
Malwarebytes is finding stuff but cant solve.


This topic is locked
2 replies to this topic

#1 Nateg90


Posted 24 April 2010 - 06:04 PM

Hey guys, recently I acquired some form of virus, but all I know is that it is disengaging my firewall and opening a bunch of pop-up sites while browsing. (Sometimes, I'll click on a link from Google to a tech support site like this, and it will take me to one of the ads?) I read on another forum that you guys use ComboFix and HijackThis, so I did both and wondered if you guys might be able to help me. I do apologize for the repost, but I figured that even though some problems are similar, not all symptoms are the same.
Here is the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:05 PM, on 4/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xxxchurch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} (SysInfo Class) - http://content.systemrequirementslab.com.s...ri_4.1.71.0.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/up...er_4.0.53.0.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...727/mcfscan.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 11459 bytes


AND the Combo-Fix Log:

ComboFix 10-04-21.01 - USER 04/24/2010 18:41:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2317 [GMT -4:00]
Running from: c:\documents and settings\USER\Desktop\Combo-Fix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Read Me.txt
c:\recycler\S-1-5-21-2408282326-2526512963-3363877115-1005
c:\windows\system32\Config.ini
c:\windows\system32\driVERs\uibrpy.sys
c:\windows\system32\VB6KO.DLL

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_uibrpy
-------\Service_uibrpy


((((((((((((((((((((((((( Files Created from 2010-03-24 to 2010-04-24 )))))))))))))))))))))))))))))))
.

2010-04-24 22:05 . 2010-04-24 22:05 -------- d-----w- c:\program files\Trend Micro
2010-04-23 15:54 . 2010-04-23 15:54 -------- d-----w- c:\program files\Download Manager
2010-04-23 15:53 . 2010-04-23 15:54 -------- d-----w- c:\documents and settings\USER\Application Data\IGN_DLM
2010-04-21 19:00 . 2010-04-21 19:00 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-04-21 14:36 . 2010-04-21 14:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-21 14:36 . 2010-04-23 14:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-21 14:28 . 2010-04-21 14:28 118 ----a-w- C:\tujserrew.bat
2010-04-15 12:35 . 2010-04-15 12:35 15086 ----a-r- c:\documents and settings\USER\Application Data\Microsoft\Installer\{A2E23800-051D-4F35-8169-85F5739A04C5}\icons.exe
2010-04-15 12:35 . 2010-04-15 12:35 -------- d-----w- c:\program files\portalgraphics
2010-04-12 18:07 . 2010-04-12 18:07 -------- d-----w- c:\documents and settings\USER\Application Data\acccore
2010-04-12 18:07 . 2010-04-12 18:07 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\AOL OCP
2010-04-12 18:07 . 2010-04-12 18:07 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\AOL
2010-04-02 17:40 . 2010-03-26 22:01 358944 ----a-w- c:\windows\vncutil.exe
2010-04-02 17:40 . 2010-03-26 22:01 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-04-02 17:40 . 2010-03-26 22:01 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-04-02 17:40 . 2009-11-18 11:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2010-04-02 17:40 . 2009-11-18 11:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2010-04-02 16:59 . 2010-04-02 16:59 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\RadarSync
2010-04-02 15:18 . 2010-04-02 15:18 516480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerAddin.dll
2010-04-02 15:18 . 2010-04-02 15:18 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2010-03-31 13:40 . 2010-03-31 13:40 138056 ----a-w- c:\documents and settings\USER\Application Data\PnkBstrK.sys
2010-03-31 13:39 . 2010-03-31 13:39 2407792 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2010-03-31 01:47 . 2010-03-31 01:47 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\HP
2010-03-31 00:52 . 2010-03-31 00:52 -------- d-----w- c:\documents and settings\USER\Application Data\FarStone

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 22:50 . 2010-01-21 16:11 -------- d-----w- c:\program files\Common Files\Akamai
2010-04-24 22:49 . 2010-03-11 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\x3watch
2010-04-24 22:49 . 2009-06-30 12:24 -------- d-----w- c:\program files\lg_fwupdate
2010-04-24 22:49 . 2010-03-11 19:42 -------- d-----w- c:\documents and settings\USER\Application Data\WTablet
2010-04-24 22:39 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-24 19:49 . 2009-09-21 14:06 -------- d-----w- c:\program files\Steam
2010-04-23 15:56 . 2009-12-25 14:34 -------- d-----w- c:\program files\World of Warcraft
2010-04-15 01:43 . 2009-06-30 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-12 13:16 . 2009-06-30 12:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-08 14:47 . 2009-08-19 21:52 -------- d-----w- c:\program files\SystemRequirementsLab
2010-04-07 23:28 . 2009-07-01 15:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-06 15:18 . 2010-01-12 16:17 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-06 15:18 . 2010-01-12 16:17 1265264 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-03 12:09 . 2009-07-03 16:27 139456 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-03 12:08 . 2009-07-03 16:27 190160 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-02 18:30 . 2009-11-04 01:45 -------- d-----w- c:\program files\PokerStars.NET
2010-04-02 18:28 . 2009-07-25 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-02 17:23 . 2009-06-30 12:18 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-02 17:15 . 2010-01-03 17:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-31 21:19 . 2010-01-07 20:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-31 21:17 . 2010-03-07 00:29 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 13:39 . 2009-07-03 16:27 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-30 04:46 . 2010-01-07 20:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-01-07 20:34 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 22:21 . 2009-07-01 03:11 5883936 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-03-26 22:01 . 2009-07-01 03:11 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2010-03-26 22:01 . 2009-07-01 03:11 1833504 ----a-w- c:\windows\SkyTel.exe
2010-03-26 22:01 . 2009-07-01 03:11 9721888 ----a-w- c:\windows\RTLCPL.EXE
2010-03-26 22:01 . 2009-07-01 03:11 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-03-26 22:01 . 2009-07-01 03:11 19522592 ----a-w- c:\windows\RTHDCPL.EXE
2010-03-26 22:01 . 2009-07-01 03:11 2177568 ----a-w- c:\windows\MicCal.exe
2010-03-26 22:01 . 2009-07-01 03:11 64032 ----a-w- c:\windows\ALCMTR.EXE
2010-03-26 22:01 . 2009-07-01 03:11 2815520 ----a-w- c:\windows\ALCWZRD.EXE
2010-03-22 18:22 . 2009-07-01 03:10 1247776 ----a-w- c:\windows\RtlExUpd.dll
2010-03-21 22:46 . 2010-03-21 22:46 -------- d-----w- c:\documents and settings\USER\Application Data\HP
2010-03-16 07:37 . 2010-03-16 07:37 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-03-16 07:37 . 2010-03-16 07:37 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-03-16 07:37 . 2010-03-16 07:37 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-03-16 07:37 . 2010-03-16 07:37 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-03-16 07:37 . 2010-03-16 07:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-16 07:37 . 2010-03-16 07:37 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-03-15 14:53 . 2009-07-05 22:44 -------- d-----w- c:\program files\X3watch
2010-03-14 21:05 . 2010-03-14 21:05 -------- d-----w- c:\documents and settings\USER\Application Data\Malwarebytes
2010-03-13 13:55 . 2010-03-13 13:55 30528 ----a-w- c:\documents and settings\USER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-13 13:23 . 2010-03-13 13:23 -------- d-----w- c:\documents and settings\USER\Application Data\Nvu
2010-03-13 13:23 . 2010-03-13 13:22 -------- d-----w- c:\program files\Nvu
2010-03-12 20:40 . 2010-03-11 23:24 -------- d-----w- c:\documents and settings\USER\Application Data\BitTorrent
2010-03-12 15:26 . 2009-06-30 12:16 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-11 23:37 . 2010-03-11 23:37 -------- d--h--r- c:\documents and settings\USER\Application Data\SecuROM
2010-03-11 19:59 . 2010-03-11 19:59 -------- d-----w- c:\documents and settings\USER\Application Data\Autodesk
2010-03-11 19:42 . 2010-03-11 19:42 -------- d-----w- c:\documents and settings\USER\Application Data\x3watch
2010-03-11 19:24 . 2009-07-04 16:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 21:47 . 2010-04-21 21:13 171178 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 21:04 . 2010-02-20 21:04 1024 ----a-w- c:\windows\system32\Image2PDF.dat
2010-02-20 17:32 . 2010-02-20 17:32 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-20 17:32 . 2010-02-20 17:32 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-02-20 17:32 . 2010-02-20 17:32 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-02-20 17:32 . 2010-02-20 17:32 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-02-20 17:32 . 2010-01-27 16:18 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-20 17:32 . 2010-01-12 17:12 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-20 17:32 . 2010-02-20 17:32 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-02-20 17:32 . 2010-02-20 17:32 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-02-20 17:32 . 2010-01-12 16:17 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-20 17:32 . 2010-02-20 17:32 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-04 16:23 . 2010-01-20 16:18 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-04 15:53 . 2010-02-20 17:31 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2010-01-12 16:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-27 16:18 . 2010-01-12 16:18 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
1999-07-07 00:00 . 1999-07-07 00:00 6 --sh--r- c:\windows\@@desktop.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2009-10-27 557056]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"x3watch"="c:\program files\X3watch\x3watch.exe" [2008-06-02 299008]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-16 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-03-16 110696]
"RTHDCPL"="RTHDCPL.EXE" [2010-03-26 19522592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

c:\documents and settings\USER\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis Wars\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dragon age orgins character creator\\DAOriginsLauncher.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10505-to-3.3.0.10958-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator demo\\AvP.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"1031:TCP"= 1031:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 FGXSCSI;FGXSCSI;c:\windows\system32\drivers\fgxscsi.sys [11/25/2009 7:17 PM 71680]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/12/2010 12:19 PM 64288]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 8:00 AM 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [9/29/2008 11:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [7/1/2009 12:36 PM 67904]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/2/2010 1:40 PM 1691480]
S3 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\BdHidCom.sys [9/25/2009 1:35 PM 17408]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [7/1/2009 12:36 PM 64432]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:18]

2010-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://xxxchurch.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{5123CCA0-B3E7-3449-B275-F72C904C7A4D} - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-nwiz - nwiz.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-_{0C180787-F8C8-42FD-A9D3-689BA44BEAAF} - c:\program files\Corel\Corel Painter Essentials 3\MSILauncher {0C180787-F8C8-42FD-A9D3-689BA44BEAAF}
AddRemove-{D5BB0907-4BB2-46A3-AA68-0173D111058D} - c:\program files\FarStone\GameDrive\Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-24 18:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-1682526488-1417001333-1009\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ef,b8,07,a0,29,20,93,ea,87,9f,26,02,ff,b2,66,dc,7b,9b,4f,20,f6,65,c5,
85,c1,d8,77,1a,9f,7d,8b,f7,c4,cb,97,ca,86,1e,0f,50,0f,57,ac,85,8c,71,8a,77,\
"??"=hex:92,ca,aa,a2,5d,f8,b4,04,fa,13,cb,ca,c5,99,c0,95

[HKEY_USERS\S-1-5-21-1644491937-1682526488-1417001333-1009\Software\SecuROM\License information*]
"datasecu"=hex:fb,2f,e8,62,4b,db,0b,99,90,51,5d,09,86,18,21,73,09,10,f1,49,d9,
ce,7e,3c,9c,3a,e6,2b,c9,30,1e,87,c1,b1,aa,ad,c1,ca,f7,ea,9c,c0,9c,49,68,e2,\
"rkeysecu"=hex:4a,26,f8,c3,4a,ef,81,b8,fd,61,cf,28,e5,42,9b,b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(992)
c:\windows\system32\nvLsp.dll

- - - - - - - > 'explorer.exe'(1808)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PSIService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\Tablet.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\windows\system32\WTablet\TabUserW.exe
c:\windows\system32\Tablet.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-04-24 18:54:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-24 22:54

Pre-Run: 194,661,765,120 bytes free
Post-Run: 195,439,951,872 bytes free

- - End Of File - - 3B14CC7C83FD369996879D65E8D4F75E

EDIT: Moved from XP forum to Malware Removal Logs ~ Hamluis.

Edited by hamluis, 24 April 2010 - 06:12 PM.



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:13 AM

Posted 29 April 2010 - 06:46 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:13 AM

Posted 05 May 2010 - 05:51 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
