighter_Online"
mRun: [SoundMan] "c:\windows\SOUNDMAN.EXE"
mRun: [NeroFilterCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [BootSkin Startup Jobs] "c:\progra~1\stardock\wincus~1\bootskin\BootSkin.exe" /StartupJobs
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runreg~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\pdnotes\PDNotes.exe
IE: Add to Video Converter... - c:\program files\media player utilities 5.15\aviconverter\grab.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Create a Post-it® Note - c:\program files\3m\pdnotes\\PSNBookMark.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?AuthParam=1235064985_374d02ab46829662d85962b590a3ec90&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab&File=jinstall-6u12-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://www.hotwaxsurfshop.com/AxisCamControl.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://blockade-runner.axiscam.net/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayvUMEV
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-22 162512]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-2-22 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-2-22 25160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-22 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-22 40384]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-2-22 723632]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-22 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-22 40384]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\drivers\ubveo532.sys --> c:\windows\system32\drivers\ubVeo532.sys [?]
S3 XDva281;XDva281;\??\c:\windows\system32\xdva281.sys --> c:\windows\system32\XDva281.sys [?]

=============== Created Last 30 ================

2010-02-25 23:37:52 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-02-25 23:04:11 0 d-----w- c:\program files\TrendMicro
2010-02-25 22:52:38 45 ----a-w- c:\windows\system32\_WKERNEL.SYL
2010-02-25 22:52:11 544768 ----a-w- c:\windows\system32\wbocx.ocx
2010-02-25 22:52:10 56496 ----a-w- c:\windows\system32\wbhelp2.dll
2010-02-25 22:52:09 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2010-02-25 22:52:08 33968 ----a-w- c:\windows\system32\anim.dll
2010-02-25 22:52:07 4608 ----a-w- c:\windows\system32\W95INF32.DLL
2010-02-25 22:52:06 2272 ----a-w- c:\windows\system32\W95INF16.DLL
2010-02-25 22:52:05 439 ----a-w- c:\windows\system32\shfolder.inf
2010-02-25 22:52:01 0 d-----w- c:\program files\WinUtilities
2010-02-25 22:42:02 0 d-----w- c:\program files\Nsasoft
2010-02-23 02:26:40 0 d-----w- c:\program files\3M
2010-02-23 02:23:39 0 d-----w- c:\docume~1\owner\applic~1\GetRightToGo
2010-02-22 17:21:25 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 17:17:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo
2010-02-22 17:17:55 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-02-22 17:17:55 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-22 17:17:55 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-02-22 17:17:53 0 d-----w- c:\program files\COMODO
2010-02-22 16:55:25 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-02-22 16:55:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-22 16:55:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-22 16:55:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-22 16:55:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-21 18:07:51 0 d-----w- c:\docume~1\owner\applic~1\firstobject
2010-02-21 18:07:50 0 d-----w- c:\program files\firstobject
2010-02-20 00:54:34 1104 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-02-15 22:20:50 163712 ----a-w- c:\windows\system32\drivers\vidstub.sys
2010-02-15 22:20:50 0 d-----w- c:\program files\common files\Stardock
2010-02-15 22:20:49 0 d-----w- c:\program files\Stardock
2010-02-14 22:23:40 0 d-----w- c:\docume~1\alluse~1\applic~1\PopCap
2010-02-14 03:15:54 19805 ----a-r- c:\windows\system32\drivers\usbio.sys
2010-02-14 03:12:44 0 d-----w- c:\program files\Datel
2010-02-13 19:46:49 0 d-----w- c:\program files\WiFiConnector

==================== Find3M ====================

2010-02-25 22:57:52 268435456 --sha-w- c:\windows\system32\temppf.sys
2010-02-20 01:35:00 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2008-06-01 00:00:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008053120080601\index.dat
2009-05-03 05:02:28 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-05-03 05:02:28 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-05-03 05:02:28 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

============= FINISH: 18:42:16.46 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-25 18:53:40
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwqyqkow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xEEA74BDA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE892C5A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xEEA741B8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xEEA74840]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE892B16]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xEEA7409A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xEEA7606A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xEEA76302]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xEEA73C60]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xEE8930CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE892FF4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEE8926EC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xEEA75CEC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xEEA7443C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xEEA74A1C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE892BF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEE89262C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xEEA746CC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEE892690]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE892D10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xEE893198]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xEEA76648]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE892CD0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xEEA75A88]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSecurityObject [0xEEA74DC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xEEA75E9A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE892E50]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xEEA743D6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xEEA745C0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xEEA73F64]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xEEA73E32]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----


Thank you for your help

Edited by Orange Blossom, 26 February 2010 - 01:26 AM.
Deactivate links. ~ OB
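As an added example (not from the original post or from the tools whose logs appear above), a small Python triage pass over HijackThis/DDS-style lines, flagging the entry types a malware-response helper looks at first: hosts-file entries that pin names other than localhost, autostarts launching from user-writable directories, AppInit_DLLs, and non-stock LSA authentication packages. The sample lines are constructed in the shape of the thread's logs (the hosts-file IPs in particular, since the thread's copy is garbled), and the flagging rules are illustrative heuristics, not the tools' own logic.

```python
import re

# Constructed sample lines in the shape of the HijackThis and DDS logs posted in
# the thread (the hosts-file IPs are constructed; the thread's copy has them garbled).
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.spywareinfo.com
O1 - Hosts: 127.0.0.1 browser-security.microsoft.com
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\setup.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayvUMEV
"""

# Line shapes: HijackThis ("O1 - Hosts:", "O4 - HKLM\..\Run:", "O20 - AppInit_DLLs:")
# and the DDS pseudo-HJT report ("Hosts:", "uRun:/mRun:", "AppInit_DLLs:", "LSA:").
HOSTS_RE = re.compile(r"^(?:O1 - )?Hosts:\s+(\S+)\s+(\S+)", re.I)
RUN_RE = re.compile(r"^(?:O4 - .*?Run(?:Once)?:|[um]Run(?:Once)?:)\s+\[([^\]]*)\]\s+(.*)$", re.I)
APPINIT_RE = re.compile(r"^(?:O20 - )?AppInit_DLLs:\s*(.+)$", re.I)
LSA_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(.+)$", re.I)

# Names a clean hosts file maps to loopback; any other pinned name gets reviewed.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# The only authentication package a stock Windows XP install registers.
STOCK_LSA_PACKAGES = {"msv1_0"}
# Path fragments that place an autostart inside a user-writable location.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\applic~1\\")


def lsa_extras(value):
    """Authentication packages beyond the stock set (the thread's DDS log shows a random-named one)."""
    return [p for p in value.split() if p.lower() not in STOCK_LSA_PACKAGES]


def triage(log_text):
    """Return findings as dicts with "kind", "line" and "why" for the lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            addr, name = m.groups()
            if name.lower() not in LOOPBACK_NAMES:
                findings.append({"kind": "hosts-redirect", "line": line,
                                 "why": f"{name} is pinned to {addr}; rogue AV commonly blocks security sites this way"})
            continue
        m = RUN_RE.match(line)
        if m:
            name, command = m.groups()
            if any(frag in command.lower() for frag in USER_WRITABLE):
                findings.append({"kind": "autostart-user-writable", "line": line,
                                 "why": f"Run entry [{name}] launches from a temp or profile directory"})
            continue
        m = APPINIT_RE.match(line)
        if m:
            # Not malicious by itself: the thread's own log ties guard32.dll to the COMODO install.
            findings.append({"kind": "appinit-dll", "line": line,
                             "why": "AppInit_DLLs loads into every GUI process; confirm the DLL belongs to an installed product"})
            continue
        m = LSA_RE.match(line)
        if m:
            for pkg in lsa_extras(m.group(1)):
                findings.append({"kind": "lsa-extra-package", "line": line,
                                 "why": f"non-stock authentication package {pkg} is loaded by lsass.exe"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['why']}\n    {f['line']}")
```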




#2 Ltangelic


Posted 26 February 2010 - 02:42 AM

Hey Dill_Worbridge,

Welcome to Bleepingcomputer! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses, so I ask for your patience. Please stick with me until we get your computer cleaned up, or it will be a wasted effort on both sides. ;)

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

PS. If I've not been responding, and you wonder why, feel free to PM me and I'll give an explanation.

LT

Bleepingcomputer Malware Response Team



#3 Ltangelic


Posted 28 February 2010 - 07:08 AM

Hey Dill_Worbridge,

There aren't many things in your log, so let's run some preliminary scans to see what we can find.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software (Comodo Firewall and Avast anti-virus) as it may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
Next reply (please include in your post):

ComboFix.txt
OTS.txt



#4 Dill_Worbridge


Posted 28 February 2010 - 11:39 AM

Thank you for the swift reply. The redirect hasn't happened since I posted on the forum, but of course that's what this has done for the past 6 months or so; it just kinda lies dormant till one day it pops up. Last time it popped up, avast or comodo popped up something to block it, but whatever it blocked had nothing to do with the redirecting, just the program it was trying to install.

Here's the combofix log, and the OTS log is attached in a zip file.

Thanks once again

ComboFix 10-02-27.04 - Owner 02/28/2010 10:55:53.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.545 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msxml6.dll
.
---- Previous Run -------
.
c:\documents and settings\Owner\Application Data\inst.exe
c:\recycled\Dc169\VIDEO_TS\VTS_01_1.VOB
c:\recycled\Dc170\VIDEO_TS\VTS_01_2.VOB
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\patchw.dll
c:\windows\system32\deploytk.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-26 00:20 . 2010-02-26 00:20 -------- d-----w- c:\program files\Trend Micro
2010-02-25 23:11 . 2010-02-25 23:11 -------- d-----w- c:\program files\ERUNT
2010-02-25 23:04 . 2010-02-25 23:04 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-25 23:04 . 2010-02-25 23:04 -------- d-----w- c:\program files\TrendMicro
2010-02-25 22:52 . 2007-08-31 17:52 56496 ----a-w- c:\windows\system32\wbhelp2.dll
2010-02-25 22:52 . 2001-08-24 13:25 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2010-02-25 22:52 . 2007-08-31 17:52 33968 ----a-w- c:\windows\system32\anim.dll
2010-02-25 22:52 . 1999-11-22 20:50 4608 ----a-w- c:\windows\system32\W95INF32.DLL
2010-02-25 22:52 . 1999-11-22 20:50 2272 ----a-w- c:\windows\system32\W95INF16.DLL
2010-02-25 22:52 . 2010-02-25 22:52 -------- d-----w- c:\program files\WinUtilities
2010-02-25 22:42 . 2010-02-25 22:42 -------- d-----w- c:\program files\Nsasoft
2010-02-23 02:28 . 2010-02-23 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-23 02:27 . 2010-02-23 02:28 57 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\eum1jy3g.default\extensions\pdnfirefox@3m.com
2010-02-23 02:26 . 2010-02-23 02:26 -------- d-----w- c:\program files\3M
2010-02-23 02:23 . 2010-02-23 02:23 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2010-02-22 17:43 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-22 17:43 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-22 17:43 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-22 17:43 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-22 17:43 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-22 17:43 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-22 17:43 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-22 17:43 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-22 17:43 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-22 17:21 . 2010-02-24 14:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 17:17 . 2010-02-22 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2010-02-22 17:17 . 2010-02-22 17:17 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-02-22 17:17 . 2010-02-22 17:17 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-02-22 17:17 . 2010-02-22 17:17 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-22 17:17 . 2010-02-22 17:17 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-02-22 17:17 . 2010-02-22 17:17 -------- d-----w- c:\program files\COMODO
2010-02-22 17:16 . 2010-02-22 17:16 -------- d-----w- c:\program files\Windows Defender
2010-02-22 16:56 . 2010-02-22 16:56 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-22 16:55 . 2010-02-22 16:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-22 16:55 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-22 16:55 . 2010-02-22 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-22 16:55 . 2010-02-22 16:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 16:55 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-21 18:07 . 2010-02-21 18:07 -------- d-----w- c:\documents and settings\Owner\Application Data\firstobject
2010-02-21 18:07 . 2010-02-21 18:07 -------- d-----w- c:\program files\firstobject
2010-02-20 00:54 . 2010-02-20 00:54 1104 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-02-20 00:54 . 2010-02-20 00:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2010-02-20 00:47 . 2010-02-20 00:47 -------- d-----w- c:\program files\Electronic Arts
2010-02-15 22:20 . 2010-02-15 23:17 163712 ----a-w- c:\windows\system32\drivers\vidstub.sys
2010-02-15 22:20 . 2010-02-15 22:20 -------- d-----w- c:\program files\Common Files\Stardock
2010-02-15 22:20 . 2010-02-15 22:20 -------- d-----w- c:\program files\Stardock
2010-02-14 22:23 . 2010-02-14 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2010-02-14 03:15 . 2001-05-07 10:56 19805 ----a-r- c:\windows\system32\drivers\usbio.sys
2010-02-14 03:12 . 2010-02-14 03:12 -------- d-----w- c:\program files\Datel
2010-02-13 19:46 . 2010-02-13 19:46 -------- d-----w- c:\program files\WiFiConnector

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 02:28 . 2008-04-20 14:01 21912 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-20 01:35 . 2008-03-19 16:16 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-01-24 14:26 . 2010-01-24 14:26 -------- d-----w- c:\program files\Alwil Software
2010-01-24 14:26 . 2010-01-24 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-16 20:29 . 2010-01-16 20:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-01-16 20:27 . 2010-01-16 20:27 -------- d-----w- c:\program files\The Weather Channel FW
2010-01-12 15:41 . 2010-01-12 15:41 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-01-02 02:56 . 2010-01-02 02:56 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-10 04:27 . 2009-12-10 04:26 18536 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-05 16:30 . 2009-12-05 16:30 16262 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{8E79F5DD-4A0A-452B-B3F8-0651E4D24854}\_1BB2031A9AFFCD2B6C1917.exe
2009-12-05 16:30 . 2009-12-05 16:30 1518 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{8E79F5DD-4A0A-452B-B3F8-0651E4D24854}\_A7D63AD4672AFAA4A60DC4.exe
2009-12-05 16:30 . 2009-12-05 16:30 1078 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{8E79F5DD-4A0A-452B-B3F8-0651E4D24854}\_200FA1E96835F2D7438CB7.exe
2009-12-05 16:30 . 2009-12-05 16:30 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{8E79F5DD-4A0A-452B-B3F8-0651E4D24854}\_BF19904BBE1609AB14E68F.exe
2008-06-25 21:44 . 2008-03-20 23:45 98 --sh--w- c:\windows\SAE914C3E.tmp
1601-01-01 00:00 . 1601-01-01 00:00 0 --sha-w- c:\windows\system32\temppf.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-10-12 18:11 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_9.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2005-10-24 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BootSkin Startup Jobs"="c:\progra~1\STARDOCK\WINCUS~1\BOOTSKIN\BootSkin.exe" [2004-04-26 270336]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-22 1800464]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2010-2-13 1175552]
Post-it® Digital Notes.lnk - c:\program files\3M\PDNotes\PDNotes.exe [2010-2-22 5812960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Giggles.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Giggles.lnk
backup=c:\windows\pss\Giggles.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LAN Chat.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LAN Chat.lnk
backup=c:\windows\pss\LAN Chat.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 07:08 483328 ----a-w- c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-09-08 16:06 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2009-10-08 17:13 818288 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2009-01-07 20:46 1468296 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 01:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2008-10-12 18:18 6272888 ----a-w- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-02-19 17:35 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2004-11-22 13:18 307200 ----a-r- c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Java\\JRE6\\BIN\\java.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58816:TCP"= 58816:TCP:Pando Media Booster
"58816:UDP"= 58816:UDP:Pando Media Booster

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/22/2010 12:43 PM 162512]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2/22/2010 12:17 PM 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2/22/2010 12:17 PM 25160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/22/2010 12:43 PM 19024]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 3:06 PM 231424]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys --> c:\windows\system32\Drivers\ubVeo532.sys [?]
S3 XDva281;XDva281;\??\c:\windows\system32\XDva281.sys --> c:\windows\system32\XDva281.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-02-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://verizon.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Video Converter... - c:\program files\Media Player Utilities 5.15\AVIConverter\grab.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Create a Post-it® Note - c:\program files\3M\PDNotes\\PSNBookMark.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://blockade-runner.axiscam.net/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Verizon_McciTrayApp - c:\program files\Verizon\McciTrayApp.exe
MSConfigStartUp-Adobe Version Cue CS2 - c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
MSConfigStartUp-DrvIcon - c:\program files\Vista Drive Icon\DrvIcon.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
MSConfigStartUp-SynTPStart - c:\program files\Synaptics\SynTP\SynTPStart.exe
MSConfigStartUp-system tool - c:\windows\sysguard.exe
MSConfigStartUp-ViGlance - c:\program files\ViGlance\ViGlance.exe
MSConfigStartUp-ViSplore - c:\program files\ViSplore\ViSplore.exe
MSConfigStartUp-Vista Rainbar - c:\program files\Vista Rainbar\launcher.exe
MSConfigStartUp-ViStart - c:\program files\ViStart\ViStart.exe
MSConfigStartUp-WinFlip - c:\program files\WinFlip\WinFlip.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 11:01
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Owner\LOCALS~1\Temp\WERc87e.dir00\/ 7634944 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WERc87e.dir00\c 2981888 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WERc87e.dir00\o 3244032 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WERc87e.dir00\2 272007168 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WERc87e.dir00\a½c:\docume~1\Owner\LOCALS~1\Temp\WERc87e.dir00\    r 234913792 bytes
c:\docume~1\Owner\LOCALS~1\Temp\WERc87e.dir00\3 32768 bytes

scan completed successfully
hidden files: 7

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-28 11:05:21
ComboFix-quarantined-files.txt 2010-02-28 16:05

Pre-Run: 29,010,886,656 bytes free
Post-Run: 28,987,260,928 bytes free

- - End Of File - - C78CFFCB40BF801FFBA8CAA38FF8A8DD

Attached Files

  • Attached File  OTS.zip   21.01KB   5 downloads


#5 Ltangelic


Posted 03 March 2010 - 07:54 PM

Hey Dill_Worbridge,

Your logs don't look too bad, just need a check on some files and some scans to do. ;)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software (Avast anti-virus and Comodo Firewall) as it may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
File::
c:\windows\SAE914C3E.tmp

Folder::
C:\Documents and Settings\All Users\Application Data\ORQLJZODYG
C:\Documents and Settings\All Users\Application Data\KBRLJZODYG
C:\Documents and Settings\All Users\Application Data\EIQLJZODYG
c:\docume~1\Owner\LOCALS~1\Temp\WERc87e.dir00

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt .
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Optional Removal

From your log, you seem to have LimeWire 5.3.6 installed.

LimeWire is peer-to-peer software that allows you to share files between computers. While it is not harmful software in itself, it can bring about security risks to your computer. Please have a look at the article below:

http://www.microsoft.com/protect/data/down...ilesharing.aspx

Due to the dubious nature of these programs, it is highly recommended that you remove the programs via Add or Remove Programs in Control Panel and refrain from downloading these programs in the future. If you have made a decision to remove these programs, please do the following:

Please go to Add or Remove Programs and remove the following (if present):

LimeWire 5.3.6

Then use Windows Explorer and remove the following (if present):
C:\Program Files\LimeWire


Reboot your computer.

3) Upload files for analysis

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and close My Computer.
  • Now your computer is configured to show all hidden files.
NEXT
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\temppf.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • Please do the same for the following files:

    c:\documents and settings\Owner\Application Data\Microsoft\Installer\{8E79F5DD-4A0A-452B-B3F8-0651E4D24854}\_1BB2031A9AFFCD2B6C1917.exe
    c:\documents and settings\Owner\Application Data\Microsoft\Installer\{8E79F5DD-4A0A-452B-B3F8-0651E4D24854}\_A7D63AD4672AFAA4A60DC4.exe
    c:\documents and settings\Owner\Application Data\Microsoft\Installer\{8E79F5DD-4A0A-452B-B3F8-0651E4D24854}\_200FA1E96835F2D7438CB7.exe
    c:\documents and settings\Owner\Application Data\Microsoft\Installer\{8E79F5DD-4A0A-452B-B3F8-0651E4D24854}\_BF19904BBE1609AB14E68F.exe
    C:\WINDOWS\System32\_WKERNEL.SYL
    c:\windows\system32\XDva281.sys
Next reply (please include in your post):
ComboFix.txt
7 virscan reports



#6 Ltangelic


Posted 07 March 2010 - 03:49 AM

Hey,

Are you still in need of assistance? If so, please reply as soon as possible. Thanks. ;)



#7 Dill_Worbridge


Posted 07 March 2010 - 12:45 PM

Yes, I'm sorry, I never received email notification of your last post. I am heading to work now, but I will reply with what you need once I get back.

#8 Dill_Worbridge


Posted 10 March 2010 - 08:08 PM

Okay, here is what you requested, sorry for the delay.

Every time I run ComboFix I spend the next 10 minutes holding the enter button down to thousands of corrupt file errors from different folders, esp. ie5 in a temp folder... In the virscan.org report the file c:\windows\system32\XDva281.sys did not exist, and the file c:\windows\system32\temppf.sys went through, but upon uploading it over an elapsed time of 1 hour it still had 0 percent every time, while all the other ones worked fine. So temppf won't upload to be scanned.

Thank you for your patience. BTW, the redirect occurred again 2 days ago.



VirSCAN.org Scanned Report :
Scanned time : 2010/03/10 19:48:11 (EST)
Scanner results: Scanners did not find malware!
File Name : _1BB2031A9AFFCD2B6C1917.exe
File Size : 16262 byte
File Type : MPEG sequence
MD5 : 149ddc7dcaa34271b324a1441d7bedce
SHA1 : 167d5b3e4715e596c1dc9f00546989126baafd4d
Online report : http://virscan.org/report/ebe228e644be7acc...a62d360977.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100311063126 2010-03-11 4.54 -
AhnLab V3 2010.03.09.00 2010.03.09 2010-03-09 1.07 -
AntiVir 8.2.1.180 7.10.5.37 2010-03-10 0.08 -
Antiy 2.0.18 20100308.3980438 2010-03-08 0.02 -
Arcavir 2009 201003101754 2010-03-10 0.02 -
Authentium 5.1.1 201003101051 2010-03-10 1.28 -
AVAST! 4.7.4 100310-1 2010-03-10 0.00 -
AVG 8.5.720 271.1.1/2735 2010-03-11 0.27 -
BitDefender 7.81008.5431861 7.30714 2010-03-11 5.50 -
ClamAV 0.95.3 10549 2010-03-11 0.01 -
Comodo 3.13.579 4218 2010-03-10 0.92 -
CP Secure 1.3.0.5 2010.03.11 2010-03-11 0.01 -
Dr.Web 5.0.1.12222 2010.03.11 2010-03-11 5.81 -
F-Prot 4.4.4.56 20100310 2010-03-10 1.22 -
F-Secure 7.02.73807 2010.03.10.10 2010-03-10 6.85 -
Fortinet 11.567- 11.567 2010-03-10 0.18 -
GData 19.10773/19.810 20100310 2010-03-10 6.52 -
ViRobot 20100310 2010.03.10 2010-03-10 0.43 -
Ikarus T3.1.01.80 2010.03.10.75370 2010-03-10 4.98 -
JiangMin 13.0.900 2010.03.10 2010-03-10 4.79 -
Kaspersky 5.5.10 2010.03.10 2010-03-10 0.03 -
KingSoft 2009.2.5.15 2010.3.10.19 2010-03-10 0.56 -
McAfee 5.3.00 5916 2010-03-10 3.89 -
Microsoft 1.5502 2010.03.10 2010-03-10 6.56 -
Norman 6.01.09 6.01.00 2010-02-10 4.01 -
Panda 9.05.01 2010.03.10 2010-03-10 2.30 -
Trend Micro 9.120-1004 6.908.12 2010-03-10 0.03 -
Quick Heal 10.00 2010.03.10 2010-03-10 1.38 -
Rising 20.0 22.38.02.03 2010-03-10 0.27 -
Sophos 3.05.4 4.51 2010-03-11 3.30 -
Sunbelt 3.9.2408.2 5817 2010-03-10 3.29 -
Symantec 1.3.0.24 20100310.002 2010-03-10 0.05 -
nProtect 20100309.01 7671527 2010-03-09 4.66 -
The Hacker 6.5.2.0 v00229 2010-03-10 0.35 -
VBA32 3.12.12.2 20100308.2152 2010-03-08 2.61 -
VirusBuster 4.5.11.10 10.121.14/2030753 2010-03-11 2.33 -




VirSCAN.org Scanned Report :
Scanned time : 2010/03/10 19:51:07 (EST)
Scanner results: Scanners did not find malware!
File Name : _A7D63AD4672AFAA4A60DC4.exe
File Size : 1518 byte
File Type : MPEG sequence
MD5 : e0e6d93f325e87727a3ab244b2aa6210
SHA1 : 0bb94003a333ae94afd5c5f3126c9d460a897aff
Online report : http://virscan.org/report/bd7ab243a5f850cd...cd41dfaec9.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100311063126 2010-03-11 5.13 -
AhnLab V3 2010.03.09.00 2010.03.09 2010-03-09 1.09 -
AntiVir 8.2.1.180 7.10.5.37 2010-03-10 0.16 -
Antiy 2.0.18 20100308.3980438 2010-03-08 0.03 -
Arcavir 2009 201003101754 2010-03-10 0.10 -
Authentium 5.1.1 201003101051 2010-03-10 4.27 -
AVAST! 4.7.4 100310-1 2010-03-10 0.00 -
AVG 8.5.720 271.1.1/2735 2010-03-11 0.58 -
BitDefender 7.81008.5431861 7.30714 2010-03-11 5.47 -
ClamAV 0.95.3 10549 2010-03-11 0.01 -
Comodo 3.13.579 4218 2010-03-10 0.89 -
CP Secure 1.3.0.5 2010.03.11 2010-03-11 0.00 -
Dr.Web 5.0.1.12222 2010.03.11 2010-03-11 5.87 -
F-Prot 4.4.4.56 20100310 2010-03-10 1.23 -
F-Secure 7.02.73807 2010.03.10.10 2010-03-10 0.07 -
Fortinet 11.567- 11.567 2010-03-10 0.16 -
GData 19.10773/19.810 20100310 2010-03-10 5.90 -
ViRobot 20100310 2010.03.10 2010-03-10 0.42 -
Ikarus T3.1.01.80 2010.03.10.75370 2010-03-10 6.16 -
JiangMin 13.0.900 2010.03.10 2010-03-10 8.26 -
Kaspersky 5.5.10 2010.03.10 2010-03-10 0.04 -
KingSoft 2009.2.5.15 2010.3.10.19 2010-03-10 0.77 -
McAfee 5.3.00 5916 2010-03-10 4.02 -
Microsoft 1.5502 2010.03.10 2010-03-10 6.79 -
Norman 6.01.09 6.01.00 2010-02-10 4.02 -
Panda 9.05.01 2010.03.10 2010-03-10 2.21 -
Trend Micro 9.120-1004 6.908.12 2010-03-10 0.02 -
Quick Heal 10.00 2010.03.10 2010-03-10 1.37 -
Rising 20.0 22.38.02.03 2010-03-10 0.27 -
Sophos 3.05.4 4.51 2010-03-11 3.48 -
Sunbelt 3.9.2408.2 5817 2010-03-10 3.79 -
Symantec 1.3.0.24 20100310.002 2010-03-10 0.05 -
nProtect 20100309.01 7671527 2010-03-09 4.56 -
The Hacker 6.5.2.0 v00229 2010-03-10 0.36 -
VBA32 3.12.12.2 20100308.2152 2010-03-08 2.70 -
VirusBuster 4.5.11.10 10.121.14/2030753 2010-03-11 2.34 -





VirSCAN.org Scanned Report :
Scanned time : 2010/03/10 19:54:35 (EST)
Scanner results: Scanners did not find malware!
File Name : _200FA1E96835F2D7438CB7.exe
File Size : 1078 byte
File Type : MPEG sequence
MD5 : e470f9397fccbc2449caef2ecda2cceb
SHA1 : 666b8d81d4645e17896ec0a1fcc0a9bdc6219f85
Online report : http://virscan.org/report/a84bb77ee2db5b05...a4e090e0ec.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100311063126 2010-03-11 4.79 -
AhnLab V3 2010.03.09.00 2010.03.09 2010-03-09 1.13 -
AntiVir 8.2.1.180 7.10.5.37 2010-03-10 0.20 -
Antiy 2.0.18 20100308.3980438 2010-03-08 0.02 -
Arcavir 2009 201003101754 2010-03-10 0.03 -
Authentium 5.1.1 201003101051 2010-03-10 1.29 -
AVAST! 4.7.4 100310-1 2010-03-10 0.00 -
AVG 8.5.720 271.1.1/2735 2010-03-11 0.22 -
BitDefender 7.81008.5431861 7.30714 2010-03-11 5.40 -
ClamAV 0.95.3 10549 2010-03-11 0.00 -
Comodo 3.13.579 4218 2010-03-10 0.87 -
CP Secure 1.3.0.5 2010.03.11 2010-03-11 0.00 -
Dr.Web 5.0.1.12222 2010.03.11 2010-03-11 5.80 -
F-Prot 4.4.4.56 20100310 2010-03-10 1.23 -
F-Secure 7.02.73807 2010.03.10.10 2010-03-10 0.05 -
Fortinet 11.567- 11.567 2010-03-10 0.21 -
GData 19.10773/19.810 20100310 2010-03-10 6.81 -
ViRobot 20100310 2010.03.10 2010-03-10 0.43 -
Ikarus T3.1.01.80 2010.03.10.75370 2010-03-10 5.25 -
JiangMin 13.0.900 2010.03.10 2010-03-10 6.61 -
Kaspersky 5.5.10 2010.03.10 2010-03-10 0.03 -
KingSoft 2009.2.5.15 2010.3.10.19 2010-03-10 0.58 -
McAfee 5.3.00 5916 2010-03-10 3.67 -
Microsoft 1.5502 2010.03.10 2010-03-10 6.51 -
Norman 6.01.09 6.01.00 2010-02-10 4.02 -
Panda 9.05.01 2010.03.10 2010-03-10 1.71 -
Trend Micro 9.120-1004 6.908.12 2010-03-10 0.02 -
Quick Heal 10.00 2010.03.10 2010-03-10 1.37 -
Rising 20.0 22.38.02.03 2010-03-10 0.27 -
Sophos 3.05.4 4.51 2010-03-11 3.32 -
Sunbelt 3.9.2408.2 5817 2010-03-10 3.21 -
Symantec 1.3.0.24 20100310.002 2010-03-10 0.26 -
nProtect 20100309.01 7671527 2010-03-09 4.46 -
The Hacker 6.5.2.0 v00229 2010-03-10 0.45 -
VBA32 3.12.12.2 20100308.2152 2010-03-08 2.60 -
VirusBuster 4.5.11.10 10.121.14/2030753 2010-03-11 2.32 -





VirSCAN.org Scanned Report :
Scanned time : 2010/03/10 19:56:46 (EST)
Scanner results: Scanners did not find malware!
File Name : _BF19904BBE1609AB14E68F.exe
File Size : 10134 byte
File Type : MPEG sequence
MD5 : fe9e27e4184bfec29a737d6be17a5327
SHA1 : 2ce98c51977855dedb54b9b03c9edbe0ee915ec4
Online report : http://virscan.org/report/89f1ee09901cbfb7...a665b55179.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100311063126 2010-03-11 4.42 -
AhnLab V3 2010.03.09.00 2010.03.09 2010-03-09 1.02 -
AntiVir 8.2.1.180 7.10.5.37 2010-03-10 0.41 -
Antiy 2.0.18 20100308.3980438 2010-03-08 0.02 -
Arcavir 2009 201003101754 2010-03-10 0.02 -
Authentium 5.1.1 201003101051 2010-03-10 1.23 -
AVAST! 4.7.4 100310-1 2010-03-10 0.00 -
AVG 8.5.720 271.1.1/2735 2010-03-11 0.22 -
BitDefender 7.81008.5431861 7.30714 2010-03-11 5.40 -
ClamAV 0.95.3 10549 2010-03-11 0.01 -
Comodo 3.13.579 4218 2010-03-10 0.88 -
CP Secure 1.3.0.5 2010.03.11 2010-03-11 0.01 -
Dr.Web 5.0.1.12222 2010.03.11 2010-03-11 5.79 -
F-Prot 4.4.4.56 20100310 2010-03-10 1.21 -
F-Secure 7.02.73807 2010.03.10.10 2010-03-10 2.95 -
Fortinet 11.567- 11.567 2010-03-10 0.16 -
GData 19.10773/19.810 20100310 2010-03-10 6.42 -
ViRobot 20100310 2010.03.10 2010-03-10 0.42 -
Ikarus T3.1.01.80 2010.03.10.75370 2010-03-10 4.96 -
JiangMin 13.0.900 2010.03.10 2010-03-10 5.77 -
Kaspersky 5.5.10 2010.03.10 2010-03-10 0.03 -
KingSoft 2009.2.5.15 2010.3.10.19 2010-03-10 0.55 -
McAfee 5.3.00 5916 2010-03-10 3.62 -
Microsoft 1.5502 2010.03.10 2010-03-10 6.48 -
Norman 6.01.09 6.01.00 2010-02-10 4.01 -
Panda 9.05.01 2010.03.10 2010-03-10 2.00 -
Trend Micro 9.120-1004 6.908.12 2010-03-10 0.03 -
Quick Heal 10.00 2010.03.10 2010-03-10 1.37 -
Rising 20.0 22.38.02.03 2010-03-10 0.27 -
Sophos 3.05.4 4.51 2010-03-11 3.31 -
Sunbelt 3.9.2408.2 5817 2010-03-10 3.25 -
Symantec 1.3.0.24 20100310.002 2010-03-10 0.05 -
nProtect 20100309.01 7671527 2010-03-09 4.46 -
The Hacker 6.5.2.0 v00229 2010-03-10 0.35 -
VBA32 3.12.12.2 20100308.2152 2010-03-08 2.89 -
VirusBuster 4.5.11.10 10.121.14/2030753 2010-03-11 2.33 -





VirSCAN.org Scanned Report :
Scanned time : 2010/03/10 19:58:54 (EST)
Scanner results: Scanners did not find malware!
File Name : _WKERNEL.SYL
File Size : 45 byte
File Type : ASCII text, with CRLF line terminators
MD5 : 19abca44569e34fb0edef7b0b8d5b6e9
SHA1 : c9b2e798ab746df69dbd334e20d914738b1587bd
Online report : http://virscan.org/report/71de6ac5002c7e52...d2b2a30232.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100311063126 2010-03-11 4.45 -
AhnLab V3 2010.03.09.00 2010.03.09 2010-03-09 1.01 -
AntiVir 8.2.1.180 7.10.5.37 2010-03-10 0.33 -
Antiy 2.0.18 20100308.3980438 2010-03-08 0.02 -
Arcavir 2009 201003101754 2010-03-10 0.02 -
Authentium 5.1.1 201003101051 2010-03-10 1.29 -
AVAST! 4.7.4 100310-1 2010-03-10 0.00 -
AVG 8.5.720 271.1.1/2735 2010-03-11 0.23 -
BitDefender 7.81008.5431861 7.30714 2010-03-11 5.50 -
ClamAV 0.95.3 10549 2010-03-11 0.00 -
Comodo 3.13.579 4218 2010-03-10 0.88 -
CP Secure 1.3.0.5 2010.03.11 2010-03-11 0.00 -
Dr.Web 5.0.1.12222 2010.03.11 2010-03-11 5.81 -
F-Prot 4.4.4.56 20100310 2010-03-10 1.27 -
F-Secure 7.02.73807 2010.03.10.10 2010-03-10 4.51 -
Fortinet 11.567- 11.567 2010-03-10 0.15 -
GData 19.10773/19.810 20100310 2010-03-10 6.44 -
ViRobot 20100310 2010.03.10 2010-03-10 0.41 -
Ikarus T3.1.01.80 2010.03.10.75370 2010-03-10 4.99 -
JiangMin 13.0.900 2010.03.10 2010-03-10 6.73 -
Kaspersky 5.5.10 2010.03.10 2010-03-10 0.03 -
KingSoft 2009.2.5.15 2010.3.10.19 2010-03-10 0.58 -
McAfee 5.3.00 5916 2010-03-10 3.66 -
Microsoft 1.5502 2010.03.10 2010-03-10 6.56 -
Norman 6.01.09 6.01.00 2010-02-10 4.01 -
Panda 9.05.01 2010.03.10 2010-03-10 1.68 -
Trend Micro 9.120-1004 6.908.12 2010-03-10 0.02 -
Quick Heal 10.00 2010.03.10 2010-03-10 1.39 -
Rising 20.0 22.38.02.03 2010-03-10 0.24 -
Sophos 3.05.4 4.51 2010-03-11 3.30 -
Sunbelt 3.9.2408.2 5817 2010-03-10 3.96 -
Symantec 1.3.0.24 20100310.002 2010-03-10 0.20 -
nProtect 20100309.01 7671527 2010-03-09 4.49 -
The Hacker 6.5.2.0 v00229 2010-03-10 0.35 -
VBA32 3.12.12.2 20100308.2152 2010-03-08 3.05 -
VirusBuster 4.5.11.10 10.121.14/2030753 2010-03-11 2.42 -







#9 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 12 March 2010 - 02:40 AM

Hey Dill_Worbridge,

Since ComboFix won't run properly, let's try a stronger tool.

Please follow my instructions in the order they were given, and print out a copy of them, as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Avast anti-virus and Comodo Firewall) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run Avenger

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the Avenger folder to your desktop
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

CODE
Begin copying here:

Files to delete:
c:\windows\SAE914C3E.tmp
Folders to delete:
C:\Documents and Settings\All Users\Application Data\ORQLJZODYG
C:\Documents and Settings\All Users\Application Data\KBRLJZODYG
C:\Documents and Settings\All Users\Application Data\EIQLJZODYG
c:\docume~1\Owner\LOCALS~1\Temp\WERc87e.dir00


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

2) Fix with registry script

Important! Registry edit is a dangerous process and any mistakes can corrupt the entire registry, rendering your system unbootable or unrepairable. Thus, it is important to always back up your registry before attempting any registry edits. Please do the following:
  1. Go to Start>Run and type regedit.
  2. On the left panel, highlight My Computer.
  3. Click on File>Export, and save the file as registrybackup.reg in a safe location. (Make sure you remember the location where you saved the backup)
Please open notepad, and copy/paste the following text (including REGEDIT4) into the notepad window:

CODE
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
  • Save the file above as fixit.reg on your desktop.
  • Double click on it. A window will open and prompt you if you want to merge it with the registry, click "Yes".
  • Another window will pop up informing you the merge was successful.
3) Run GMER

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Next reply (please include in your post):

Avenger.txt
GMER.txt

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.
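The registry fix in the post above resets the LSA "Authentication Packages" value, stored as hex(7) (REG_MULTI_SZ), to the bytes 6d,73,76,31,5f,30,00,00. The following is an added example, not code from the thread or from the Avenger/GMER tools: it parses the hex(7) value out of .reg text the way regedit exports it (REGEDIT4 single-byte strings, or "Version 5.00" UTF-16LE strings with backslash line wraps), decodes the NUL-separated string list, and reports any package name beyond a baseline of msv1_0. The helper names, the baseline and the second "infected" sample (with the made-up package name rogue_pkg) are this example's own assumptions; the first sample is the fix text as posted.

```python
"""Decode .reg hex(7) (REG_MULTI_SZ) values and audit the LSA
Authentication Packages list against a known-good baseline.

Added example; not the forum's, Avenger's or GMER's code.
"""
import re
from typing import Dict, List, Tuple

# The fix exactly as posted in the thread (REGEDIT4 = single-byte strings).
REG_FIX = """REGEDIT4

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

# Constructed sample of a "Version 5.00" export (UTF-16LE strings, wrapped
# with a trailing backslash) where a second package, here the made-up name
# "rogue_pkg", has been appended after msv1_0.  Not taken from the thread.
REG_INFECTED_SAMPLE = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,72,00,\\
  6f,00,67,00,75,00,65,00,5f,00,70,00,6b,00,67,00,00,00,00,00
"""

# Assumed baseline: a stock Windows install registers only msv1_0 here.
BASELINE_AUTH_PACKAGES = ("msv1_0",)
LSA_KEY = "hkey_local_machine\\system\\currentcontrolset\\control\\lsa"

MULTI_SZ_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<data>.*)$')


def _join_continuations(reg_text: str) -> List[str]:
    """Join lines ending in a backslash (regedit's wrap convention)."""
    lines, buf = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def decode_multi_sz(hex_csv: str, wide: bool) -> List[str]:
    """Turn 'aa,bb,...' into the list of strings of a REG_MULTI_SZ.

    Each string is NUL-terminated and the list ends with an empty string;
    REGEDIT4 files use one byte per character, Version 5.00 uses UTF-16LE.
    """
    data = bytes(int(h, 16) for h in hex_csv.split(",") if h.strip())
    text = data.decode("utf-16-le" if wide else "latin-1")
    return [s for s in text.split("\x00") if s]


def parse_multi_sz_values(reg_text: str) -> Dict[Tuple[str, str], List[str]]:
    """Map (key, value name), lower-cased, to decoded hex(7) string lists."""
    wide = not reg_text.lstrip().startswith("REGEDIT4")
    values: Dict[Tuple[str, str], List[str]] = {}
    key = None
    for line in _join_continuations(reg_text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = MULTI_SZ_RE.match(line)
        if m and key is not None:
            values[(key.lower(), m.group("name").lower())] = decode_multi_sz(
                m.group("data"), wide)
    return values


def unexpected_auth_packages(reg_text: str,
                             baseline=BASELINE_AUTH_PACKAGES) -> List[str]:
    """Return every Authentication Packages entry not in the baseline."""
    pkgs = parse_multi_sz_values(reg_text).get(
        (LSA_KEY, "authentication packages"), [])
    allowed = {b.lower() for b in baseline}
    return [p for p in pkgs if p.lower() not in allowed]


if __name__ == "__main__":
    for label, text in (("posted fix", REG_FIX),
                        ("constructed sample", REG_INFECTED_SAMPLE)):
        print(label, "->", unexpected_auth_packages(text) or "baseline only")
```

To audit a live machine, export the Lsa key with regedit (File > Export, as in the backup step above) and pass the file's contents to unexpected_auth_packages; anything it lists is a package that LSASS will load at boot and that is worth investigating before it is removed.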


#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 17 March 2010 - 12:23 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.



