
Computer infected, please help


This topic is locked.
99 replies to this topic

#1 nisthana


Posted 17 July 2010 - 11:24 AM

I tried going through the steps and tried GMER twice, but it resulted in a blue screen. I am experiencing the following problems on my PC:
1. When the PC starts I get a Windows Genuine Advantage message. This never happened before.
2. I get the message that it cannot find c:\windows\system32\sstqn.exe. It asks to remove the entry from the registry, which I did by finding sstqn.exe and deleting it, but it still happens.
3. I get a message "error loading c:\windows\system32\avfbxyve.exe".
4. Yesterday I saw a whole lot of wuauclt.exe running in the task manager and was unable to end the process using task manager.
5. The PC gets slow and ultimately crashes.
6. IE gets slower and slower.

Let me know if you need any more info. Thanks for the help
----------------------------------------------------------------------------------------------------

DDS Log


DDS (Ver_10-03-17.01) - NTFSx86
Run by nisthana at 20:56:07.09 on Wed 07/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1174 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\cvsnt\cvscontrol.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Citrix\GoToMeeting\456\g2mstart.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Citrix\GoToMeeting\456\g2mcomm.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Citrix\GoToMeeting\456\g2mlauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\nisthana\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\SearchSettings.dll
uWindows: load=c:\windows\system32\sstqn.exe
BHO: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.0.2\dealioToolbarIE.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {b6339b32-afee-8d79-0b24-7262d4b37861}: {16873b4d-2627-42b0-97d8-eefa23b9336b} - c:\windows\system32\bfgymggk.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
{a677851a-aedf-4703-9e84-b66180b25f7b}
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: {d7fd6c15-4927-4aae-bf12-fbdabd287eb1} - c:\windows\system32\urqonlm.dll
BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\SearchSettings.dll
BHO: HttpWatch Basic: {f1f69322-008f-4895-b2bf-ad194219825a} - c:\program files\httpwatch\httpwatchsc.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.0.2\dealioToolbarIE.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: HttpWatch Basic: {2b4c4770-27fd-4a09-b17d-33ca580965fb} - c:\program files\httpwatch\httpwatch.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\456\g2mstart.exe" "/Trigger RunAtLogon"
mRun: [507c98ad] rundll32.exe "c:\windows\system32\avfbxyve.dll",b
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0\bin\jusched.exe"
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
StartupFolder: c:\docume~1\nisthana\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/40.11/uploader2.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229620451687
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {971127BB-259F-48C2-BD75-5F97A3331551} - hxxp://d-sjc-pd03.corp.ebay.com:8000/tsweb/msrdp.cab
DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://virtuoz.webex.com/client/T27L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://webwork-rhv.corp.ebay.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://webwork-rhv.corp.ebay.com/dana-cached/sc/JuniperSetupClient.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: urqonlm - urqonlm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
SEH: {d7fd6c15-4927-4aae-bf12-fbdabd287eb1} - c:\windows\system32\urqonlm.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nisthana\applic~1\mozilla\firefox\profiles\0hqn4tpv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=867034&p=
FF - component: c:\program files\dealio toolbar\ff\components\dealioToolbarFF.dll
FF - component: c:\program files\search settings\ff\components\SearchSettingsFF.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJPI141_01.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-1-26 11608]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-1-26 68865]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-1-26 151297]
R2 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2007-9-5 24635]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2009-12-16 375296]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 CVSControl;CVSNT Control Panel;c:\cvsnt\cvscontrol.exe [2006-7-3 36864]
R2 PPPoEService;PPPoE Service;c:\progra~1\nts\entern~1\app\pppoeservice.exe [2006-11-19 49152]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-1-26 52056]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2010-1-17 33792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-12 102448]
R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\mtxparhm.sys [2006-2-21 452736]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091227.004\naveng.sys [2009-12-27 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091227.004\navex15.sys [2009-12-27 1323568]
R3 NTSPPPOE;NTS Enternet P.P.P.o.E LAN Miniport Driver;c:\windows\system32\drivers\ntspppoe.sys [2006-11-19 159520]
R3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2006-2-21 97152]
R3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2006-2-21 24576]
R3 RAWESR;RAWESR;c:\progra~1\nts\entern~1\app\RAWESR.SYS [2006-11-19 9152]
R3 TAPBIND;TAPBIND;c:\progra~1\nts\entern~1\app\TAPBIND1.SYS [2006-11-19 17920]
S1 AaAAaAA;AaAAaAA;c:\windows\system32\drivers\AaAAaAA.sys [2001-8-23 295168]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-1-24 44928]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2010-1-18 18432]

=============== Created Last 30 ================

2010-07-13 03:17:07 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-07-13 03:17:07 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-07-11 06:06:32 0 d-----w- C:\C Drive Backup July 2010
2010-06-22 17:40:24 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-06-22 17:40:24 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-06-22 17:40:23 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-06-22 17:40:23 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-06-22 16:41:13 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-06-22 16:41:13 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

==================== Find3M ====================

2010-07-03 00:56:16 69792 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-29 15:13:35 1228400 ----a-w- C:\Photoshop_12_LS1.exe
2010-05-28 03:56:51 1228384 ----a-w- C:\Illustrator_15_LS1.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 06:12:15 720896 ----a-w- c:\windows\iun6002.exe
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-01-27 19:18:52 13231 --sha-w- c:\windows\system32\nqtss.ini2

============= FINISH: 20:56:56.07 ===============

Wanted to mention that once I hard boot the PC, the PC works for a few hours and then it hangs. I have to hard boot it every 12 hours or so.

Merged posts. ~ OB

Edited by Orange Blossom, 18 July 2010 - 02:49 PM.




#2 IndiGenus


Posted 23 July 2010 - 05:21 PM

Hello nisthana and welcome back to the forums here at BC.

Sorry for the delay in getting to your post. If you still need help please do the following:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then [donation button image]

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#3 nisthana


Posted 23 July 2010 - 06:19 PM

Thanks for the reply IndiGenus. Yes, I am still having issues. The PC is not usable since it hangs after every few hours. I am hard rebooting it several times a day. Since I didn't get a response, I tried doing a couple of things. I renamed the wuauclt.exe so it doesn't start up anymore.

I will try this combofix and respond.

#4 nisthana


Posted 23 July 2010 - 07:53 PM

I started ComboFix but at stage 32 I received the message "Windows Explorer has encountered an error". I clicked the "don't submit to MS" button. ComboFix has been stuck at stage 32 for the last 45 mins or so. I see a findstr.exe process taking up CPU; I assume it's ComboFix. I will not touch the PC, so I am waiting for further instructions.
Let me know how to proceed further.

#5 IndiGenus


Posted 23 July 2010 - 08:07 PM

Hi,

This machine is pretty badly damaged by the Malware and/or the process of trying to remove it. Do you have good backups of all your data? If not then that should be something you consider doing before we proceed.

If combofix hasn't finished by the time you get this it probably won't. You can shut it down and reboot. We can try to do some cleanup with OTL then run it again.

Run OTL
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:

    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.



#6 nisthana


Posted 23 July 2010 - 08:19 PM

Yes, ComboFix is still running. I have the data backed up already. I will try OTL.

#7 IndiGenus


Posted 23 July 2010 - 08:20 PM

Quote (nisthana @ Jul 23 2010, 09:19 PM):
Yes combofix is still running. I have the data backed up already. I will try OTL

Okay, sounds good.


#8 nisthana


Posted 23 July 2010 - 08:55 PM

OTL was running and it ended up in a blue screen :-(( I will restart and try running it again.

#9 IndiGenus


Posted 23 July 2010 - 08:59 PM

If that won't go, try ComboFix in Safe Mode. It's worth a shot.

Press F8 shortly after start up and select Safe Mode from the menu.


#10 nisthana


Posted 23 July 2010 - 10:11 PM

OK, it reached stage_50 in Safe Mode. Waiting for it to drop the log files.

#11 nisthana


Posted 24 July 2010 - 12:44 AM

Log of ComboFix attached.




ComboFix 10-07-23.01 - Administrator 07/23/2010 19:53:47.2.2 - x86 MINIMAL
Running from: c:\documents and settings\nisthana\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\nisthana\Application Data\inst.exe
c:\documents and settings\nisthana\g2mdlhlpx.exe
C:\install.exe
c:\program files\Search Settings
c:\program files\Search Settings\FF\chrome.manifest
c:\program files\Search Settings\FF\chrome\content\plugin.js
c:\program files\Search Settings\FF\chrome\content\plugin.xul
c:\program files\Search Settings\FF\chrome\content\protection.js
c:\program files\Search Settings\FF\chrome\content\utils.js
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.dtd
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.properties
c:\program files\Search Settings\FF\components\IFBHOSearch.xpt
c:\program files\Search Settings\FF\components\IFBHOSearchHelperEngine.xpt
c:\program files\Search Settings\FF\components\IFHelperPreferences.xpt
c:\program files\Search Settings\FF\components\SearchSettingsFF.dll
c:\program files\Search Settings\FF\install.rdf
c:\program files\Search Settings\SeARchsettings.dll
c:\program files\Search Settings\SearchSettings.exe
c:\program files\Search Settings\SearchSettingsRes409.dll
c:\windows\cookies.ini
c:\windows\jestertb.dll
c:\windows\system32\drivers\qdiexuftrwxd.sys
c:\windows\system32\evmlioxt.ini
c:\windows\system32\evyxbfva.ini
c:\windows\system32\fvdedbbp.ini
c:\windows\system32\nqtss.ini
c:\windows\system32\nqtss.ini2
c:\windows\system32\owpbsggj.ini
c:\windows\system32\Thumbs.db
c:\windows\system32\ucfuwvcr.ini
c:\windows\system32\wnstssv.exe
c:\windows\system32\xsrmclcf.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE
-------\Legacy_NTNDIS
-------\Legacy_qdiexuftrwxd
-------\Service_qdiexuftrwxd


((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-13 03:17 . 2010-07-13 03:17 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-07-13 03:17 . 2010-07-13 03:17 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-07-11 06:06 . 2010-07-11 06:10 -------- d-----w- C:\C Drive Backup July 2010
2010-07-09 15:40 . 2010-07-09 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-07-09 02:38 . 2010-07-09 02:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-07-08 17:15 . 2010-07-08 17:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso
2010-07-08 16:49 . 2010-07-08 16:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-19 14:49 . 2010-01-07 06:56 -------- d-----w- c:\program files\DivX
2010-07-19 06:25 . 2010-02-14 20:05 -------- d-----w- c:\program files\SlySoft
2010-07-19 01:34 . 2006-03-02 23:24 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-18 20:07 . 2010-01-07 05:07 -------- d-----w- c:\documents and settings\nisthana\Application Data\vlc
2010-07-17 03:04 . 2006-11-13 23:23 -------- d-----w- c:\documents and settings\nisthana\Application Data\Skype
2010-07-16 17:05 . 2008-10-13 02:39 -------- d-----w- c:\documents and settings\nisthana\Application Data\skypePM
2010-07-16 15:20 . 2007-12-28 22:39 -------- d-----w- c:\documents and settings\nisthana\Application Data\gtk-2.0
2010-07-16 01:45 . 2010-07-16 01:45 1360250 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4c3fb978\ave2\aescript.dll
2010-07-16 01:45 . 2010-07-16 01:45 430452 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4c3fb978\ave2\aepack.dll
2010-07-16 01:45 . 2010-07-16 01:45 381299 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4c3fb978\ave2\aegen.dll
2010-07-16 01:45 . 2010-07-16 01:45 192886 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4c3fb978\ave2\aecore.dll
2010-07-13 04:06 . 2006-03-02 08:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-13 03:19 . 2006-03-02 08:48 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-07-08 17:16 . 2008-01-05 19:46 -------- d-----w- c:\program files\FileZilla Client
2010-07-08 17:15 . 2010-07-08 17:15 47360 ----a-w- c:\documents and settings\Administrator\Application Data\pcouffin.sys
2010-07-08 17:15 . 2010-07-08 17:15 47360 ----a-w- c:\documents and settings\Administrator\Application Data\pcouffin.sys
2010-07-08 17:15 . 2009-08-24 06:49 -------- d-----w- c:\program files\CoffeeCup Software
2010-07-05 17:57 . 2010-06-14 16:31 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-07-03 00:56 . 2010-05-28 15:57 69792 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-02 22:46 . 2006-12-06 17:22 -------- d-----w- c:\documents and settings\nisthana\Application Data\Canon
2010-06-14 16:31 . 2010-06-14 16:31 2605008 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-06-14 04:53 . 2010-05-28 05:50 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\regid.1986-12.com.adobe
2010-06-14 04:32 . 2010-06-14 04:32 81920 ----a-r- c:\documents and settings\nisthana\Application Data\Microsoft\Installer\{BC41C09D-FAA9-4346-9FE6-1E0017BC551A}\ARPPRODUCTICON.exe
2010-06-11 23:13 . 2010-03-14 16:29 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-30 21:03 . 2006-02-21 21:56 91672 ----a-w- c:\documents and settings\nisthana\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-29 15:13 . 2010-05-29 15:13 1228400 ----a-w- C:\Photoshop_12_LS1.exe
2010-05-28 15:55 . 2010-05-28 15:55 -------- d-----w- c:\documents and settings\nisthana\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-05-28 05:44 . 2010-05-28 05:44 -------- d-----w- c:\program files\Adobe Media Player
2010-05-28 05:41 . 2010-05-28 05:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-28 05:41 . 2010-05-28 15:55 38784 ----a-w- c:\documents and settings\nisthana\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-28 03:56 . 2010-05-28 03:56 1228384 ----a-w- C:\Illustrator_15_LS1.exe
2010-05-06 10:41 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 06:12 . 2010-05-04 06:12 720896 ----a-w- c:\windows\iun6002.exe
2010-05-02 05:56 . 2001-08-23 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
.
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Zone Labs\ZoneAlarm\zlclient .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-09-20 455968]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\456\g2mstart.exe" [2010-04-08 39816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"507c98ad"="c:\windows\system32\avfbxyve.dll" [N/A]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-10-10 266497]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-07-24 450560]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [N/A]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 307200]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-19 598016]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [N/A]

c:\documents and settings\nisthana\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2010-5-8 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi4"=xgusb.cpl
"midi5"=xgusb.cpl

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
c:\program files\Messenger\msmsgs.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NovaBackup 7 Tray Control]
2005-06-23 17:03 221184 ----a-w- c:\program files\NovaStor\NovaBACKUP\NBKCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyFalcon]
c:\program files\SpyFalcon\SpyFalcon.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
2005-03-16 18:56 90112 ----a-w- c:\program files\Common Files\Ulead Systems\AutoDetector\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
2005-04-29 01:59 102400 ----a-w- c:\program files\Ulead Systems\Ulead DVD MovieFactory 4 Suite Deluxe\Ulead Quick-Drop 1.0\Quick-Drop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USIUDF_Eject_Monitor]
2004-12-24 01:27 81920 ------w- c:\program files\Common Files\Ulead Systems\DVD\USISrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"IDriverT"=3 (0x3)
"gearsec"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LeechFTP\\Leechftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=

R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [9/5/2007 9:59 AM 24635]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [12/16/2009 6:38 PM 375296]
R2 CVSControl;CVSNT Control Panel;c:\cvsnt\cvscontrol.exe [7/3/2006 10:45 AM 36864]
R2 PPPoEService;PPPoE Service;c:\progra~1\NTS\ENTERN~1\app\pppoeservice.exe [11/19/2006 11:36 AM 49152]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [7/24/2008 3:22 PM 102400]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [1/17/2010 10:40 PM 33792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/12/2010 11:39 PM 102448]
R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\mtxparhm.sys [2/21/2006 2:47 PM 452736]
R3 NTSPPPOE;NTS Enternet P.P.P.o.E LAN Miniport Driver;c:\windows\system32\drivers\ntspppoe.sys [11/19/2006 10:51 AM 159520]
R3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2/21/2006 3:13 PM 97152]
R3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2/21/2006 3:13 PM 24576]
R3 RAWESR;RAWESR;c:\progra~1\NTS\ENTERN~1\app\RAWESR.SYS [11/19/2006 11:36 AM 9152]
R3 TAPBIND;TAPBIND;c:\progra~1\NTS\ENTERN~1\app\TAPBIND1.SYS [11/19/2006 11:36 AM 17920]
S1 AaAAaAA;AaAAaAA;c:\windows\system32\drivers\AaAAaAA.sys [8/23/2001 5:00 AM 295168]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [1/24/2008 10:48 PM 44928]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [1/18/2010 10:29 AM 18432]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-09-20 05:46 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-NISHANT2-nisthana.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-06-14 10:44]

2010-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-07-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-25 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://webwork-rhv.corp.ebay.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{16873b4d-2627-42b0-97d8-eefa23b9336b} - c:\windows\system32\bfgymggk.dll
BHO-{A677851A-AEDF-4703-9E84-B66180B25F7B} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
Notify-urqonlm - urqonlm.dll
Notify-WgaLogon - (no file)
SafeBoot-AaAAaAA
AddRemove-Magic DVD Copier_is1 - c:\program files\MagicDVDCopier\unins000.exe
AddRemove-PreSonus 1394 Audio Driver V1.20.0 (FIREBox) Setup - c:\program files\PreSonus\1394AudioDriver_FIREBox\uninst.exe Software\PreSonus\1394AudioDriver_FIREBox\Setup



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-23 21:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4272)
c:\windows\system32\WININET.dll
c:\program files\TortoiseCVS\TortoiseShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\CVSNT\cvslock.exe
c:\program files\CVSNT\cvsservice.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\program files\Citrix\GoToMeeting\456\g2mcomm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Citrix\GoToMeeting\456\g2mlauncher.exe
c:\progra~1\NTS\ENTERN~1\app\EnterNetFolder.Exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Teleca Shared\logger.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
c:\program files\MagicTune Premium\MagicTune.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-23 21:33:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-24 04:33

Pre-Run: 12,021,010,432 bytes free
Post-Run: 21,933,887,488 bytes free

- - End Of File - - 1389C32F20AD1E6E41E36AC6F257A4A9
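The entries a helper looks at first in a log like this are the "Reg Loading Points": a Run value with a hex-looking name pointing at a bare DLL that ComboFix could not read ([N/A]), Security Center monitoring switched off, and the firewall disabled. The script below is an added example, not ComboFix's own code or anything posted in the thread: it parses that section and applies those triage heuristics (the heuristics are the editor's assumptions, and the sample lines are constructed from the key names and values in the log above).

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample in the format of a ComboFix "Reg Loading Points" section;
# the key names and values are copied from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"507c98ad"="c:\windows\system32\avfbxyve.dll" [N/A]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-10-10 266497]
"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')    # "name"=<raw value>
FILE_RE = re.compile(r'^"([^"]*)"\s*\[(.*)\]$')     # "path" [date size] or [N/A]
HEX_NAME_RE = re.compile(r'^[0-9a-f]{6,}$', re.I)   # e.g. 507c98ad

@dataclass
class Finding:
    key: str
    name: str
    reason: str

def parse_reg_points(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (registry key, value name, raw value) from a REGEDIT4-style block."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)

def _int_value(raw: str) -> int:
    """Read 'dword:00000001' or '0 (0x0)' style values; -1 if unparseable."""
    raw = raw.strip()
    try:
        if raw.lower().startswith('dword:'):
            return int(raw[6:], 16)
        return int(raw.split()[0])
    except (ValueError, IndexError):
        return -1

def triage(text: str) -> List[Finding]:
    """Apply a few defender-side heuristics (editor's assumptions, not ComboFix rules)."""
    findings: List[Finding] = []
    for key, name, raw in parse_reg_points(text):
        k = key.lower()
        if k.endswith(r'\currentversion\run'):
            m = FILE_RE.match(raw)
            if not m:
                continue
            path, stamp = m.group(1), m.group(2).strip()
            if stamp.upper() == 'N/A':
                # ComboFix printed no date/size: the autostart target was not readable
                findings.append(Finding(key, name, f'autostart target not readable: {path}'))
            if HEX_NAME_RE.match(name):
                findings.append(Finding(key, name, 'value name is a random-looking hex string'))
            if path.lower().endswith('.dll'):
                # A Run value normally launches an .exe; a bare DLL path is atypical
                findings.append(Finding(key, name, f'Run entry names a bare DLL: {path}'))
        elif r'\security center\monitoring' in k and name.lower() == 'disablemonitoring':
            if _int_value(raw) == 1:
                findings.append(Finding(key, name, 'Security Center monitoring disabled for this product'))
        elif k.endswith(r'\firewallpolicy\standardprofile') and name.lower() == 'enablefirewall':
            if _int_value(raw) == 0:
                findings.append(Finding(key, name, 'Windows Firewall disabled for the standard profile'))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the 507c98ad entry three times, the orphaned SearchSettings entry once, and the two disabled protections, while the legitimate avgnt entry produces nothing.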


#12 IndiGenus

IndiGenus

    Anti-Malware Buddha


  • Members
  • 115 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:08 PM

Posted 24 July 2010 - 08:06 AM

Well that took out quite a bit. Is the machine running a little better now? In Normal Mode? I would suggest you go ahead and try running combofix in Normal Mode.


#13 nisthana

nisthana
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  • Local time:03:08 PM

Posted 24 July 2010 - 10:07 AM

Oh yeah, the machine is much better. I kept it running overnight and it didn't crash. I will run the ComboFix in normal mode now.

#14 IndiGenus

IndiGenus

    Anti-Malware Buddha


  • Members
  • 115 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:08 PM

Posted 24 July 2010 - 10:17 AM

thumbup.gif


#15 nisthana

nisthana
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  • Local time:03:08 PM

Posted 24 July 2010 - 11:37 AM

Not out of the woods yet. I started Combi in normal mode; it got stuck at one point. Then I restarted the PC and started Combi again. I was unable to shut down Avira antivirus, so I continued anyway. It finished the 50 stages and now it's stuck at "Deleting files: c:\documents and...\nisthana\Recent\Thumbs.db" for 1/2 hour or so. The desktop is all blank and this is the only window I see. What should I do now? Did you find anything in the safe mode logs?



