Google redirection, infected explorer.exe and winlogon.exe


This topic is locked. 18 replies to this topic.

#1 quarky (Members, 9 posts)

Posted 08 October 2010 - 12:52 PM

Hello,

I seem to have caught a nasty infection. As mentioned, I am getting google redirects in Chrome. I have run several AV scans and malware scans without much success.

Contents of DDS.LOG:

DDS (Ver_10-10-05.01) - NTFSx86
Run by Greg at 18:29:21.11 on 08/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1919.1066 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\logonui.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\WinTV\TVServer\HAUPPA~1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\vmnat.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinTV\WinTV7\WinTVTray.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [Google Update] "c:\documents and settings\greg\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\greg\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wintvr~1.lnk - c:\program files\wintv\wintv7\WinTVTray.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {F615C0E8-ED11-4B38-8A3C-F02F138B0F1F} = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-8 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-31 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-31 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-31 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-31 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-31 297752]
R2 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\tvserver\HAUPPA~1.EXE [2009-7-31 434176]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1357464]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-29 54960]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S4 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-8-31 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-8-31 234888]

=============== Created Last 30 ================

2010-10-08 16:33:32 -------- d-----w- C:\ComboFix
2010-10-08 14:53:12 -------- d-sha-r- C:\cmdcons
2010-10-08 14:48:51 98816 ----a-w- c:\windows\sed.exe
2010-10-08 14:48:51 77312 ----a-w- c:\windows\MBR.exe
2010-10-08 14:48:51 256512 ----a-w- c:\windows\PEV.exe
2010-10-08 14:48:51 161792 ----a-w- c:\windows\SWREG.exe
2010-10-08 13:35:36 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-10-08 13:35:32 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-08 13:32:34 -------- d-----w- c:\docume~1\greg\locals~1\applic~1\Sunbelt Software
2010-10-08 13:32:13 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-08 13:31:56 -------- d-----w- c:\program files\Lavasoft
2010-09-09 09:28:18 -------- d-----w- c:\program files\Raptr
2010-09-09 09:28:18 -------- d-----w- c:\docume~1\greg\applic~1\Raptr

==================== Find3M ====================


============= FINISH: 18:29:43.50 ===============

Contents of ComboFix log:

ComboFix 10-10-07.02 - Greg 08/10/2010 17:35:32.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1919.974 [GMT 1:00]
Running from: D:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
.

2010-10-08 13:36 . 2010-10-08 13:36 262144 ----a-w- c:\windows\system32\default_user_class.dat
2010-10-08 13:35 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-10-08 13:35 . 2010-10-08 13:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-08 13:32 . 2010-10-08 13:32 -------- d-----w- c:\documents and settings\Greg\Local Settings\Application Data\Sunbelt Software
2010-10-08 13:32 . 2010-10-08 13:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-08 13:32 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-10-08 13:31 . 2010-10-08 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-08 13:31 . 2010-10-08 13:31 -------- d-----w- c:\program files\Lavasoft
2010-09-09 09:28 . 2010-09-29 21:19 -------- d-----w- c:\program files\Raptr
2010-09-09 09:28 . 2010-09-29 21:19 -------- d-----w- c:\documents and settings\Greg\Application Data\Raptr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-08 13:38 . 2010-01-25 14:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-10-08 13:38 . 2010-01-25 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-10-07 11:29 . 2009-07-31 10:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-10-04 20:10 . 2009-08-01 22:48 -------- d-----w- c:\documents and settings\Greg\Application Data\Azureus
2010-10-03 12:19 . 2009-08-01 22:32 -------- d-----w- c:\documents and settings\Greg\Application Data\vlc
2010-09-09 09:26 . 2009-11-06 21:22 4146688 ----a-w- c:\documents and settings\Greg\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2010-09-09 09:26 . 2009-11-06 21:22 7288256 ----a-w- c:\documents and settings\Greg\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2010-09-09 09:00 . 2009-08-01 22:46 -------- d-----w- c:\program files\Vuze
2010-08-30 08:39 . 2009-10-04 15:02 -------- d-----w- c:\documents and settings\Greg\Application Data\dvdcss
2010-08-30 07:38 . 2009-09-14 10:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-29 18:40 . 2010-08-30 07:39 53632 ----a-w- c:\documents and settings\Greg\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-15 06:19 . 2009-08-03 22:45 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-23 09:08 . 2010-07-23 09:08 648048 ----a-w- c:\documents and settings\Greg\Application Data\Seiz System Engineering\AbelCam\install\BB0E1E1\AbelCamUpdater.exe
.

------- Sigcheck -------

[-] 2009-04-20 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-04-20 . B8911B7BE2344F18DAF994D1E7C59EED . 509440 . . [5.1.2600.5739] . . c:\windows\system32\winlogon.exe

[-] 2009-04-20 . 45957FC2C8EA3F261F4B61792DD42F00 . 1033728 . . [6.00.2900.5634] . . c:\windows\explorer.exe


c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:03 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-31 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-13 7626752]
"nwiz"="nwiz.exe" [2006-07-13 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-13 86016]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-10-28 96816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-04-20 128512]

c:\documents and settings\Greg\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-4-4 95232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinTV Recording Status..lnk - c:\program files\WinTV\WinTV7\WinTVTray.exe [2009-7-31 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 10:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\AbelCam\\SetCulture.exe"=
"c:\\Program Files\\AbelCam\\AbelCam.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/10/2010 14:35 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [31/07/2009 11:16 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [31/07/2009 11:16 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [31/07/2009 11:16 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [31/07/2009 11:16 297752]
R2 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\TVServer\HAUPPA~1.EXE [31/07/2009 14:37 434176]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 13:15 1357464]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [29/10/2008 00:08 54960]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/08/2010 13:15 15008]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [31/08/2009 20:11 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [31/08/2009 20:11 234888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - LAVASOFT_KERNEXPLORER
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-10-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 13:35]

2010-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 09:55]

2010-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 09:55]

2010-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1005Core.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 14:44]

2010-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1005UA.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 14:44]

2010-10-08 c:\windows\Tasks\User_Feed_Synchronization-{02E12D8E-D7F3-470A-B04E-7811BCCB5D7A}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]

2010-10-08 c:\windows\Tasks\User_Feed_Synchronization-{E9E37F56-1DC0-4702-A82F-B7D9ABFB6A9E}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: {F615C0E8-ED11-4B38-8A3C-F02F138B0F1F} = 192.168.1.1
.
.
Completion time: 2010-10-08 17:44:20
ComboFix-quarantined-files.txt 2010-10-08 16:44
ComboFix2.txt 2010-10-08 15:12

Pre-Run: 7,311,564,800 bytes free
Post-Run: 7,300,861,952 bytes free

- - End Of File - - 212B1262C032FDD436D7CAC5CA365C8B

Any help greatly appreciated!!

Edited by quarky, 08 October 2010 - 12:52 PM.
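A small triage parser for the ComboFix lines in the log above, added here as an example (it is not ComboFix's own code and not something either participant ran): it takes a constructed excerpt copied from that log, pulls out the "is infected", "is missing" and Sigcheck entries, and groups them per path so that a file flagged by two independent checks, as winlogon.exe and explorer.exe are here, stands out. The meaning of the Sigcheck bracket flag is not stated in the thread, so the parser only records it.

```python
"""Triage parser for ComboFix log lines: pulls out the entries that name a
specific file ('is infected', 'is missing' and the Sigcheck table) and groups
them per path so corroborated findings stand out."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
ComboFix 10-10-07.02 - Greg 08/10/2010 17:35:32.2.1 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

------- Sigcheck -------

[-] 2009-04-20 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-04-20 . B8911B7BE2344F18DAF994D1E7C59EED . 509440 . . [5.1.2600.5739] . . c:\windows\system32\winlogon.exe

[-] 2009-04-20 . 45957FC2C8EA3F261F4B61792DD42F00 . 1033728 . . [6.00.2900.5634] . . c:\windows\explorer.exe

c:\windows\System32\wscntfy.exe ... is missing !!
"""

# Line shapes exactly as they appear in the log above. The bracket flag in the
# Sigcheck table is recorded as-is; its precise meaning is not stated in the thread.
INFECTED_RE = re.compile(r"^(?P<path>.+?) \. \. \. is infected!!$")
MISSING_RE = re.compile(r"^(?P<path>.+?) \.\.\. is missing !!$")
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32})"
    r" \. (?P<size>\d+) \. \. \[(?P<version>[^\]]+)\] \. \. (?P<path>.+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str            # "infected", "missing" or "sigcheck"
    path: str            # path exactly as printed in the log
    flag: str = ""       # Sigcheck bracket flag, e.g. "-"
    md5: str = ""        # Sigcheck MD5 of the file as found on disk
    version: str = ""    # Sigcheck embedded file version
    size: int = 0        # Sigcheck file size in bytes


def parse_combofix(text: str) -> list[Finding]:
    """Return one Finding per file-specific line, in log order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := INFECTED_RE.match(line):
            findings.append(Finding("infected", m["path"]))
        elif m := MISSING_RE.match(line):
            findings.append(Finding("missing", m["path"]))
        elif m := SIGCHECK_RE.match(line):
            findings.append(Finding("sigcheck", m["path"], m["flag"],
                                    m["md5"].upper(), m["version"], int(m["size"])))
    return findings


def triage(text: str) -> dict[str, list[str]]:
    """Group finding kinds per path (lower-cased, since NTFS paths are
    case-insensitive) so a file hit by several checks is easy to spot."""
    grouped: defaultdict[str, set[str]] = defaultdict(set)
    for f in parse_combofix(text):
        grouped[f.path.lower()].add(f.kind)
    return {path: sorted(kinds) for path, kinds in sorted(grouped.items())}


if __name__ == "__main__":
    for path, kinds in triage(SAMPLE_LOG).items():
        marker = "!!" if len(kinds) > 1 else "  "   # two independent checks agree
        print(f"{marker} {path}: {', '.join(kinds)}")
```

On the excerpt above, winlogon.exe and explorer.exe are each reported twice (deletion list and Sigcheck), which is the corroboration a reviewer looks for before replacing a system binary from known-good media.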


#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 16 October 2010 - 11:17 AM

Hello quarky,

Sorry for the delay. If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it.

Thanks,
tea

#3 quarky (Topic Starter, Members, 9 posts)

Posted 16 October 2010 - 02:15 PM

Hi Teacup,

Thanks for the reply, much appreciated. Don't apologize about the delay either; it looks very busy ;)

Since those scans, I installed Ad-aware and Malwarebytes, and ran scans with both of those. Malwarebytes found something (whose name escapes me, but I will try and find it). I still had the problem though.

So I uninstalled Chrome, moved the USERDATA folder, wrote explorer.exe and winlogon.exe to a CD, and replaced the existing files after going into the recovery console. (For some reason I couldn't expand the compressed versions in the recovery console; it gave me an error about being unable to expand them to any location.)

After installing Chrome again, all seems OK (IE appears OK but I don't really use it).

So on to the logs!!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:14:57, on 16/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\WinTV\TVServer\HAUPPA~1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinTV\WinTV7\WinTVTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Greg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Greg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Greg\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Global Startup: WinTV Recording Status..lnk = C:\Program Files\WinTV\WinTV7\WinTVTray.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F615C0E8-ED11-4B38-8A3C-F02F138B0F1F}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\TVServer\HAUPPA~1.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 6682 bytes




DDS (Ver_10-10-05.01) - NTFSx86
Run by Greg at 18:51:39.65 on 16/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1919.1086 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\logonui.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\WinTV\TVServer\HAUPPA~1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rdpclip.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinTV\WinTV7\WinTVTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\logon.scr
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\explorer.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [Google Update] "c:\documents and settings\greg\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\greg\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wintvr~1.lnk - c:\program files\wintv\wintv7\WinTVTray.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {F615C0E8-ED11-4B38-8A3C-F02F138B0F1F} = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-8 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-31 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-31 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-31 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-31 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-31 297752]
R2 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\tvserver\HAUPPA~1.EXE [2009-7-31 434176]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1357464]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-29 54960]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S4 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-8-31 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-8-31 234888]

=============== Created Last 30 ================


==================== Find3M ====================

2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:37:50 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:43:28 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 18:52:13.40 ===============



It would be good to know if all looks clean now (not sure if that URLSearchHook in HJThis is a problem)?

Cheers
Greg


#4 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 October 2010 - 02:48 PM

Hello,

You can fix that line with HijackThis...it will reset it back to default. The (no file) says there is no real problem....maybe just a leftover from a previous setting. Have another run with ComboFix and see what it says this time. I'd like to give you a clean bill of health, but after all that I want to be sure first. Is MBAM coming up clean now?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 quarky (Topic Starter)
  • Members
  • 9 posts

Posted 16 October 2010 - 04:30 PM

Yep, MBAM is now clean, and here is the report from combofix.



ComboFix 10-10-16.01 - Greg 16/10/2010 22:22:13.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1919.1184 [GMT 1:00]
Running from: D:\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-09-16 to 2010-10-16 )))))))))))))))))))))))))))))))
.

2010-10-16 19:14 . 2010-10-16 19:14 388096 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-16 19:14 . 2010-10-16 19:14 -------- d-----w- c:\program files\Trend Micro
2010-10-15 09:04 . 2010-08-27 06:05 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-15 09:04 . 2010-04-27 13:54 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-10-15 09:04 . 2010-04-27 13:50 2190080 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-10-15 09:04 . 2010-04-27 13:14 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-10-15 09:03 . 2009-08-25 09:27 354816 ------w- c:\windows\system32\dllcache\winhttp.dll
2010-10-15 09:03 . 2010-10-15 09:03 -------- d-----w- c:\program files\BBC iPlayer Desktop
2010-10-15 09:03 . 2009-10-21 05:38 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2010-10-15 09:03 . 2009-10-21 05:38 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2010-10-15 09:03 . 2009-10-20 16:20 265728 ------w- c:\windows\system32\dllcache\http.sys
2010-10-15 05:51 . 2010-10-15 05:51 -------- d-----w- c:\windows\system32\URTTemp
2010-10-15 05:36 . 2010-10-15 09:05 -------- d--h--w- c:\windows\$hf_mig$
2010-10-15 05:34 . 2010-08-16 08:43 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-10-15 05:34 . 2010-09-01 11:48 285824 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-10-15 05:34 . 2010-08-31 13:38 1861888 ------w- c:\windows\system32\dllcache\win32k.sys
2010-10-15 05:33 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-15 05:33 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 05:33 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 05:31 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-15 05:31 . 2010-07-12 13:02 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-10-15 05:31 . 2010-07-16 12:04 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-15 05:30 . 2010-08-17 13:17 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-10-15 05:30 . 2010-06-18 17:43 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2010-10-15 05:29 . 2010-04-16 15:36 406016 ------w- c:\windows\system32\dllcache\usp10.dll
2010-10-15 05:29 . 2010-06-14 07:39 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-10-15 05:29 . 2010-08-26 13:37 357248 ------w- c:\windows\system32\dllcache\srv.sys
2010-10-15 05:27 . 2010-07-27 06:28 8463360 ------w- c:\windows\system32\dllcache\shell32.dll
2010-10-12 18:16 . 2010-10-12 18:16 -------- d-----w- c:\documents and settings\Greg\Application Data\Malwarebytes
2010-10-12 18:16 . 2010-10-12 18:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 18:16 . 2010-10-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-12 18:16 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-12 18:16 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 00:36 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-10 21:19 . 2010-10-10 21:19 -------- d-----w- c:\windows\system32\xircom
2010-10-10 21:19 . 2010-10-10 21:19 -------- d-----w- c:\windows\system32\wbem\snmp
2010-10-10 21:19 . 2010-10-10 21:19 -------- d-----w- c:\windows\system32\oobe
2010-10-10 21:19 . 2010-10-10 21:19 -------- d-----w- c:\program files\microsoft frontpage
2010-10-08 13:35 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-10-08 13:35 . 2010-10-08 13:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-08 13:32 . 2010-10-08 13:32 -------- d-----w- c:\documents and settings\Greg\Local Settings\Application Data\Sunbelt Software
2010-10-08 13:32 . 2010-10-08 13:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-08 13:31 . 2010-10-08 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-08 13:31 . 2010-10-08 13:31 -------- d-----w- c:\program files\Lavasoft
2010-09-18 11:23 . 2010-09-18 11:23 974848 ------w- c:\windows\system32\dllcache\mfc42u.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2009-04-20 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys


c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2010-10-15_13.29.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-16 19:14 . 2010-10-16 19:14 1094656 c:\windows\Installer\736edc9.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:03 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-14 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-13 7626752]
"nwiz"="nwiz.exe" [2006-07-13 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-13 86016]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-10-28 96816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-04-20 128512]

c:\documents and settings\Greg\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-10-15 142336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinTV Recording Status..lnk - c:\program files\WinTV\WinTV7\WinTVTray.exe [2009-7-31 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 10:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\AbelCam\\SetCulture.exe"=
"c:\\Program Files\\AbelCam\\AbelCam.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/10/2010 14:35 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [31/07/2009 11:16 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [31/07/2009 11:16 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [31/07/2009 11:16 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [31/07/2009 11:16 297752]
R2 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\TVServer\HAUPPA~1.EXE [31/07/2009 14:37 434176]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [29/10/2008 00:08 54960]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 13:15 1357464]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [31/08/2009 20:11 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [31/08/2009 20:11 234888]

--- Other Services/Drivers In Memory ---

*Deregistered* - Lavasoft Kernexplorer
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-10-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 13:35]

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 09:55]

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 09:55]

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1005Core.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-14 06:27]

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1005UA.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-14 06:27]

2010-10-16 c:\windows\Tasks\User_Feed_Synchronization-{02E12D8E-D7F3-470A-B04E-7811BCCB5D7A}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]

2010-10-16 c:\windows\Tasks\User_Feed_Synchronization-{E9E37F56-1DC0-4702-A82F-B7D9ABFB6A9E}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: {F615C0E8-ED11-4B38-8A3C-F02F138B0F1F} = 192.168.1.1
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1468)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-16 22:29:08
ComboFix-quarantined-files.txt 2010-10-16 21:29
ComboFix2.txt 2010-10-15 13:30
ComboFix3.txt 2010-10-13 18:05
ComboFix4.txt 2010-10-12 10:42
ComboFix5.txt 2010-10-16 21:21

Pre-Run: 10,734,714,880 bytes free
Post-Run: 10,724,786,176 bytes free

- - End Of File - - BFEDC93A6DFF8482AF6FCCA39B497112




Cheers
Greg


#6 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 October 2010 - 10:16 AM

Hi there,

2 files still in danger from what I see....would you please do a search for them and tell me what you find? I need exact paths to where they are, please:

wscntfy.exe (Part of Windows Security Center. It's there, just not where it should be) and tcpip.sys (failed sigcheck so I'd like to replace it to be sure it's all right)

Thanks,
tea

#7 quarky (Topic Starter)
  • Members
  • 9 posts

Posted 18 October 2010 - 11:42 AM

A search doesn't find wscntfy.exe at all, I believe it has gone. tcpip.sys appears in c:\windows\system32\drivers.

Shall I replace them both with the SP3 versions (I am running SP3)?

#8 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 October 2010 - 11:45 AM

You can.... wscntfy.exe didn't come out until SP2, so it *should* be in the SP3 pack. I'm surprised you didn't find a copy of tcpip.sys elsewhere. You got it all right? If so, when you're done, please run ComboFix again so we can see if those files are all right now. :)

tea

#9 quarky (Topic Starter)
  • Members
  • 9 posts

Posted 18 October 2010 - 02:59 PM

Thanks for your help Teabag.

Replaced those two files and ran combofix again. It still complains about TCPIP.SYS, although to be honest, I am not sure why. It is the same size, but I don't know what the checksum details should be.

On the machine with the problems, it is this:

File: tcpip.sys
CRC-32: c7935406
MD4: fa801583bbdaf0898e8f0662dc54a532
MD5: 9aefa14bd6b182d61e3119fa5f436d3d
SHA-1: 67e432a0c6a588e3b9aad49424b457db47a79b15

I haven't been able to find the checksum details on my other machines though, so I don't have a lot to compare it to....




ComboFix 10-10-17.04 - Greg 18/10/2010 20:34:47.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1919.1303 [GMT 1:00]
Running from: D:\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-09-18 to 2010-10-18 )))))))))))))))))))))))))))))))
.

2010-10-16 19:14 . 2010-10-16 19:14 388096 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-16 19:14 . 2010-10-16 19:14 -------- d-----w- c:\program files\Trend Micro
2010-10-15 09:04 . 2010-08-27 06:05 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-15 09:04 . 2010-04-27 13:54 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-10-15 09:04 . 2010-04-27 13:50 2190080 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-10-15 09:04 . 2010-04-27 13:14 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-10-15 09:03 . 2009-08-25 09:27 354816 ------w- c:\windows\system32\dllcache\winhttp.dll
2010-10-15 09:03 . 2010-10-15 09:03 -------- d-----w- c:\program files\BBC iPlayer Desktop
2010-10-15 09:03 . 2009-10-21 05:38 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2010-10-15 09:03 . 2009-10-21 05:38 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2010-10-15 09:03 . 2009-10-20 16:20 265728 ------w- c:\windows\system32\dllcache\http.sys
2010-10-15 05:51 . 2010-10-15 05:51 -------- d-----w- c:\windows\system32\URTTemp
2010-10-15 05:36 . 2010-10-15 09:05 -------- d--h--w- c:\windows\$hf_mig$
2010-10-15 05:34 . 2010-08-16 08:43 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-10-15 05:34 . 2010-09-01 11:48 285824 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-10-15 05:34 . 2010-08-31 13:38 1861888 ------w- c:\windows\system32\dllcache\win32k.sys
2010-10-15 05:33 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-15 05:33 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 05:33 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 05:31 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-15 05:31 . 2010-07-12 13:02 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-10-15 05:31 . 2010-07-16 12:04 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-15 05:30 . 2010-08-17 13:17 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-10-15 05:30 . 2010-06-18 17:43 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2010-10-15 05:29 . 2010-04-16 15:36 406016 ------w- c:\windows\system32\dllcache\usp10.dll
2010-10-15 05:29 . 2010-06-14 07:39 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-10-15 05:29 . 2010-08-26 13:37 357248 ------w- c:\windows\system32\dllcache\srv.sys
2010-10-15 05:27 . 2010-07-27 06:28 8463360 ------w- c:\windows\system32\dllcache\shell32.dll
2010-10-12 18:16 . 2010-10-12 18:16 -------- d-----w- c:\documents and settings\Greg\Application Data\Malwarebytes
2010-10-12 18:16 . 2010-10-12 18:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 18:16 . 2010-10-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-12 18:16 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-12 18:16 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 00:36 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-10 21:19 . 2010-10-10 21:19 -------- d-----w- c:\windows\system32\xircom
2010-10-10 21:19 . 2010-10-10 21:19 -------- d-----w- c:\windows\system32\wbem\snmp
2010-10-10 21:19 . 2010-10-10 21:19 -------- d-----w- c:\windows\system32\oobe
2010-10-10 21:19 . 2010-10-10 21:19 -------- d-----w- c:\program files\microsoft frontpage
2010-10-08 13:35 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-10-08 13:35 . 2010-10-08 13:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-08 13:32 . 2010-10-08 13:32 -------- d-----w- c:\documents and settings\Greg\Local Settings\Application Data\Sunbelt Software
2010-10-08 13:32 . 2010-10-08 13:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-08 13:31 . 2010-10-08 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-08 13:31 . 2010-10-08 13:31 -------- d-----w- c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2010-10-15_13.29.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-18 19:16 . 2010-10-18 19:16 16384 c:\windows\Temp\Perflib_Perfdata_250.dat
+ 2008-04-14 04:42 . 2008-04-14 04:42 13824 c:\windows\system32\wscntfy.exe
+ 2008-04-14 12:00 . 2010-10-18 19:21 72386 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2010-10-15 11:41 72386 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-10-18 19:21 444116 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2010-10-15 11:41 444116 c:\windows\system32\perfh009.dat
+ 2010-10-16 19:14 . 2010-10-16 19:14 1094656 c:\windows\Installer\736edc9.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:03 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-14 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-13 7626752]
"nwiz"="nwiz.exe" [2006-07-13 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-13 86016]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-10-28 96816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-04-20 128512]

c:\documents and settings\Greg\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-10-15 142336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinTV Recording Status..lnk - c:\program files\WinTV\WinTV7\WinTVTray.exe [2009-7-31 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 10:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\AbelCam\\SetCulture.exe"=
"c:\\Program Files\\AbelCam\\AbelCam.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/10/2010 14:35 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [31/07/2009 11:16 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [31/07/2009 11:16 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [31/07/2009 11:16 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [31/07/2009 11:16 297752]
R2 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\TVServer\HAUPPA~1.EXE [31/07/2009 14:37 434176]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [29/10/2008 00:08 54960]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 13:15 1357464]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [31/08/2009 20:11 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [31/08/2009 20:11 234888]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-10-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 13:35]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 09:55]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 09:55]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1005Core.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-14 06:27]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1005UA.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-14 06:27]

2010-10-18 c:\windows\Tasks\User_Feed_Synchronization-{02E12D8E-D7F3-470A-B04E-7811BCCB5D7A}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]

2010-10-18 c:\windows\Tasks\User_Feed_Synchronization-{E9E37F56-1DC0-4702-A82F-B7D9ABFB6A9E}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: {F615C0E8-ED11-4B38-8A3C-F02F138B0F1F} = 192.168.1.1
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1228)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-18 20:40:46
ComboFix-quarantined-files.txt 2010-10-18 19:40
ComboFix2.txt 2010-10-16 21:29
ComboFix3.txt 2010-10-15 13:30
ComboFix4.txt 2010-10-13 18:05
ComboFix5.txt 2010-10-18 19:33

Pre-Run: 10,612,363,264 bytes free
Post-Run: 10,615,336,960 bytes free

- - End Of File - - FF2F5376124568505A26BD57E0906A29
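The post above puts a ComboFix Sigcheck line next to a hand-computed checksum list and asks whether "same size" means "same file". As an added example (not part of this thread and not ComboFix's own code), the script below parses a Sigcheck line in the format shown in the log, parses a CRC-32/MD5/SHA-1 list like the one posted, fingerprints a local file with the same algorithms and reports whether size alone or the hashes agree; all file contents and paths in it are constructed.

```python
"""Added example: check a file against a ComboFix 'Sigcheck' line.

ComboFix reports a file that fails its signature check as
  [-] <date> . <MD5> . <size> . . [<file version>] . . <path>
Two files of equal size are not necessarily the same file; the hash
decides.  File contents and paths below are constructed, not real drivers.
"""
import hashlib
import os
import re
import tempfile
import zlib

# Field layout of the Sigcheck line as it appears in the ComboFix log
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+])\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(line):
    """Return the fields of one Sigcheck line; raise ValueError otherwise."""
    m = SIGCHECK_RE.match(line.strip())
    if not m:
        raise ValueError("not a Sigcheck line: %r" % line)
    return {
        "flag": m.group("flag"),        # '-' marks a failed check
        "date": m.group("date"),
        "md5": m.group("md5").lower(),
        "size": int(m.group("size")),
        "version": m.group("version"),
        "path": m.group("path"),
    }


def parse_checksum_list(text):
    """Parse 'CRC-32: ...', 'MD5: ...', 'SHA-1: ...' lines like the posted list."""
    names = {"crc-32": "crc32", "md4": "md4", "md5": "md5", "sha-1": "sha1"}
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        name = names.get(key.strip().lower())
        if sep and name:
            out[name] = value.strip().lower()
    return out


def fingerprint(path):
    """Size, CRC-32, MD5 and SHA-1 of a file, read in chunks."""
    md5, sha1, crc, size = hashlib.md5(), hashlib.sha1(), 0, 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
            crc = zlib.crc32(chunk, crc)
            size += len(chunk)
    return {"size": size, "crc32": "%08x" % (crc & 0xFFFFFFFF),
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def compare(expected, fp):
    """Compare whichever of size/crc32/md5/sha1 the reference supplies."""
    checks = {k: expected[k] == fp[k]
              for k in ("size", "crc32", "md5", "sha1") if k in expected}
    hash_keys = [k for k in checks if k != "size"]
    if not hash_keys:
        verdict = "inconclusive: size only"      # size proves nothing by itself
    elif all(checks[k] for k in hash_keys):
        verdict = "identical"
    elif checks.get("size", False):
        verdict = "same size, different content"
    else:
        verdict = "different file"
    return {"checks": checks, "verdict": verdict}


def demo():
    """Constructed walk-through: a reference file and a same-size altered copy."""
    reference = b"constructed reference bytes, not a real driver\n"
    altered = reference[:-1] + b"!"   # same length, last byte changed
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "tcpip.sys")
        bad = os.path.join(tmp, "tcpip_altered.sys")
        with open(good, "wb") as fh:
            fh.write(reference)
        with open(bad, "wb") as fh:
            fh.write(altered)
        ref = fingerprint(good)
        # Sigcheck-style reference line built from the good file (constructed)
        line = "[-] 2010-10-18 . %s . %d . . [0.0.0.0] . . %s" % (
            ref["md5"].upper(), ref["size"], good)
        expected = parse_sigcheck(line)
        return compare(expected, ref), compare(expected, fingerprint(bad))


if __name__ == "__main__":
    for result in demo():
        print(result["verdict"], result["checks"])
```

Fed the Sigcheck line and the checksum list from the post above, the two parsers return the same MD5 (9aefa14bd6b182d61e3119fa5f436d3d), so both tools were reading the same bytes; the demo shows how a file of identical size but different content is told apart.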

#10 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 October 2010 - 03:09 PM

Hi there,

Teabag? :) So what are you trying to say hmmmmm? :)

Not a problem....let's see how it does this way:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

FCOPY::
c:\windows\ServicePackFiles\i386\tcpip.sys | c:\windows\system32\drivers\tcpip.sys


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

tea

#11 quarky (Topic Starter)
  • Members
  • 9 posts

Posted 18 October 2010 - 04:19 PM

Ha ha, sorry Teacup61, I was just thinking of your logo :)

Log attached. I had a browse and don't have a c:\windows\ServicePackFiles so I am guessing that it didn't do much...




ComboFix 10-10-17.04 - Greg 18/10/2010 21:56:00.10.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1919.1334 [GMT 1:00]
Running from: D:\ComboFix.exe
Command switches used :: D:\cfscript.txt
.

((((((((((((((((((((((((( Files Created from 2010-09-18 to 2010-10-18 )))))))))))))))))))))))))))))))
.

2010-10-16 19:14 . 2010-10-16 19:14 388096 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-16 19:14 . 2010-10-16 19:14 -------- d-----w- c:\program files\Trend Micro
2010-10-15 09:04 . 2010-08-27 06:05 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-15 09:04 . 2010-04-27 13:54 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-10-15 09:04 . 2010-04-27 13:50 2190080 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-10-15 09:04 . 2010-04-27 13:14 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-10-15 09:03 . 2009-08-25 09:27 354816 ------w- c:\windows\system32\dllcache\winhttp.dll
2010-10-15 09:03 . 2010-10-15 09:03 -------- d-----w- c:\program files\BBC iPlayer Desktop
2010-10-15 09:03 . 2009-10-21 05:38 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2010-10-15 09:03 . 2009-10-21 05:38 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2010-10-15 09:03 . 2009-10-20 16:20 265728 ------w- c:\windows\system32\dllcache\http.sys
2010-10-15 05:51 . 2010-10-15 05:51 -------- d-----w- c:\windows\system32\URTTemp
2010-10-15 05:36 . 2010-10-15 09:05 -------- d--h--w- c:\windows\$hf_mig$
2010-10-15 05:34 . 2010-08-16 08:43 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-10-15 05:34 . 2010-09-01 11:48 285824 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-10-15 05:34 . 2010-08-31 13:38 1861888 ------w- c:\windows\system32\dllcache\win32k.sys
2010-10-15 05:33 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-15 05:33 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 05:33 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 05:31 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-15 05:31 . 2010-07-12 13:02 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-10-15 05:31 . 2010-07-16 12:04 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-15 05:30 . 2010-08-17 13:17 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-10-15 05:30 . 2010-06-18 17:43 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2010-10-15 05:29 . 2010-04-16 15:36 406016 ------w- c:\windows\system32\dllcache\usp10.dll
2010-10-15 05:29 . 2010-06-14 07:39 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-10-15 05:29 . 2010-08-26 13:37 357248 ------w- c:\windows\system32\dllcache\srv.sys
2010-10-15 05:27 . 2010-07-27 06:28 8463360 ------w- c:\windows\system32\dllcache\shell32.dll
2010-10-12 18:16 . 2010-10-12 18:16 -------- d-----w- c:\documents and settings\Greg\Application Data\Malwarebytes
2010-10-12 18:16 . 2010-10-12 18:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 18:16 . 2010-10-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-12 18:16 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-12 18:16 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 00:36 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-10 21:19 . 2010-10-10 21:19 -------- d-----w- c:\windows\system32\xircom
2010-10-10 21:19 . 2010-10-10 21:19 -------- d-----w- c:\windows\system32\wbem\snmp
2010-10-10 21:19 . 2010-10-10 21:19 -------- d-----w- c:\windows\system32\oobe
2010-10-10 21:19 . 2010-10-10 21:19 -------- d-----w- c:\program files\microsoft frontpage
2010-10-08 13:35 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-10-08 13:35 . 2010-10-08 13:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-08 13:32 . 2010-10-08 13:32 -------- d-----w- c:\documents and settings\Greg\Local Settings\Application Data\Sunbelt Software
2010-10-08 13:32 . 2010-10-08 13:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-08 13:31 . 2010-10-08 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-08 13:31 . 2010-10-08 13:31 -------- d-----w- c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2010-10-15_13.29.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-18 19:16 . 2010-10-18 19:16 16384 c:\windows\Temp\Perflib_Perfdata_250.dat
+ 2008-04-14 04:42 . 2008-04-14 04:42 13824 c:\windows\system32\wscntfy.exe
+ 2008-04-14 12:00 . 2010-10-18 19:21 72386 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2010-10-15 11:41 72386 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-10-18 19:21 444116 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2010-10-15 11:41 444116 c:\windows\system32\perfh009.dat
+ 2010-10-16 19:14 . 2010-10-16 19:14 1094656 c:\windows\Installer\736edc9.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:03 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-14 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-13 7626752]
"nwiz"="nwiz.exe" [2006-07-13 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-13 86016]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-10-28 96816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-04-20 128512]

c:\documents and settings\Greg\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-10-15 142336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinTV Recording Status..lnk - c:\program files\WinTV\WinTV7\WinTVTray.exe [2009-7-31 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 10:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\AbelCam\\SetCulture.exe"=
"c:\\Program Files\\AbelCam\\AbelCam.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/10/2010 14:35 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [31/07/2009 11:16 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [31/07/2009 11:16 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [31/07/2009 11:16 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [31/07/2009 11:16 297752]
R2 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\TVServer\HAUPPA~1.EXE [31/07/2009 14:37 434176]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [29/10/2008 00:08 54960]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 13:15 1357464]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [31/08/2009 20:11 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [31/08/2009 20:11 234888]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-10-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 13:35]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 09:55]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 09:55]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1005Core.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-14 06:27]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-484763869-1708537768-1005UA.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-14 06:27]

2010-10-18 c:\windows\Tasks\User_Feed_Synchronization-{02E12D8E-D7F3-470A-B04E-7811BCCB5D7A}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]

2010-10-18 c:\windows\Tasks\User_Feed_Synchronization-{E9E37F56-1DC0-4702-A82F-B7D9ABFB6A9E}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: {F615C0E8-ED11-4B38-8A3C-F02F138B0F1F} = 192.168.1.1
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3744)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-18 22:02:37
ComboFix-quarantined-files.txt 2010-10-18 21:02
ComboFix2.txt 2010-10-18 20:25
ComboFix3.txt 2010-10-18 19:40
ComboFix4.txt 2010-10-16 21:29
ComboFix5.txt 2010-10-18 20:55

Pre-Run: 10,620,153,856 bytes free
Post-Run: 10,609,004,544 bytes free

- - End Of File - - 4CDF8AFB9E4446B8DD6237A62B179C17

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 October 2010 - 04:39 PM

Hmmm....Go here and upload the file : http://www.virustotal.com/ it'll verify if the MD5 is good or not, for sure. Not sure why CF is still griping either, but I'd rather be safe than sorry. :)

tea

#13 quarky

quarky
  • Topic Starter

  • Members
  • 9 posts

Posted 18 October 2010 - 04:44 PM

Cheers, done that.

It said:

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis:

MD5: 9aefa14bd6b182d61e3119fa5f436d3d
Date first seen: 2009-02-19 13:13:25 (UTC)
Date last seen: 2010-10-14 20:42:14 (UTC)
Detection ratio: 0/41
What do you wish to do?



I clicked "reanalyze" and it came back with:

File name: tcpip.sys
Submission date: 2010-10-18 21:42:18 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)


So I guess it looks OK?
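
The check the thread does by hand in posts #10 to #13 (compare the live tcpip.sys with the untouched copy Windows keeps in dllcache or ServicePackFiles\i386, then confirm the MD5 that ComboFix printed in its Sigcheck line), as an added example that is not part of the original thread and not ComboFix's own code. It parses the Sigcheck line format seen in the log above, hashes the live driver and any backup copy it can find, and returns a verdict. Everything it inspects is a constructed stand-in built under a temp directory (fake driver bytes, fake %WINDIR% layout); the dllcache and ServicePackFiles\i386 locations are the assumed standard XP layout, and on a real machine you would pass the real C:\WINDOWS instead.

```python
"""Compare a Windows system driver with its pristine copies, as the thread does by hand.

Added example, not code from the BleepingComputer thread or from ComboFix.
Runs offline: the 'windows' tree it inspects is a constructed temp layout.
"""
import hashlib
import os
import re
import tempfile

# ComboFix Sigcheck line as printed in the log, e.g.
# [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(line):
    """Split one Sigcheck line into flag, date, md5 (lowercased), size, version, path."""
    m = SIGCHECK_RE.match(line.strip())
    if not m:
        raise ValueError("not a Sigcheck line: %r" % line)
    rec = m.groupdict()
    rec["md5"] = rec["md5"].lower()
    rec["size"] = int(rec["size"])
    return rec


def md5_of(path):
    """MD5 of a file, read in chunks. MD5 only because that is what the log records."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_candidates(windir, live_path):
    """Where XP keeps untouched copies of a system driver (assumed standard layout)."""
    name = os.path.basename(live_path)
    return [os.path.join(windir, "system32", "dllcache", name),
            os.path.join(windir, "ServicePackFiles", "i386", name)]


def check_driver(sigcheck_line, windir, live_path=None):
    """Hash the live file and its backups; say whether the live copy matches a pristine one."""
    rec = parse_sigcheck(sigcheck_line)
    live = live_path or rec["path"]
    result = {"logged_md5": rec["md5"], "live_md5": None, "backups": {}}
    if os.path.exists(live):
        result["live_md5"] = md5_of(live)
    for cand in backup_candidates(windir, live):
        result["backups"][cand] = md5_of(cand) if os.path.exists(cand) else None
    present = [h for h in result["backups"].values() if h]
    if result["live_md5"] is None:
        verdict = "live file missing"
    elif result["live_md5"] != rec["md5"]:
        verdict = "changed since ComboFix ran"          # re-scan before trusting anything
    elif not present:
        verdict = "no backup copy to compare against"   # quarky's case: no ServicePackFiles dir
    elif all(h == result["live_md5"] for h in present):
        verdict = "matches backup copies"
    else:
        verdict = "differs from backup copy"            # restore from the pristine copy, then re-hash
    result["verdict"] = verdict
    return result


def _scenario(root, name, live_bytes, dllcache_bytes):
    """Build a fake %WINDIR% under a temp dir (constructed data, not real drivers) and check it."""
    windir = os.path.join(root, name, "windows")
    drivers = os.path.join(windir, "system32", "drivers")
    dllcache = os.path.join(windir, "system32", "dllcache")
    os.makedirs(drivers)
    os.makedirs(dllcache)
    live = os.path.join(drivers, "tcpip.sys")
    with open(live, "wb") as f:
        f.write(live_bytes)
    if dllcache_bytes is not None:
        with open(os.path.join(dllcache, "tcpip.sys"), "wb") as f:
            f.write(dllcache_bytes)
    # Sigcheck line built from the constructed file so the logged MD5 matches the live one.
    line = "[-] 2008-06-20 . %s . %d . . [5.1.2600.5625] . . c:\\windows\\system32\\drivers\\tcpip.sys" % (
        hashlib.md5(live_bytes).hexdigest().upper(), len(live_bytes))
    return check_driver(line, windir, live_path=live)


def run_demo():
    """Three cases: live == backup, live != backup, and no backup present at all."""
    good = b"MZ" + b"\x00" * 300 + b"constructed stand-in for tcpip.sys"
    bad = good[:-4] + b"HOOK"   # pristine copy whose bytes differ from the live file
    root = tempfile.mkdtemp()
    return {"clean": _scenario(root, "clean", good, good),
            "mismatch": _scenario(root, "mismatch", good, bad),
            "no_backup": _scenario(root, "no_backup", good, None)}


if __name__ == "__main__":
    for name, r in run_demo().items():
        print("%-10s live=%s verdict=%s" % (name, r["live_md5"], r["verdict"]))
```

On a real XP box the call is `check_driver(line, r"C:\WINDOWS")` with the Sigcheck line pasted straight from ComboFix.txt. Two caveats a practitioner would want: a 0/43 VirusTotal result on a hash first seen in 2009 only says no engine flags that build, whereas byte-for-byte equality with the dllcache or ServicePackFiles copy is the stronger evidence; and MD5 is used here only because that is what the log records, so when you keep your own known-good list, record SHA-256 as well.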

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 October 2010 - 04:49 PM

Well I trust it, for sure. :)

Okay then....still seeing that outdated AVG8! That needs to be updated to the latest build and make sure the old is uninstalled. Also, you have a piece of worthless garbage running around....uninstall anything to do with Ask in Add/Remove programs, reboot.

Uninstall ComboFix : Click Start>Run> type in, or copy and paste ComboFix /Uninstall > hit OK

Still running all right then? :)

tea

Edited by teacup61, 18 October 2010 - 04:49 PM.
added bold text


#15 quarky

quarky
  • Topic Starter

  • Members
  • 9 posts

Posted 18 October 2010 - 04:51 PM

Cheers. I will remove AVG8 and get the latest version, and remove ASK. Then remove combofix.

Apart from that, do I get a clean bill of health from the log files you have seen?



