Virus keeps coming back and cannot detect the root of it


  • This topic is locked
12 replies to this topic

#1 fagong428

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 08 February 2011 - 09:59 PM

Referred from here: http://www.bleepingcomputer.com/forums/topic378271.html ~ OB

Hello!

I have been encountering a problem these past weeks. It seems that something is creating a virus over and over again on my system. I ran a Malwarebytes full scan and my antivirus is Avira Premium, but to no avail; the problem keeps coming back.

My antivirus blocks this kind of virus (12.exe, 96.exe, 36.exe, igfxdkp2.exe) over and over again at different intervals.

Malwarebytes also detects 3 infections, but after I restart the infection is back again.

I hope someone can help me :blink:

And sometimes there is a "Generic Host32" error or something, then my audio stops working (but after I restart it's back to normal again).


Here is my DDS log



DDS (Ver_10-12-12.02) - NTFSx86
Run by Marc at 10:03:32.59 on Wed 02/09/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1210 [GMT 8:00]

AV: AntiVir Desktop *Enabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\SysTrayX\SYSTRAYX.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinTools Software\RAM Saver Professional\ramsaverpro.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sun Broadband Wireless\Sun Broadband Wireless.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net1.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Desktop\gmer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Documents and Settings\Marc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=102866&l=dis&gct=hp
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - e:\mac\thunder\comdlls\TDAtOnce_Now.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [RAMSaverPro] c:\program files\wintools software\ram saver professional\ramsaverpro.exe
uRun: [Google Update] "c:\documents and settings\marc\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [cFosSpeed] c:\program files\cfosspeed\cFosSpeed.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [VTPreset] VTPreset.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [conime] conime.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [EssSpkPhone] essspk1.exe -c
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Intel Display Driver] c:\windows\system32\igfxman32.exe
mRunOnce: [SYSTRAYX] c:\systrayx\RUNSTX.EXE
StartupFolder: c:\docume~1\marc\startm~1\programs\startup\systrayx.lnk - c:\systrayx\SysTrayX.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audiod~1.lnk - c:\program files\via technologies, inc\via audio driver setup program\audiodeck\AudioDeck.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: 使用迅雷下载 - e:\mac\thunder\program\geturl.htm
IE: 使用迅雷下载全部链接 - e:\mac\thunder\program\getallurl.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marc\applic~1\mozilla\firefox\profiles\adky7eg5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=102866&l=dis&gct=hp
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=STT&o=102866&locale=en_US&apn_uid=5B4029DA-7D7A-423F-9454-69CED02F7A9B&apn_ptnrs=5N&apn_sauid=463DA0E8-7CE2-45B7-B91F-C6E157EC5FB5&apn_dtid=YYYYYYYYPH&q=
FF - component: c:\documents and settings\marc\application data\mozilla\firefox\profiles\adky7eg5.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\documents and settings\marc\application data\mozilla\firefox\profiles\adky7eg5.default\extensions\mintrayr@tn123.ath.cx\components\trayToolkit.dll
FF - plugin: c:\documents and settings\marc\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Fasterfox Lite: FasterFox_Lite@BigRedBrent - %profile%\extensions\FasterFox_Lite@BigRedBrent
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: MinimizeToTray revived (MinTrayR): mintrayr@tn123.ath.cx - %profile%\extensions\mintrayr@tn123.ath.cx
FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(yahoo.homepage.dontask, true

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-6-28 11608]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-6-28 339624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-28 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-28 267944]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-6-28 403624]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-28 61960]
R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [2010-6-29 354176]
R3 cwrwdm;SoundFusion™ WDM Driver;c:\windows\system32\drivers\cwrwdm.sys [2010-6-28 89952]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-11-30 113280]
R4 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-25 20952]
R4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-25 363344]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-11-30 100736]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [2010-6-28 3351]

=============== Created Last 30 ================

2011-02-09 00:55:07 200704 --sh--r- c:\windows\system32\igfxman32.exe
2011-02-09 00:54:58 200704 ----a-w- c:\windows\system32\xkmq85.exe@
2011-02-08 16:43:56 -------- d-----w- c:\program files\ESET
2011-02-08 16:24:00 98816 ----a-w- c:\windows\sed.exe
2011-02-08 16:24:00 89088 ----a-w- c:\windows\MBR.exe
2011-02-08 16:24:00 256512 ----a-w- c:\windows\PEV.exe
2011-02-08 16:24:00 161792 ----a-w- c:\windows\SWREG.exe
2011-02-05 06:23:09 -------- d-----w- c:\program files\Legacy of Kain - Defiance
2011-02-05 04:55:01 -------- d-----w- c:\program files\Wireshark
2011-01-22 08:08:20 -------- d-sh--r- C:\cwsandbox
2011-01-21 23:10:19 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2011-01-21 23:10:19 17212 ----a-w- c:\windows\system32\SIntf32.dll
2011-01-21 23:10:18 12067 ----a-w- c:\windows\system32\SIntf16.dll
2011-01-19 05:34:17 -------- d-----w- c:\program files\Fox
2011-01-16 10:04:52 236 ----a-w- c:\windows\system32\06.exe
2011-01-16 09:48:14 236 ----a-w- c:\windows\system32\71.exe
2011-01-15 23:51:18 -------- d-----w- c:\docume~1\marc\applic~1\mIRC
2011-01-15 23:51:17 -------- d-----w- c:\program files\mIRC
2011-01-13 16:50:28 -------- d-----w- c:\docume~1\marc\applic~1\Azureus
2011-01-13 16:48:33 -------- d-----w- c:\program files\Conduit
2011-01-13 16:48:32 -------- d-----w- c:\docume~1\marc\locals~1\applic~1\Vuze_Remote
2011-01-13 16:48:28 -------- d-----w- c:\program files\ConduitEngine
2011-01-13 16:48:28 -------- d-----w- c:\docume~1\marc\locals~1\applic~1\ConduitEngine
2011-01-13 16:48:23 -------- d-----w- c:\program files\Vuze_Remote
2011-01-13 16:48:23 -------- d-----w- c:\docume~1\marc\locals~1\applic~1\Conduit
2011-01-13 09:55:32 -------- d-----w- c:\docume~1\marc\applic~1\tixati
2011-01-13 09:55:15 -------- d-----w- c:\program files\tixati
2011-01-13 08:35:33 -------- d-----w- c:\docume~1\marc\locals~1\applic~1\AskToolbar
2011-01-11 09:58:42 331184 ------w- c:\windows\system32\difxapi.dll
2011-01-11 09:58:42 -------- d-----w- c:\program files\VIA

==================== Find3M ====================

2010-12-27 08:00:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2010-12-07 18:40:22 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2010-12-07 18:22:46 810496 ----a-w- c:\windows\system32\xvidcore.dll
2010-11-12 10:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 08:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 10:12:17.73 ===============


Also attached the Attach.txt and ark.txt file

Edited by Orange Blossom, 08 February 2011 - 11:26 PM.
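The two DDS logs in this thread are the evidence the helper is working from, so here is a small triage script, as an added example that is not DDS, Malwarebytes or the forum helper's code, that parses the "Created Last 30" and Run-key lines the way a responder reads them by eye: hidden+system attributes on a freshly created system32 executable, purely numeric names such as 06.exe and 71.exe (the pattern the poster describes), files far too small to be a PE image, an Intel-style igfx name on a machine whose process list shows NVIDIA drivers (nvsvc32.exe, NvCpl.dll), and a Run key that keeps the file alive. It then diffs the first snapshot against the lines of the follow-up DDS log posted later in the thread, to show what was added (C:\xdx.exe) and what survived the Malwarebytes cleanup. The sample lines are copied from the logs posted in this thread; the heuristics, the 1 KiB size threshold and the Intel allow-list are this example's own assumptions.

```python
"""Triage of DDS 'Created Last 30' entries and Run keys, plus a diff of two
snapshots. Added example for this thread; not code from DDS, Malwarebytes or
the forum helper. The scoring rules, MIN_PE_SIZE and KNOWN_IGFX are this
example's own assumptions."""
import re
from typing import Dict, List, Tuple

# DDS "Created Last 30" line: <date> <time> <size or --------> <attrs> <path>
CREATED_RE = re.compile(
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)"
)
# DDS pseudo-HJT autorun line: "mRun: [Label] command" (also uRun, mRunOnce)
RUN_RE = re.compile(r"[um]Run(?:Once)?: \[(?P<label>[^\]]+)\] (?P<cmd>.+)")

# Assumption: genuine Intel graphics helper names; any other igfx* is a lookalike.
KNOWN_IGFX = {"igfxtray.exe", "igfxpers.exe", "igfxext.exe", "igfxsrvc.exe", "igfxhk.exe"}
MIN_PE_SIZE = 1024  # assumption: no real PE image is this small

# Lines copied from the DDS log in post #1 (first snapshot) and its Run keys.
SNAPSHOT_1 = r"""
2011-02-09 00:55:07 200704 --sh--r- c:\windows\system32\igfxman32.exe
2011-02-09 00:54:58 200704 ----a-w- c:\windows\system32\xkmq85.exe@
2011-02-08 16:43:56 -------- d-----w- c:\program files\ESET
2011-01-22 08:08:20 -------- d-sh--r- C:\cwsandbox
2011-01-16 10:04:52 236 ----a-w- c:\windows\system32\06.exe
2011-01-16 09:48:14 236 ----a-w- c:\windows\system32\71.exe
2011-01-11 09:58:42 331184 ------w- c:\windows\system32\difxapi.dll
"""
RUN_KEYS_1 = r"""
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Intel Display Driver] c:\windows\system32\igfxman32.exe
"""
# The follow-up DDS log (post #3) shows one new file on top of the same entries.
SNAPSHOT_2 = "2011-02-09 05:52:50 40960 ----a-w- C:\\xdx.exe\n" + SNAPSHOT_1


def parse_created(text: str) -> List[dict]:
    """Parse Created-Last-30 lines; anything that does not match is skipped."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.fullmatch(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["is_dir"] = e["attrs"][0] == "d"
        e["size"] = None if e["size"].startswith("-") else int(e["size"])
        e["path"] = e["path"].lower()  # NTFS paths are case-insensitive
        entries.append(e)
    return entries


def parse_runs(text: str) -> Dict[str, str]:
    """Map each autorun command (quotes stripped, lower-cased) to its Run-key label."""
    runs = {}
    for line in text.splitlines():
        m = RUN_RE.fullmatch(line.strip())
        if m:
            runs[m.group("cmd").replace('"', "").lower()] = m.group("label")
    return runs


def reasons_for(e: dict) -> List[str]:
    """Heuristics drawn from what this thread's logs show; each is an assumption."""
    r = []
    if "s" in e["attrs"] and "h" in e["attrs"]:
        r.append("hidden+system attributes")  # igfxman32.exe, C:\cwsandbox
    if e["is_dir"]:
        return r
    name = e["path"].rsplit("\\", 1)[-1]
    if re.fullmatch(r"\d+\.exe", name):
        r.append("purely numeric name")  # 06.exe, 71.exe: the pattern the poster reports
    if re.search(r"[^\w.\-]$", name):
        r.append("trailing non-filename character %r" % name[-1])  # xkmq85.exe@
    if name.endswith(".exe") and e["size"] is not None and e["size"] < MIN_PE_SIZE:
        r.append("%d bytes: too small to be a real PE image" % e["size"])
    if name.startswith("igfx") and name not in KNOWN_IGFX:
        r.append("Intel graphics lookalike name")
    return r


def triage(created_text: str, runs_text: str = "") -> Dict[str, List[str]]:
    """Flagged path -> reasons, including the Run key that keeps it alive."""
    runs = parse_runs(runs_text)
    flagged = {}
    for e in parse_created(created_text):
        r = reasons_for(e)
        for cmd, label in runs.items():
            if cmd.startswith(e["path"]):
                r.append("persisted by Run key [%s]" % label)
        if r:
            flagged[e["path"]] = r
    return flagged


def diff_snapshots(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(paths new in the second log, flagged paths from the first log still present)."""
    b = {e["path"] for e in parse_created(before)}
    a = {e["path"] for e in parse_created(after)}
    return sorted(a - b), sorted(p for p in triage(before) if p in a)


if __name__ == "__main__":
    for path, why in triage(SNAPSHOT_1, RUN_KEYS_1).items():
        print(path, "->", "; ".join(why))
    new, survived = diff_snapshots(SNAPSHOT_1, SNAPSHOT_2)
    print("new after cleanup:", new)
    print("still present after cleanup:", survived)
```

Run with python3: it prints each flagged path with its reasons, then the entries that are new in the second log and the flagged ones that are still there. For this thread every flagged entry from the first log survives into the second and a fresh C:\xdx.exe appears on top, which matches the poster's report that the files keep coming back after Malwarebytes removes them.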



#2 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:28 AM

Posted 09 February 2011 - 03:43 AM

Hi,

* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

c:\windows\system32\igfxman32.exe
c:\windows\system32\xkmq85.exe@
c:\windows\system32\06.exe
c:\windows\system32\71.exe


Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Go to << link removed, to prevent others sending me the same files all the time >>
Enter the URL of this thread in the first field.
Where it says "browse to the file that you want to submit", click the Browse button next to the second field and browse to the CAB archive that was created on your desktop.
The CAB file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.



Then, AFTER you have done the above, since I really need those samples, please update Malwarebytes (using the Update button) and rescan.
Post the latest Malwarebytes log in your next reply, together with a new DDS log.

Edited by miekiemoes, 11 February 2011 - 01:31 AM.


#3 fagong428 (Topic Starter)

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 09 February 2011 - 11:17 AM

Latest MBAM log


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5689

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/10/2011 12:01:39 AM
mbam-log-2011-02-10 (00-01-39).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|G:\|H:\|)
Objects scanned: 188742
Time elapsed: 49 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig (Windows.Tool.Disabled) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Marc\ms.exe (Worm.Zeroll) -> Quarantined and deleted successfully.
c:\documents and settings\Marc\local settings\temporary internet files\Content.IE5\Y90RMTMT\ms[1].exe (Worm.Zeroll) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\OLQVC5EF\t96[1].exe (Trojan.Autorun) -> Quarantined and deleted successfully.
c:\system volume information\_restore{28816223-977e-4f1a-8678-2b5825aee0be}\RP52\A0084557.exe (Rogue.WindowsDisk) -> Quarantined and deleted successfully.
c:\system volume information\_restore{28816223-977e-4f1a-8678-2b5825aee0be}\RP52\A0084573.exe (Rogue.WindowsDisk) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\22.exe (Trojan.Autorun) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\34.exe (Trojan.Autorun) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\36.exe (Trojan.Autorun) -> Quarantined and deleted successfully.

_______________________________________________________________________

DDS log


DDS (Ver_10-12-12.02) - NTFSx86
Run by Marc at 0:06:50.32 on Thu 02/10/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1510 [GMT 8:00]

AV: AntiVir Desktop *Enabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\SysTrayX\SYSTRAYX.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinTools Software\RAM Saver Professional\ramsaverpro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Sun Broadband Wireless\Sun Broadband Wireless.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=102866&l=dis&gct=hp
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - e:\mac\thunder\comdlls\TDAtOnce_Now.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [RAMSaverPro] c:\program files\wintools software\ram saver professional\ramsaverpro.exe
uRun: [Google Update] "c:\documents and settings\marc\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [cFosSpeed] c:\program files\cfosspeed\cFosSpeed.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [VTPreset] VTPreset.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [conime] conime.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [EssSpkPhone] essspk1.exe -c
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Intel Display Driver] c:\windows\system32\igfxman32.exe
mRunOnce: [SYSTRAYX] c:\systrayx\RUNSTX.EXE
StartupFolder: c:\docume~1\marc\startm~1\programs\startup\systrayx.lnk - c:\systrayx\SysTrayX.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audiod~1.lnk - c:\program files\via technologies, inc\via audio driver setup program\audiodeck\AudioDeck.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: 使用迅雷下载 - e:\mac\thunder\program\geturl.htm
IE: 使用迅雷下载全部链接 - e:\mac\thunder\program\getallurl.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marc\applic~1\mozilla\firefox\profiles\adky7eg5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=102866&l=dis&gct=hp
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=STT&o=102866&locale=en_US&apn_uid=5B4029DA-7D7A-423F-9454-69CED02F7A9B&apn_ptnrs=5N&apn_sauid=463DA0E8-7CE2-45B7-B91F-C6E157EC5FB5&apn_dtid=YYYYYYYYPH&q=
FF - component: c:\documents and settings\marc\application data\mozilla\firefox\profiles\adky7eg5.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\documents and settings\marc\application data\mozilla\firefox\profiles\adky7eg5.default\extensions\mintrayr@tn123.ath.cx\components\trayToolkit.dll
FF - plugin: c:\documents and settings\marc\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Fasterfox Lite: FasterFox_Lite@BigRedBrent - %profile%\extensions\FasterFox_Lite@BigRedBrent
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: MinimizeToTray revived (MinTrayR): mintrayr@tn123.ath.cx - %profile%\extensions\mintrayr@tn123.ath.cx
FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(yahoo.homepage.dontask, true

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-6-28 11608]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-6-28 339624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-28 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-28 267944]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-6-28 403624]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-28 61960]
R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [2010-6-29 354176]
R3 cwrwdm;SoundFusion™ WDM Driver;c:\windows\system32\drivers\cwrwdm.sys [2010-6-28 89952]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-11-30 113280]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-11-30 100736]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [2010-6-28 3351]

=============== Created Last 30 ================

2011-02-09 05:52:50 40960 ----a-w- C:\xdx.exe
2011-02-09 00:55:07 200704 --sh--r- c:\windows\system32\igfxman32.exe
2011-02-09 00:54:58 200704 ----a-w- c:\windows\system32\xkmq85.exe@
2011-02-08 16:43:56 -------- d-----w- c:\program files\ESET
2011-02-08 16:24:00 98816 ----a-w- c:\windows\sed.exe
2011-02-08 16:24:00 89088 ----a-w- c:\windows\MBR.exe
2011-02-08 16:24:00 256512 ----a-w- c:\windows\PEV.exe
2011-02-08 16:24:00 161792 ----a-w- c:\windows\SWREG.exe
2011-02-05 06:23:09 -------- d-----w- c:\program files\Legacy of Kain - Defiance
2011-02-05 04:55:01 -------- d-----w- c:\program files\Wireshark
2011-01-22 08:08:20 -------- d-sh--r- C:\cwsandbox
2011-01-21 23:10:19 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2011-01-21 23:10:19 17212 ----a-w- c:\windows\system32\SIntf32.dll
2011-01-21 23:10:18 12067 ----a-w- c:\windows\system32\SIntf16.dll
2011-01-19 05:34:17 -------- d-----w- c:\program files\Fox
2011-01-16 10:04:52 236 ----a-w- c:\windows\system32\06.exe
2011-01-16 09:48:14 236 ----a-w- c:\windows\system32\71.exe
2011-01-15 23:51:18 -------- d-----w- c:\docume~1\marc\applic~1\mIRC
2011-01-15 23:51:17 -------- d-----w- c:\program files\mIRC
2011-01-13 16:50:28 -------- d-----w- c:\docume~1\marc\applic~1\Azureus
2011-01-13 16:48:33 -------- d-----w- c:\program files\Conduit
2011-01-13 16:48:32 -------- d-----w- c:\docume~1\marc\locals~1\applic~1\Vuze_Remote
2011-01-13 16:48:28 -------- d-----w- c:\program files\ConduitEngine
2011-01-13 16:48:28 -------- d-----w- c:\docume~1\marc\locals~1\applic~1\ConduitEngine
2011-01-13 16:48:23 -------- d-----w- c:\program files\Vuze_Remote
2011-01-13 16:48:23 -------- d-----w- c:\docume~1\marc\locals~1\applic~1\Conduit
2011-01-13 09:55:32 -------- d-----w- c:\docume~1\marc\applic~1\tixati
2011-01-13 09:55:15 -------- d-----w- c:\program files\tixati
2011-01-13 08:35:33 -------- d-----w- c:\docume~1\marc\locals~1\applic~1\AskToolbar
2011-01-11 09:58:42 331184 ------w- c:\windows\system32\difxapi.dll
2011-01-11 09:58:42 -------- d-----w- c:\program files\VIA

==================== Find3M ====================

2010-12-27 08:00:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2010-12-07 18:40:22 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2010-12-07 18:22:46 810496 ----a-w- c:\windows\system32\xvidcore.dll
2010-11-12 10:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 08:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 0:09:07.12 ===============


Another thing is, every time I try to start my PC, this window disk error appears: "Exception Processing Message c0000013 Parameters 75b6bf7c 75b6bf7c 75b6bf7c"

I doubt that this is the latest update of MBAM, but every time I click on "check updates" it says "you have the latest database version".


#4 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 09 February 2011 - 11:31 AM

Hi,

First of all, uninstall the following not recommended toolbars:

Ask Toolbar
Conduit Engine
DAEMON Tools Toolbar
Vuze Remote Toolbar

Reboot afterwards.

Then,

Your database doesn't have the latest updates though.

Do the following instead:
Navigate to the following folder:

C:\Documents and settings\All users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

In there, you should find the file rules.ref
Please delete that file.

Then start Malwarebytes again. Malwarebytes will give an error, tell you that the database is missing, and ask if you want to download it again. Please click OK in order to download the latest rules set.
Then perform a new scan again. Please select "Quick scan" instead of "Full scan", as that one is much faster and powerful.

Post the new Malwarebytes log in your next reply together with a new DDS log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 fagong428

  • Topic Starter
  • Members
  • 11 posts

Posted 09 February 2011 - 12:00 PM

I tried deleting rules.ref, but when I start MBAM again it prompts me to download a new copy, and when I click Yes it informs me that I have the latest database version (although MBAM didn't download anything) and throws this error: PROGRAM_ERROR_LOAD_DATABASE.

Now I can't use MBAM... should I reinstall it?

#6 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 09 February 2011 - 12:35 PM

It looks like you have probably not installed it in the proper/default location before, which causes confusion for Malwarebytes.

  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer (very important).
  • Download and run this utility: mbam-clean.exe
  • It will ask to restart your computer (please allow it to).

If you had Malwarebytes installed in another location, for example on your D:\, please delete all Malwarebytes folders there as well.

Then redownload and reinstall Malwarebytes.

#7 fagong428

  • Topic Starter
  • Members
  • 11 posts

Posted 09 February 2011 - 12:56 PM

New MBAM log


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5721

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/10/2011 1:48:33 AM
mbam-log-2011-02-10 (01-48-33).txt

Scan type: Quick scan
Objects scanned: 132771
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel Display Driver (Trojan.Agent) -> Value: Intel Display Driver -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig (Windows.Tool.Disabled) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\igfxman32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\xdx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xkmq85.exe@ (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Marc\local settings\temporary internet files\Content.IE5\U1IZEXML\udv[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\49QZ496F\udv[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\OLQVC5EF\5[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.


----------------------------------------------------------

New DDS log



DDS (Ver_10-12-12.02) - NTFSx86
Run by Marc at 1:49:25.50 on Thu 02/10/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1429 [GMT 8:00]

AV: AntiVir Desktop *Enabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\SysTrayX\SYSTRAYX.EXE
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\WinTools Software\RAM Saver Professional\ramsaverpro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\Sun Broadband Wireless\Sun Broadband Wireless.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Marc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=102866&l=dis&gct=hp
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: H - No File
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - e:\mac\thunder\comdlls\TDAtOnce_Now.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [RAMSaverPro] c:\program files\wintools software\ram saver professional\ramsaverpro.exe
uRun: [Google Update] "c:\documents and settings\marc\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [cFosSpeed] c:\program files\cfosspeed\cFosSpeed.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [VTPreset] VTPreset.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [conime] conime.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [EssSpkPhone] essspk1.exe -c
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [SYSTRAYX] c:\systrayx\RUNSTX.EXE
StartupFolder: c:\docume~1\marc\startm~1\programs\startup\systrayx.lnk - c:\systrayx\SysTrayX.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audiod~1.lnk - c:\program files\via technologies, inc\via audio driver setup program\audiodeck\AudioDeck.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: 使用迅雷下载 - e:\mac\thunder\program\geturl.htm
IE: 使用迅雷下载全部链接 - e:\mac\thunder\program\getallurl.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marc\applic~1\mozilla\firefox\profiles\adky7eg5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=102866&l=dis&gct=hp
FF - component: c:\documents and settings\marc\application data\mozilla\firefox\profiles\adky7eg5.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\documents and settings\marc\application data\mozilla\firefox\profiles\adky7eg5.default\extensions\mintrayr@tn123.ath.cx\components\trayToolkit.dll
FF - plugin: c:\documents and settings\marc\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Fasterfox Lite: FasterFox_Lite@BigRedBrent - %profile%\extensions\FasterFox_Lite@BigRedBrent
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: MinimizeToTray revived (MinTrayR): mintrayr@tn123.ath.cx - %profile%\extensions\mintrayr@tn123.ath.cx
FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(yahoo.homepage.dontask, true

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-6-28 11608]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-6-28 339624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-28 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-28 267944]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-6-28 403624]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-28 61960]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-25 363344]
R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [2010-6-29 354176]
R3 cwrwdm;SoundFusion™ WDM Driver;c:\windows\system32\drivers\cwrwdm.sys [2010-6-28 89952]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-11-30 113280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-25 20952]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-11-30 100736]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [2010-6-28 3351]

=============== Created Last 30 ================

2011-02-09 17:49:08 54016 ----a-w- c:\windows\system32\drivers\iyhxq.sys
2011-02-09 17:19:30 709456 ----a-w- c:\windows\isRS-000.tmp
2011-02-08 16:43:56 -------- d-----w- c:\program files\ESET
2011-02-08 16:24:00 98816 ----a-w- c:\windows\sed.exe
2011-02-08 16:24:00 89088 ----a-w- c:\windows\MBR.exe
2011-02-08 16:24:00 256512 ----a-w- c:\windows\PEV.exe
2011-02-08 16:24:00 161792 ----a-w- c:\windows\SWREG.exe
2011-02-05 06:23:09 -------- d-----w- c:\program files\Legacy of Kain - Defiance
2011-02-05 04:55:01 -------- d-----w- c:\program files\Wireshark
2011-01-22 08:08:20 -------- d-sh--r- C:\cwsandbox
2011-01-21 23:10:19 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2011-01-21 23:10:19 17212 ----a-w- c:\windows\system32\SIntf32.dll
2011-01-21 23:10:18 12067 ----a-w- c:\windows\system32\SIntf16.dll
2011-01-19 05:34:17 -------- d-----w- c:\program files\Fox
2011-01-16 10:04:52 236 ----a-w- c:\windows\system32\06.exe
2011-01-16 09:48:14 236 ----a-w- c:\windows\system32\71.exe
2011-01-15 23:51:18 -------- d-----w- c:\docume~1\marc\applic~1\mIRC
2011-01-15 23:51:17 -------- d-----w- c:\program files\mIRC
2011-01-13 16:50:28 -------- d-----w- c:\docume~1\marc\applic~1\Azureus
2011-01-11 09:58:42 331184 ------w- c:\windows\system32\difxapi.dll
2011-01-11 09:58:42 -------- d-----w- c:\program files\VIA

==================== Find3M ====================

2010-12-27 08:00:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2010-12-07 18:40:22 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2010-12-07 18:22:46 810496 ----a-w- c:\windows\system32\xvidcore.dll
2010-11-12 10:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 08:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 1:52:59.73 ===============


-------------------------------------------------------------


#8 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 09 February 2011 - 01:09 PM

Hi,

This is much better already...

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the Browse button next to it and browse to the following file:

c:\windows\system32\drivers\iyhxq.sys

Select it and click OK.
Then click the Send File button below.


Then navigate to and delete the following files:

c:\windows\system32\06.exe
c:\windows\system32\71.exe

They are basically harmless files, just HTML files masked as an exe, but they were downloaded by the malware you were dealing with before.

Then, since we need to delete some registry leftovers, HijackThis may be the easiest tool to use here:

* Download HijackThis from here:
http://free.antivirus.com/hijackthis/
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Edited by miekiemoes, 09 February 2011 - 01:10 PM.

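The triage miekiemoes did by eye above (the system+hidden igfxman32.exe, the exe dropped in the root of C:\, the 236-byte 06.exe and 71.exe that were really HTML, and the new iyhxq.sys driver that appeared between the two DDS logs) can be run mechanically over the "Created Last 30" section of a DDS log. This is an added example, not a tool from this thread or from DDS or Malwarebytes: the line layout and the attribute letters (d = directory, s = system, h = hidden) are assumed from the logs quoted above, the sample lines are copied from those logs, and the HTML-masked-as-exe bytes are constructed.

```python
"""Triage helpers for the 'Created Last 30' section of a DDS log.

Assumed line format (taken from the logs posted in this thread):
    <YYYY-MM-DD> <HH:MM:SS> <size | --------> <8-char attrs> <path>
'--------' in the size column marks a directory; the attribute string is
assumed to carry 'd' (directory), 's' (system) and 'h' (hidden).
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$",
    re.IGNORECASE,
)
EXEC_SUFFIXES = {".exe", ".sys", ".dll", ".scr", ".com"}
MIN_PLAUSIBLE_PE = 1024  # DOS header + PE headers + one section is already bigger than this

# Lines copied from the first DDS log in the thread (before cleanup).
BEFORE_LOG = r"""
2011-02-09 05:52:50 40960 ----a-w- C:\xdx.exe
2011-02-09 00:55:07 200704 --sh--r- c:\windows\system32\igfxman32.exe
2011-02-09 00:54:58 200704 ----a-w- c:\windows\system32\xkmq85.exe@
2011-02-08 16:43:56 -------- d-----w- c:\program files\ESET
2011-01-16 10:04:52 236 ----a-w- c:\windows\system32\06.exe
2011-01-16 09:48:14 236 ----a-w- c:\windows\system32\71.exe
"""
# Lines copied from the second DDS log (after the Malwarebytes quick scan).
AFTER_LOG = r"""
2011-02-09 17:49:08 54016 ----a-w- c:\windows\system32\drivers\iyhxq.sys
2011-02-09 17:19:30 709456 ----a-w- c:\windows\isRS-000.tmp
2011-02-08 16:43:56 -------- d-----w- c:\program files\ESET
2011-01-16 10:04:52 236 ----a-w- c:\windows\system32\06.exe
2011-01-16 09:48:14 236 ----a-w- c:\windows\system32\71.exe
"""
# Constructed stand-in for a 236-byte "exe" that is really an HTML page.
HTML_AS_EXE = b"<html><head><title>x</title></head><body>moved</body></html>"


@dataclass(frozen=True)
class Entry:
    created: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str


def parse_created_last_30(text: str) -> List[Entry]:
    """Parse DDS 'Created Last 30' lines; anything that does not match is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(f"{m['date']} {m['time']}", size, m["attrs"].lower(), m["path"]))
    return entries


def triage(entry: Entry) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    reasons: List[str] = []
    if entry.attrs[0] == "d":  # directories are not judged here
        return reasons
    path = entry.path
    if path.endswith("@"):  # e.g. xkmq85.exe@ - not a normal Windows file name
        reasons.append("unusual trailing character in file name")
        path = path.rstrip("@")
    p = PureWindowsPath(path)
    if p.suffix.lower() not in EXEC_SUFFIXES:
        return reasons
    if "s" in entry.attrs and "h" in entry.attrs:
        reasons.append("executable marked system+hidden")
    if len(p.parts) == 2:  # ('C:\\', 'xdx.exe') -> dropped straight into the drive root
        reasons.append("executable dropped in drive root")
    if entry.size is not None and entry.size < MIN_PLAUSIBLE_PE:
        reasons.append(f"{entry.size} bytes is too small to be a real PE")
    if re.fullmatch(r"\d+\.[a-z]+", p.name.lower()):
        reasons.append("all-digit file name")
    return reasons


def new_since(before: str, after: str) -> List[Entry]:
    """Entries present in the later log but not in the earlier one (case-insensitive path)."""
    seen = {e.path.lower() for e in parse_created_last_30(before)}
    return [e for e in parse_created_last_30(after) if e.path.lower() not in seen]


def classify_content(data: bytes) -> str:
    """'pe' for an MZ header, 'html' for markup masquerading as a binary, else 'unknown'."""
    head = data[:512].lstrip()
    if head.startswith(b"MZ"):
        return "pe"
    if head.lower().startswith((b"<html", b"<!doctype", b"<head", b"<script")):
        return "html"
    return "unknown"


if __name__ == "__main__":
    for e in parse_created_last_30(BEFORE_LOG):
        print(e.path, triage(e))
    for e in new_since(BEFORE_LOG, AFTER_LOG):
        print("new since previous log:", e.path)
    print("06.exe-style content:", classify_content(HTML_AS_EXE))
```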

#9 fagong428

  • Topic Starter
  • Members
  • 11 posts

Posted 09 February 2011 - 01:24 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:22:24 AM, on 2/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\SysTrayX\SYSTRAYX.EXE
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\WinTools Software\RAM Saver Professional\ramsaverpro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\Sun Broadband Wireless\Sun Broadband Wireless.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=102866&l=dis&gct=hp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://google.com/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - E:\mac\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: YSPManager - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.12.6.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [conime] conime.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EssSpkPhone] essspk1.exe -c
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [SYSTRAYX] C:\SysTrayX\RUNSTX.EXE
O4 - HKCU\..\Run: [RAMSaverPro] C:\Program Files\WinTools Software\RAM Saver Professional\ramsaverpro.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SYSTRAYX.LNK = C:\SysTrayX\SysTrayX.EXE
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 - E:\mac\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - E:\mac\Thunder\Program\getallurl.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O9 - Extra 'Tools' menuitem: Yahoo! Search Protection - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.4.12.6.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8972 bytes

#10 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 09 February 2011 - 01:30 PM

Hi,

The file you sent me is OK. It's part of The Avenger (its driver), which is a removal tool.

Please scan with HijackThis again and select the following entries in it:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=102866&l=dis&gct=hp
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - E:\mac\Thunder\ComDlls\TDAtOnce_Now.dll <== this browser helper object is not recommended either
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Then click the Fix checked button below.
Make sure your Internet Explorer is closed when you do this.

Then let me know in your next reply how things are now...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
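A small triage helper, added here as an example (it is not part of this thread and not HijackThis's own code): it parses HijackThis-style log lines like the ones quoted above and flags the orphaned "(no file)"/"(file missing)" entries and changed browser start pages that a responder checks first. The sample log is constructed from the entries in this post plus one known-good service line.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis log format, modelled on the entries
# quoted in this post (not a real log from the poster's machine).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=102866&l=dis&gct=hp
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
START_PAGE_RE = re.compile(r"Start Page = (?P<url>\S+)")


def triage(log_text):
    """Return a list of (section, reason, original_line) for entries worth a second look.

    Rules (defender's triage, not a verdict):
      * "(no file)" / "(file missing)": the registry still points at something
        that no longer exists; these are the orphans the helper asks to fix.
      * R0 Start Page set to an http(s) URL: confirm the user chose that page.
    """
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # blank lines and non-entry text are skipped
        sec, body = m.group("sec"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append((sec, "orphaned entry: referenced file is gone", raw))
        elif sec == "R0":
            sp = START_PAGE_RE.search(body)
            if sp and sp.group("url").startswith(("http://", "https://")):
                host = urlsplit(sp.group("url")).netloc
                findings.append((sec, f"start page set to {host}; confirm the user chose it", raw))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```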

#11 fagong428

fagong428
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:28 AM

Posted 09 February 2011 - 04:57 PM

Thank you very much! Will post back if something strange happens again within a day.

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:28 AM

Posted 10 February 2011 - 01:49 AM

OK, I'll read you later (if needed) :)

In the meantime, please read my Prevention page, which has lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:28 AM

Posted 16 February 2011 - 01:53 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
