
Computer was infected. Ran combofix and I have the logs


  • This topic is locked
2 replies to this topic

#1 KellieI

  • Members
  • 3 posts

Posted 03 October 2010 - 01:08 AM

My computer was majorly infected. I had invisible ads come on in the background; I couldn't see them, but I could hear them. The volume settings would always disable themselves, so I would have to go to services.msc (or something like that) and click start every 30 minutes. I also had problems with the browser. When I would click on any site from Google, it would take me to ad sites instead of the site I was actually wanting, so I could only go to the site if I clicked "cached." When combofix was running, it said I had rootkit activity (I'm not sure if that's important). I'm just trying to figure out if everything harmful is off my computer, and if not then what all else I need to do. I would appreciate it if anyone could help me. Thanks!

This is the log I received from Combofix:

ComboFix 10-10-01.07 - Jaco 10/03/2010 0:37:03.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1497 [GMT -5:00]
Running from: C:\Documents and Settings\Jaco\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cleanmgr.exe
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD9F.DLL
C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP9F.DLL
C:\WINDOWS\system32\STEC3.sys
E:\Autorun.inf

Infected copy of C:\WINDOWS\system32\drivers\viaide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_STEC3
-------\Service_STEC3


((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-10-02 04:26:12 . 2010-04-29 20:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-10-02 04:24:55 . 2010-10-02 04:26:17 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-10-02 04:24:55 . 2010-04-29 20:39:26 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-10-01 21:32:18 . 2010-10-01 21:32:18 0 ----a-w- C:\Documents and Settings\Jaco\settings.dat
2010-10-01 03:20:02 . 2010-10-01 03:20:02 -------- d-----w- C:\Documents and Settings\Jaco\Local Settings\Application Data\HP
2010-10-01 03:19:17 . 2010-10-01 03:19:17 -------- d-----w- C:\Program Files\Common Files\HP
2010-10-01 03:19:17 . 2010-10-01 03:19:17 -------- d-----w- C:\Documents and Settings\All Users\Application Data\HP
2010-10-01 03:18:38 . 2010-10-01 03:19:59 19548 ----a-w- C:\WINDOWS\hpqins13.dat
2010-10-01 03:16:13 . 2010-10-01 03:17:15 -------- d-----w- C:\Documents and Settings\Jaco\Application Data\Image Zone Express
2010-10-01 03:09:11 . 2003-03-10 02:30:42 237568 ----a-w- C:\WINDOWS\system32\HPZc3212.dll
2010-10-01 02:13:56 . 2010-10-01 02:13:56 -------- d-----w- C:\Documents and Settings\Jaco\Application Data\AVG10
2010-10-01 02:12:13 . 2010-10-03 00:25:59 -------- d-----w- C:\WINDOWS\system32\drivers\AVG
2010-10-01 01:30:12 . 2010-10-01 01:30:12 -------- d-----w- C:\WINDOWS\system32\wbem\Repository
2010-09-30 06:50:12 . 2010-10-01 01:44:25 -------- d-----w- C:\Program Files\Common Files\Adobe AIR(2)
2010-09-29 08:17:50 . 2010-09-29 08:17:50 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Common Files
2010-09-29 08:17:01 . 2010-10-01 02:12:14 -------- d-----w- C:\Documents and Settings\All Users\Application Data\AVG10
2010-09-29 08:17:01 . 2010-09-30 17:08:40 -------- d-----w- C:\WINDOWS\system32\drivers\AVG(2)
2010-09-29 08:16:30 . 2010-09-29 08:16:30 -------- d-----w- C:\Program Files\AVG
2010-09-29 08:05:08 . 2010-09-29 08:16:37 -------- d-----w- C:\Documents and Settings\All Users\Application Data\MFAData
2010-09-27 23:41:00 . 2010-09-27 23:41:00 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Driver Mender
2010-09-27 01:36:55 . 2010-09-27 01:36:55 -------- d-----w- C:\Program Files\BitTorrent
2010-09-27 01:34:19 . 2010-10-01 01:44:22 -------- d-----w- C:\Documents and Settings\Jaco\Application Data\BitTorrent
2010-09-26 04:22:23 . 2010-09-26 04:22:23 0 ----a-w- C:\WINDOWS\ativpsrm.bin
2010-09-26 03:22:30 . 2010-09-26 03:22:30 -------- d-----w- C:\Documents and Settings\Jaco\Application Data\Tific
2010-09-26 03:22:24 . 2010-09-26 03:22:24 -------- d-----w- C:\Documents and Settings\Jaco\Local Settings\Application Data\Symantec
2010-09-23 04:42:39 . 2010-09-23 04:42:39 -------- d-----w- C:\Program Files\Windows Sidebar
2010-09-20 06:21:53 . 2010-09-20 06:21:53 503808 ----a-w- C:\Documents and Settings\Jaco\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4c844195-n\msvcp71.dll
2010-09-20 06:21:53 . 2010-09-20 06:21:53 499712 ----a-w- C:\Documents and Settings\Jaco\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4c844195-n\jmc.dll
2010-09-20 06:21:53 . 2010-09-20 06:21:53 348160 ----a-w- C:\Documents and Settings\Jaco\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4c844195-n\msvcr71.dll
2010-09-20 06:21:50 . 2010-09-20 06:21:50 61440 ----a-w- C:\Documents and Settings\Jaco\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6424b9dc-n\decora-sse.dll
2010-09-20 06:21:50 . 2010-09-20 06:21:50 12800 ----a-w- C:\Documents and Settings\Jaco\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6424b9dc-n\decora-d3d.dll
2010-09-20 06:21:43 . 2010-07-17 10:00:04 423656 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2010-09-20 06:07:34 . 2010-09-20 19:20:07 -------- d-----w- C:\Documents and Settings\Jaco\Application Data\DVD Flick
2010-09-20 06:07:07 . 2003-01-26 18:41:24 40960 ----a-w- C:\WINDOWS\system32\ssubtmr6.dll
2010-09-20 06:07:05 . 2010-09-20 06:07:13 -------- d-----w- C:\Program Files\DVD Flick
2010-09-20 06:01:55 . 2010-09-20 06:01:55 -------- d-----w- C:\Documents and Settings\All Users\Application Data\NCH Software
2010-09-20 05:53:48 . 2010-09-20 05:53:48 -------- d-----w- C:\Documents and Settings\Jaco\Application Data\Ashampoo
2010-09-20 05:53:29 . 2010-09-20 05:53:29 -------- d-----w- C:\Documents and Settings\Jaco\Local Settings\Application Data\ashampoo
2010-09-20 05:53:29 . 2010-09-20 05:53:29 -------- d-----w- C:\Documents and Settings\All Users\Application Data\ashampoo
2010-09-13 21:27:24 . 2010-09-13 21:27:24 25680 ----a-w- C:\WINDOWS\system32\drivers\AVGIDSEH.sys
2010-09-08 06:58:38 . 2010-09-08 07:10:35 -------- d-----w- C:\Documents and Settings\Jaco\Local Settings\Application Data\WMTools Downloaded Files
2010-09-07 08:49:00 . 2010-09-07 08:49:00 298448 ----a-w- C:\WINDOWS\system32\drivers\avgtdix.sys
2010-09-07 08:48:56 . 2010-09-07 08:48:56 34384 ----a-w- C:\WINDOWS\system32\drivers\avgmfx86.sys
2010-09-07 08:48:54 . 2010-09-07 08:48:54 249424 ----a-w- C:\WINDOWS\system32\drivers\avgldx86.sys
2010-09-07 08:48:50 . 2010-09-07 08:48:50 26064 ----a-w- C:\WINDOWS\system32\drivers\avgrkx86.sys
2010-09-04 07:29:44 . 2010-09-04 07:29:44 310208 ----a-w- C:\Documents and Settings\Jaco\Application Data\Azureus\plugins\mlab\ShaperProbeC.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 05:47:21 . 2010-04-19 17:41:37 -------- d-----w- C:\Program Files\Google
2010-10-03 05:47:04 . 2007-03-14 03:35:07 -------- d-----w- C:\Program Files\Common Files\Adobe
2010-10-03 05:18:38 . 2007-06-23 12:23:19 -------- d-----w- C:\Program Files\Trend Micro
2010-10-01 08:59:51 . 2007-03-16 20:52:06 -------- d-----w- C:\Program Files\Java
2010-10-01 08:59:36 . 2010-10-01 08:59:36 0 ----a-w- C:\WINDOWS\system32\REN129.tmp
2010-10-01 08:59:36 . 2010-10-01 08:59:36 0 ----a-w- C:\WINDOWS\system32\REN128.tmp
2010-10-01 08:59:36 . 2010-10-01 08:59:36 0 ----a-w- C:\WINDOWS\system32\REN127.tmp
2010-10-01 01:39:01 . 2007-03-14 20:51:32 82480 ----a-w- C:\Documents and Settings\Jaco\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-29 08:17:14 . 2010-07-18 05:31:17 -------- d-----w- C:\Documents and Settings\Jaco\Application Data\Skype
2010-09-29 08:00:46 . 2010-07-18 05:32:46 -------- d-----w- C:\Documents and Settings\Jaco\Application Data\skypePM
2010-09-27 01:45:10 . 2007-03-16 00:36:35 -------- d-----w- C:\Documents and Settings\Jaco\Application Data\Azureus
2010-09-20 06:41:12 . 2009-02-27 03:22:05 -------- d-----w- C:\Program Files\NCH Swift Sound
2010-09-20 06:19:39 . 2009-02-27 03:23:22 -------- d-----w- C:\Program Files\NCH Software
2010-09-17 05:14:02 . 2010-07-18 05:30:44 -------- d-----r- C:\Program Files\Skype
2010-09-16 05:51:12 . 2010-07-09 02:57:17 5049 ----a-w- C:\WINDOWS\Otijadikujikapa.dat
2010-09-04 07:31:06 . 2010-04-21 15:58:13 4177856 ----a-w- C:\Documents and Settings\Jaco\Application Data\Azureus\plugins\azemp\vuzeplayer.exe
2010-09-04 07:30:54 . 2010-08-21 00:15:28 -------- d-----w- C:\Program Files\iTunes
2010-09-04 07:28:11 . 2009-01-12 21:03:02 -------- d-----w- C:\Program Files\Vuze
2010-08-27 16:24:04 . 2010-08-27 16:24:04 63572 ---ha-w- C:\WINDOWS\system32\mlfcache.dat
2010-08-23 03:29:58 . 2010-08-23 03:29:58 55 ----a-w- C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\F3053EF74652448F98A5C45703106076\install.bat
2010-08-23 03:29:58 . 2010-08-23 03:29:58 323584 ----a-w- C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\F3053EF74652448F98A5C45703106076\libswt-win32-3232.dll
2010-08-21 00:22:28 . 2007-04-23 20:40:49 -------- d-----w- C:\Documents and Settings\Jaco\Application Data\Apple Computer
2010-08-21 00:16:07 . 2010-08-21 00:15:28 -------- d-----w- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-21 00:15:34 . 2010-08-21 00:15:34 -------- d-----w- C:\Program Files\iPod
2010-08-21 00:14:54 . 2009-03-16 17:11:19 -------- d-----w- C:\Program Files\QuickTime
2010-08-21 00:14:31 . 2007-04-03 00:59:56 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2010-08-21 00:13:16 . 2010-08-21 00:13:15 -------- d-----w- C:\Program Files\Apple Software Update
2010-08-21 00:09:54 . 2009-01-07 05:15:44 -------- d-----w- C:\Program Files\Common Files\Apple
2010-08-20 02:42:38 . 2010-08-20 02:42:38 30288 ----a-w- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys
2010-08-20 02:42:36 . 2010-08-20 02:42:36 123472 ----a-w- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys
2010-08-20 02:42:34 . 2010-08-20 02:42:34 26192 ----a-w- C:\WINDOWS\system32\drivers\AVGIDSShim.sys
2010-07-21 21:30:16 . 2010-07-21 21:30:16 73000 ----a-w- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-18 05:32:50 . 2010-07-18 05:32:50 56 ---ha-w- C:\WINDOWS\system32\ezsidmv.dat
2010-07-11 05:43:11 . 2010-07-09 02:57:17 0 ----a-w- C:\WINDOWS\Wfatifopaniya.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 16:03:38 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 20:06:00 118784]
"hpqSRMon"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 15:54:08 150016]
"AVG_TRAY"="C:\Program Files\AVG\AVG10\avgtray.exe" [2010-09-15 10:29:10 2745696]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-03-19 03:16:10 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 00:48:14 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 00:58:38 256280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 18:11:14 233472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync\0C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2007-01-19 17:49:04 49152 ----a-w- C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2005-08-12 19:43:58 45056 ----a-w- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
2007-07-17 16:03:38 868352 ------w- C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link Wireless G WDA-1320]
2007-08-29 21:16:04 1662976 ----a-w- C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Echovoice Gamer Statistics]
2006-11-28 21:52:00 53248 ----a-w- C:\Program Files\Echovoice\Gamer Statistics\G15 Echovoice Gamer Statistics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47:42 31016 ----a-w- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 21:15:20 81920 ----a-w- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-09-21 09:10:12 55824 ----a-w- C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2007-09-21 09:10:12 55824 ----a-w- C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 20:40:44 155648 ----a-w- C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 03:16:10 421888 ----a-w- C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-02-26 08:53:30 65024 ----a-w- C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 17:35:24 90112 ----a-w- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)
"CCALib8"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"YahooAUService"=2 (0x2)
"Bonjour Service"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\WINDOWS\system32\mmc.exe"=
"C:\WINDOWS\system32\dplaysvr.exe"=
"C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe"=
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Vuze\Azureus.exe"=
"C:\Program Files\SmartFTP Client\SmartFTP.exe"=
"C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe"=
"C:\Program Files\Pando Networks\Media Booster\PMB.exe"=
"C:\Riot Games\League of Legends\air\LolClient.exe"=
"C:\Riot Games\League of Legends\game\League of Legends.exe"=
"C:\Program Files\AVG\AVG10\avgdiagex.exe"=
"C:\Program Files\AVG\AVG10\avgnsx.exe"=
"C:\Program Files\AVG\AVG10\avgmfapx.exe"=
"C:\Program Files\AVG\AVG10\avgemcx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"57441:TCP"= 57441:TCP:Pando Media Booster
"57441:UDP"= 57441:UDP:Pando Media Booster
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"6966:TCP"= 6966:TCP:League of Legends Launcher
"6966:UDP"= 6966:UDP:League of Legends Launcher
"6894:TCP"= 6894:TCP:League of Legends Launcher
"6894:UDP"= 6894:UDP:League of Legends Launcher
"6923:TCP"= 6923:TCP:League of Legends Launcher
"6923:UDP"= 6923:UDP:League of Legends Launcher
"6915:TCP"= 6915:TCP:League of Legends Launcher
"6915:UDP"= 6915:UDP:League of Legends Launcher
"6967:TCP"= 6967:TCP:League of Legends Launcher
"6967:UDP"= 6967:UDP:League of Legends Launcher
"6927:TCP"= 6927:TCP:League of Legends Launcher
"6927:UDP"= 6927:UDP:League of Legends Launcher
"6968:TCP"= 6968:TCP:League of Legends Launcher
"6968:UDP"= 6968:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"6895:TCP"= 6895:TCP:League of Legends Launcher
"6895:UDP"= 6895:UDP:League of Legends Launcher
"6951:TCP"= 6951:TCP:League of Legends Launcher
"6951:UDP"= 6951:UDP:League of Legends Launcher
"6911:TCP"= 6911:TCP:League of Legends Launcher
"6911:UDP"= 6911:UDP:League of Legends Launcher

R0 AVGIDSEH;AVGIDSEH;C:\WINDOWS\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27:24 PM 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;C:\WINDOWS\system32\drivers\avgrkx86.sys [9/7/2010 3:48:50 AM 26064]
R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys [3/7/2007 11:59:15 AM 77312]
R1 Avgldx86;AVG AVI Loader Driver;C:\WINDOWS\system32\drivers\avgldx86.sys [9/7/2010 3:48:54 AM 249424]
R1 Avgtdix;AVG TDI Driver;C:\WINDOWS\system32\drivers\avgtdix.sys [9/7/2010 3:49:00 AM 298448]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [9/3/2010 10:35:50 AM 6104144]
R2 avgwd;AVG WatchDog;C:\Program Files\AVG\AVG10\avgwdsvc.exe [9/10/2010 1:45:22 AM 265400]
R3 AVGIDSDriver;AVGIDSDriver;C:\WINDOWS\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42:36 PM 123472]
R3 AVGIDSFilter;AVGIDSFilter;C:\WINDOWS\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42:38 PM 30288]
R3 AVGIDSShim;AVGIDSShim;C:\WINDOWS\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42:34 PM 26192]
R3 JSWSCIMD;jswscimd Service;C:\WINDOWS\system32\drivers\jswscimd.sys [12/10/2008 9:48:15 PM 57376]
S1 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys --> C:\WINDOWS\system32\DRIVERS\amdtools.sys [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [4/19/2010 12:41:42 PM 136176]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\drivers\A3AB.sys [12/10/2008 9:48:15 PM 547744]
S3 jswpsapi;Jumpstart Wifi Protected Setup;C:\Program Files\D-Link\Wireless G WDA-1320\JSWUtil\jswpsapi.exe [12/10/2008 9:48:15 PM 352338]
S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\drivers\pixmcvc.sys [11/19/2007 9:23:35 AM 32000]
S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [3/25/2007 6:22:19 PM 685816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50:20 . 2009-10-22 16:50:20]

2008-12-13 C:\WINDOWS\Tasks\FRU Task 2003-04-10 00:56:27ewlett-Packard2003-04-10 00:56:27p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4206817551.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56:28 . 2003-04-09 22:56:28]

2010-10-03 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-04-19 17:41:42 . 2010-04-19 17:41:36]

2010-10-03 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-04-19 17:41:42 . 2010-04-19 17:41:36]

2010-10-01 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-179605362-839522115-1004Core.job
- C:\Documents and Settings\Jaco\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-23 03:38:30 . 2010-06-16 22:02:03]

2010-10-03 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-179605362-839522115-1004UA.job
- C:\Documents and Settings\Jaco\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-23 03:38:30 . 2010-06-16 22:02:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://dsl.sbc.yahoo.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;localhost
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - C:\Documents and Settings\Jaco\Application Data\Mozilla\Firefox\Profiles\ol583pcy.default
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Program Files\AVG\AVG10\Firefox\components\avgssff.dll
FF - plugin: C:\Documents and Settings\Jaco\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: C:\Documents and Settings\Jaco\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: C:\Program Files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, Creative ZENcast v2.01.01
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - C:\Program Files\Java\jre6\bin\jusched.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Aim6 - C:\Program Files\AIM6\aim6.exe
MSConfigStartUp-DAEMON Tools - C:\Program Files\DAEMON Tools\daemon.exe
MSConfigStartUp-ISUSPM Startup - C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
MSConfigStartUp-Messenger (Yahoo!) - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-SSBkgdUpdate - C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
MSConfigStartUp-Steam - C:\Program Files\Steam\Steam.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
ActiveSetup-ccc-core-static - msiexec
AddRemove-Adobe AIR - c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe
AddRemove-Switch - C:\Program Files\NCH Swift Sound\Switch\uninst.exe
AddRemove-System Requirements Lab - C:\Program Files\Common Files\SystemRequirementsLab\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-03 00:47:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1224)
C:\WINDOWS\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4024)
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\ieframe.dll
C:\WINDOWS\system32\WPDShServiceObj.dll
C:\WINDOWS\system32\btncopy.dll
C:\WINDOWS\system32\PortableDeviceTypes.dll
C:\WINDOWS\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-10-03 00:52:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-03 05:51:58

Pre-Run: 262,993,637,376 bytes free
Post-Run: 262,977,871,872 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - B012D338F464478CC3F6D0FE50553A60

I also ran AVG after I did combofix and got an error that says: Virus identified Win32/Patched.DX
So I guess not everything is fixed after all......
I was reading and I guess AVG doesn't have protection against rootkits? Is this true? And if so, what virus program could I get in place of AVG?

EDIT: Posts merged ~BP

I ran Combofix last night and posted my log on here, but nobody has gotten around to checking it for me yet. I figured out that I have "Bootkit Whistler" when I ran Bootkit Remover. I just don't know how to get rid of it. Any help would be greatly appreciated. Thanks!

Bootkit Remover
2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

EDIT: Topic and post merged from AII ~BP

Edited by Budapest, 04 October 2010 - 12:53 AM.



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 October 2010 - 04:33 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 October 2010 - 06:13 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



