theres somthing in there...


This topic is locked
10 replies to this topic

#1 Metalchic (Members, 9 posts)
Posted 29 April 2010 - 12:13 PM

It's like the splinter you get: you pull the splinter out, but it still hurts because there's a little tiny tip still in there. That's like this problem. None of my antivirus or spyware apps are going off, but my World of Warcraft account got hacked again, so there must be something still in here. GMER crashed the entire computer while scanning Drivers/0000007E, I believe it was. I do have a DDS log, though, as per the introduction post.

Attached Files

  • Attached File  DDS.txt   11.05KB   9 downloads



#2 syler (Malware Response Team, 8,150 posts, Warrington, UK)
Posted 03 May 2010 - 10:44 AM

Hello and welcome to BleepingComputer.

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since
resolved your issues I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %appdata%\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    proquota.exe
    sfcfiles.dll
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    beep.sys
    iaStor.sys
    nvstor.sys
    atapi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    iastorv.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 Metalchic (Topic Starter, Members, 9 posts)
Posted 03 May 2010 - 05:33 PM

The text documents were very large, so I uploaded them as .txt instead. I hope that was OK.

Attached Files



#4 syler (Malware Response Team, 8,150 posts, Warrington, UK)
Posted 03 May 2010 - 05:51 PM

Hi Metalchic,

I would prefer that you copy and paste the logs instead, even if you need to use a couple of posts, it makes it easier for me to review them, thanks.

I have had a brief look at your logs and don't see anything. Apart from your WoW account being hacked, have you had any other problems, like unusual slowness, redirects or popups?


Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Go to Start >> Run then copy and paste the following line into the run box
    "%userprofile%\desktop\mbr.exe" -t

  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop, where you ran mbr.exe from.
  • Copy and paste the contents of mbr.log on your next reply.



#5 Metalchic (Topic Starter, Members, 9 posts)
Posted 03 May 2010 - 09:29 PM

OK, well, I followed a guide from http://home.comcast.net/~SupportCD/OptimizeXP.html (malware removal and prevention guide) before posting. I was afraid more than just my WoW account would be hijacked if I spent too much time surfing around the web. The only issue I've had is Avira telling me that it found a malware instance inside of the System Restore, but I'm not sure how to determine which point I need to delete to get rid of that one instance. I guess if it was the preferred method to copy/paste the logs into posts then it should be explicitly stated (I didn't want to violate the whole no-double-posting rule that is almost unspoken on most sites but on some is a ban-on-sight offence).

Oh, there was one thing: I had to downgrade back to Windows XP because when I was running Windows Vista every single Flash ad in existence that could open up to be wider or had a video to play would start automatically at full volume. I don't know what could have caused it; I don't know if it might be related to a spyware/adware/whateverware problem or just a conflict of IE8 for Vista Home Premium and the latest Flash, but whatever, I can make a new topic for this problem if it's so needed.

Edited by Metalchic, 03 May 2010 - 09:41 PM.


#6 syler (Malware Response Team, 8,150 posts, Warrington, UK)
Posted 04 May 2010 - 08:18 AM

QUOTE
I guess if it was the preferred method to copy/paste the logs into posts then it should be explicitly stated (I didn't want to violate the whole no-double-posting rule that is almost unspoken on most sites but on some is a ban-on-sight offence).


It really is not that big a deal; some people prefer them to be attached, some don't.

We can deal with the threats in the restore point when we have finished checking. Can you post the other log
I asked for, please?



#7 Metalchic (Topic Starter, Members, 9 posts)
Posted 04 May 2010 - 04:26 PM

OK, here's the log you asked for.

CODE
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
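
The check behind the mbr.exe step in post #4, and behind the "user & kernel MBR OK" line in the log above, illustrated as an added example. This is not code from the thread and not the code of GMER's mbr.exe: it reads a 512-byte sector, sanity-checks it as an MBR (boot signature, status bytes, overlapping entries) and reports where two independent reads of the same sector disagree, which is the symptom a bootkit that hooks the user-mode read path produces. The sector bytes are constructed for the example, and build_sample_mbr(), parse_mbr() and compare_reads() are this example's own names.

```python
"""Parse a 512-byte MBR and compare two independent reads of it.

Added example for the thread above; not part of mbr.exe or GMER. The sample
sector is constructed, not a real disk image.
"""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = 0xAA55
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FORMAT = "<B3sB3sII"


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code, one active NTFS entry, 0x55AA."""
    boot_code = b"\x33\xc0\x8e\xd0" + b"\x00" * (PARTITION_TABLE_OFFSET - 4)
    ntfs = struct.pack(ENTRY_FORMAT, 0x80, b"\x01\x01\x00", 0x07,
                       b"\xfe\xff\xff", 63, 97_000_000)
    empty = b"\x00" * 16
    return boot_code + ntfs + empty * 3 + struct.pack("<H", BOOT_SIGNATURE)


def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table and boot signature; collect sanity findings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    signature = struct.unpack_from("<H", sector, BOOT_SIGNATURE_OFFSET)[0]
    partitions, findings, active = [], [], 0
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector, off)
        if ptype == 0 and lba == 0 and count == 0:
            continue  # empty slot
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{status:02x}")
        if status == 0x80:
            active += 1
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    if active > 1:
        findings.append("more than one partition marked active")
    if signature != BOOT_SIGNATURE:
        findings.append(f"bad boot signature 0x{signature:04x}")
    # Overlapping ranges are a classic sign of a corrupted or tampered table.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions)
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partition ranges overlap")
            break
    return {"signature_ok": signature == BOOT_SIGNATURE, "partitions": partitions,
            "boot_code": sector[:PARTITION_TABLE_OFFSET], "findings": findings}


def region(offset: int) -> str:
    """Name the MBR region an offset falls in."""
    if offset < PARTITION_TABLE_OFFSET:
        return "boot code"
    if offset < BOOT_SIGNATURE_OFFSET:
        return "partition table"
    return "boot signature"


def compare_reads(user_read: bytes, kernel_read: bytes) -> list:
    """Report each region where the user-mode and kernel-mode reads disagree."""
    findings, seen = [], set()
    for off, (a, b) in enumerate(zip(user_read, kernel_read)):
        if a != b and region(off) not in seen:
            seen.add(region(off))
            findings.append(f"{region(off)} differs (first at offset 0x{off:03x})")
    if len(user_read) != len(kernel_read):
        findings.append("reads have different lengths")
    return findings


if __name__ == "__main__":
    sector = build_sample_mbr()
    info = parse_mbr(sector)
    print("partitions:", info["partitions"], "findings:", info["findings"])
    # Simulate a hooked read path that hides a patched boot-code byte.
    shown_to_user = bytearray(sector)
    shown_to_user[0x10] ^= 0xFF
    print("user vs kernel:", compare_reads(bytes(shown_to_user), sector) or "OK")
```

On a real machine the two inputs would come from reading the physical drive through the normal file API and through a path the rootkit cannot filter; the comparison itself is what matters, because a bootkit that patches the boot code has to lie to user-mode readers to survive a scan.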


#8 syler (Malware Response Team, 8,150 posts, Warrington, UK)
Posted 05 May 2010 - 08:06 AM

I still don't see anything wrong there, let's run one more tool to make sure.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#9 Metalchic (Topic Starter, Members, 9 posts)
Posted 06 May 2010 - 10:34 AM

OK, here we go.
CODE
ComboFix 10-05-05.0B - Metalchic 05/06/2010   8:20.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1460 [GMT -7:00]
Running from: c:\documents and settings\Metalchic\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Metalchic\Start Menu\Programs\Startup\MagicDisc.lnk

.
(((((((((((((((((((((((((   Files Created from 2010-04-06 to 2010-05-06  )))))))))))))))))))))))))))))))
.

2010-05-05 21:55 . 2010-05-05 21:55    --------    d-----w-    c:\program files\MagicISO
2010-05-05 11:04 . 2009-10-07 01:32    327168    ----a-w-    c:\windows\system32\cutil32.dll
2010-05-05 11:04 . 2009-08-04 03:25    285696    ----a-w-    c:\windows\system32\cudart.dll
2010-05-05 11:04 . 2010-05-05 11:04    --------    d-----w-    c:\program files\CPUID
2010-05-02 18:33 . 2010-05-02 18:33    664    ----a-w-    c:\windows\system32\d3d9caps.dat
2010-05-02 10:28 . 2010-05-02 10:28    --------    d-----w-    c:\documents and settings\All Users\Application Data\Messenger Plus!
2010-05-02 10:20 . 2010-05-02 10:21    --------    d-----w-    c:\program files\Messenger Plus! Live
2010-05-01 23:40 . 2010-05-01 23:42    13195    ----a-w-    c:\documents and settings\Metalchic\zguicfgw.dat
2010-05-01 23:33 . 2010-05-01 23:42    --------    d-----w-    c:\documents and settings\Metalchic\zziptmp_.__z
2010-05-01 04:57 . 2010-05-01 04:57    --------    d-----w-    c:\program files\Bethesda Softworks
2010-05-01 04:53 . 2010-05-01 04:53    107888    ----a-w-    c:\windows\system32\CmdLineExt.dll
2010-05-01 04:53 . 2010-05-01 04:53    --------    d--h--r-    c:\documents and settings\Metalchic\Application Data\SecuROM
2010-05-01 04:53 . 2010-05-01 05:12    --------    d-----w-    c:\documents and settings\Metalchic\Local Settings\Application Data\Oblivion
2010-05-01 04:32 . 2009-02-25 01:42    116736    ----a-w-    c:\windows\system32\drivers\mcdbus.sys
2010-05-01 04:32 . 2010-05-01 04:32    --------    d-----w-    c:\program files\MagicDisc
2010-04-30 01:28 . 2007-04-05 01:55    261480    ----a-w-    c:\windows\system32\xactengine2_7.dll
2010-04-30 01:26 . 2010-04-30 01:26    --------    d-----w-    c:\windows\Logs
2010-04-30 01:00 . 2010-04-30 01:00    --------    d-----w-    C:\CCR INC
2010-04-29 04:48 . 2010-04-29 04:48    --------    d-----w-    c:\windows\ShellNew
2010-04-29 04:48 . 2010-04-29 04:48    --------    d-----w-    c:\program files\AutoHotkey
2010-04-29 04:45 . 2010-04-29 04:45    --------    d-----w-    c:\program files\GameCommanderPro2
2010-04-29 04:13 . 2010-04-29 04:13    --------    d-----w-    c:\program files\GameCommanderPro
2010-04-28 15:41 . 2010-04-28 15:41    388096    ----a-r-    c:\documents and settings\Metalchic\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-28 15:41 . 2010-04-28 15:41    --------    d-----w-    c:\program files\Trend Micro
2010-04-28 04:47 . 2010-04-28 04:47    --------    d-sh--w-    c:\documents and settings\NetworkService\IETldCache
2010-04-28 04:28 . 2010-02-24 17:16    181632    ------w-    c:\windows\system32\MpSigStub.exe
2010-04-28 04:27 . 2010-04-28 04:27    --------    d-----w-    c:\program files\Windows Defender
2010-04-28 04:24 . 2010-04-28 15:44    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-28 04:24 . 2010-04-28 04:30    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-04-28 04:16 . 2010-04-28 04:16    161296    ----a-w-    c:\windows\system32\drivers\tmcomm.sys
2010-04-25 22:34 . 2010-05-06 03:07    --------    d-----w-    c:\documents and settings\Metalchic\Tracing
2010-04-25 22:33 . 2010-04-25 22:33    --------    d-----w-    c:\program files\Microsoft
2010-04-25 22:33 . 2010-04-25 22:33    --------    d-----w-    c:\program files\Windows Live SkyDrive
2010-04-25 22:32 . 2010-04-25 22:33    --------    d-----w-    c:\program files\Windows Live
2010-04-25 22:17 . 2010-04-25 22:17    --------    d-----w-    c:\program files\Common Files\Windows Live
2010-04-24 09:26 . 2010-04-24 09:26    --------    d-----w-    c:\program files\Common Files\Blizzard Entertainment
2010-04-24 02:44 . 2010-04-24 02:44    --------    d-----w-    c:\windows\Downloaded Installations
2010-04-23 17:41 . 2010-04-23 17:41    --------    d-sh--w-    c:\documents and settings\Metalchic\IECompatCache
2010-04-21 19:34 . 2008-04-14 00:12    26624    ----a-w-    c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-04-21 19:33 . 2010-04-21 19:33    --------    d-sh--w-    c:\documents and settings\Metalchic\PrivacIE
2010-04-21 19:30 . 2010-04-21 19:30    --------    d-sh--w-    c:\documents and settings\LocalService\IETldCache
2010-04-21 19:29 . 2010-04-21 19:29    --------    d-sh--w-    c:\documents and settings\Metalchic\IETldCache
2010-04-21 16:15 . 2010-02-25 18:54    11070976    -c----w-    c:\windows\system32\dllcache\ieframe.dll
2010-04-21 16:15 . 2010-02-25 06:24    12800    -c----w-    c:\windows\system32\dllcache\xpshims.dll
2010-04-21 16:15 . 2010-02-25 06:24    594432    -c----w-    c:\windows\system32\dllcache\msfeeds.dll
2010-04-21 16:15 . 2010-02-25 06:24    55296    -c----w-    c:\windows\system32\dllcache\msfeedsbs.dll
2010-04-21 16:15 . 2010-02-25 06:24    247808    -c----w-    c:\windows\system32\dllcache\ieproxy.dll
2010-04-21 16:15 . 2010-02-25 06:24    1985536    -c----w-    c:\windows\system32\dllcache\iertutil.dll
2010-04-21 16:15 . 2010-04-21 16:15    --------    d-----w-    c:\windows\ie8updates
2010-04-21 16:15 . 2010-02-16 04:50    64000    -c----w-    c:\windows\system32\dllcache\iecompat.dll
2010-04-21 16:13 . 2010-04-21 16:14    --------    dc-h--w-    c:\windows\ie8
2010-04-21 16:11 . 2010-04-21 16:11    --------    d-----w-    c:\documents and settings\Metalchic\Application Data\Media Player Classic
2010-04-21 16:10 . 2010-04-21 16:11    --------    d-----w-    c:\program files\Combined Community Codec Pack
2010-04-21 08:39 . 2010-04-21 08:39    --------    d-----w-    c:\documents and settings\Metalchic\Application Data\Windows Desktop Search
2010-04-21 08:38 . 2010-04-21 08:38    --------    d-----w-    c:\windows\system32\GroupPolicy
2010-04-21 08:38 . 2010-04-21 08:38    --------    d-----w-    c:\program files\Windows Desktop Search
2010-04-21 08:38 . 2008-03-07 17:02    98304    -c----w-    c:\windows\system32\dllcache\nlhtml.dll
2010-04-21 08:38 . 2008-03-07 17:02    29696    -c----w-    c:\windows\system32\dllcache\mimefilt.dll
2010-04-21 08:38 . 2008-03-07 17:02    192000    -c----w-    c:\windows\system32\dllcache\offfilt.dll
2010-04-21 08:37 . 2010-04-21 08:37    --------    d-----w-    c:\program files\Windows Media Connect 2
2010-04-21 08:37 . 2010-04-21 08:37    --------    d-----w-    c:\windows\system32\drivers\UMDF
2010-04-21 08:37 . 2010-04-21 08:37    --------    d-----w-    c:\windows\system32\LogFiles
2010-04-21 08:35 . 2010-04-21 08:35    --------    d-----w-    c:\windows\system32\URTTEMP
2010-04-21 08:34 . 2010-02-24 13:11    455680    -c----w-    c:\windows\system32\dllcache\mrxsmb.sys
2010-04-21 08:33 . 2009-10-23 15:28    3558912    -c----w-    c:\windows\system32\dllcache\moviemk.exe
2010-04-21 08:33 . 2009-12-31 16:50    353792    -c----w-    c:\windows\system32\dllcache\srv.sys
2010-04-21 08:32 . 2009-10-15 16:28    81920    -c----w-    c:\windows\system32\dllcache\fontsub.dll
2010-04-21 08:32 . 2009-10-15 16:28    119808    -c----w-    c:\windows\system32\dllcache\t2embed.dll
2010-04-21 08:32 . 2009-11-21 15:51    471552    -c----w-    c:\windows\system32\dllcache\aclayers.dll
2010-04-21 08:30 . 2009-06-21 21:44    153088    -c----w-    c:\windows\system32\dllcache\triedit.dll
2010-04-21 08:29 . 2009-07-10 13:27    1315328    -c----w-    c:\windows\system32\dllcache\msoe.dll
2010-04-21 08:27 . 2009-07-31 04:35    1172480    -c----w-    c:\windows\system32\dllcache\msxml3.dll
2010-04-21 08:27 . 2008-10-15 16:34    337408    -c----w-    c:\windows\system32\dllcache\netapi32.dll
2010-04-21 08:27 . 2008-05-01 14:33    331776    -c----w-    c:\windows\system32\dllcache\msadce.dll
2010-04-21 08:27 . 2008-04-11 19:04    691712    -c----w-    c:\windows\system32\dllcache\inetcomm.dll
2010-04-21 08:26 . 2008-06-13 11:05    272128    -c----w-    c:\windows\system32\dllcache\bthport.sys
2010-04-21 08:26 . 2008-05-08 14:02    203136    -c----w-    c:\windows\system32\dllcache\rmcast.sys
2010-04-21 08:18 . 2010-04-21 08:18    --------    d-----w-    c:\windows\system32\scripting
2010-04-21 08:18 . 2010-04-21 08:18    --------    d-----w-    c:\windows\system32\en
2010-04-21 08:18 . 2010-04-21 08:18    --------    d-----w-    c:\windows\system32\bits
2010-04-21 08:18 . 2010-04-21 08:18    --------    d-----w-    c:\windows\l2schemas
2010-04-21 08:16 . 2010-04-21 08:16    --------    d-----w-    c:\windows\ServicePackFiles
2010-04-21 07:57 . 2010-04-21 16:19    --------    d--h--w-    c:\windows\$hf_mig$
2010-04-21 07:55 . 2009-08-07 02:24    44768    ----a-w-    c:\windows\system32\wups2.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 22:22 . 2009-01-18 05:38    127888    ----a-w-    c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-04 22:00 . 2010-05-04 22:00    103    ----a-w-    c:\program files\revenant.eq
2010-05-04 21:46 . 2010-05-04 21:46    108    ----a-w-    c:\program files\woofail.eq
2010-05-04 21:27 . 2009-01-18 04:32    --------    d-----w-    c:\program files\World of Warcraft Model Viewer
2010-05-01 04:57 . 2009-01-17 08:20    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-04-29 00:34 . 2010-04-29 00:34    117    ----a-w-    c:\program files\batahgears.eq
2010-04-25 22:34 . 2009-01-17 08:01    13688    ----a-w-    c:\documents and settings\Metalchic\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-21 08:20 . 2009-01-17 08:34    86327    ----a-w-    c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-03 04:21 . 2009-01-17 09:46    4630016    ----a-w-    c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2009-01-17 09:46    311296    ----a-w-    c:\windows\system32\atiiiexx.dll
2010-03-03 04:02 . 2009-01-17 09:46    45056    ----a-w-    c:\windows\system32\aticalrt.dll
2010-03-03 04:02 . 2009-01-17 09:46    45056    ----a-w-    c:\windows\system32\aticalcl.dll
2010-03-03 04:01 . 2009-01-17 09:46    3641344    ----a-w-    c:\windows\system32\aticaldd.dll
2010-03-03 03:44 . 2009-01-17 09:46    14262272    ----a-w-    c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2009-01-17 09:46    446464    ----a-w-    c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2009-01-17 09:46    3616096    ----a-w-    c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2009-01-17 09:46    301056    ----a-w-    c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2009-01-17 09:46    208896    ----a-w-    c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2009-01-17 09:46    2232320    ----a-w-    c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2009-01-17 09:46    155648    ----a-w-    c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2009-01-17 09:46    887724    ----a-w-    c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2009-01-17 09:46    3    ----a-w-    c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2009-01-17 09:46    26112    ----a-w-    c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2009-01-17 09:46    43520    ----a-w-    c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2009-01-17 09:46    159744    ----a-w-    c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2009-01-17 09:46    602112    ----a-w-    c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2009-01-17 09:46    53248    ----a-w-    c:\windows\system32\ATIDDC.DLL
2010-03-03 03:20 . 2009-01-17 09:46    143360    ----a-w-    c:\windows\system32\atiapfxx.exe
2010-03-03 03:16 . 2009-01-17 09:46    565248    ----a-w-    c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2009-01-17 09:46    184320    ----a-w-    c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2009-01-17 09:46    17408    ----a-w-    c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2009-01-17 09:46    393216    ----a-w-    c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2009-01-17 09:46    638976    ----a-w-    c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2009-01-17 09:46    53248    ----a-w-    c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2009-01-17 09:46    65024    ----a-w-    c:\windows\system32\atimpc32.dll
2010-03-03 03:07 . 2009-01-17 09:46    65024    ----a-w-    c:\windows\system32\amdpcom32.dll
2010-03-01 17:05 . 2009-01-18 01:06    124784    ----a-w-    c:\windows\system32\drivers\avipbb.sys
2010-02-26 05:43 . 2010-02-26 05:43    81920    ------w-    c:\windows\system32\ieencode.dll
2010-02-25 19:55 . 2009-01-17 09:46    201875    ----a-w-    c:\windows\system32\atiicdxx.dat
2010-02-25 06:24 . 2004-08-04 12:00    916480    ----a-w-    c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00    455680    ----a-w-    c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 21:24 . 2009-01-18 01:06    60936    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2010-02-16 14:08 . 2004-08-04 12:00    2146304    ----a-w-    c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59    2024448    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00    100864    ----a-w-    c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00    226880    ----a-w-    c:\windows\system32\drivers\tcpip6.sys
2009-01-18 05:12 . 2009-01-18 05:12    109    ----a-w-    c:\program files\wrathfull fury warrior.eq
2009-01-18 04:45 . 2009-01-18 04:45    110    ----a-w-    c:\program files\shaman wrathful.eq
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-03 98304]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-01-21 33587200]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

c:\documents and settings\Metalchic\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2009-1-17 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Metalchic\\Local Settings\\Apps\\2.0\\D2KO67OD.3PW\\178DVC09.48V\\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\\CurseClient.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/17/2009 6:06 PM 135336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [1/11/2009 12:18 PM 1050112]
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2010-05-06 c:\windows\Tasks\User_Feed_Synchronization-{9413B994-066A-4A62-8923-116194414B4F}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?hl=en&source=hp&btnG=Google+Search&aq=f&aqi=&oq=&gs_rfai=
DPF: {640044E9-92A3-4B89-A615-1F65354D3A65} - hxxp://rfonline-full.gscdn.com/gscdn/ccr_downloader.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 08:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2010-05-06  08:28:50
ComboFix-quarantined-files.txt  2010-05-06 15:28

Pre-Run: 46,651,478,016 bytes free
Post-Run: 47,716,220,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6682105D79BAE8EB89C2C4A522E17C35
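
A way to triage the "Files Created" section of a log like the one above, as an added example. This is not code from the thread and not ComboFix's own logic; the line layout (created time . modified time, size, attribute flags, path) is taken from the posted log, while the attribute letters are read as d = directory, h = hidden, s = system, which is this example's own reading of the flags. The rules it applies (new executables in user-writable paths, new kernel drivers, hidden or system attributes on a file, zero-byte executables) are starting points for a human review, not verdicts: the HiJackThis.exe line it flags is a tool the poster installed. The sample block mixes excerpts from the posted log with one constructed line (sample_dropper.exe) that is not from the page.

```python
"""Triage the "Files Created" section of a ComboFix log.

Added example, not ComboFix's own logic. Parsing follows the line layout in
the posted log; the triage rules and the sample_dropper.exe line are this
example's assumptions.
"""
import re
from pathlib import PureWindowsPath

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[\w-]{8})\s+(?P<path>.+?)\s*$")

# Extensions Windows will execute or load as code
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif",
            ".bat", ".cmd", ".vbs", ".js"}
# Path fragments an ordinary (non-admin) user can write to
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")

# Excerpts from the posted log plus one constructed line (sample_dropper.exe).
SAMPLE_LOG = r"""
2010-05-01 23:40 . 2010-05-01 23:42    13195    ----a-w-    c:\documents and settings\Metalchic\zguicfgw.dat
2010-05-01 04:32 . 2009-02-25 01:42    116736    ----a-w-    c:\windows\system32\drivers\mcdbus.sys
2010-04-28 15:41 . 2010-04-28 15:41    388096    ----a-r-    c:\documents and settings\Metalchic\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-28 04:47 . 2010-04-28 04:47    --------    d-sh--w-    c:\documents and settings\NetworkService\IETldCache
2010-04-21 16:15 . 2010-02-25 18:54    11070976    -c----w-    c:\windows\system32\dllcache\ieframe.dll
2010-05-02 03:10 . 2010-05-02 03:10    24576    --sh--w-    c:\documents and settings\Metalchic\Local Settings\Temp\sample_dropper.exe
"""


def parse_line(line: str):
    """Return the fields of one 'Files Created' line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else None
    rec["is_dir"] = rec["attrs"][0] == "d"
    rec["hidden"] = "h" in rec["attrs"]
    rec["system"] = "s" in rec["attrs"]
    rec["ext"] = PureWindowsPath(rec["path"]).suffix.lower()
    return rec


def triage(lines) -> list:
    """Flag files worth a closer look; directories are skipped."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["is_dir"]:
            continue
        low = rec["path"].lower()
        reasons = []
        if rec["ext"] in EXEC_EXT and any(m in low for m in USER_WRITABLE):
            reasons.append("executable in a user-writable location")
        if rec["ext"] == ".sys" and "\\system32\\drivers\\" in low:
            reasons.append("new kernel driver")
        if rec["hidden"] or rec["system"]:
            reasons.append("hidden/system attribute on a file")
        if rec["size"] == 0 and rec["ext"] in EXEC_EXT:
            reasons.append("zero-byte executable")
        if reasons:
            flagged.append({"path": rec["path"], "created": rec["created"],
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(hit["created"], hit["path"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Feed it the whole log and it narrows a few hundred lines down to the handful a helper actually has to look up; everything it flags still needs a hash lookup or a signature check before anything is deleted.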


#10 syler (Malware Response Team, 8,150 posts, Warrington, UK)
Posted 06 May 2010 - 11:57 AM

Your logs look fine so you should ask in the appropriate forum for what ever issues you are having.


Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /, it needs to be there.



Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates are always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure all programs are updated
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Calendar of Updates or you can install Secunia PSI.

Install a Firewall
I cannot stress how important it is that you use a third party Firewall on your computer. Without a firewall your computer
is susceptible to being hacked and taken over. Windows firewall is good for blocking inbound connections but it does
not block outbound connections. So if Malware manages to get onto your computer it will be able to send data out when
it wants. Here are some free firewalls, you only need to install one of these.

Zone Alarm
Outpost
PC Tools

After you install the third party firewall disable your Windows firewall. Go to My Computer >> Control Panel >> Windows Firewall
and choose Off (not recommended) option. Then click Apply and Ok.

Install Sandboxie
Sandboxie is a great program to help protect you against malware. Working inside Sandboxie will basically mean that
what you are doing will not make permanent changes to your system, unless you allow it to. So you can be surfing
the web inside Sandboxie, then if you happen to stumble upon a bad site and get infected, you can simply delete the
Sandbox and all is gone. Having said that, it cannot be considered 100% secure as no program can be, but it can be
a great help and is an excellent program. You can find a download link and more information about the program here.

Secure your browsing
Firefox is generally considered to be a lot safer than Internet Explorer, I would recommend that you install Firefox and
install some addons that will make the browser even safer. You can download the latest version of Firefox here, if
you already have firefox these are some good addons.

Recommended addons
NoScript
Adblock Plus
WOT

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs. You can find a tutorial and download link here.

Use MVPS hosts file
Using a custom host file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions here.


Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing
Syler
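
What the MVPS-style hosts entries recommended above actually do, and the opposite pattern that a hosts-file hijack produces, shown as an added example. This is not code from the thread or from the MVPS project: it parses a hosts file, treats names mapped to 0.0.0.0 or a loopback address as blocked (the MVPS approach, which makes an ad or tracking domain resolve to nowhere), and lists names mapped to any other address as redirects, which is how a hijacker sends a real site to a server it controls. The file contents are constructed with documentation-only names and addresses (example.net/org, 198.51.100.x, 203.0.113.x).

```python
"""Parse a Windows hosts file and separate block entries from redirects.

Added example; not MVPS code. The sample file is constructed.
"""
import ipaddress

# Constructed sample, not a real MVPS hosts file.
SAMPLE_HOSTS = """\
# constructed sample hosts file for the example
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # blocklist-style entry
0.0.0.0         tracker.example.org www.tracker.example.org
198.51.100.7    www.example-bank.com     # a real-looking site sent elsewhere
203.0.113.9     update.example.com
"""


def parse_hosts(text: str) -> list:
    """Return (ip, [names]) tuples, skipping comments, blanks and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; a real tool would log it
        entries.append((ip, parts[1:]))
    return entries


def classify(entries: list) -> dict:
    """Split names into 'blocked' (sink address) and 'redirected' (real host)."""
    blocked, redirected = [], []
    for ip, names in entries:
        if ip.is_unspecified or ip.is_loopback:
            # 0.0.0.0 / 127.0.0.1 / ::1 never reach a server: that is a block.
            # The localhost name itself is the normal loopback mapping, not a block.
            blocked.extend(n for n in names if n != "localhost")
        else:
            # Any other address means the OS will send that name to that host
            # before DNS is ever consulted, which is what a hijack looks like.
            redirected.extend((n, str(ip)) for n in names)
    return {"blocked": blocked, "redirected": redirected}


if __name__ == "__main__":
    result = classify(parse_hosts(SAMPLE_HOSTS))
    print("blocked:", result["blocked"])
    for name, ip in result["redirected"]:
        print(f"REDIRECT {name} -> {ip}  (verify this is intentional)")
```

On a real system the input would be %SystemRoot%\system32\drivers\etc\hosts; any name in the redirected list that you did not add yourself deserves the same scrutiny as a suspicious startup entry.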



#11 syler (Malware Response Team, 8,150 posts, Warrington, UK)
Posted 07 May 2010 - 06:56 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





