Trojan Horse Generic 19.HBP

#1 TaeyangxSolar

  • Members
  • 2 posts

Posted 27 September 2010 - 05:27 PM

EDIT: merged posts, Split from AII topic as No DDS, HijackThis, or ComboFix logs should be posted in this forum.
and moved to Virus, Trojan, Spyware, and Malware Removal Logs for review~~boopme



My computer won't let me go into safe mode; it just shows an empty black screen with the Windows name on top, etc.
I have the same problem as the guy up there ^

Log Report

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4301

Windows 6.0.6000
Internet Explorer 7.0.6000.16809

9/26/2010 2:54:29 PM
mbam-log-2010-09-26 (14-54-29).txt

Scan type: Quick scan
Objects scanned: 135091
Time elapsed: 13 minute(s), 37 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\Users\Jimmay\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\Users\Jimmay\userinit.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Jimmay\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\config\SystemProfile\userinit.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Users\Jimmay\userinit.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

@TaeyangxSolar by Boopme

You have Backdoor bots. This means your passwords and such were most likely stolen and sent home. A Backdoor.IRC.Bot is a type of Trojan that is also often referred to as a 'bot', which opens a back door that allows a remote attacker to take control of the compromised computer.
http://www.symantec.com/security_response/...-102711-3533-99

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Once again ComboFix has saved me, for the third time.

I don't really use my computer for anything financial, only games/emails etc., nothing personal or important. I never ever put my SS # online and I put fake bdays, so not really much info? (HS senior)

Oh, and thanks a lot for your hard work!

--Log from ComboFix-- if you need it

ComboFix 10-09-27.03 - Jimmay 09/27/2010 19:06:25.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.958.462 [GMT -4:00]
Running from: c:\users\Jimmay\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Jimmay\AppData\Roaming\Microsoft\svchost.exe
c:\users\Jimmay\pizda_ntload.dll
c:\users\Jimmay\userinit.exe
c:\windows\system32\config\systemprofile\pizda_ntload.dll
c:\windows\system32\ntdevice.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
.

2010-09-27 23:20 . 2010-09-27 23:23 -------- d-----w- c:\users\Jimmay\AppData\Local\temp
2010-09-27 23:20 . 2010-09-27 23:20 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-27 23:20 . 2010-09-27 23:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-27 22:21 . 2010-09-27 23:04 -------- d-----w- C:\32788R22FWJFW
2010-09-26 22:33 . 2010-09-27 00:21 -------- d-----w- C:\Traphik
2010-09-20 23:05 . 2010-09-20 23:05 -------- d-----w- c:\users\Jimmay\AppData\Roaming\LolClient
2010-09-20 22:58 . 2008-07-12 12:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2010-09-20 22:58 . 2008-07-12 12:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2010-09-20 22:58 . 2008-07-12 12:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2010-09-20 22:52 . 2010-09-20 22:52 -------- d-----w- C:\Riot Games
2010-09-12 21:27 . 2010-09-14 11:23 -------- d-----w- c:\program files\MZ U.T
2010-09-12 21:26 . 2010-09-12 21:26 -------- d-----w- c:\users\Jimmay\AppData\Roaming\IObit
2010-09-12 21:04 . 2010-09-12 21:04 -------- d-----w- c:\users\Jimmay\AppData\Roaming\NPLUTO Corporation
2010-09-12 19:32 . 2010-03-24 20:57 713312 ----a-w- c:\windows\system32\ijjiSetup.exe
2010-09-12 19:32 . 2010-03-24 20:56 62048 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2010-09-12 19:03 . 2010-09-12 19:03 -------- d-----w- C:\HanTemp
2010-09-12 19:01 . 2010-09-12 21:00 -------- d-----w- c:\program files\REACTOR
2010-09-11 00:34 . 2010-09-11 00:34 -------- d-----w- c:\users\Jimmay\AppData\Roaming\Roxio
2010-09-04 00:12 . 2010-09-04 00:12 -------- d-----w- c:\program files\Zodiac Online
2010-09-03 22:39 . 2010-09-03 23:57 780783494 ----a-w- C:\ZodiacOnlineOpenBeta20100730.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-27 23:26 . 2009-04-13 22:05 41804 ----a-w- c:\programdata\nvModes.dat
2010-09-27 23:22 . 2006-12-18 20:46 12 ----a-w- c:\windows\bthservsdp.dat
2010-09-27 20:07 . 2010-09-26 18:16 80896 ----a-w- c:\users\Jimmay\AppData\Roaming\Microsoft\Windows\shell.exe
2010-09-26 16:17 . 2010-02-27 21:08 -------- d-----w- c:\programdata\avg9
2010-09-23 15:45 . 2010-09-23 15:45 4093792 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-09-23 15:45 . 2010-09-23 15:45 3586912 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-09-23 15:45 . 2010-09-23 15:45 620896 ----a-w- c:\programdata\avg9\update\backup\avgnsx.exe
2010-09-23 15:45 . 2010-09-23 15:45 1619296 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-09-23 15:45 . 2010-09-23 15:45 1377632 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2010-09-23 15:45 . 2010-09-23 15:45 598368 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-09-23 15:45 . 2010-09-23 15:45 942432 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-09-23 15:45 . 2010-09-23 15:45 4371296 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-09-23 15:45 . 2010-09-23 15:45 300896 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-09-23 15:29 . 2010-09-23 15:29 1690952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-09-20 23:00 . 2010-07-12 14:13 -------- d-----w- c:\program files\private server
2010-09-20 22:52 . 2006-12-18 21:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-20 20:45 . 2009-06-21 20:14 -------- d-----w- c:\programdata\PMB Files
2010-09-20 15:50 . 2009-04-04 19:44 -------- d-----w- c:\program files\Warcraft III
2010-09-17 00:15 . 2009-06-20 18:59 -------- d-----w- c:\program files\DriftCity
2010-09-11 00:33 . 2006-12-18 21:14 -------- d-----w- c:\programdata\Sonic
2010-09-10 20:12 . 2010-09-10 20:12 12575488 ----a-w- c:\users\Jimmay\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airinstaller2x0\airinstaller2x0.exe
2010-07-31 05:27 . 2009-06-20 19:06 -------- d-----w- c:\program files\CCleaner
2010-07-31 05:23 . 2010-01-05 01:59 -------- d-----w- c:\program files\Wakfu
2010-07-30 19:44 . 2010-04-11 01:04 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2010-07-23 13:03 . 2010-07-23 13:03 6944 ----a-w- c:\users\Jimmay\AppData\Local\d3d9caps.dat
2010-07-15 19:00 . 2009-08-21 23:41 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 19:00 . 2010-07-15 19:00 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 18:57 . 2009-08-21 23:41 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-09 23:11 . 2010-07-09 23:11 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-23 22:57 . 2009-05-23 22:56 876186128 ---ha-w- c:\program files\MSSetup55.exe
2009-05-23 22:54 . 2009-05-23 22:53 876186128 ---ha-w- c:\program files\GlobalMapleStoryV55.exe
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-01-26 2633976]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup
Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe [2006-12-18 34520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKLM\~\startupfolder\C:^Users^Jimmay^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Connection Keeper.lnk]
backup=c:\windows\pss\Connection Keeper.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jimmay^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Jimmay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2006-11-28 23:42 46704 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2006-11-22 00:36 1474560 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-12-20 12:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-04-10 21:35 2937528 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2006-11-06 18:58 159744 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-11-24 23:33 167936 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 gupdate1c9c5685c8ff3d6;Google Update Service (gupdate1c9c5685c8ff3d6);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 133104]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-03-08 3519560]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2008-12-09 20392]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-20 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 05:39]

2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 05:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15153&l=dis
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\PrxerDrv.dll
FF - ProfilePath - c:\users\Jimmay\AppData\Roaming\Mozilla\Firefox\Profiles\f45ntjib.default
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.27\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: content.notify.backoffcount - 5
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: browser.cache.memory.capacity - 65536
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-qdaojsuw - c:\users\Jimmay\AppData\Local\oxbvxxoqcvmvbjfxuqiw.exe
HKCU-Run-MzRamBooster - c:\program files\MZ U.T\MzRamBooster.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-27 19:26
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(8096)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLANExt.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\progra~1\HEWLET~1\Shared\HPQTOA~1.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-09-27 19:32:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-27 23:32
ComboFix2.txt 2010-09-09 21:57
ComboFix3.txt 2010-09-08 23:35
ComboFix4.txt 2010-07-12 10:18

Pre-Run: 36,393,811,968 bytes free
Post-Run: 36,526,411,776 bytes free

- - End Of File - - 30AE7FEC8112FD27AA687B9E27D5CFC2

Edited by boopme, 27 September 2010 - 10:08 PM.
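The Malwarebytes log in the post above has a fixed shape: a summary block, then one section per object class ("Memory Processes Infected:", "Registry Values Infected:", "Files Infected:"), each line giving the object, the detection name in parentheses and the action taken. The following Python is an added example, not code from the thread or from Malwarebytes, that parses that shape and pulls out the two things a responder reads such a log for: which hits were Run-key persistence entries, and whether every process that was only unloaded from memory also had its file quarantined, or is still on disk. The sample log is an excerpt of the one posted above with the backslashes the forum extraction dropped put back.

```python
import re
from collections import defaultdict

# Excerpt of the Malwarebytes' Anti-Malware 1.46 log from the post above,
# with the backslashes the forum extraction dropped put back.
SAMPLE_LOG = r"""
Memory Processes Infected: 2
Files Infected: 3

Memory Processes Infected:
C:\Users\Jimmay\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\Users\Jimmay\userinit.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Jimmay\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\config\SystemProfile\userinit.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Users\Jimmay\userinit.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

# A detail section header is "<Class> Infected:" with nothing after the colon;
# the summary block at the top carries a count there and so does not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# One detection line: <object> (<detection name>) -> <action taken>.
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection line: section, object, detection, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        # Skip the summary block and "(No malicious items detected)" fillers.
        if section is None or line.startswith("("):
            continue
        det = DETECTION_RE.match(line)
        if det:
            entries.append({"section": section, "object": det["obj"],
                            "detection": det["name"], "action": det["action"]})
    return entries


def triage(entries):
    """Count hits per section and detection family, list Run-key persistence
    entries, and flag processes whose on-disk file was never quarantined."""
    by_section, families = defaultdict(int), defaultdict(int)
    persistence, quarantined_files = [], set()
    for e in entries:
        by_section[e["section"]] += 1
        families[e["detection"]] += 1
        if e["section"].startswith("Registry") and "\\currentversion\\run\\" in e["object"].lower():
            persistence.append(e["object"])
        if e["section"] == "Files Infected" and e["action"].startswith("Quarantined and deleted"):
            quarantined_files.add(e["object"].lower())
    # A process that was only unloaded from memory is still a live threat unless
    # the same path also shows up as a quarantined file.
    unresolved = [e["object"] for e in entries
                  if e["section"] == "Memory Processes Infected"
                  and e["object"].lower() not in quarantined_files]
    return {"by_section": dict(by_section), "families": dict(families),
            "persistence": persistence, "unresolved_processes": unresolved}


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```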



#2 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 01 October 2010 - 06:57 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 07 October 2010 - 07:21 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators