Insidious Virus - Trojan - Spyware - Malware -- Probably ALL


This topic is locked. 5 replies to this topic

#1 JCasey

JCasey

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:42 PM

Posted 24 June 2010 - 06:29 PM

I am at my wits' end! At the time of my infection, I had McAfee Internet Security running
with updated .dat files and the firewall enabled. I originally noticed my CPU running at 100%.
I opened procexp.exe to view running processes and noticed I had DPCs using about 78% of the
processor. I ran Malwarebytes, AVG 9.0, Spybot-Search and Destroy, SmitfraudFix, CCleaner,
eScan anti-virus and spyware toolkit, ComboFix, Vundofix, and FixVirut. I did use Defogger
before cleaning.

I've run these in Safe Mode as well as Normal. All have reported locked files and
registry keys. I've restored my registry with a backup created by Registry Booster
some months earlier. All have removed some items and freed up the processor, but none have
completely resolved the issue; the processor is back to 100% in short order.

After restoring my registry, AVG reported N.PIF attempting to install in my registry keys. I
blocked the install, and (80) n.pif associated items were deleted. That didn't block anything,
because I'm already infected with this horrible, insidious software. Google Chrome is jacked up,
as well as Explorer and Firefox... so bad that I uninstalled Firefox.

I have a new partition, taking up 2.5 Gigs, identified as a healthy, primary partition.
This partition does not have a drive letter. I also have my C:\ and D:\Recovery, and
an EISA partition.



I believe I received whatever I have from email.

In addition to the n.pif, mentioned above, I've removed various spyware infections,

Your Protection
My Web Search
Spywarekey Prowler Corrupted
RegSort Corrupted
User Account Control (Fake)
funwebproducts
ClosetMaid

and a couple of trojans

Orifice2k
Joke.Program BadJoke


I have shortcuts in my Control Panel to all of the utilities, an $Admin account, the recycling
bin is throughout the computer as $Recycle.bin, I have hidden shares, a new, unnamed partition,
desktop.ini files throughout my system that re-propagate after deletion along with the $Recycle
bin, and locked folders because of the addition of a DENY EVERYBODY group inserted in permissions.
The time display in my system tray has changed to military time. Some security applications
will not run, including gmer. My browsers are redirected, and I've witnessed multiple
remote ports open if a browser is opened. I'm using CPorts to monitor port usage. I cannot
always close the remote connections. The last time I connected to the Internet and opened
Explorer, I had (6) established connections to cds17.lon9.msecn.net and (1) to
cds23.lon9.msecn.net.

I'm trying not to format and reinstall, but I'm beginning to think it's the only option.

I can normally / NORMALLY clean unwanted nasties off of OTHER PEOPLE'S computers, because
I don't get viruses on mine... but this time it is me, and I cannot get rid of this mess.
Please help me find a repair for my laptop!! I appreciate any assistance you are able to
provide. Thank you in advance. ~Jackie

================================

HJT LOG -
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:18:56, on 6/24/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Jackie\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [dldtmon.exe] "C:\Program Files\Dell V305\dldtmon.exe"
O4 - HKLM\..\Run: [dldtamon] "C:\Program Files\Dell V305\dldtamon.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [cdloader] "C:\Users\Jackie\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ATI WebPAM (ATIWebPAM) - Unknown owner - C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5401 bytes


DDS LOG -


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Jackie at 19:26:06.39 on Thu 06/24/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1180 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Jackie\Desktop\HijackThis.exe
C:\Users\Jackie\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
TB: {FEEA54B4-D80F-41C7-87B9-DC08E6D3255F} - No File
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [cdloader] "c:\users\jackie\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [dldtmon.exe] "c:\program files\dell v305\dldtmon.exe"
mRun: [dldtamon] "c:\program files\dell v305\dldtamon.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrvtx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSvx.sys [2010-6-17 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-6-17 52872]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-28 64160]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-6-17 24856]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-17 243024]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-17 216400]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-17 29584]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-9-24 214664]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-11-11 73728]
S2 ATIWebPAM;ATI WebPAM;c:\program files\ati\webpam\jetty\extra\win32\Wrapper.exe [2003-9-29 110592]
S2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
S2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-22 2331032]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-25 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2010-6-17 582992]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-10 1153368]
S3 AVGIDSDrivervtx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSDriver.sys [2010-6-17 122448]
S3 AVGIDSFiltervtx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSFilter.sys [2010-6-17 30288]
S3 AVGIDSShimvtx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSShim.sys [2010-6-17 27216]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-25 21504]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-9-24 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-9-24 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-9-24 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-9-24 40552]
S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2009-10-22 38976]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-6-17 206608]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-6-17 206608]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
S3 VReadMemDriver;VReadMemDriver;c:\windows\system32\drivers\vreadmem.sys [2010-6-17 3189]
S3 VUALFDrv;SONIX Audio Filter Driver;c:\windows\system32\drivers\VUALFDrv.sys [2007-2-1 47066]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-9-25 16896]
S4 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
S4 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2008-2-25 98984]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-30 24652]

=============== Created Last 30 ================

2010-06-24 21:36:57 0 ----a-w- c:\users\jackie\defogger_reenable
2010-06-24 19:31:58 0 d-sh--w- C:\$RECYCLE.BIN
2010-06-24 05:15:12 20200186 ----a-w- c:\windows\REGBK01.ZIP
2010-06-23 18:51:47 65536 --sha-w- c:\users\jackie\ntuser.dat{26e4c658-7ef8-11df-b35f-8de26c7bc184}.TM.blf
2010-06-23 18:51:47 524288 --sha-w- c:\users\jackie\ntuser.dat{26e4c658-7ef8-11df-b35f-8de26c7bc184}.TMContainer00000000000000000002.regtrans-ms
2010-06-23 18:51:47 524288 --sha-w- c:\users\jackie\ntuser.dat{26e4c658-7ef8-11df-b35f-8de26c7bc184}.TMContainer00000000000000000001.regtrans-ms
2010-06-23 16:22:07 98816 ----a-w- c:\windows\sed.exe
2010-06-23 16:22:07 77312 ----a-w- c:\windows\MBR.exe
2010-06-23 16:22:07 31232 ----a-w- c:\windows\NIRCMD.exe.mwt
2010-06-23 16:22:07 256512 ----a-w- c:\windows\PEV.exe
2010-06-23 16:22:07 161792 ----a-w- c:\windows\SWREG.exe
2010-06-22 21:45:26 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 20:20:39 0 d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-06-22 17:41:58 0 d-----w- C:\SDFix
2010-06-22 17:21:30 0 d-----w- C:\VundoFix Backups
2010-06-19 20:18:33 0 d-----w- c:\users\jackie\appdata\roaming\AVG9
2010-06-19 12:27:48 93056 ----a-w- C:\pwryqpoc.sys
2010-06-19 08:46:07 0 d-----w- C:\$AVG
2010-06-17 22:01:52 0 d-----w- c:\windows\system32\log
2010-06-17 14:35:54 25168 ----a-w- c:\windows\system32\drivers\AVGIDSvx.sys
2010-06-17 14:35:53 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-06-17 14:35:51 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-17 14:34:14 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-17 14:33:55 0 d-----w- c:\windows\system32\drivers\Avg
2010-06-17 14:33:19 0 d-----w- c:\programdata\AVG Security Toolbar
2010-06-17 14:30:08 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-06-17 14:30:06 0 d-----w- c:\program files\AVG
2010-06-17 14:29:16 0 d-----w- c:\programdata\avg9
2010-06-17 13:51:43 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-06-17 10:22:10 3189 ----a-r- c:\windows\system32\drivers\vreadmem.sys
2010-06-16 20:29:19 0 d-----w- c:\program files\Panda Security
2010-06-16 15:46:56 18067138 ----a-w- c:\windows\REGBK00.ZIP
2010-06-16 15:46:53 0 d---a-w- c:\windows\VDLL.DLL
2010-06-16 15:46:53 0 d---a-w- c:\windows\system32\runouce.exe
2010-06-16 15:46:53 0 d---a-w- c:\windows\RUNDL132.EXE
2010-06-16 15:46:53 0 d---a-w- c:\windows\logo_1.exe
2010-06-16 15:44:51 53 ----a-w- c:\windows\Lic.xxx
2010-06-16 15:44:23 522 ----a-w- c:\windows\system32\Microsoft.VC80.CRT.manifest
2010-06-16 15:44:23 34048 ----a-w- c:\windows\system32\eEmpty.exe
2010-06-16 15:44:18 0 d-----w- c:\program files\common files\MicroWorld
2010-06-16 15:44:13 0 d-----w- c:\programdata\MicroWorld
2010-06-10 09:22:28 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-10 09:22:28 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-09 09:40:45 0 d-----w- c:\program files\CCleaner
2010-06-09 03:48:54 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-09 03:48:53 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 03:48:15 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-05-26 08:44:34 2048 ----a-w- c:\windows\system32\tzres.dll

==================== Find3M ====================

2010-06-17 14:30:22 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-17 14:30:22 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-17 14:30:21 143360 ----a-w- c:\windows\inf\infstor.dat
2010-05-21 15:41:21 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-29 19:27:41 20 ---h--w- c:\programdata\PKP_DLdw.DAT
2010-01-09 12:51:07 302 ----a-w- c:\program files\temp995.bat
2009-11-17 08:24:49 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-01-25 07:00:19 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-03-19 18:54:35 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2010-03-19 18:54:35 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2010-03-19 18:54:35 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2010-01-01 00:37:56 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-15 09:42:26 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-10-15 09:42:26 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-10-15 09:42:26 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-10-15 09:42:26 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-22 15:29:35 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-10-22 15:29:35 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009102220091023\index.dat
2009-10-22 15:29:35 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\privacie\index.dat
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:26:34.35 ===============

Edited by JCasey, 24 June 2010 - 06:31 PM.
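A small triage helper for logs of the shape posted above, added here as an illustration (it is not part of the thread, of HijackThis, or of any tool the helpers mention): it parses HijackThis-style `R`/`O` lines, and flags entries pointing at a file that no longer exists, services with no publisher, autoruns living in user-writable folders, and autoruns with unusual extensions such as the `.pif` mentioned in the post. The flags are cues for manual review, not verdicts: the MagicJack loader it picks out is a legitimate program. The excerpt is copied from the log above.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: six lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [cdloader] "C:\Users\Jackie\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
O23 - Service: ATI WebPAM (ATIWebPAM) - Unknown owner - C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# Every HijackThis entry starts with a section code (R1, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 body: Service: display name (short name) - publisher - image path
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First token of a command line: either a quoted path or text up to a known extension.
PATH_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|dll|sys|scr|pif|bat|cmd|com))(?=\s|$)', re.I
)
# Locations a standard user can write to; persistence here deserves a second look.
USER_WRITABLE = re.compile(
    r"\\(?:users|documents and settings)\\|\\appdata\\|\\temp\\|\\programdata\\|%temp%|%appdata%",
    re.I,
)
# Extensions that are rarely legitimate autorun targets (e.g. the n.pif from the post).
SUSPICIOUS_EXT = re.compile(r"\.(?:pif|scr|bat|cmd|com)$", re.I)


@dataclass
class Finding:
    section: str
    label: str
    path: str
    flags: list = field(default_factory=list)


def _extract_path(cmd: str) -> str:
    """Return the executable path from an autorun command line, dropping arguments."""
    m = PATH_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return (m.group("q") or m.group("u")).strip()


def triage_hjt(log_text: str) -> list:
    """Parse HijackThis lines and return only the entries that earned a review flag."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or the running-process list
        section, body = m.group("section"), m.group("body")
        label, path, flags = body, "", []
        if section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                label = f"{o4.group('hive')} Run [{o4.group('name')}]"
                path = _extract_path(o4.group("cmd"))
        elif section == "O23":
            o23 = O23_RE.match(body)
            if o23:
                label = o23.group("name")
                path = o23.group("path").strip()
                if o23.group("owner").lower() == "unknown owner":
                    flags.append("UNKNOWN_OWNER")
        else:
            # Other sections end in " - <path>" or " - (no file)".
            path = body.rsplit(" - ", 1)[-1].strip()
        if path.lower() in ("(no file)", "no file"):
            flags.append("ORPHAN_ENTRY")  # registry points at a file that is gone
        if USER_WRITABLE.search(path):
            flags.append("USER_WRITABLE_PATH")
        if SUSPICIOUS_EXT.search(path):
            flags.append("UNUSUAL_EXTENSION")
        if flags:
            findings.append(Finding(section, label, path, flags))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {','.join(f.flags):32} {f.label} -> {f.path}")
```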


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,091 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:42 PM

Posted 30 June 2010 - 07:09 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 JCasey

JCasey
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:42 PM

Posted 01 July 2010 - 01:50 PM

Hi Elise,

Sorry for the delayed response to your post, above. Anyway....

As I said above, I am unable to run GMER. I will run OTL and post the results from OTL, but I am unable to run GMER.

Cheers,
Jackie

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,091 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:42 PM

Posted 01 July 2010 - 02:08 PM

Okay, please post me the OTL logs. If you ran Combofix, please post also the log at c:\combofix.txt

regards, Elise



#5 JCasey

JCasey
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:42 PM

Posted 01 July 2010 - 08:02 PM

Hi again, Elise.

Well, whatever IT was, locked me out of OTL, too. I gave in to the REFORMAT / REINSTALL devil who had been on my shoulder for over a week. Thanks for your offer of assistance, but I've 'fixed' it, and my laptop is running great again! Ugh.

Cheers,
Jackie

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,091 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:42 PM

Posted 02 July 2010 - 05:06 AM

I'm sorry to hear you had to reformat, but luckily things are fine now.

I will now close this topic.

regards, Elise
