Unnamed Virus/Malware etc.



#1 pebbles711

  • Members
  • 1 posts

Posted 08 June 2010 - 04:25 PM

I do not know the specific name of what has infected my computer or what, exactly, it is. When I do an Internet search, when the results come up I am not able to click on the links. If I click on them it will redirect me to another random website. I have run ComboFix on my computer on the advice of my computer technician. It did fix many of the previous problems I was having; however, this one remains. I have attached the log here. I tried to run GMER and my computer crashed. Please let me know how to proceed. Thank you! Below are the text results!

ComboFix 10-06-08.01 - Owner 06/08/2010 13:33:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.552 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\ultra.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))
.

2010-06-08 13:53 . 2010-06-08 13:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-08 01:05 . 2010-06-08 01:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-06-08 01:04 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-08 01:04 . 2010-06-08 01:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 01:04 . 2010-06-08 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-08 01:04 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 21:23 . 2010-06-07 21:23 39296 ----a-w- c:\windows\system32\drivers\pdrv.sys
2010-06-07 21:23 . 2010-06-07 21:23 19968 ----a-w- c:\windows\system32\pdrv.dll
2010-06-05 14:20 . 2010-06-05 14:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-05 04:07 . 2010-06-05 04:07 -------- d-sh--w- c:\documents and settings\Julian Hill\IECompatCache
2010-06-02 15:28 . 2010-06-02 15:28 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-02 15:28 . 2010-06-02 15:28 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-26 01:31 . 2010-05-26 02:04 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\king.com
2010-05-26 01:29 . 2010-05-26 01:31 -------- d-----w- c:\windows\system32\Adobe
2010-05-24 18:54 . 2010-05-24 18:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Broderbund Software
2010-05-24 18:54 . 2010-05-24 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Broderbund Software
2010-05-24 18:06 . 2004-10-08 01:16 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2010-05-24 18:06 . 2010-05-25 13:05 -------- d-----w- c:\program files\Web Publish
2010-05-24 18:05 . 2003-07-08 18:45 970752 ----a-w- c:\windows\system32\cdintf210.dll
2010-05-24 17:53 . 2010-05-24 17:55 -------- d-----w- c:\program files\Common Files\Broderbund
2010-05-24 17:52 . 2010-05-24 18:54 -------- d-----w- c:\program files\The Print Shop 22
2010-05-20 19:50 . 2010-05-20 19:50 -------- d-----w- c:\documents and settings\Julian Hill\Application Data\CallingID
2010-05-20 19:50 . 2010-05-20 19:50 -------- d-sh--w- c:\documents and settings\Julian Hill\PrivacIE
2010-05-20 18:01 . 2010-05-20 18:01 -------- d-sh--w- c:\documents and settings\Kids\IECompatCache
2010-05-20 17:39 . 2010-05-20 18:03 -------- d-----w- c:\documents and settings\Kids\Application Data\CallingID
2010-05-20 17:39 . 2010-05-20 17:39 -------- d-sh--w- c:\documents and settings\Kids\PrivacIE
2010-05-19 18:32 . 2010-05-19 18:32 -------- d-----w- C:\$AVG
2010-05-18 14:44 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-18 14:44 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-17 22:27 . 2010-06-04 22:23 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-16 20:47 . 2010-04-19 16:25 2117704 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-05-16 20:40 . 2010-05-16 20:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-16 20:40 . 2010-06-02 15:28 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-16 20:40 . 2010-05-16 20:40 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-16 20:40 . 2010-06-02 15:28 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-16 20:40 . 2010-06-07 03:59 -------- d-----w- c:\windows\system32\drivers\Avg
2010-05-16 20:40 . 2010-05-24 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-05-16 20:36 . 2010-05-16 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-15 05:02 . 2010-05-15 05:02 -------- d-----w- c:\program files\gs
2010-05-15 05:01 . 2010-05-15 05:01 -------- d-----w- c:\program files\PlotSoft
2010-05-15 05:01 . 2010-05-15 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PlotSoft
2010-05-15 04:05 . 2010-05-20 17:39 -------- d-----w- c:\documents and settings\Kids\Application Data\comcasttb
2010-05-15 04:05 . 2010-05-15 04:05 -------- d-sh--w- c:\documents and settings\Kids\IETldCache
2010-05-15 03:50 . 2010-05-20 19:50 -------- d-----w- c:\documents and settings\Julian Hill\Application Data\comcasttb
2010-05-15 03:12 . 2010-05-15 03:12 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-05-15 03:01 . 2010-05-15 03:01 -------- d-----w- c:\documents and settings\Julian Hill\Local Settings\Application Data\Intuit
2010-05-15 03:00 . 2010-05-15 03:00 -------- d-----w- c:\documents and settings\Julian Hill\Local Settings\Application Data\SupportSoft
2010-05-15 02:59 . 2010-05-15 02:59 -------- d-sh--w- c:\documents and settings\Julian Hill\IETldCache
2010-05-15 00:28 . 2010-06-04 21:30 778272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-14 23:31 . 2010-05-14 23:31 -------- d-----w- c:\program files\AVG
2010-05-14 23:07 . 2010-05-14 23:07 -------- d-----w- c:\windows\system32\scripting
2010-05-14 23:07 . 2010-05-14 23:07 -------- d-----w- c:\windows\l2schemas
2010-05-14 23:06 . 2010-05-14 23:06 -------- d-----w- c:\windows\system32\en
2010-05-14 23:06 . 2010-05-14 23:06 -------- d-----w- c:\windows\system32\bits
2010-05-14 22:50 . 2010-05-14 22:50 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-05-14 22:49 . 2010-05-14 22:49 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-05-14 22:49 . 2010-05-14 22:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-14 22:49 . 2010-05-14 22:49 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-14 22:48 . 2010-05-14 22:48 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-05-14 22:46 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-05-14 22:46 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-05-14 22:46 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-05-14 22:46 . 2010-02-25 17:54 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-05-14 22:46 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-14 22:46 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-05-14 22:46 . 2010-05-15 14:04 -------- d-----w- c:\windows\ie8updates
2010-05-14 22:45 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-05-14 22:44 . 2010-05-14 22:45 -------- dc-h--w- c:\windows\ie8
2010-05-14 22:31 . 2010-05-14 22:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WMTools Downloaded Files
2010-05-14 22:13 . 2010-05-15 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2010-05-14 22:12 . 2010-05-14 22:15 -------- d-----w- c:\documents and settings\Owner\Application Data\CallingID
2010-05-14 22:12 . 2010-05-14 22:12 -------- d-----w- c:\program files\Common Files\scanner
2010-05-14 22:12 . 2010-05-14 22:12 -------- d-----w- c:\program files\CA
2010-05-14 22:11 . 2010-05-14 22:16 -------- d-----w- c:\documents and settings\Owner\Application Data\comcasttb
2010-05-14 22:11 . 2010-05-14 22:12 -------- d-----w- c:\program files\comcasttb
2010-05-14 22:07 . 2010-05-14 23:05 -------- d-----w- c:\windows\ServicePackFiles
2010-05-14 22:00 . 2004-08-04 04:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2010-05-14 21:58 . 2010-05-14 21:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-14 21:48 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-05-14 21:48 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-05-14 21:48 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-05-14 21:48 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-05-14 21:48 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-05-14 21:48 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-05-14 21:48 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-05-14 21:48 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-05-14 21:47 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-05-14 21:44 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-05-14 21:44 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-05-14 21:43 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-05-14 21:43 . 2009-11-27 17:11 1291776 -c----w- c:\windows\system32\dllcache\quartz.dll
2010-05-14 21:42 . 2009-06-10 15:19 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-05-14 21:41 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-05-14 21:41 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-05-14 21:41 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-05-14 21:41 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-05-14 21:27 . 2010-05-14 21:26 787760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2010-05-14 21:27 . 2010-05-14 21:26 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2010-05-14 21:27 . 2010-05-14 21:26 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2010-05-14 21:27 . 2010-05-14 21:26 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2010-05-14 21:27 . 2010-05-14 21:26 263472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2010-05-14 21:26 . 2010-05-14 21:26 850736 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\dblgen11.dll
2010-05-14 21:26 . 2010-05-14 21:26 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2010-05-14 21:26 . 2010-05-14 21:26 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2010-05-14 21:26 . 2010-05-14 21:26 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2010-05-14 21:26 . 2010-05-14 21:26 34056 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll
2010-05-14 21:26 . 2010-05-14 21:26 2151728 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2010-05-14 21:26 . 2010-05-14 21:26 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-05-14 21:26 . 2010-05-14 21:26 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
2010-05-14 21:26 . 2010-05-14 21:26 1352968 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-05-14 21:26 . 2010-05-14 21:26 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2010-05-14 21:04 . 2010-05-14 21:04 975136 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2010-05-14 21:04 . 2010-05-14 21:04 44832 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2010-05-14 21:04 . 2010-05-14 21:04 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2010-05-14 21:04 . 2010-05-14 21:04 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2010-05-14 20:37 . 2010-05-14 20:37 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2010-05-14 17:49 . 2007-04-09 19:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-05-14 17:49 . 2007-04-09 19:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-05-14 17:49 . 2010-05-14 17:49 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-05-14 17:48 . 2010-05-14 17:49 -------- d-----w- c:\windows\SHELLNEW
2010-05-14 17:48 . 2010-05-14 17:48 -------- d-----w- c:\program files\Microsoft.NET
2010-05-14 17:41 . 2010-05-14 17:41 -------- d-----r- C:\MSOCache
2010-05-14 16:18 . 2010-05-14 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-05-14 16:18 . 2010-05-14 16:18 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-13 23:49 . 2010-05-13 23:49 -------- d-sh--w- c:\documents and settings\Owner\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 21:44 . 2009-06-01 21:39 -------- d-----w- c:\program files\Blue Cow Games
2010-05-24 18:27 . 2006-06-19 04:25 340888 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-15 03:01 . 2006-12-29 18:29 38192 ----a-w- c:\documents and settings\Julian Hill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-14 23:09 . 2006-06-17 09:39 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-14 22:39 . 2006-10-18 17:00 -------- d-----w- c:\program files\Google
2010-05-14 22:25 . 2006-10-18 17:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-11 17:53 . 2010-05-11 17:53 -------- d-----w- c:\program files\MSBuild
2010-05-11 17:53 . 2010-05-11 17:53 -------- d-----w- c:\program files\Reference Assemblies
2010-05-11 16:53 . 2006-10-18 17:11 -------- d-----w- c:\program files\BigFix
2010-05-10 22:30 . 2006-12-29 03:11 -------- d-----w- c:\documents and settings\Kids\Application Data\McAfee.com Personal Firewall
2010-05-10 19:21 . 2010-05-10 19:19 -------- d-----w- c:\program files\Lexmark 5400 Series
2010-05-10 18:58 . 2006-12-29 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee.com Personal Firewall
2010-05-10 18:57 . 2006-10-18 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2010-05-06 21:46 . 2006-10-18 17:06 -------- d-----w- c:\program files\Gateway Games
2010-05-06 21:44 . 2006-10-18 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 16:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"lxctmon.exe"="c:\program files\Lexmark 5400 Series\lxctmon.exe" [2007-03-19 291760]
"Lexmark 5400 Series Fax Server"="c:\program files\Lexmark 5400 Series\fm3032.exe" [2007-03-19 304048]
"EzPrint"="c:\program files\Lexmark 5400 Series\ezprint.exe" [2007-03-19 82864]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-01-27 1337608]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"LXCTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-18 98304]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-1-16 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-3-24 1154848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-16 20:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"8085:TCP"= 8085:TCP:pdrv

R?2 ppdrv;ppdrv;c:\windows\system32\svchost.exe -k ppdrv [6/17/2006 3:23 AM 14336]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/16/2010 2:40 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/16/2010 2:40 PM 242896]
R1 PDRV;PDRV;c:\windows\system32\drivers\pdrv.sys [6/7/2010 3:23 PM 39296]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 11:49 AM 616408]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/16/2010 2:38 PM 308064]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [5/16/2010 2:40 PM 430152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ppdrv REG_MULTI_SZ ppdrv
.
Contents of the 'Scheduled Tasks' folder

2006-12-29 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2006-12-29 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2006-12-29 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2010-06-08 c:\windows\Tasks\User_Feed_Synchronization-{7276ADD4-6055-4432-999F-CC6BB06C21D6}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]

2010-06-08 c:\windows\Tasks\User_Feed_Synchronization-{882C0A9D-4DCA-4A24-90E2-31708F8529FA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=PnthcVfNGqauNC38tqDczJnnpbM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://games.king.com/ctl/kingcomie.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
HKLM-Run-nwiz - c:\program files\NVIDIA Corporation\nView\nwiz.exe
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-08 13:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
.
Completion time: 2010-06-08 13:43:11
ComboFix-quarantined-files.txt 2010-06-08 19:43

Pre-Run: 120,573,239,296 bytes free
Post-Run: 121,962,188,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 9578D0592B5D4C216D754D4F2947CE95

Attached Files

  • log.txt   24.63KB

Edited by pebbles711, 08 June 2010 - 04:29 PM.


#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 12 June 2010 - 06:52 AM

Hi pebbles711, welcome to Bleeping Computer.


One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



