IE Hijacked AV and Malwarebytes not helping


  • This topic is locked
12 replies to this topic

#1 Amish Pirate


Posted 08 February 2011 - 12:14 PM

We have a PC that seems jinxed: IE continually gets hijacked and will just start opening window after window, basically rendering it useless. I can start in Safe Mode without an issue and was able to run a full AV scan with my installed, up-to-date ESET, and it found nothing. Ran Malwarebytes and it picks up a Trojan.Pincher on the C: drive and in the Start menu and will clean it. However, after a short time (30 minutes to a couple of hours) it will start doing it again, even if we've basically done nothing but let the machine sit there that entire time. We've tried reformatting and a clean OS (Win7) install 3 times now, and again the same thing will happen.

These logs are from before the last Malwarebytes cleaning run.


DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by operator at 11:02:46.07 on Tue 02/08/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3292.2884 [GMT -5:00]

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\operator\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
uRun: [avserver] c:\windows\system32\avserver.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtDCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avserver] c:\windows\system32\avserver.exe
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\avserver.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableInstallerDetection = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableVirtualization = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-6-20 273448]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

=============== Created Last 30 ================

2011-02-08 14:24:58 102912 ----a-w- c:\progra~2\microsoft\windows\start menu\programs\startup\avserver.exe
2011-02-08 14:03:01 156312 ----a-w- c:\windows\system32\RemoteExecAgent.exe
2011-02-08 13:51:02 102912 ----a-w- c:\windows\system32\avserver.exe
2011-02-08 13:33:15 102912 ----a-w- C:\avserver.exe
2011-02-07 23:24:49 -------- d-----w- c:\windows\Panther
2011-02-07 23:24:26 -------- d-----w- c:\windows\system32\oem
2011-02-07 21:15:29 -------- d-----w- c:\users\operator\appdata\local\Jack Henry and Associates
2011-02-07 21:15:23 -------- d-----w- c:\program files\Jack Henry & Associates
2011-02-07 21:12:58 -------- d-----w- c:\progra~2\Jack Henry and Associates
2011-02-07 21:12:36 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{07b57882-5543-45de-aa5f-38dc3df066b4}\mpengine.dll
2011-02-07 20:36:57 398848 ----a-w- c:\windows\system32\TVWizudlg.exe
2011-02-07 20:36:57 140288 ----a-w- c:\windows\system32\igfxtvcx.dll
2011-02-07 20:34:45 -------- d-----w- c:\windows\system32\BioAPIFFDB
2011-02-07 20:33:04 -------- d-----w- c:\program files\Broadcom
2011-02-07 20:32:42 -------- d-----w- c:\windows\system32\wbem\Performance
2011-02-07 20:32:01 -------- d-----w- c:\windows\system32\RTCOM
2011-02-07 20:29:36 -------- d-sh--w- C:\Recovery

==================== Find3M ====================


============= FINISH: 11:03:00.81 ===============

Additional note: C:\avserver.exe and the same file in StartUp were deleted by Malwarebytes as the Pincher trojan, but it has done this before as well.

EDIT: Posts merged ~BP

Edited by Budapest, 08 February 2011 - 04:14 PM.


#2 miekiemoes

Malware Killer Dog
Malware Response Team

Posted 09 February 2011 - 02:51 AM

Hi,

It looks like you are dealing with an autorun worm. Have you been using a flash drive after you formatted and reinstalled Windows? Because that may explain a lot.
Can you update and rescan with Malwarebytes? This is because I want to see whether it detects all instances of avserver.exe here.
Please post the log from Malwarebytes in your next reply + a NEW DDS log after deletion of what Malwarebytes found. Note: the DDS log should be made after reboot, after the Malwarebytes removal.

Edited by miekiemoes, 09 February 2011 - 02:51 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Amish Pirate


Posted 09 February 2011 - 10:50 AM

Overnight it seems to have gotten infected again, but with a different file this time than the first. No USB devices other than keyboard and mouse have been plugged into this machine.

Malwarebytes and DDS log below.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5720

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

2/9/2011 10:40:05 AM
mbam-log-2011-02-09 (10-40-05).txt

Scan type: Full scan (C:\|)
Objects scanned: 227699
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spyware Protection (Rogue.SecurityCentral) -> Value: Spyware Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\defender.exe (Rogue.SecurityCentral) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Startup\defender.exe (Rogue.SecurityCentral) -> Quarantined and deleted successfully.


------------------------------------------------------------------


DDS (Ver_10-12-12.02) - NTFSx86
Run by tdavidson at 10:43:12.11 on Wed 02/09/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3292.2652 [GMT -5:00]

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\WScript.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\sppsvc.exe
C:\Users\operator\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.google.com/
mSearch Bar = Preserve
uInternet Settings,ProxyOverride = <local>
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtDCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avserver] c:\windows\system32\avserver.exe
mRun: [F-PROT Antivirus Tray application] c:\program files\frisk software\f-prot antivirus for windows\FProtTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableInstallerDetection = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableVirtualization = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Trusted Zone: intuit.com\ttlc
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {2B9A0A7B-FBBD-4131-BBAB-1F472E5341E4} = 192.168.248.1,192.168.248.7
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FPAV_RTP.sys [2011-2-8 693080]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-6-20 273448]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S4 FPAVServer;F-PROT Antivirus for Windows system;"c:\program files\frisk software\f-prot antivirus for windows\fpavserver.exe" --> c:\program files\frisk software\f-prot antivirus for windows\FPAVServer.exe [?]

=============== Created Last 30 ================

2011-02-09 15:15:54 -------- d-----w- c:\users\tdavid~1\appdata\roaming\Malwarebytes
2011-02-09 14:40:14 178430 ----a-w- c:\windows\iesettings.reg
2011-02-09 13:05:40 -------- d-----w- c:\users\tdavid~1\appdata\local\Microsoft Help
2011-02-09 08:05:10 4247040 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2011-02-09 08:05:10 1413632 ----a-w- c:\windows\system32\ole32.dll
2011-02-09 08:05:03 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-02-09 08:04:40 257024 ----a-w- c:\windows\system32\msv1_0.dll
2011-02-09 08:04:32 172032 ----a-w- c:\windows\system32\wintrust.dll
2011-02-09 08:04:26 316928 ----a-w- c:\windows\system32\spoolsv.exe
2011-02-09 08:04:04 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-02-09 08:04:04 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-02-09 08:04:04 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-02-09 08:04:04 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-02-09 08:04:04 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-09 08:02:57 37376 ----a-w- c:\windows\system32\rtutils.dll
2011-02-09 08:01:56 84480 ----a-w- c:\windows\system32\mciavi32.dll
2011-02-08 22:05:11 2421760 ----a-w- c:\windows\system32\wucltux.dll
2011-02-08 22:05:04 87552 ----a-w- c:\windows\system32\wudriver.dll
2011-02-08 22:04:57 33792 ----a-w- c:\windows\system32\wuapp.exe
2011-02-08 22:04:57 171608 ----a-w- c:\windows\system32\wuwebv.dll
2011-02-08 20:39:49 693080 ----a-w- c:\windows\system32\drivers\FPAV_RTP.sys
2011-02-08 20:39:47 -------- d-----w- c:\program files\FRISK Software
2011-02-08 20:39:47 -------- d-----w- c:\progra~2\FRISK Software
2011-02-08 20:37:26 -------- d-----w- c:\users\tdavid~1\appdata\local\Jack Henry and Associates
2011-02-08 16:15:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-08 16:15:24 -------- d-----w- c:\progra~2\Malwarebytes
2011-02-08 16:15:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-08 16:15:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-08 14:03:01 156312 ----a-w- c:\windows\system32\RemoteExecAgent.exe
2011-02-08 13:51:02 102912 ----a-w- c:\windows\system32\avserver.exe
2011-02-07 23:24:49 -------- d-----w- c:\windows\Panther
2011-02-07 23:24:26 -------- d-----w- c:\windows\system32\oem
2011-02-07 21:15:23 -------- d-----w- c:\program files\Jack Henry & Associates
2011-02-07 21:12:58 -------- d-----w- c:\progra~2\Jack Henry and Associates
2011-02-07 21:12:36 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{07b57882-5543-45de-aa5f-38dc3df066b4}\mpengine.dll
2011-02-07 20:39:31 -------- d-----w- C:\import
2011-02-07 20:36:57 398848 ----a-w- c:\windows\system32\TVWizudlg.exe
2011-02-07 20:36:57 140288 ----a-w- c:\windows\system32\igfxtvcx.dll
2011-02-07 20:34:45 -------- d-----w- c:\windows\system32\BioAPIFFDB
2011-02-07 20:33:04 -------- d-----w- c:\program files\Broadcom
2011-02-07 20:32:42 -------- d-----w- c:\windows\system32\wbem\Performance
2011-02-07 20:32:01 -------- d-----w- c:\windows\system32\RTCOM
2011-02-07 20:29:36 -------- d-sh--w- C:\Recovery

==================== Find3M ====================


============= FINISH: 10:43:35.51 ===============
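The first DDS log (post #1) shows avserver.exe registered in HKCU\Run, HKLM\Run and the all-users Startup folder at once; the log above still carries the HKLM\Run entry, and both logs report every UAC value under Policies\System as 0. The following Python script is an added example, not code from this thread, from BleepingComputer or from the DDS tool: it parses the "Pseudo HJT Report" lines DDS prints and flags those patterns (one binary in several autorun locations, executables in the drive root or the Startup folder, UAC policies at 0). The sample input is a constructed subset of the first log's lines, and the regular expressions assume the DDS line format exactly as it appears in the logs above.

```python
"""Triage of DDS 'Pseudo HJT Report' autorun and policy lines.

Added example: not code from the thread, from BleepingComputer or from
the DDS tool. It reads the text lines DDS prints and flags three patterns
visible in the logs posted in this thread: one binary registered in
several autorun locations, executables living in the drive root or the
all-users Startup folder, and UAC policy values reported as 0.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the first DDS log in this thread.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = <local>
uRun: [avserver] c:\windows\system32\avserver.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtDCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [avserver] c:\windows\system32\avserver.exe
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\avserver.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Notify: igfxcui - igfxdev.dll
"""

# DDS prefixes: uRun = HKCU\...\Run (per user), mRun = HKLM\...\Run (machine-wide).
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<path>.+)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")

# UAC settings under HKLM\...\Policies\System. EnableLUA = 0 switches UAC off
# outright; the others are the remaining values of the same block, listed so
# the report shows the whole block when it has been zeroed.
UAC_KEYS = {
    "EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop",
    "EnableSecureUIAPaths", "EnableInstallerDetection", "EnableVirtualization",
    "EnableUIADesktopToggle", "ConsentPromptBehaviorUser",
}


def parse_autoruns(text):
    """Return (entries, policies): entries are (location, name, path) tuples
    with lower-cased paths; policies maps a policy name to its integer value."""
    entries, policies = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            loc = "HKCU\\Run" if m["hive"] == "u" else "HKLM\\Run"
            entries.append((loc, m["name"], m["path"].lower()))
            continue
        m = STARTUP_RE.match(line)
        if m:
            path = m["path"].lower()
            entries.append(("StartupFolder", path.rsplit("\\", 1)[-1], path))
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m["key"]] = int(m["val"])
    return entries, policies


def triage(text):
    """Return a list of human-readable findings for one DDS report."""
    entries, policies = parse_autoruns(text)
    findings = []
    locations_by_binary = defaultdict(set)
    for loc, _name, path in entries:
        binary = path.rsplit("\\", 1)[-1]
        locations_by_binary[binary].add(loc)
        # A binary sitting directly in the drive root (c:\foo.exe) or in the
        # all-users Startup folder is rarely legitimate software.
        if re.match(r"^[a-z]:\\[^\\]+$", path) or "\\startup\\" in path:
            findings.append(f"unusual autorun location: {path}")
    for binary, locs in locations_by_binary.items():
        if len(locs) > 1:
            findings.append(
                f"{binary} registered in {len(locs)} autorun locations: "
                + ", ".join(sorted(locs))
            )
    if policies.get("EnableLUA") == 0:
        findings.append("UAC disabled (EnableLUA = 0)")
    zeroed = sorted(k for k in UAC_KEYS if k != "EnableLUA" and policies.get(k) == 0)
    if zeroed:
        findings.append("other UAC policy values reported as 0: " + ", ".join(zeroed))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

Run against the full "Pseudo HJT Report" section of either DDS log, the script reports the Startup-folder copy, the three-way registration of avserver.exe and the zeroed UAC block; the ordinary Realtek and Intel entries produce nothing. A clean report, such as one containing only the vendor mRun lines, yields an empty list, which is what the triage loop in a helper's workflow should treat as "nothing to see here".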

#4 miekiemoes


Posted 09 February 2011 - 11:08 AM

Hi,

First of all, go to this page.
Enter the URL of this thread in the first field.
Where it says "browse to the file that you want to submit", click the Browse button next to it and browse to the following file:

c:\windows\system32\avserver.exe

Select it and click OK.
Then click the Send File button below.

Then,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Edited by miekiemoes, 09 February 2011 - 11:10 AM.


#5 Amish Pirate


Posted 09 February 2011 - 01:59 PM

File submitted, running combofix now.

#6 miekiemoes


Posted 09 February 2011 - 02:03 PM

Hi,

The file you submitted appears to be a "dummy" file. I guess this happened because the "defender" file came in place afterwards.
Anyway, we will deal with the rest via Combofix.

#7 Amish Pirate


Posted 09 February 2011 - 02:49 PM

ComboFix log:

ComboFix 11-02-09.02 - operator 02/09/2011 14:04:14.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3292.2561 [GMT -5:00]
Running from: c:\users\operator\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://uecusecurity:8530
.
((((((((((((((((((((((((( Files Created from 2011-01-09 to 2011-02-09 )))))))))))))))))))))))))))))))
.

2011-02-09 19:06 . 2011-02-09 19:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-09 18:13 . 2011-02-09 18:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-09 14:40 . 2011-02-09 14:35 178430 ----a-w- c:\windows\iesettings.reg
2011-02-09 13:05 . 2011-02-09 13:09 -------- d-----w- c:\programdata\Microsoft Help
2011-02-09 08:05 . 2010-06-29 05:02 1413632 ----a-w- c:\windows\system32\ole32.dll
2011-02-09 08:05 . 2010-06-29 04:57 4247040 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-02-09 08:05 . 2010-06-14 06:12 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-02-09 08:04 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2011-02-09 08:04 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2011-02-09 08:04 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2011-02-09 08:04 . 2009-11-25 17:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-02-09 08:04 . 2009-11-25 17:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-02-09 08:04 . 2009-11-25 17:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-02-09 08:04 . 2009-11-25 17:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-02-09 08:04 . 2009-11-25 17:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-09 08:02 . 2010-06-19 06:23 37376 ----a-w- c:\windows\system32\rtutils.dll
2011-02-09 08:01 . 2009-12-19 09:02 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2011-02-08 22:05 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2011-02-08 22:05 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2011-02-08 22:05 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2011-02-08 22:05 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2011-02-08 22:05 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2011-02-08 22:05 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2011-02-08 22:05 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2011-02-08 22:04 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2011-02-08 22:04 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2011-02-08 20:39 . 2010-09-22 17:47 693080 ----a-w- c:\windows\system32\drivers\FPAV_RTP.sys
2011-02-08 20:39 . 2011-02-09 14:53 -------- d-----w- c:\program files\FRISK Software
2011-02-08 20:39 . 2011-02-08 20:39 -------- d-----w- c:\programdata\FRISK Software
2011-02-08 20:36 . 2011-02-08 20:36 -------- d-----w- c:\users\tdavidson
2011-02-08 19:26 . 2011-02-08 19:26 -------- d-----w- c:\windows\system32\Macromed
2011-02-08 16:15 . 2011-02-08 16:15 -------- d-----w- c:\programdata\Malwarebytes
2011-02-08 16:15 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-08 16:15 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-08 14:03 . 2011-02-08 14:03 156312 ----a-w- c:\windows\system32\RemoteExecAgent.exe
2011-02-08 13:51 . 2011-02-08 13:29 102912 ----a-w- c:\windows\system32\avserver.exe
2011-02-08 13:33 . 2011-02-08 20:34 -------- d-----w- c:\users\opsadmin
2011-02-07 23:24 . 2011-02-07 20:29 -------- d-----w- c:\windows\Panther
2011-02-07 23:24 . 2011-02-07 23:24 -------- d-----w- c:\windows\system32\oem
2011-02-07 21:15 . 2011-02-07 21:15 -------- d-----w- c:\program files\Jack Henry & Associates
2011-02-07 21:13 . 2011-02-07 21:13 -------- d-----w- c:\users\buadmin
2011-02-07 21:12 . 2011-02-07 21:12 -------- d-----w- c:\programdata\Jack Henry and Associates
2011-02-07 21:12 . 2011-02-02 22:10 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{07B57882-5543-45DE-AA5F-38DC3DF066B4}\mpengine.dll
2011-02-07 20:39 . 2011-02-07 20:39 -------- d-----w- C:\import
2011-02-07 20:39 . 2011-02-07 21:14 -------- d-----w- c:\users\operator
2011-02-07 20:36 . 2011-02-07 20:36 -------- d-----w- c:\program files\Intel
2011-02-07 20:36 . 2009-08-13 19:16 398848 ----a-w- c:\windows\system32\TVWizudlg.exe
2011-02-07 20:36 . 2009-08-13 19:16 140288 ----a-w- c:\windows\system32\igfxtvcx.dll
2011-02-07 20:34 . 2011-02-07 20:34 -------- d-----w- c:\windows\system32\BioAPIFFDB
2011-02-07 20:33 . 2011-02-07 20:33 -------- d-----w- c:\program files\Broadcom
2011-02-07 20:32 . 2011-02-09 18:31 -------- d-----w- c:\windows\system32\wbem\Performance
2011-02-07 20:32 . 2011-02-07 20:32 -------- d-----w- c:\windows\system32\RTCOM
2011-02-07 20:29 . 2011-02-07 20:29 -------- d-----w- c:\users\admin
2011-02-07 20:29 . 2011-02-07 20:29 -------- d-----w- C:\Recovery

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avserver"="c:\windows\system32\avserver.exe" [2011-02-08 102912]
"Spyware Protection"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtDCpl.exe" [2009-08-26 2691072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-21 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-21 151064]
"avserver"="c:\windows\system32\avserver.exe" [2011-02-08 102912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-1112\Scripts\Logoff\0\0]
"Script"=logoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-1112\Scripts\Logon\0\0]
"Script"=login.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-1112\Scripts\Logon\0\1]
"Script"=FolderWatch.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3262\Scripts\Logoff\0\0]
"Script"=logoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3262\Scripts\Logon\0\0]
"Script"=login.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3262\Scripts\Logon\0\1]
"Script"=FolderWatch.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3297\Scripts\Logoff\0\0]
"Script"=logoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3297\Scripts\Logon\0\0]
"Script"=login.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3297\Scripts\Logon\0\1]
"Script"=FolderWatch.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3705\Scripts\Logoff\0\0]
"Script"=logoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3705\Scripts\Logon\0\0]
"Script"=login.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3705\Scripts\Logon\0\1]
"Script"=FolderWatch.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

R3 PSEXESVC;PsExec;c:\windows\PSEXESVC.EXE [x]
R4 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [x]
S1 FPAV_RTP;FPAV_RTP;c:\windows\system32\DRIVERS\FPAV_RTP.sys [2010-09-22 693080]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-06-20 273448]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - WUDFPF
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com/
mSearch Bar = Preserve
uInternet Settings,ProxyOverride = <local>
Trusted Zone: intuit.com\ttlc
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-F-PROT Antivirus Tray application - c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-02-09 14:07:29
ComboFix-quarantined-files.txt 2011-02-09 19:07

Pre-Run: 303,195,316,224 bytes free
Post-Run: 303,168,552,960 bytes free

- - End Of File - - 357172A032A1EEEDC3E50054103E3860

#8 miekiemoes


Posted 09 February 2011 - 02:54 PM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\avserver.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avserver"=-
"Spyware Protection"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avserver"=-


Save this as a txt file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#9 Amish Pirate


Posted 10 February 2011 - 07:13 AM

OK... script run:

ComboFix 11-02-09.02 - operator 02/10/2011 7:04.2.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3292.2802 [GMT -5:00]
Running from: c:\users\operator\Desktop\ComboFix.exe
Command switches used :: c:\users\operator\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\avserver.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\avserver.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-10 to 2011-02-10 )))))))))))))))))))))))))))))))
.

2011-02-10 12:06 . 2011-02-10 12:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-09 18:13 . 2011-02-09 18:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-09 14:40 . 2011-02-09 14:35 178430 ----a-w- c:\windows\iesettings.reg
2011-02-09 13:05 . 2011-02-09 13:09 -------- d-----w- c:\programdata\Microsoft Help
2011-02-09 08:05 . 2010-06-29 05:02 1413632 ----a-w- c:\windows\system32\ole32.dll
2011-02-09 08:05 . 2010-06-29 04:57 4247040 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-02-09 08:05 . 2010-06-14 06:12 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-02-09 08:04 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2011-02-09 08:04 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2011-02-09 08:04 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2011-02-09 08:04 . 2009-11-25 17:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-02-09 08:04 . 2009-11-25 17:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-02-09 08:04 . 2009-11-25 17:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-02-09 08:04 . 2009-11-25 17:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-02-09 08:04 . 2009-11-25 17:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-09 08:02 . 2010-06-19 06:23 37376 ----a-w- c:\windows\system32\rtutils.dll
2011-02-09 08:01 . 2009-12-19 09:02 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2011-02-08 22:05 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2011-02-08 22:05 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2011-02-08 22:05 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2011-02-08 22:05 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2011-02-08 22:05 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2011-02-08 22:05 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2011-02-08 22:05 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2011-02-08 22:04 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2011-02-08 22:04 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2011-02-08 20:39 . 2010-09-22 17:47 693080 ----a-w- c:\windows\system32\drivers\FPAV_RTP.sys
2011-02-08 20:39 . 2011-02-09 14:53 -------- d-----w- c:\program files\FRISK Software
2011-02-08 20:39 . 2011-02-08 20:39 -------- d-----w- c:\programdata\FRISK Software
2011-02-08 20:36 . 2011-02-08 20:36 -------- d-----w- c:\users\tdavidson
2011-02-08 19:26 . 2011-02-08 19:26 -------- d-----w- c:\windows\system32\Macromed
2011-02-08 16:15 . 2011-02-08 16:15 -------- d-----w- c:\programdata\Malwarebytes
2011-02-08 16:15 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-08 16:15 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-08 14:03 . 2011-02-08 14:03 156312 ----a-w- c:\windows\system32\RemoteExecAgent.exe
2011-02-08 13:33 . 2011-02-08 20:34 -------- d-----w- c:\users\opsadmin
2011-02-07 23:24 . 2011-02-07 20:29 -------- d-----w- c:\windows\Panther
2011-02-07 23:24 . 2011-02-07 23:24 -------- d-----w- c:\windows\system32\oem
2011-02-07 21:15 . 2011-02-07 21:15 -------- d-----w- c:\program files\Jack Henry & Associates
2011-02-07 21:13 . 2011-02-07 21:13 -------- d-----w- c:\users\buadmin
2011-02-07 21:12 . 2011-02-07 21:12 -------- d-----w- c:\programdata\Jack Henry and Associates
2011-02-07 21:12 . 2011-02-02 22:10 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{07B57882-5543-45DE-AA5F-38DC3DF066B4}\mpengine.dll
2011-02-07 20:39 . 2011-02-07 20:39 -------- d-----w- C:\import
2011-02-07 20:39 . 2011-02-07 21:14 -------- d-----w- c:\users\operator
2011-02-07 20:36 . 2011-02-07 20:36 -------- d-----w- c:\program files\Intel
2011-02-07 20:36 . 2009-08-13 19:16 398848 ----a-w- c:\windows\system32\TVWizudlg.exe
2011-02-07 20:36 . 2009-08-13 19:16 140288 ----a-w- c:\windows\system32\igfxtvcx.dll
2011-02-07 20:34 . 2011-02-07 20:34 -------- d-----w- c:\windows\system32\BioAPIFFDB
2011-02-07 20:33 . 2011-02-07 20:33 -------- d-----w- c:\program files\Broadcom
2011-02-07 20:32 . 2011-02-09 19:56 -------- d-----w- c:\windows\system32\wbem\Performance
2011-02-07 20:32 . 2011-02-07 20:32 -------- d-----w- c:\windows\system32\RTCOM
2011-02-07 20:29 . 2011-02-07 20:29 -------- d-----w- c:\users\admin
2011-02-07 20:29 . 2011-02-07 20:29 -------- d-----w- C:\Recovery

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtDCpl.exe" [2009-08-26 2691072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-21 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-21 151064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-1112\Scripts\Logoff\0\0]
"Script"=logoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-1112\Scripts\Logon\0\0]
"Script"=login.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-1112\Scripts\Logon\0\1]
"Script"=FolderWatch.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3262\Scripts\Logoff\0\0]
"Script"=logoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3262\Scripts\Logon\0\0]
"Script"=login.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3262\Scripts\Logon\0\1]
"Script"=FolderWatch.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3297\Scripts\Logoff\0\0]
"Script"=logoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3297\Scripts\Logon\0\0]
"Script"=login.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3297\Scripts\Logon\0\1]
"Script"=FolderWatch.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3705\Scripts\Logoff\0\0]
"Script"=logoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3705\Scripts\Logon\0\0]
"Script"=login.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1978083912-2069900401-452798024-3705\Scripts\Logon\0\1]
"Script"=FolderWatch.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

R3 PSEXESVC;PsExec;c:\windows\PSEXESVC.EXE [x]
R4 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [x]
S1 FPAV_RTP;FPAV_RTP;c:\windows\system32\DRIVERS\FPAV_RTP.sys [2010-09-22 693080]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-06-20 273448]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - WUDFPF
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com/
mSearch Bar = Preserve
uInternet Settings,ProxyOverride = <local>
Trusted Zone: intuit.com\ttlc
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-02-10 07:07:29
ComboFix-quarantined-files.txt 2011-02-10 12:07
ComboFix2.txt 2011-02-09 19:07

Pre-Run: 303,206,211,584 bytes free
Post-Run: 303,162,671,104 bytes free

- - End Of File - - C98A3C1628854845B10F5BE5B1C87ED8

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 February 2011 - 08:01 AM

Hi,

This looks OK again. How are things now?

By the way, I suggest you install a more powerful Antivirus than F-Prot. See my signature below under Antivirus for the ones I recommend.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Amish Pirate
  • Topic Starter

  • Members
  • 15 posts

Posted 10 February 2011 - 08:05 AM

So far, so good.

Thanks for your help.

FYI, normally we use ESET NOD32; I was just trying different things with F-Prot since nothing seemed to be helping.

#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 February 2011 - 08:09 AM

While F-Prot isn't bad at all, if I were you, I would stick with ESET ;)

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Edited by miekiemoes, 10 February 2011 - 08:10 AM.


#13 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 February 2011 - 01:53 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



