Infected Win32/Patched/CG


This topic is locked
69 replies to this topic

#1 oasi5 (Members, 54 posts)

Posted 18 March 2010 - 05:45 PM

Recently I was hit with fake virus scans and the Google redirect virus. My AVG picked this up in my resident shield detection list: "Virus identified Win32/Patched/CG". I was able to fix the fake virus scans and the Google redirect virus. I used my Windows recovery disk to replace atapi.sys, as I thought it was the cause of the Win32/Patched.CG, but it still shows the infection message in my resident shield detection list. I don't know if that infection should still be there if it got fixed, or if it got fixed in the first place. Here are my DDS logs and GMER log.



DDS (Ver_10-03-17.01) - NTFSx86
Run by John Le at 14:04:10.18 on Thu 03/18/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.99 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\John Le\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://www.espn.com/
uSearch Page = hxxp://www.google.com
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.cnn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [DadApp] c:\program files\dell\accessdirect\dadapp.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe" -H
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\documents and settings\john le\start menu\programs\startup\PowerReg Scheduler V3.exe
uPolicies-explorer: NoActiveDesktopChanges = 30
uPolicies-explorer: NoSetActiveDesktop = 30
mPolicies-system: EnableLUA = 0 (0x0)
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: nizedage.dll c:\windows\system32\yeyapoyu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli scecli duredidi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johnle~1\applic~1\mozilla\firefox\profiles\9tksewgj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.imdb.com/?c=1
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-24 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-24 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-24 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-10-24 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-24 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
S0 namjrx;namjrx;c:\windows\system32\drivers\namjrx.sys [2010-2-18 0]
S0 zmideree;zmideree; [x]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]

=============== Created Last 30 ================

2010-03-18 21:00:37 0 ----a-w- c:\documents and settings\john le\defogger_reenable
2010-03-16 13:00:45 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-03-16 13:00:44 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-03-16 13:00:43 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-03-16 13:00:42 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-03-16 13:00:41 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-03-16 13:00:22 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-03-16 13:00:21 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2010-03-16 13:00:16 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-03-16 13:00:14 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-03-16 13:00:08 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-03-16 13:00:05 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-03-16 12:59:14 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-03-16 12:59:08 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-03-16 12:59:08 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-03-16 12:57:58 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-03-16 12:56:59 30688 -c--a-w- c:\windows\system32\dllcache\sym_u3.sys
2010-03-16 12:55:53 91294 -c--a-w- c:\windows\system32\dllcache\skfpwin.sys
2010-03-16 12:54:59 82432 -c--a-w- c:\windows\system32\dllcache\rwia450.dll
2010-03-16 12:53:58 8832 -c--a-w- c:\windows\system32\dllcache\powerfil.sys
2010-03-16 12:52:59 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-03-16 12:51:55 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-03-16 12:50:59 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-03-16 12:49:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-03-16 12:48:57 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-03-16 12:47:59 73279 -c--a-w- c:\windows\system32\dllcache\hsf_spkp.sys
2010-03-16 12:46:59 34173 -c--a-w- c:\windows\system32\dllcache\forehe.sys
2010-03-16 12:45:53 20992 -c--a-w- c:\windows\system32\dllcache\dshowext.ax
2010-03-16 12:44:59 110592 -c--a-w- c:\windows\system32\dllcache\dc260usd.dll
2010-03-16 12:43:59 980034 -c--a-w- c:\windows\system32\dllcache\cicap.sys
2010-03-16 12:42:59 66082 -c--a-w- c:\windows\system32\dllcache\c_1147.nls
2010-03-16 12:41:59 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2010-03-16 12:41:59 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2010-03-16 12:41:58 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2010-03-16 12:41:58 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2010-03-16 12:41:48 24576 -c--a-w- c:\windows\system32\dllcache\agcgauge.ax
2010-03-16 12:37:38 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-02-18 21:16:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 21:16:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 21:16:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 21:15:33 5115824 ----a-w- c:\program files\mbam-setup.exe
2010-02-18 17:21:31 0 ----a-w- c:\windows\system32\drivers\namjrx.sys

==================== Find3M ====================

2010-03-16 11:36:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-27 22:19:37 7036 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-14 15:31:38 3843464 ----a-w- c:\program files\rrsetup.exe
2010-02-14 06:53:16 54016 ----a-w- c:\windows\system32\drivers\lwleg.sys
2010-01-13 04:57:15 16369 ----a-w- c:\windows\system32\nvModes.dat
2010-01-13 04:54:22 720896 ----a-w- c:\windows\iun6002ev.exe
2010-01-09 06:53:25 10327518 ----a-w- c:\program files\avidemux_2.5.2_win32.exe
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-12-28 01:20:43 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
2009-12-23 19:52:13 220454 ----a-w- c:\program files\unlocker1.8.8.exe
2009-12-01 18:40:47 14890721 ----a-w- c:\program files\K-Lite_Codec_Pack_544_Full.exe
2009-11-25 11:40:13 486424 ----a-w- c:\program files\RealPlayerSPGold.exe
2008-09-26 22:19:06 1507 ----a-w- c:\program files\AVG Free 8.0.lnk
2008-09-26 22:16:56 49996376 ----a-w- c:\program files\avg_free_stf_en_8_169a1359.exe
2007-07-26 23:04:48 49943864 ----a-w- c:\program files\iTunesSetup.exe
2007-02-09 05:20:37 12684992 -c--a-w- c:\program files\winamp532_full_bundle_emusic-7plus.exe
2007-02-04 20:40:17 1767552 -c--a-w- c:\program files\LinksysWebConnectPC.exe
2006-03-09 14:05:37 1014477 -c--a-w- c:\program files\wrar351.exe
2006-03-09 14:03:43 13112400 -c--a-w- c:\program files\DivXCreate.exe
2006-03-09 13:57:17 12652784 -c--a-w- c:\program files\mp10setup.exe
2006-03-09 13:51:32 5846632 -c--a-w- c:\program files\winzip100.exe
2006-03-09 13:41:15 5640784 -c--a-w- c:\program files\winamp52_full_emusic-7plus.exe
2004-11-05 04:02:22 18946721 ----a-w- c:\program files\BeJeweled 2 Deluxe.exe
2008-09-18 10:44:22 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091820080919\index.dat

============= FINISH: 14:05:24.51 ===============
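The DDS log above carries the entries a responder would zero in on: two unfamiliar DLLs under AppInit_DLLs, an extra LSA notification package (duredidi.dll) beside the stock scecli, a boot-start driver (namjrx.sys) that is 0 bytes on disk, and a second boot-start entry (zmideree) whose file DDS marks as missing with [x]. The following Python script is an added example, not part of the original post and not part of DDS; it pulls exactly those indicators out of DDS text so they are not lost in a 200-line log. The sample input is constructed from lines of the log above plus two benign lines for contrast; the function names (parse_driver, triage) and the assumption that a stock Windows XP install lists only scecli as an LSA notification package are mine.

```python
import re

# Constructed sample: lines lifted from the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections of the post above, plus a benign AVG driver
# line and a benign mRun line for contrast.
SAMPLE_DDS = r"""
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
AppInit_DLLs: nizedage.dll c:\windows\system32\yeyapoyu.dll
LSA: Notification Packages = scecli scecli scecli duredidi.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-24 335240]
S0 namjrx;namjrx;c:\windows\system32\drivers\namjrx.sys [2010-2-18 0]
S0 zmideree;zmideree; [x]
"""

# Assumption (mine, not from the post): a stock Windows XP install lists only
# scecli under LSA "Notification Packages"; anything else deserves a look.
EXPECTED_LSA_PACKAGES = {"scecli"}

# DDS driver line: "<start type> <name>;<description>;<path> [<date> <size>]"
# or "... ;<description>; [x]" when the driver's file is absent from disk.
DRIVER_HEAD_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.*)$")
DRIVER_TAIL_RE = re.compile(r"^(.*?)\s*\[[\d-]+\s+(\d+)\]$")


def parse_driver(line):
    """Return (start_type, service_name, path, size_bytes) for a DDS driver
    line; path and size are None when DDS printed [x]. Other lines -> None."""
    m = DRIVER_HEAD_RE.match(line)
    if not m:
        return None
    start, name, rest = m.group(1), m.group(2), m.group(3).strip()
    if rest == "[x]":
        return (start, name, None, None)
    t = DRIVER_TAIL_RE.match(rest)
    if not t:
        return (start, name, rest, None)
    return (start, name, t.group(1), int(t.group(2)))


def triage(dds_text):
    """Scan DDS output and return (reason, detail) tuples for the load points
    and driver entries that should not be present on a clean machine."""
    findings = []
    seen_lsa = set()
    for raw in dds_text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into each process that loads
            # user32.dll; a stock XP install leaves this value empty.
            for dll in line.split(":", 1)[1].split():
                findings.append(("appinit_dll", dll))
        elif line.startswith("LSA: Notification Packages"):
            # Packages here are called by LSA on every password change, so an
            # unknown DLL in this list is a credential-theft indicator.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in EXPECTED_LSA_PACKAGES and pkg not in seen_lsa:
                    seen_lsa.add(pkg)
                    findings.append(("lsa_package", pkg))
        else:
            drv = parse_driver(line)
            if drv is None:
                continue
            start, name, path, size = drv
            if path is None:
                # Service entry survives but its binary is gone: a leftover
                # registration or a file the scanner could not see.
                findings.append(("driver_missing_file", name))
            elif size == 0:
                # A zero-byte file at a driver path is not a working driver;
                # a boot-start (S0/R0) entry pointing at one is a loader leftover.
                findings.append(("driver_zero_bytes", path))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_DDS):
        print(f"{reason:20s} {detail}")
```

Run on the constructed sample, triage reports five findings: the two AppInit DLLs, duredidi.dll (reported once although scecli is repeated three times), the zero-byte namjrx.sys, and the missing zmideree file; the AVG driver and the mRun line produce nothing. Feeding it the full DDS output from the post gives the same five hits.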





 


#2 Ltangelic (Angel Annihilator of Malware, Members, 348 posts)

Posted 19 March 2010 - 04:54 AM

Hey oasi5,

Welcome to BleepingComputer Forums! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays between my responses; I ask for your patience. Please stick with me until we get your computer cleaned up, or it will be a wasted effort on both sides. ;)

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

PS. If I've not been responding, and you wonder why, feel free to PM me and I'll give an explanation.

LT


Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 oasi5 (Topic Starter)

Posted 19 March 2010 - 06:56 PM

Hello, thanks for helping me out, but I've got a problem... when I turned my computer on today it opened with one of those fake antivirus scans called "Antivirus Soft." I was told on my last post not to make any changes to my computer unless advised by an MRT Team member, so I won't until told what to do by you.

#4 Ltangelic

Posted 19 March 2010 - 09:25 PM

Hi,

You did the right thing in not doing any fixing or changes with your computer. I have posted a fix and am still waiting for an expert to approve it. Thank you for your patience. ;)



#5 oasi5 (Topic Starter)

Posted 20 March 2010 - 04:30 AM

Hey Ltangelic,

I have a couple of questions while I'm waiting for your instructions to help me fix my computer difficulties. There is important work that requires me to use my computer, since I need to use certain files on my computer to go online and do the work, and I was wondering: am I still able to go online while I'm waiting for your instructions, or should I not use my computer altogether until I resolve the issues with my computer? Secondly, since I guess I picked up another fake antivirus scan since posting my logs, do I need to post a new set of logs with this fake antivirus included? Once again, thank you for taking the time to try to help me with my very annoying computer problems. I greatly appreciate what you and other helpers are doing to help those like myself. Hope to hear from you soon. Take care.

#6 Ltangelic

Posted 20 March 2010 - 08:23 AM

Hey oasi5,

QUOTE(oasi5 @ Mar 20 2010, 05:30 PM)

If you have access to any other clean computer, it would be best that you use that computer to do your work. If it is not possible, you can use your current computer, but please don't download anything or fix anything and backup your work constantly.

You don't need to post new logs at this point of time. ;)

I don't see many problems in your logs; let's run some preliminary scans.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software (AVG anti-virus), as it may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1)Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2)Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
Next reply (please include in your post):

OTS log (attached)
ComboFix.txt

Edited by Ltangelic, 20 March 2010 - 08:23 AM.



#7 oasi5 (Topic Starter)

Posted 20 March 2010 - 04:25 PM

Hey,

Thanks for the feedback, and here are the logs you wanted.




Attached File: OTS.Txt (310.82KB)



ComboFix 10-03-19.08 - John Le 03/20/2010 13:41:22.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.179 [GMT -7:00]
Running from: c:\documents and settings\John Le\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Microsoft PData
c:\documents and settings\John Le\Local Settings\Application Data\ave.exe
c:\windows\run.log
c:\windows\system32\driVERs\namjrx.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Legacy_namjrx
-------\Service_namjrx


((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))
.

2010-03-19 07:56 . 2010-03-20 20:30 -------- d-----w- c:\documents and settings\John Le\Local Settings\Application Data\alkvsk
2010-03-16 13:00 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-03-16 13:00 . 2001-08-18 05:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-03-16 13:00 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-03-16 13:00 . 2001-08-18 05:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-03-16 13:00 . 2001-08-18 05:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-03-16 13:00 . 2001-08-18 05:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-03-16 13:00 . 2001-08-17 19:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-03-16 13:00 . 2004-08-04 05:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-03-16 13:00 . 2004-08-04 05:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-03-16 13:00 . 2008-04-14 00:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-03-16 12:59 . 2008-04-13 18:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-03-16 12:59 . 2002-08-29 06:59 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-03-16 12:59 . 2001-08-17 19:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-03-16 12:57 . 2008-04-13 18:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-03-16 12:56 . 2001-08-17 21:07 30688 -c--a-w- c:\windows\system32\dllcache\sym_u3.sys
2010-03-16 12:55 . 2002-08-29 06:59 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
2010-03-16 12:54 . 2001-08-18 05:36 82432 -c--a-w- c:\windows\system32\dllcache\rwia450.dll
2010-03-16 12:53 . 2008-04-13 18:40 8832 -c--a-w- c:\windows\system32\dllcache\powerfil.sys
2010-03-16 12:52 . 2001-08-17 19:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-03-16 12:51 . 2001-08-17 21:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-03-16 12:50 . 2001-08-18 05:36 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-03-16 12:49 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-03-16 12:48 . 2001-08-18 05:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-03-16 12:47 . 2001-08-17 20:28 73279 -c--a-w- c:\windows\system32\dllcache\hsf_spkp.sys
2010-03-16 12:46 . 2004-08-04 05:31 34173 -c--a-w- c:\windows\system32\dllcache\forehe.sys
2010-03-16 12:45 . 2001-08-17 19:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-03-16 12:44 . 2001-08-18 05:36 110592 -c--a-w- c:\windows\system32\dllcache\dc260usd.dll
2010-03-16 12:43 . 2001-08-17 19:13 980034 -c--a-w- c:\windows\system32\dllcache\cicap.sys
2010-03-16 12:42 . 2001-08-17 20:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-03-16 12:41 . 2001-08-17 21:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2010-03-16 12:41 . 2001-08-17 19:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2010-03-16 12:41 . 2001-08-17 21:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2010-03-16 12:41 . 2001-08-17 20:52 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2010-03-16 12:37 . 2001-08-17 21:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-03-16 03:02 . 2010-03-16 03:02 200704 --sha-w- c:\documents and settings\John Le\Local Settings\Application Data\23755159.dll
2010-03-15 19:56 . 2010-03-15 20:27 200704 --sha-w- c:\documents and settings\John Le\Local Settings\Application Data\1974712374.dll
2010-02-18 21:16 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 21:16 . 2010-02-18 21:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 21:16 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 21:15 . 2010-02-18 21:15 5115824 ----a-w- c:\program files\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 20:29 . 2009-10-24 11:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-19 05:59 . 2010-01-13 06:54 16 ----a-w- c:\windows\popcinfo.dat
2010-03-17 08:57 . 2010-01-09 06:56 -------- d-----w- c:\program files\Avidemux 2.5
2010-03-16 11:36 . 2006-03-12 08:24 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-11 14:54 . 2006-04-26 22:56 -------- d-----w- c:\program files\Power Tab Software
2010-03-10 06:58 . 2010-03-10 06:58 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-10 06:58 . 2010-03-10 06:58 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-10 06:58 . 2010-03-10 06:58 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-10 06:58 . 2010-03-10 06:58 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-10 06:58 . 2010-03-10 06:58 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-10 06:58 . 2010-03-10 06:58 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-10 06:58 . 2010-03-10 06:58 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-10 06:58 . 2010-03-10 06:58 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-10 06:57 . 2006-03-09 12:24 -------- d-----w- c:\program files\Real
2010-03-02 10:01 . 2006-12-30 05:02 -------- d-----w- c:\documents and settings\John Le\Application Data\U3
2010-03-01 09:29 . 2009-12-28 02:01 -------- d-----w- c:\documents and settings\John Le\Application Data\vlc
2010-02-27 22:19 . 2008-06-27 07:50 7036 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-22 01:38 . 2006-03-09 11:54 -------- d-----w- c:\program files\Modem Helper
2010-02-19 07:53 . 2006-05-24 06:39 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-14 15:33 . 2010-02-14 15:32 -------- d-----w- c:\program files\Glary Registry Repair
2010-02-14 15:32 . 2010-02-14 15:32 -------- d-----w- c:\documents and settings\John Le\Application Data\GlarySoft
2010-02-14 15:31 . 2010-02-14 15:31 3843464 ----a-w- c:\program files\rrsetup.exe
2010-02-14 10:38 . 2008-12-07 09:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-14 09:22 . 2010-02-14 09:22 -------- d-----w- c:\documents and settings\Administrator.GNR\Application Data\Malwarebytes
2010-02-14 06:53 . 2010-02-14 06:53 54016 ----a-w- c:\windows\system32\drivers\lwleg.sys
2010-02-14 05:25 . 2010-02-14 05:25 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2010-02-14 05:14 . 2010-02-14 05:14 144 ----a-w- c:\windows\tempfile2.bat
2010-01-13 04:57 . 2006-03-09 11:05 16369 ----a-w- c:\windows\system32\nvModes.dat
2010-01-13 04:54 . 2010-01-13 04:55 720896 ----a-w- c:\windows\iun6002ev.exe
2010-01-09 06:53 . 2010-01-09 06:52 10327518 ----a-w- c:\program files\avidemux_2.5.2_win32.exe
2010-01-05 10:00 . 2006-03-12 08:25 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-03-12 08:25 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2006-03-12 08:24 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 01:20 . 2009-12-28 01:17 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
2009-12-23 19:52 . 2009-12-23 19:52 220454 ----a-w- c:\program files\unlocker1.8.8.exe
2009-12-01 18:40 . 2009-12-01 18:39 14890721 ----a-w- c:\program files\K-Lite_Codec_Pack_544_Full.exe
2009-11-25 11:40 . 2009-11-25 11:40 486424 ----a-w- c:\program files\RealPlayerSPGold.exe
2008-09-26 22:19 . 2008-09-26 22:19 1507 ----a-w- c:\program files\AVG Free 8.0.lnk
2008-09-26 22:16 . 2008-09-26 22:11 49996376 ----a-w- c:\program files\avg_free_stf_en_8_169a1359.exe
2007-07-26 23:04 . 2007-07-26 23:03 49943864 ----a-w- c:\program files\iTunesSetup.exe
2007-02-09 05:20 . 2007-02-09 05:13 12684992 -c--a-w- c:\program files\winamp532_full_bundle_emusic-7plus.exe
2007-02-04 20:40 . 2007-02-04 20:40 1767552 -c--a-w- c:\program files\LinksysWebConnectPC.exe
2006-03-09 14:05 . 2006-03-09 14:05 1014477 -c--a-w- c:\program files\wrar351.exe
2006-03-09 14:03 . 2006-03-09 14:03 13112400 -c--a-w- c:\program files\DivXCreate.exe
2006-03-09 13:57 . 2006-03-09 13:56 12652784 -c--a-w- c:\program files\mp10setup.exe
2006-03-09 13:51 . 2006-03-09 13:51 5846632 -c--a-w- c:\program files\winzip100.exe
2006-03-09 13:41 . 2006-03-09 13:40 5640784 -c--a-w- c:\program files\winamp52_full_emusic-7plus.exe
2004-11-05 04:02 . 2010-01-13 04:52 18946721 ----a-w- c:\program files\BeJeweled 2 Deluxe.exe
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2005-12-19 1347584]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-01-08 4866048]
"nwiz"="nwiz.exe" [2004-01-08 323584]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2003-03-07 209800]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-12-12 217088]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-18 2046816]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-15 618496]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-10 202256]

c:\documents and settings\John Le\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-3-30 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-24 11:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\system32\\WLTRYSVC.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/24/2009 4:20 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/24/2009 4:20 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/24/2009 4:31 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/24/2009 4:31 AM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 3:53 AM 24652]
S0 zmideree;zmideree; [x]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2/13/2009 12:02 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-776561741-2025429265-1801674531-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-03-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-776561741-2025429265-1801674531-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.espn.com/
mStart Page = hxxp://www.cnn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\John Le\Application Data\Mozilla\Firefox\Profiles\9tksewgj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.imdb.com/?c=1
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-jdqrvyqc - c:\documents and settings\John Le\Local Settings\Application Data\alkvsk\yecbsftav.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
HKLM-Run-jdqrvyqc - c:\documents and settings\John Le\Local Settings\Application Data\alkvsk\yecbsftav.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 13:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3048)
c:\windows\system32\WININET.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-20 14:02:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-20 21:02

Pre-Run: 14,342,520,832 bytes free
Post-Run: 14,365,032,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 0E5F97021A8FC5820BCA813DF7E9CBEF


#8 oasi5
  • Topic Starter
  • Members
  • 54 posts

Posted 23 March 2010 - 08:42 PM

Hey ltangelic,


Thank you very much for your reply. It has given me some relief knowing you are still there helping me. The one thing that I did notice since running the programs you told me to use is that my internet is working faster than usual, which I see is a really good thing. Also, I noticed that my roommate, in trying to help me with my problem 2 weeks ago, downloaded a program called Glary Registry Repair on my computer. I was wondering, since reading some posts that registry cleaners aren't always good to use, whether I should delete the program when given the chance to. Thanks again

#9 Ltangelic
    Angel Annihilator of Malware
  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 23 March 2010 - 08:45 PM

Hi oasi5,

Indeed, it is dangerous to use a registry cleaner if you are not sure how the registry works. As I have told you before, it is advisable that you do not do any fixing or downloading without telling me beforehand and waiting for my instructions. Therefore, I would advise you not to run the registry cleaner at all.

Please be patient, I'll be back with a fix latest by tomorrow. Thank you very much.

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#10 oasi5
  • Topic Starter
  • Members
  • 54 posts

Posted 23 March 2010 - 08:48 PM

Hey ltangelic,

I haven't used the registry cleaner or downloaded it while you have advised me on my computer problems. I was just wondering if the program could be the cause of my problems since my roommate used it in an attempt to fix my computer 2 weeks ago.

#11 Ltangelic
    Angel Annihilator of Malware
  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 24 March 2010 - 01:36 AM

Hey oasi5,

QUOTE(oasi5 @ Mar 24 2010, 09:48 AM)
Hey ltangelic,

I haven't used the registry cleaner or downloaded it while you have advised me on my computer problems. I was just wondering if the program could be the cause of my problems since my roommate used it in an attempt to fix my computer 2 weeks ago.


What problems are you referring to here? From your logs, you do have infections on your computer though.

Thank you for posting the logs. Looks like ComboFix took some baddies from there. There's still work to do though, hang in there. ;)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

File::
c:\windows\system32\yeyapoyu.dll
c:\documents and settings\John Le\Local Settings\Application Data\23755159.dll
c:\documents and settings\John Le\Local Settings\Application Data\1974712374.dll

Folder::
c:\documents and settings\John Le\Local Settings\Application Data\alkvsk
C:\Documents and Settings\John Le\Local Settings\Application Data\QJyrk5wvCU1
C:\Documents and Settings\All Users\Application Data\QJyrk5wvCU1
C:\Documents and Settings\John Le\Local Settings\Application Data\21mn5E
C:\Documents and Settings\All Users\Application Data\21mn5E
C:\WINDOWS\System32\gefisigu
C:\Documents and Settings\John Le\Application Data\Leawo
C:\Documents and Settings\John Le\Application Data\Moyea

Driver::
zmideree

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Package"=hex(7):73,63,65,63,6c,69,00,73,63,65,63,6c,69,00,73,63,65,63,6c,69,00,00


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt .
2) Upload files for analysis

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and close My Computer.
  • Now your computer is configured to show all hidden files.
NEXT
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\drivers\lwleg.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • Do the same for the files below:

    c:\windows\tempfile2.bat
    c:\program files\rrsetup.exe
    c:\windows\iun6002ev.exe
3) Scan with MBAM
  • Open Malwarebytes by clicking on its shortcut on desktop. Please click on the "Update" tab and click "Check for Updates".
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next reply (please include in your post):

OTS log (Re-run OTS)
ComboFix.txt (after running CFScript)
4 Virscan reports
MBAM scan log

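An added example for readers of this thread (not ComboFix's own code, and not part of the fix above): a small Python parser for the CFScript sections used in step 1, which also decodes the hex(7) literal in the Registry:: block into the strings the REG_MULTI_SZ holds, so you can read what the script will write before running it. SAMPLE_SCRIPT is constructed from the script posted above; the function names and the scecli allowlist are my own.

```python
"""Parse a ComboFix CFScript (the layout used in the fix above) and decode the
hex(7) REG_MULTI_SZ value in its Registry:: block.  Added example for this
thread, not ComboFix's own code; function names are mine."""
import re

# Constructed sample, copied from the layout of the CFScript posted above.
SAMPLE_SCRIPT = r"""DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

File::
c:\windows\system32\yeyapoyu.dll

Folder::
c:\documents and settings\John Le\Local Settings\Application Data\alkvsk

Driver::
zmideree

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Package"=hex(7):73,63,65,63,6c,69,00,73,63,65,63,6c,69,00,73,63,65,63,6c,69,00,00
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_cfscript(text):
    """Split the script into {section: [lines]}; blank lines are dropped and
    lines before the first 'Name::' header are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def decode_hex7(value):
    """Turn a .reg 'hex(7):aa,bb,...' literal into the list of strings the
    REG_MULTI_SZ holds.  The posted value is single-byte text, so it is read
    as Latin-1; a NUL ends each string and a double NUL ends the list."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a hex(7) REG_MULTI_SZ literal")
    data = bytes(int(b, 16) for b in value[len("hex(7):"):].split(",") if b.strip())
    return [s for s in data.decode("latin-1").split("\x00") if s]


def registry_values(sections):
    """Yield (key, value_name, value_text) for each value in Registry::."""
    key = None
    for line in sections.get("Registry", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def review(text):
    """Summarise everything the script would remove or rewrite, with hex(7)
    registry data decoded so it can be read before the script is run."""
    s = parse_cfscript(text)
    summary = {
        "dds": s.get("DDS", []),
        "files": s.get("File", []),
        "folders": s.get("Folder", []),
        "drivers": s.get("Driver", []),
        "registry": [],
    }
    for key, name, val in registry_values(s):
        decoded = decode_hex7(val) if val.startswith("hex(7):") else val
        summary["registry"].append((key, name, decoded))
    return summary


def unexpected_entries(multi_sz, allowed=("scecli",)):
    """Entries in a decoded list that are not on the allowlist.  The default
    allowlist (an assumption for this example) holds only scecli, the stock
    Windows LSA notification package; extend it for your own environment."""
    return [s for s in multi_sz if s.lower() not in allowed]


if __name__ == "__main__":
    for section, items in review(SAMPLE_SCRIPT).items():
        print(section, items)
```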


#12 oasi5
  • Topic Starter
  • Members
  • 54 posts

Posted 24 March 2010 - 04:03 AM

Hey ltangelic,

I'm a little bit confused using the virscan.org scan. It didn't let me paste the file path in the "Suspicious files to scan" box, so when the file upload box opened I just put the file path in the file name spot and ran the scan. Also I was confused about the clipboard thing as well, because when I clicked on it, it really didn't do anything, so I just copied what I saw and posted it. Here are the 4 virscan reports. I really hope they are the ones you need.


File Name : tdjgbjyc.sys
File Size : 54016 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : e6d35f3aa51a65eb35c1f2340154a25e
SHA1 : aabbd57e20d2e7041f9e7abce6cfd8a53c366537

Scanner results
Scanner results : Scanners did not find malware!
Time : 2010/03/19 16:38:33 (CST)
Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.5.0.8 | 20100319063127 | 2010-03-19 | - | 10.268
AhnLab V3 | 2010.03.19.03 | 2010.03.19 | 2010-03-19 | - | 3.209
AntiVir | 8.2.1.194 | 7.10.5.136 | 2010-03-18 | - | 0.155
Antiy | 2.0.18 | 20100318.4019584 | 2010-03-18 | - | 0.018
Arcavir | 2009 | 201003181827 | 2010-03-18 | - | 0.039
Authentium | 5.1.1 | 201003182251 | 2010-03-18 | - | 1.843
AVAST! | 4.7.4 | 100318-1 | 2010-03-18 | - | 0.007
AVG | 8.5.720 | 271.1.1/2755 | 2010-03-19 | - | 0.256
BitDefender | 7.81008.5473997 | 7.30840 | 2010-03-19 | - | 6.065
ClamAV | 0.95.3 | 10596 | 2010-03-19 | - | 0.015
Comodo | 3.13.579 | 4315 | 2010-03-19 | - | 2.050
CP Secure | 1.3.0.5 | 2010.03.18 | 2010-03-18 | - | 0.051
Dr.Web | 5.0.1.12222 | 2010.03.19 | 2010-03-19 | - | 6.006
F-Prot | 4.4.4.56 | 20100318 | 2010-03-18 | - | 1.807
F-Secure | 7.02.73807 | 2010.03.19.04 | 2010-03-19 | - | 6.679
Fortinet | 4.0.14 | 11.596 | 2010-03-18 | - | 0.458
GData | 19.10827/19.829 | 20100319 | 2010-03-19 | - | 7.253
Ikarus | T3.1.01.80 | 2010.03.19.75433 | 2010-03-19 | - | 5.339
JiangMin | 13.0.900 | 2010.03.19 | 2010-03-19 | - | 18.061
Kaspersky | 5.5.10 | 2010.03.19 | 2010-03-19 | - | 0.081
KingSoft | 2009.2.5.15 | 2010.3.19.14 | 2010-03-19 | - | 0.734
McAfee | 5.3.00 | 5924 | 2010-03-18 | - | 3.698
Microsoft | 1.5605 | 2010.03.19 | 2010-03-19 | - | 6.842
Norman | 6.01.09 | 6.01.00 | 2010-02-10 | - | 4.010
nProtect | 20100318.01 | 7775972 | 2010-03-18 | - | 6.826
Panda | 9.05.01 | 2010.03.18 | 2010-03-18 | - | 7.376
Quick Heal | 10.00 | 2010.03.19 | 2010-03-19 | - | 2.327
Rising | 20.0 | 22.39.04.04 | 2010-03-19 | - | 1.148
Sophos | 3.05.4 | 4.51 | 2010-03-19 | - | 3.872
Sunbelt | 3.9.2410.2 | 5963 | 2010-03-18 | - | 4.778
Symantec | 1.3.0.24 | 20100311.002 | 2010-03-11 | - | 0.364
The Hacker | 6.5.2.0 | v00238 | 2010-03-19 | - | 0.398
Trend Micro | 9.120-1004 | 6.934.02 | 2010-03-18 | - | 0.033
VBA32 | 3.12.12.2 | 20100316.2232 | 2010-03-16 | - | 2.677
ViRobot | 20100318 | 2010.03.18 | 2010-03-18 | - | 0.505
VirusBuster | 4.5.11.10 | 10.122.3/2002821 | 2010-03-18 | - | 2.413


File Name : tempfile2.bat
File Size : 144 byte
File Type : shell archive or script for antique kernel text
MD5 : ad4bd33ffc16139990bb586f55e75071
SHA1 : ab82fbc7c409627d7d6564e0e69b82408290cfe5

Scanner results
Scanner results : Scanners did not find malware!
Time : 2010/03/24 16:48:55 (CST)
Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.5.0.8 | 20100324063135 | 2010-03-24 | - | 4.925
AhnLab V3 | 2010.03.24.01 | 2010.03.24 | 2010-03-24 | - | 1.194
AntiVir | 8.2.1.196 | 7.10.5.162 | 2010-03-22 | - | 12.024
Antiy | 2.0.18 | 20100323.4049481 | 2010-03-23 | - | 0.122
Arcavir | 2009 | 201003231503 | 2010-03-23 | - | 0.015
Authentium | 5.1.1 | 201003232227 | 2010-03-23 | - | 1.262
AVAST! | 4.7.4 | 100323-1 | 2010-03-23 | - | 0.002
AVG | 8.5.720 | 271.1.1/2766 | 2010-03-24 | - | 0.223
BitDefender | 7.81008.5554163 | 7.30913 | 2010-03-24 | - | 4.707
ClamAV | 0.95.3 | 10613 | 2010-03-24 | - | 0.005
Comodo | 3.13.579 | 4366 | 2010-03-24 | - | 1.509
CP Secure | 1.3.0.5 | 2010.03.24 | 2010-03-24 | - | 0.004
Dr.Web | 5.0.1.12222 | 2010.03.24 | 2010-03-24 | - | 6.249
F-Prot | 4.4.4.56 | 20100323 | 2010-03-23 | - | 1.310
F-Secure | 7.02.73807 | 2010.03.24.05 | 2010-03-24 | - | 0.089
Fortinet | 4.0.14 | 11.611 | 2010-03-23 | - | 0.146
GData | 19.10867/19.838 | 20100324 | 2010-03-24 | - | 9.059
Ikarus | T3.1.01.80 | 2010.03.24.75468 | 2010-03-24 | - | 5.433
JiangMin | 13.0.900 | 2010.03.24 | 2010-03-24 | - | 5.383
Kaspersky | 5.5.10 | 2010.03.24 | 2010-03-24 | - | 0.033
KingSoft | 2009.2.5.15 | 2010.3.24.14 | 2010-03-24 | - | 1.648
McAfee | 5.3.00 | 5927 | 2010-03-21 | - | 3.642
Microsoft | 1.5605 | 2010.03.24 | 2010-03-24 | - | 6.409
Norman | 6.04.09 | 6.04.00 | 2010-03-20 | - | 6.007
nProtect | 20100321.01 | 7824511 | 2010-03-21 | - | 6.754
Panda | 9.05.01 | 2010.03.23 | 2010-03-23 | - | 1.846
Quick Heal | 10.00 | 2010.03.24 | 2010-03-24 | - | 1.474
Rising | 20.0 | 22.40.02.03 | 2010-03-24 | - | 0.257
Sophos | 3.05.4 | 4.51 | 2010-03-24 | - | 3.778
Sunbelt | 3.9.2412.2 | 6054 | 2010-03-23 | - | 6.766
Symantec | 1.3.0.24 | 20100323.033 | 2010-03-23 | - | 0.112
The Hacker | 6.5.2.0 | v00241 | 2010-03-20 | - | 0.372
Trend Micro | 9.120-1004 | 6.947.00 | 2010-03-23 | - | 0.021
VBA32 | 3.12.12.2 | 20100322.2246 | 2010-03-22 | - | 2.900
ViRobot | 20100323 | 2010.03.23 | 2010-03-23 | - | 0.425
VirusBuster | 4.5.11.10 | 10.122.10/2018287 | 2010-03-24 | - | 2.318


File Name : rrsetup.exe
File Size : 3843464 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 6c96c7149fc1b6b2755b257977c08681
SHA1 : 893da32656f3fc911321e648c610b7bc6930d913

Scanner results
Scanner results : Scanners did not find malware!
Time : 2010/03/24 16:55:24 (CST)
Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.5.0.8 | 20100324063135 | 2010-03-24 | - | 6.507
AhnLab V3 | 2010.03.24.01 | 2010.03.24 | 2010-03-24 | - | 1.206
AntiVir | 8.2.1.196 | 7.10.5.162 | 2010-03-22 | - | 12.024
Antiy | 2.0.18 | 20100323.4049481 | 2010-03-23 | - | 0.429
Arcavir | 2009 | 201003231503 | 2010-03-23 | - | 1.002
Authentium | 5.1.1 | 201003232227 | 2010-03-23 | - | 1.587
AVAST! | 4.7.4 | 100323-1 | 2010-03-23 | - | 0.329
AVG | 8.5.720 | 271.1.1/2766 | 2010-03-24 | - | 1.660
BitDefender | 7.81008.5554163 | 7.30913 | 2010-03-24 | - | 5.432
ClamAV | 0.95.3 | 10613 | 2010-03-24 | - | 0.540
Comodo | 3.13.579 | 4366 | 2010-03-24 | - | 0.949
CP Secure | 1.3.0.5 | 2010.03.24 | 2010-03-24 | - | 0.591
Dr.Web | 5.0.1.12222 | 2010.03.24 | 2010-03-24 | - | 10.208
F-Prot | 4.4.4.56 | 20100323 | 2010-03-23 | - | 1.662
F-Secure | 7.02.73807 | 2010.03.24.05 | 2010-03-24 | - | 13.502
Fortinet | 4.0.14 | 11.611 | 2010-03-23 | - | 0.352
GData | 19.10867/19.838 | 20100324 | 2010-03-24 | - | 8.712
Ikarus | T3.1.01.80 | 2010.03.24.75468 | 2010-03-24 | - | 5.729
JiangMin | 13.0.900 | 2010.03.24 | 2010-03-24 | - | 5.291
Kaspersky | 5.5.10 | 2010.03.24 | 2010-03-24 | - | 1.624
KingSoft | 2009.2.5.15 | 2010.3.24.14 | 2010-03-24 | - | 0.664
McAfee | 5.3.00 | 5927 | 2010-03-21 | - | 3.685
Microsoft | 1.5605 | 2010.03.24 | 2010-03-24 | - | 10.811
Norman | 6.04.09 | 6.04.00 | 2010-03-20 | - | 4.006
nProtect | 20100321.01 | 7824511 | 2010-03-21 | - | 7.645
Panda | 9.05.01 | 2010.03.23 | 2010-03-23 | - | 3.431
Quick Heal | 10.00 | 2010.03.24 | 2010-03-24 | - | 5.065
Rising | 20.0 | 22.40.02.03 | 2010-03-24 | - | 1.497
Sophos | 3.05.4 | 4.51 | 2010-03-24 | - | 12.743
Sunbelt | 3.9.2412.2 | 6054 | 2010-03-23 | - | 5.959
Symantec | 1.3.0.24 | 20100323.033 | 2010-03-23 | - | 0.333
The Hacker | 6.5.2.0 | v00241 | 2010-03-20 | - | 0.737
Trend Micro | 9.120-1004 | 6.947.00 | 2010-03-23 | - | 0.033
VBA32 | 3.12.12.2 | 20100322.2246 | 2010-03-22 | - | 3.158
ViRobot | 20100323 | 2010.03.23 | 2010-03-23 | - | 0.668
VirusBuster | 4.5.11.10 | 10.122.10/2018287 | 2010-03-24 | - | 3.778


File Name : iun6002ev.exe
File Size : 720896 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 0624aca3d98f8a24897983e6d34e670c
SHA1 : 161b95598341912b3e37475d25ba71c9d9334b94

Scanner results
Scanner results : 3% Scanner(s) (1/37) found malware!
Time : 2009/09/15 21:08:37 (CST)
Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.5.0.8 | 20090915200235 | 2009-09-15 | - | 4.294
AhnLab V3 | 2009.09.15.04 | 2009.09.15 | 2009-09-15 | - | 1.048
AntiVir | 8.2.1.14 | 7.1.5.245 | 2009-09-15 | - | 0.081
Antiy | 2.0.18 | 20090915.2811554 | 2009-09-15 | - | 0.119
Arcavir | 2009 | 200909141314 | 2009-09-14 | - | 0.088
Authentium | 5.1.1 | 200909150854 | 2009-09-15 | - | 3.773
AVAST! | 4.7.4 | 090914-0 | 2009-09-14 | - | 0.048
AVG | 8.5.288 | 270.13.99/2372 | 2009-09-15 | - | 0.344
BitDefender | 7.81008.4181394 | 7.27707 | 2009-09-15 | - | 3.596
CA (VET) | 9.0.0.143 | 31.6.6737 | 2009-09-15 | - | 9.567
ClamAV | 0.95.2 | 9805 | 2009-09-15 | - | 0.127
Comodo | 3.11 | 2325 | 2009-09-15 | - | 0.728
CP Secure | 1.3.0.5 | 2009.09.15 | 2009-09-15 | - | 0.103
Dr.Web | 4.44.0.9170 | 2009.09.15 | 2009-09-15 | - | 5.637
F-Prot | 4.4.4.56 | 20090915 | 2009-09-15 | - | 3.578
F-Secure | 7.02.73807 | 2009.09.15.01 | 2009-09-15 | - | 0.161
Fortinet | 2.81-3.120 | 10.834 | 2009-09-15 | - | 0.421
GData | 19.7862/19.475 | 20090915 | 2009-09-15 | - | 5.644
Ikarus | T3.1.01.72 | 2009.09.15.73618 | 2009-09-15 | - | 4.234
JiangMin | 11.0.800 | 2009.09.14 | 2009-09-14 | - | 9.632
Kaspersky | 5.5.10 | 2009.09.15 | 2009-09-15 | - | 0.112
KingSoft | 2009.2.5.15 | 2009.9.15.18 | 2009-09-15 | - | 1.493
McAfee | 5.3.00 | 5741 | 2009-09-14 | - | 3.486
Microsoft | 1.5005 | 2009.09.15 | 2009-09-15 | - | 7.345
Norman | 6.01.09 | 6.01.00 | 2009-09-14 | - | 4.008
nProtect | 20090915.01 | 5485934 | 2009-09-15 | - | 7.045
Panda | 9.05.01 | 2009.09.14 | 2009-09-14 | - | 2.130
Quick Heal | 10.00 | 2009.09.15 | 2009-09-15 | - | 1.360
Rising | 20.0 | 21.47.14.00 | 2009-09-15 | - | 0.936
Sophos | 2.90.1 | 4.45 | 2009-09-15 | - | 4.042
Sunbelt | 5391 | 5391 | 2009-09-14 | Trojan.Win32.Generic!BT | 1.454
Symantec | 1.3.0.24 | 20090914.003 | 2009-09-14 | - | 0.093
The Hacker | 6.3.4.4 | v00404 | 2009-09-14 | - | 0.715
Trend Micro | 8.700-1004 | 6.444.03 | 2009-09-14 | - | 0.043
VBA32 | 3.12.10.10 | 20090914.1504 | 2009-09-14 | - | 2.220
ViRobot | 20090915 | 2009.09.15 | 2009-09-15 | - | 0.428
VirusBuster | 4.5.11.10 | 10.112.37/1864413 | 2009-09-14 | - | 2.450

I will post the rest of the logs in my next reply

#13 oasi5
  • Topic Starter
  • Members
  • 54 posts

Posted 24 March 2010 - 04:49 AM

Hello again,


Here are the new OTS log (MediaFire link, as it was too big to attach), ComboFix log, and MBAM log. Thanks again!


OTS log http://www.mediafire.com/?etujyayzqwi



ComboFix 10-03-23.03 - John Le 03/24/2010 1:00.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.175 [GMT -7:00]
Running from: c:\documents and settings\John Le\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John Le\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\documents and settings\John Le\Local Settings\Application Data\1974712374.dll"
"c:\documents and settings\John Le\Local Settings\Application Data\23755159.dll"
"c:\windows\system32\yeyapoyu.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\John Le\Application Data\Leawo
c:\documents and settings\John Le\Application Data\Leawo\AVI2Video\CustomProfile\UserDefine.xml
c:\documents and settings\John Le\Application Data\Leawo\AVI2Video\Myego.dat
c:\documents and settings\John Le\Application Data\Leawo\AVI2Video\UserData.ini
c:\documents and settings\John Le\Application Data\Moyea
c:\documents and settings\John Le\Application Data\Moyea\FLV to Video Converter Pro 2\CodecProfile.xml
c:\documents and settings\John Le\Application Data\Moyea\FLV to Video Converter Pro 2\DefProfile.xml
c:\documents and settings\John Le\Application Data\Moyea\FLV to Video Converter Pro 2\Flv2VJobs.xml
c:\documents and settings\John Le\Application Data\Moyea\FLV to Video Converter Pro 2\log.txt
c:\documents and settings\John Le\Application Data\Moyea\FLV to Video Converter Pro 2\UserInfo.ini
c:\documents and settings\John Le\Application Data\Moyea\Update\FLV to Video Trial.xml
c:\documents and settings\John Le\Local Settings\Application Data\1974712374.dll
c:\documents and settings\John Le\Local Settings\Application Data\23755159.dll
c:\documents and settings\John Le\Local Settings\Application Data\alkvsk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_zmideree


((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
.

2010-03-16 13:00 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-03-16 13:00 . 2001-08-18 05:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-03-16 13:00 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-03-16 13:00 . 2001-08-18 05:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-03-16 13:00 . 2001-08-18 05:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-03-16 13:00 . 2001-08-18 05:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-03-16 13:00 . 2001-08-17 19:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-03-16 13:00 . 2004-08-04 05:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-03-16 13:00 . 2004-08-04 05:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-03-16 13:00 . 2008-04-14 00:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-03-16 12:59 . 2008-04-13 18:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-03-16 12:59 . 2002-08-29 06:59 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-03-16 12:59 . 2001-08-17 19:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-03-16 12:57 . 2008-04-13 18:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-03-16 12:56 . 2001-08-17 21:07 30688 -c--a-w- c:\windows\system32\dllcache\sym_u3.sys
2010-03-16 12:55 . 2002-08-29 06:59 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
2010-03-16 12:54 . 2001-08-18 05:36 82432 -c--a-w- c:\windows\system32\dllcache\rwia450.dll
2010-03-16 12:53 . 2008-04-13 18:40 8832 -c--a-w- c:\windows\system32\dllcache\powerfil.sys
2010-03-16 12:52 . 2001-08-17 19:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-03-16 12:51 . 2001-08-17 21:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-03-16 12:50 . 2001-08-18 05:36 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-03-16 12:49 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-03-16 12:48 . 2001-08-18 05:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-03-16 12:47 . 2001-08-17 20:28 73279 -c--a-w- c:\windows\system32\dllcache\hsf_spkp.sys
2010-03-16 12:46 . 2004-08-04 05:31 34173 -c--a-w- c:\windows\system32\dllcache\forehe.sys
2010-03-16 12:45 . 2001-08-17 19:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-03-16 12:44 . 2001-08-18 05:36 110592 -c--a-w- c:\windows\system32\dllcache\dc260usd.dll
2010-03-16 12:43 . 2001-08-17 19:13 980034 -c--a-w- c:\windows\system32\dllcache\cicap.sys
2010-03-16 12:42 . 2001-08-17 20:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-03-16 12:41 . 2001-08-17 21:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2010-03-16 12:41 . 2001-08-17 19:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2010-03-16 12:41 . 2001-08-17 21:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2010-03-16 12:41 . 2001-08-17 20:52 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2010-03-16 12:37 . 2001-08-17 21:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 20:29 . 2009-10-24 11:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-19 05:59 . 2010-01-13 06:54 16 ----a-w- c:\windows\popcinfo.dat
2010-03-17 08:57 . 2010-01-09 06:56 -------- d-----w- c:\program files\Avidemux 2.5
2010-03-16 11:36 . 2006-03-12 08:24 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-11 14:54 . 2006-04-26 22:56 -------- d-----w- c:\program files\Power Tab Software
2010-03-10 06:58 . 2010-03-10 06:58 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-10 06:58 . 2010-03-10 06:58 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-10 06:58 . 2010-03-10 06:58 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-10 06:58 . 2010-03-10 06:58 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-10 06:58 . 2010-03-10 06:58 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-10 06:58 . 2010-03-10 06:58 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-10 06:58 . 2010-03-10 06:58 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-10 06:58 . 2010-03-10 06:58 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-10 06:57 . 2006-03-09 12:24 -------- d-----w- c:\program files\Real
2010-03-02 10:01 . 2006-12-30 05:02 -------- d-----w- c:\documents and settings\John Le\Application Data\U3
2010-03-01 09:29 . 2009-12-28 02:01 -------- d-----w- c:\documents and settings\John Le\Application Data\vlc
2010-02-27 22:19 . 2008-06-27 07:50 7036 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-22 01:38 . 2006-03-09 11:54 -------- d-----w- c:\program files\Modem Helper
2010-02-19 07:53 . 2006-05-24 06:39 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-18 21:16 . 2010-02-18 21:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 21:15 . 2010-02-18 21:15 5115824 ----a-w- c:\program files\mbam-setup.exe
2010-02-14 15:33 . 2010-02-14 15:32 -------- d-----w- c:\program files\Glary Registry Repair
2010-02-14 15:32 . 2010-02-14 15:32 -------- d-----w- c:\documents and settings\John Le\Application Data\GlarySoft
2010-02-14 15:31 . 2010-02-14 15:31 3843464 ----a-w- c:\program files\rrsetup.exe
2010-02-14 10:38 . 2008-12-07 09:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-14 09:22 . 2010-02-14 09:22 -------- d-----w- c:\documents and settings\Administrator.GNR\Application Data\Malwarebytes
2010-02-14 06:53 . 2010-02-14 06:53 54016 ----a-w- c:\windows\system32\drivers\lwleg.sys
2010-02-14 05:25 . 2010-02-14 05:25 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2010-02-14 05:14 . 2010-02-14 05:14 144 ----a-w- c:\windows\tempfile2.bat
2010-01-13 04:57 . 2006-03-09 11:05 16369 ----a-w- c:\windows\system32\nvModes.dat
2010-01-13 04:54 . 2010-01-13 04:55 720896 ----a-w- c:\windows\iun6002ev.exe
2010-01-09 06:53 . 2010-01-09 06:52 10327518 ----a-w- c:\program files\avidemux_2.5.2_win32.exe
2010-01-08 00:07 . 2010-02-18 21:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2010-02-18 21:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2006-03-12 08:25 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-03-12 08:25 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2006-03-12 08:24 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 01:20 . 2009-12-28 01:17 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
2009-12-23 19:52 . 2009-12-23 19:52 220454 ----a-w- c:\program files\unlocker1.8.8.exe
2009-12-01 18:40 . 2009-12-01 18:39 14890721 ----a-w- c:\program files\K-Lite_Codec_Pack_544_Full.exe
2009-11-25 11:40 . 2009-11-25 11:40 486424 ----a-w- c:\program files\RealPlayerSPGold.exe
2008-09-26 22:19 . 2008-09-26 22:19 1507 ----a-w- c:\program files\AVG Free 8.0.lnk
2008-09-26 22:16 . 2008-09-26 22:11 49996376 ----a-w- c:\program files\avg_free_stf_en_8_169a1359.exe
2007-07-26 23:04 . 2007-07-26 23:03 49943864 ----a-w- c:\program files\iTunesSetup.exe
2007-02-09 05:20 . 2007-02-09 05:13 12684992 -c--a-w- c:\program files\winamp532_full_bundle_emusic-7plus.exe
2007-02-04 20:40 . 2007-02-04 20:40 1767552 -c--a-w- c:\program files\LinksysWebConnectPC.exe
2006-03-09 14:05 . 2006-03-09 14:05 1014477 -c--a-w- c:\program files\wrar351.exe
2006-03-09 14:03 . 2006-03-09 14:03 13112400 -c--a-w- c:\program files\DivXCreate.exe
2006-03-09 13:57 . 2006-03-09 13:56 12652784 -c--a-w- c:\program files\mp10setup.exe
2006-03-09 13:51 . 2006-03-09 13:51 5846632 -c--a-w- c:\program files\winzip100.exe
2006-03-09 13:41 . 2006-03-09 13:40 5640784 -c--a-w- c:\program files\winamp52_full_emusic-7plus.exe
2004-11-05 04:02 . 2010-01-13 04:52 18946721 ----a-w- c:\program files\BeJeweled 2 Deluxe.exe
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2005-12-19 1347584]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-01-08 4866048]
"nwiz"="nwiz.exe" [2004-01-08 323584]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2003-03-07 209800]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-12-12 217088]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-18 2046816]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-15 618496]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-10 202256]

c:\documents and settings\John Le\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-3-30 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-24 11:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Package REG_MULTI_SZ scecli scecli scecli

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\system32\\WLTRYSVC.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/24/2009 4:20 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/24/2009 4:20 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/24/2009 4:31 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/24/2009 4:31 AM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 3:53 AM 24652]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2/13/2009 12:02 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-776561741-2025429265-1801674531-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-03-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-776561741-2025429265-1801674531-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.espn.com/
mStart Page = hxxp://www.cnn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\John Le\Application Data\Mozilla\Firefox\Profiles\9tksewgj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.imdb.com/?c=1
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-24 01:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3396)
c:\windows\system32\WININET.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-24 01:21:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-24 08:21
ComboFix2.txt 2010-03-20 21:02

Pre-Run: 14,430,707,712 bytes free
Post-Run: 14,416,478,208 bytes free

- - End Of File - - BA18FC12AF03C62740ECED95D42B6DBB


Malwarebytes' Anti-Malware 1.44
Database version: 3907
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/24/2010 2:15:29 AM
mbam-log-2010-03-24 (02-15-29).txt

Scan type: Quick Scan
Objects scanned: 127339
Time elapsed: 7 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\John Le\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#14 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere
  • Local time:05:42 AM

Posted 24 March 2010 - 05:40 AM

Hi,

How is your computer running? Any problems or issues?

I'll get back with a fix as soon as I'm ready.

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#15 oasi5

oasi5
  • Topic Starter

  • Members
  • 54 posts
  • Local time:02:42 PM

Posted 24 March 2010 - 05:55 AM

Hey,

Since I'm not very computer literate, I can only say that it's running fine, but I don't really know what to look for. I still have my antivirus disabled. Not sure if I should turn it on, since I wasn't told to by you. Really worried not to make any changes unless advised by you. Only thing I can say is when I ran ComboFix it told me to update, which I did to run the scan. Hopefully it was the right move. From what I saw in the scans it picked up 2 different malware. Hope to hear a reply from you soon. Take care.
