Problem with svchost.exe and iexplorer.exe


This topic is locked
17 replies to this topic

#1 noonionclub

  • Members
  • 8 posts

Posted 30 August 2012 - 07:33 PM

AVG keeps popping up and tells me something is wrong with the svchost.exe - Agent3.bzep. I also noticed iexplorer.exe popping up in my Task Manager even though I don't use Internet Explorer.

Here are logs from DDS and GMER.


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 10.5.1
Run by Noonionclub at 5:01:03 on 2012-08-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.988 [GMT -8:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Noonionclub\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\NOONIO~1\LOCALS~1\Temp\nsi1C6.tmp\MBR.DAT
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyServer = http=;ftp=;https=;
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [SansaDispatch] c:\documents and settings\noonionclub\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8D94D39B-5BFC-46B7-954A-8105C0A4E73A} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D17E5C56-F489-49A4-8A27-7826C190519D} : DhcpNameServer = 172.27.35.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\noonionclub\application data\mozilla\firefox\profiles\jfxwj1eg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/?shva=1#inbox|http://www.facebook.com/|http://football.fantasysports.yahoo.com/f1/126931
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\noonionclub\local settings\application data\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 235216]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 301248]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files\autodesk\content service\Connect.Service.ContentService.exe [2011-2-2 18656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-7-4 5160568]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-6-21 20968]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-3 655944]
R3 AR2425;abit AirPace Wi-Fi Wireless Network Adapter Service;c:\windows\system32\drivers\aw5006.sys [2009-11-2 556832]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-3 22344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 250568]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-2 1684736]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-7-28 77624]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-9-14 24576]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 114144]
S3 pbfilter;pbfilter;\??\c:\program files\peerblock\pbfilter.sys --> c:\program files\peerblock\pbfilter.sys [?]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-7-28 181432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2012-08-30 10:55:46 638 ----a-w- c:\documents and settings\all users\application data\gttmaaa.tmp
2012-08-30 10:26:28 -------- d-----w- C:\ComboFix
2012-08-30 10:08:47 -------- d-sha-r- C:\cmdcons
2012-08-30 10:07:10 98816 ----a-w- c:\windows\sed.exe
2012-08-30 10:07:10 518144 ----a-w- c:\windows\SWREG.exe
2012-08-30 10:07:10 256000 ----a-w- c:\windows\PEV.exe
2012-08-30 10:07:10 208896 ----a-w- c:\windows\MBR.exe
2012-08-29 22:57:33 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2012-08-24 03:14:23 -------- d-----w- c:\program files\Oracle
2012-08-24 03:14:11 -------- d-----w- c:\documents and settings\noonionclub\local settings\application data\Sun
2012-08-24 03:14:07 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-24 03:14:07 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-22 06:06:06 -------- d-sh--w- c:\documents and settings\noonionclub\PrivacIE
2012-08-22 06:02:03 -------- d-sh--w- c:\documents and settings\noonionclub\IETldCache
2012-08-22 05:55:42 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-08-22 05:55:42 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2012-08-22 05:55:27 -------- d--h--w- c:\windows\msdownld.tmp
2012-08-22 02:19:09 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2012-08-22 02:19:09 77072 ----a-w- c:\windows\system32\ztvcabinet.dll
2012-08-22 02:19:09 75264 ----a-w- c:\windows\system32\unacev2.dll
2012-08-22 02:19:09 605968 ----a-w- c:\windows\system32\ztv7z.dll
2012-08-22 02:19:09 185616 ----a-w- c:\windows\system32\ztvunrar39.dll
2012-08-22 02:19:09 169744 ----a-w- c:\windows\system32\ztvunrar36.dll
2012-08-22 02:19:09 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2012-08-22 01:47:01 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-22 01:35:05 -------- d-----w- c:\program files\PC Tools
2012-08-22 01:24:09 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-08-22 01:24:09 -------- d-----w- c:\program files\common files\PC Tools
2012-08-22 01:23:16 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-08-22 01:23:15 -------- d-----w- c:\documents and settings\noonionclub\application data\TestApp
.
==================== Find3M ====================
.
2012-08-28 17:53:56 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-28 17:53:56 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-03 21:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 5:01:12.64 ===============




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-30 17:19:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7 ST31000528AS rev.CC37
Running: gmer.exe; Driver: C:\DOCUME~1\NOONIO~1\LOCALS~1\Temp\fgloiaog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0xB467A004]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0xB467A0D4]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB4679D76]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB4679E1E]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB4679EBA]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB4679F56]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7CFA3A0, 0x592C35, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 0063483D
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1004] USER32.dll!DefWindowProcA + 11A 7E42C298 7 Bytes JMP 105C8F94 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1004] USER32.dll!SetWindowLongA + 19 7E42C2B6 7 Bytes JMP 105C8F23 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1004] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1040F66F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1004] USER32.dll!GetMenuContextHelpId + 1A 7E465319 7 Bytes JMP 1040FCA8 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1488] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 02B56C40 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1488] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 02D92DBF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1488] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 02D92D9C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1488] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 02B5FE71 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1488] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 02D92D1D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 009E483D

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBE 0x04 0xA0 0x69 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC9 0xFE 0xF5 0xA2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x20 0x8B 0xB0 0x04 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x73 0x5C 0x9C 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC9 0xFE 0xF5 0xA2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCC 0xE5 0xA9 0x6E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x73 0x5C 0x9C 0x11 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC9 0xFE 0xF5 0xA2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x20 0x8B 0xB0 0x04 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\qgvmaaa.tmp 669 bytes
File C:\WINDOWS\Temp\REG2AE.tmp 824 bytes
File C:\WINDOWS\Temp\REG2AF.tmp 32 bytes
File C:\WINDOWS\Temp\REG2B0.tmp 0 bytes
File C:\WINDOWS\Temp\REG2B1.tmp 0 bytes

---- EOF - GMER 1.0.15 ----
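In the GMER "User code sections" above, the Firefox hooks are attributed to xul.dll, but the two hooks on kernel32.dll!CreateProcessInternalW (in svchost.exe[880] and Explorer.EXE[1628]) jump to addresses GMER cannot attribute to any loaded module. As an added example (not part of the thread, GMER or ComboFix), this Python triage script parses lines of that shape and flags the unattributed ones; the function names are mine and the sample lines are constructed from the log quoted above.

```python
"""Triage GMER 'User code sections' output for inline hooks with no module attribution."""
import os
import re
from typing import Optional

# Constructed sample shaped like the GMER lines quoted in the thread: two hooks on
# kernel32.dll!CreateProcessInternalW whose JMP target GMER could not attribute to a
# module, and two Firefox hooks GMER attributes to xul.dll.
GMER_SAMPLE = (
    ".text C:\\WINDOWS\\system32\\svchost.exe[880] kernel32.dll!CreateProcessInternalW "
    "7C81979C 5 Bytes JMP 0063483D\n"
    ".text C:\\Program Files\\Mozilla Firefox\\firefox.exe[1488] ntdll.dll!LdrLoadDll "
    "7C9163A3 5 Bytes JMP 02B56C40 C:\\Program Files\\Mozilla Firefox\\xul.dll (Mozilla Foundation)\n"
    ".text C:\\Program Files\\Mozilla Firefox\\plugin-container.exe[1004] USER32.dll!DefWindowProcA + 11A "
    "7E42C298 7 Bytes JMP 105C8F94 C:\\Program Files\\Mozilla Firefox\\xul.dll (Mozilla Foundation)\n"
    ".text C:\\WINDOWS\\Explorer.EXE[1628] kernel32.dll!CreateProcessInternalW "
    "7C81979C 5 Bytes JMP 009E483D\n"
)

# One user-mode hook line:
#   .text <process>[<pid>] <module>!<function>[ + <offset>] <addr> <N> Bytes JMP <target> [<owner module> (<vendor>)]
# The trailing owner is what GMER prints when it can map the JMP target to a loaded module.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+)"
    r"(?:\s\+\s(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<address>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>\S.*))?$"
)


def parse_hook(line: str) -> Optional[dict]:
    """Parse one GMER user-mode hook line; return None for any other line (headers, kernel sections)."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["nbytes"] = int(d["nbytes"])
    d["address"] = int(d["address"], 16)
    d["target"] = int(d["target"], 16)
    d["offset"] = int(d["offset"], 16) if d["offset"] else 0
    # A hook whose destination lies in memory GMER cannot tie to a module is the
    # case worth a closer look: the code being jumped to is not a known DLL.
    d["attributed"] = d["owner"] is not None
    return d


def find_unattributed_hooks(gmer_text: str) -> list:
    """All parsed hooks whose JMP target has no module attribution, in log order."""
    return [h for h in map(parse_hook, gmer_text.splitlines()) if h and not h["attributed"]]


def hooked_api_summary(gmer_text: str) -> dict:
    """Map 'module!function' to the sorted process basenames carrying an unattributed hook on it.

    The same API redirected in several unrelated processes (here svchost.exe and
    Explorer.EXE) is a stronger signal than a single hook.
    """
    summary = {}
    for h in find_unattributed_hooks(gmer_text):
        api = f"{h['module']}!{h['function']}"
        proc = os.path.basename(h["process"].replace("\\", "/"))
        summary.setdefault(api, set()).add(proc)
    return {api: sorted(procs) for api, procs in summary.items()}


def report(gmer_text: str) -> list:
    """One human-readable triage line per unattributed hook."""
    return [
        f"{h['process']}[{h['pid']}]: {h['module']}!{h['function']} at 0x{h['address']:08X} "
        f"patched ({h['nbytes']} bytes) -> 0x{h['target']:08X}, target not attributed to any module"
        for h in find_unattributed_hooks(gmer_text)
    ]


if __name__ == "__main__":
    for line in report(GMER_SAMPLE):
        print(line)
    print(hooked_api_summary(GMER_SAMPLE))
```

Attribution is a triage heuristic, not proof: security products and browsers hook APIs legitimately, which is why the xul.dll lines are left alone and the unattributed ones are only flagged for review.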


#2 gringo_pr

Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 August 2012 - 09:52 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 noonionclub
  • Topic Starter
  • Members
  • 8 posts

Posted 31 August 2012 - 02:19 AM

Hi Gringo. Thanks for the help. Here are the logs. I ran combofix a couple of times because it got stuck on the "Preparing a log" screen and I had to restart the computer. It also said something about my recycle bin being corrupted or something like that.



Results of screen317's Security Check version 0.99.49
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG Anti-Virus Free Edition 2012
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Out of date HijackThis installed!
Malwarebytes Anti-Malware version 1.62.0.1300
HijackThis 2.0.2
AVG PC Tuneup 2011
JavaFX 2.1.1
Java™ 6 Update 17
Java™ 7 Update 5
Java version out of Date!
Adobe Flash Player 11.4.402.265
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (15.0)
Google Chrome 4.0.249.89
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 3%
````````````````````End of Log``````````````````````






ComboFix 12-08-30.05 - Noonionclub 08/31/2012 0:02.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1457 [GMT -8:00]
Running from: c:\documents and settings\Noonionclub\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
-- Previous Run --
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
--------
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
-- Previous Run --
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
--------
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
-- Previous Run --
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
--------
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
--------
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-31 )))))))))))))))))))))))))))))))
.
.
2012-08-29 22:57 . 2012-08-29 22:57 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-08-24 03:15 . 2012-08-24 03:15 -------- d-----w- c:\program files\Common Files\Java
2012-08-24 03:14 . 2012-08-24 03:14 -------- d-----w- c:\program files\Oracle
2012-08-24 03:14 . 2012-08-24 03:14 -------- d-----w- c:\documents and settings\Noonionclub\Local Settings\Application Data\Sun
2012-08-24 03:14 . 2012-08-24 03:14 -------- d-----w- c:\documents and settings\Noonionclub\Application Data\Oracle
2012-08-24 03:14 . 2012-08-24 03:13 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-24 03:14 . 2012-05-05 03:29 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-24 03:13 . 2012-08-24 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-08-22 06:07 . 2012-08-22 06:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-08-22 06:07 . 2012-08-22 06:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-08-22 06:06 . 2012-08-22 06:06 -------- d-sh--w- c:\documents and settings\Noonionclub\PrivacIE
2012-08-22 06:02 . 2012-08-22 06:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-08-22 06:02 . 2012-08-22 06:02 -------- d-sh--w- c:\documents and settings\Noonionclub\IETldCache
2012-08-22 05:55 . 2008-04-14 05:41 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-08-22 05:55 . 2008-04-14 05:41 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2012-08-22 05:55 . 2012-08-22 06:00 -------- d--h--w- c:\windows\msdownld.tmp
2012-08-22 02:19 . 2012-06-16 00:39 169744 ----a-w- c:\windows\system32\ztvunrar36.dll
2012-08-22 02:19 . 2012-06-16 00:35 185616 ----a-w- c:\windows\system32\ztvunrar39.dll
2012-08-22 02:19 . 2012-06-16 00:33 605968 ----a-w- c:\windows\system32\ztv7z.dll
2012-08-22 02:19 . 2012-06-16 00:33 77072 ----a-w- c:\windows\system32\ztvcabinet.dll
2012-08-22 02:19 . 2005-08-26 09:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2012-08-22 02:19 . 2003-02-03 04:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2012-08-22 02:19 . 2002-03-06 09:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2012-08-22 01:47 . 2012-08-22 01:47 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-22 01:39 . 2012-08-22 01:39 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Threat Expert
2012-08-22 01:35 . 2012-08-22 02:05 -------- d-----w- c:\program files\PC Tools
2012-08-22 01:24 . 2012-08-22 02:05 -------- d-----w- c:\program files\Common Files\PC Tools
2012-08-22 01:24 . 2012-06-22 23:34 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-08-22 01:23 . 2012-08-22 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-08-22 01:23 . 2012-08-22 01:23 -------- d-----w- c:\documents and settings\Noonionclub\Application Data\TestApp
2012-08-22 00:17 . 2012-08-22 00:17 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\AIM Toolbar
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-28 17:53 . 2012-04-03 15:40 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-28 17:53 . 2011-05-26 07:03 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 21:46 . 2009-11-03 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-29 22:57 . 2011-03-24 18:33 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . 08900F8E45CF624536FA2D6CA3326521 . 544768 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2008-04-14 . B51FE383EF487C361C077584D479E02C . 39424 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2008-04-14 . 45DBECC32D8AF47229AF5AFA52249EED . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Noonionclub\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-12-16 79872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-08 13902440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Noonionclub^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Noonionclub\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Noonionclub^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Noonionclub\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Noonionclub^Start Menu^Programs^Startup^ViiKiiDesktopPlugin.lnk]
path=c:\documents and settings\Noonionclub\Start Menu\Programs\Startup\ViiKiiDesktopPlugin.lnk
backup=c:\windows\pss\ViiKiiDesktopPlugin.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-10-06 18:15 3634024 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AirPaceWifi]
2007-02-08 22:17 2240512 ----a-w- c:\program files\abit\abit uGuru\AirPacewifi.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2012-03-13 13:37 3331872 ----a-w- c:\documents and settings\Noonionclub\Local Settings\Application Data\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-02 07:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2012-04-05 13:12 2587008 ----a-w- c:\program files\AVG\AVG2012\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 05:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-03-02 08:43 136176 ----atw- c:\documents and settings\Noonionclub\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 19:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-17 01:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 20:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-07-03 21:46 973488 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-07-03 21:46 462920 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 05:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 23:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-06-08 00:34 13902440 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-06-08 00:34 110696 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-06-03 07:48 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-03-29 05:38 2937528 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 19:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-09-22 08:25 18749440 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 19:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-10-23 02:35 399224 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\StarCraft II Beta\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15133\\SC2.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15449\\SC2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ViiKiiDesktopPlugin\\ViiKiiDesktopPlugin.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Noonionclub\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58131:TCP"= 58131:TCP:*:Disabled:Pando Media Booster
"58131:UDP"= 58131:UDP:*:Disabled:Pando Media Booster
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 2:48 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 2:48 AM 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 2:49 AM 301248]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2/2/2011 2:08 PM 18656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [7/4/2012 5:25 PM 5160568]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [6/21/2010 11:20 AM 20968]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/3/2009 11:56 AM 655944]
R3 AR2425;abit AirPace Wi-Fi Wireless Network Adapter Service;c:\windows\system32\drivers\aw5006.sys [11/2/2009 3:22 PM 556832]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/3/2009 11:56 AM 22344]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [3/4/2010 11:29 AM 47360]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 7:40 AM 250568]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/2/2009 3:25 PM 1684736]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [7/28/2012 3:06 PM 77624]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [9/14/2010 3:21 PM 24576]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 6:25 PM 114144]
S3 pbfilter;pbfilter;\??\c:\program files\PeerBlock\pbfilter.sys --> c:\program files\PeerBlock\pbfilter.sys [?]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [7/28/2012 3:06 PM 181432]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/3/2009 11:57 AM 691696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:53]
.
2012-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 01:57]
.
2012-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-2111687655-682003330-1003Core.job
- c:\documents and settings\Noonionclub\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-02 08:43]
.
2012-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-2111687655-682003330-1003UA.job
- c:\documents and settings\Noonionclub\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-02 08:43]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=;ftp=;https=;
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Noonionclub\Application Data\Mozilla\Firefox\Profiles\jfxwj1eg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/?shva=1#inbox|http://www.facebook.com/|http://football.fantasysports.yahoo.com/f1/126931
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\DTLite.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-31 00:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Noonionclub\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?<%???_?F?????????RESS_ITEMS> var j=0;?? while (j<=1000) j++; setTimeout("pr
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,3a,b6,d8,79,16,03,43,b3,bd,fd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,3a,b6,d8,79,16,03,43,b3,bd,fd,\
.
Completion time: 2012-08-31 00:11:05
ComboFix-quarantined-files.txt 2012-08-31 08:10
ComboFix2.txt 2012-08-30 10:33
.
Pre-Run: 321,709,776,896 bytes free
Post-Run: 321,693,626,368 bytes free
.
- - End Of File - - 30C91B1C77C3E6AB0CEEFA1C81A7AC66

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 August 2012 - 05:24 AM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
explorer.exe
svchost.exe
winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 noonionclub
  • Topic Starter
  • Members
  • 8 posts

Posted 31 August 2012 - 12:28 PM

Here is the log. Thanks.



SystemLook 30.07.11 by jpshortstuff
Log created at 10:21 on 31/08/2012 by Noonionclub
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1058304 bytes [05:42 14/04/2008] [05:42 14/04/2008] 45DBECC32D8AF47229AF5AFA52249EED

Searching for "svchost.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 217672 bytes [10:17 08/01/2012] [21:46 03/07/2012] 8A7F34F0BBD076EC3815680A7309114F
C:\WINDOWS\system32\svchost.exe --a---- 39424 bytes [05:42 14/04/2008] [05:42 14/04/2008] B51FE383EF487C361C077584D479E02C

Searching for "winlogon.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 217672 bytes [10:17 08/01/2012] [21:46 03/07/2012] 8A7F34F0BBD076EC3815680A7309114F
C:\WINDOWS\system32\winlogon.exe --a---- 544768 bytes [05:42 14/04/2008] [05:42 14/04/2008] 08900F8E45CF624536FA2D6CA3326521

-= EOF =-

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 August 2012 - 12:35 PM

Greetings

It does not look like you have replacements for these files - I need to know if you have another XP computer we can copy the files from.


SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
explorer.*
svchost.*
winlogon.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#7 noonionclub
  • Topic Starter
  • Members
  • 8 posts

Posted 31 August 2012 - 12:41 PM

I'm going to my friend's house later and he has a computer with XP. How would I copy the files?

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 August 2012 - 12:50 PM

Greetings

We need to get copies of these files from these locations:

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe

Put them on a pen drive and then take them to the infected computer.

Move them to the C: drive so they will be like this (don't try to move them to the correct location, as Windows will not allow you to do it):

C:\explorer.exe
C:\svchost.exe
C:\winlogon.exe

When this is complete, rerun SystemLook for me so I can see they are in the correct place.

gringo

#9 noonionclub
  • Topic Starter
  • Members
  • 8 posts

Posted 31 August 2012 - 01:07 PM

I had my friend email me the files.


SystemLook 30.07.11 by jpshortstuff
Log created at 11:01 on 31/08/2012 by Noonionclub
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"
C:\explorer.exe --a---- 1033728 bytes [19:00 31/08/2012] [06:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip --a---- 20394 bytes [06:48 07/03/2006] [06:48 07/03/2006] B469409C2B2A33C542190B720E11BD79
C:\WINDOWS\explorer.exe --a---- 1058304 bytes [05:42 14/04/2008] [05:42 14/04/2008] 45DBECC32D8AF47229AF5AFA52249EED
C:\WINDOWS\explorer.scf --a---- 80 bytes [12:00 23/08/2001] [12:00 23/08/2001] A3975A7D2C98B30A2AE010754FFB9392

Searching for "svchost.*"
C:\svchost.exe --a---- 14336 bytes [19:00 31/08/2012] [06:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 217672 bytes [10:17 08/01/2012] [21:46 03/07/2012] 8A7F34F0BBD076EC3815680A7309114F
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf --a---- 18034 bytes [17:29 30/08/2012] [18:17 31/08/2012] D776A453A392035CF85B69B9F3EEC2AF
C:\WINDOWS\system32\svchost.exe --a---- 39424 bytes [05:42 14/04/2008] [05:42 14/04/2008] B51FE383EF487C361C077584D479E02C

Searching for "winlogon.*"
C:\winlogon.exe --a---- 507904 bytes [19:00 31/08/2012] [06:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 217672 bytes [10:17 08/01/2012] [21:46 03/07/2012] 8A7F34F0BBD076EC3815680A7309114F
C:\WINDOWS\system32\winlogon.exe --a---- 544768 bytes [05:42 14/04/2008] [05:42 14/04/2008] 08900F8E45CF624536FA2D6CA3326521

-= EOF =-
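
The staged copies in that log can be checked mechanically before the replacements are copied into place. The following Python script is an added example, not SystemLook's or the thread helper's code: it parses the filefind lines (sample input is the log above, embedded verbatim), compares each C:\ replacement's MD5 and size with the installed copy, and lists any other files carrying one of the three names; the installed-path map is this example's assumption, taken from the thread.

```python
import re
from collections import defaultdict

# One hit line of a SystemLook ':filefind' scan, as seen in the log above:
#   <path> <attributes> <size> bytes [<created>] [<modified>] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>\S{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<term>[^"]+)"$')

# Assumption for this example: where the genuine copy of each file lives on
# this XP machine (the three paths the helper asked for in the thread).
INSTALLED = {
    "explorer.exe": r"C:\WINDOWS\explorer.exe",
    "svchost.exe": r"C:\WINDOWS\system32\svchost.exe",
    "winlogon.exe": r"C:\WINDOWS\system32\winlogon.exe",
}

# Sample input: the filefind section of the SystemLook log posted above,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""
Searching for "explorer.*"
C:\explorer.exe --a---- 1033728 bytes [19:00 31/08/2012] [06:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip --a---- 20394 bytes [06:48 07/03/2006] [06:48 07/03/2006] B469409C2B2A33C542190B720E11BD79
C:\WINDOWS\explorer.exe --a---- 1058304 bytes [05:42 14/04/2008] [05:42 14/04/2008] 45DBECC32D8AF47229AF5AFA52249EED
C:\WINDOWS\explorer.scf --a---- 80 bytes [12:00 23/08/2001] [12:00 23/08/2001] A3975A7D2C98B30A2AE010754FFB9392

Searching for "svchost.*"
C:\svchost.exe --a---- 14336 bytes [19:00 31/08/2012] [06:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 217672 bytes [10:17 08/01/2012] [21:46 03/07/2012] 8A7F34F0BBD076EC3815680A7309114F
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf --a---- 18034 bytes [17:29 30/08/2012] [18:17 31/08/2012] D776A453A392035CF85B69B9F3EEC2AF
C:\WINDOWS\system32\svchost.exe --a---- 39424 bytes [05:42 14/04/2008] [05:42 14/04/2008] B51FE383EF487C361C077584D479E02C

Searching for "winlogon.*"
C:\winlogon.exe --a---- 507904 bytes [19:00 31/08/2012] [06:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 217672 bytes [10:17 08/01/2012] [21:46 03/07/2012] 8A7F34F0BBD076EC3815680A7309114F
C:\WINDOWS\system32\winlogon.exe --a---- 544768 bytes [05:42 14/04/2008] [05:42 14/04/2008] 08900F8E45CF624536FA2D6CA3326521
"""


def parse_filefind(text):
    """Return {search term: [hit, ...]}; each hit is a dict of the fields above."""
    hits = defaultdict(list)
    term = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            term = m.group("term")
            continue
        m = HIT_RE.match(line)
        if m and term is not None:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits[term].append(hit)
    return dict(hits)


def _find(hits, path):
    """Exact, case-insensitive path lookup across a list of hits."""
    for hit in hits:
        if hit["path"].lower() == path.lower():
            return hit
    return None


def compare_staged(results):
    """Compare each replacement staged at the drive root (C:\\<name>) with the
    installed copy. 'differs' is the expected verdict when the installed file
    is the one flagged as infected; 'identical' would mean the replacement
    changes nothing; 'missing' means one side is absent from the log."""
    all_hits = [h for hs in results.values() for h in hs]
    report = {}
    for name, installed_path in INSTALLED.items():
        staged = _find(all_hits, "C:\\" + name)
        installed = _find(all_hits, installed_path)
        if staged is None or installed is None:
            report[name] = {"status": "missing"}
            continue
        report[name] = {
            "status": "identical" if staged["md5"] == installed["md5"] else "differs",
            "staged_md5": staged["md5"],
            "installed_md5": installed["md5"],
            "size_delta": staged["size"] - installed["size"],
        }
    return report


def other_copies(results):
    """Paths carrying a system-file name that are neither the installed copy nor
    the staged replacement (here, Malwarebytes' Chameleon decoys); worth a look."""
    all_hits = [h for hs in results.values() for h in hs]
    extra = {name: [] for name in INSTALLED}
    for hit in all_hits:
        name = hit["path"].rsplit("\\", 1)[-1].lower()
        if name not in INSTALLED:
            continue
        known = {INSTALLED[name].lower(), ("C:\\" + name).lower()}
        if hit["path"].lower() not in known:
            extra[name].append(hit["path"])
    return extra


if __name__ == "__main__":
    results = parse_filefind(SAMPLE_LOG)
    for name, verdict in compare_staged(results).items():
        print(name, verdict)
    for name, paths in other_copies(results).items():
        print(name, "other copies:", paths)
```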

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 August 2012 - 01:10 PM

Greetings

That is perfect!!

Let's run this now.

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe.

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
CopyFile:
C:\explorer.exe C:\WINDOWS\explorer.exe
C:\svchost.exe C:\WINDOWS\system32\svchost.exe
C:\winlogon.exe C:\WINDOWS\system32\winlogon.exe
C:\explorer.exe C:\WINDOWS\system32\dllcache\explorer.exe
C:\winlogon.exe C:\WINDOWS\system32\dllcache\winlogon.exe
C:\svchost.exe C:\WINDOWS\system32\dllcache\svchost.exe
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by BlitzBlank. You can find it at the root of the drive, normally C:\.


#11 noonionclub
  • Topic Starter
  • Members
  • 8 posts

Posted 31 August 2012 - 01:20 PM

BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe"
CopyFileOnReboot: sourceFile = "\??\c:\svchost.exe", destinationFile = "\??\c:\windows\system32\svchost.exe"
CopyFileOnReboot: sourceFile = "\??\c:\winlogon.exe", destinationFile = "\??\c:\windows\system32\winlogon.exe"
CopyFileOnReboot: sourceFile = "\??\c:\explorer.exe", destinationFile = "\??\c:\windows\system32\dllcache\explorer.exe"
CopyFileOnReboot: sourceFile = "\??\c:\winlogon.exe", destinationFile = "\??\c:\windows\system32\dllcache\winlogon.exe"
CopyFileOnReboot: sourceFile = "\??\c:\svchost.exe", destinationFile = "\??\c:\windows\system32\dllcache\svchost.exe"

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 August 2012 - 03:09 PM

Please rerun ComboFix for me now.


gringo

#13 noonionclub
  • Topic Starter
  • Members
  • 8 posts

Posted 31 August 2012 - 07:30 PM

ComboFix 12-08-31.07 - Noonionclub 08/31/2012 17:18:35.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1576 [GMT -8:00]
Running from: c:\documents and settings\Noonionclub\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\wfsmaaa.tmp
C:\explorer.exe
C:\svchost.exe
C:\winlogon.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-01 to 2012-09-01 )))))))))))))))))))))))))))))))
.
.
2012-08-31 19:15 . 2012-08-31 19:15 507904 -c--a-w- c:\windows\system32\dllcache\winlogon.exe
2012-08-31 19:15 . 2012-08-31 19:15 14336 -c--a-w- c:\windows\system32\dllcache\svchost.exe
2012-08-31 19:15 . 2012-08-31 19:15 1033728 -c--a-w- c:\windows\system32\dllcache\explorer.exe
2012-08-29 22:57 . 2012-08-29 22:57 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-08-24 03:15 . 2012-08-24 03:15 -------- d-----w- c:\program files\Common Files\Java
2012-08-24 03:14 . 2012-08-24 03:14 -------- d-----w- c:\program files\Oracle
2012-08-24 03:14 . 2012-08-24 03:14 -------- d-----w- c:\documents and settings\Noonionclub\Local Settings\Application Data\Sun
2012-08-24 03:14 . 2012-08-24 03:14 -------- d-----w- c:\documents and settings\Noonionclub\Application Data\Oracle
2012-08-24 03:14 . 2012-08-24 03:13 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-24 03:14 . 2012-05-05 03:29 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-24 03:13 . 2012-08-24 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-08-22 06:07 . 2012-08-22 06:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-08-22 06:07 . 2012-08-22 06:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-08-22 06:06 . 2012-08-22 06:06 -------- d-sh--w- c:\documents and settings\Noonionclub\PrivacIE
2012-08-22 06:02 . 2012-08-22 06:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-08-22 06:02 . 2012-08-22 06:02 -------- d-sh--w- c:\documents and settings\Noonionclub\IETldCache
2012-08-22 05:55 . 2008-04-14 05:41 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-08-22 05:55 . 2008-04-14 05:41 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2012-08-22 05:55 . 2012-08-22 06:00 -------- d--h--w- c:\windows\msdownld.tmp
2012-08-22 02:19 . 2012-06-16 00:39 169744 ----a-w- c:\windows\system32\ztvunrar36.dll
2012-08-22 02:19 . 2012-06-16 00:35 185616 ----a-w- c:\windows\system32\ztvunrar39.dll
2012-08-22 02:19 . 2012-06-16 00:33 605968 ----a-w- c:\windows\system32\ztv7z.dll
2012-08-22 02:19 . 2012-06-16 00:33 77072 ----a-w- c:\windows\system32\ztvcabinet.dll
2012-08-22 02:19 . 2005-08-26 09:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2012-08-22 02:19 . 2003-02-03 04:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2012-08-22 02:19 . 2002-03-06 09:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2012-08-22 01:47 . 2012-08-22 01:47 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-22 01:39 . 2012-08-22 01:39 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Threat Expert
2012-08-22 01:35 . 2012-08-22 02:05 -------- d-----w- c:\program files\PC Tools
2012-08-22 01:24 . 2012-08-22 02:05 -------- d-----w- c:\program files\Common Files\PC Tools
2012-08-22 01:24 . 2012-06-22 23:34 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-08-22 01:23 . 2012-08-22 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-08-22 01:23 . 2012-08-22 01:23 -------- d-----w- c:\documents and settings\Noonionclub\Application Data\TestApp
2012-08-22 00:17 . 2012-08-22 00:17 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\AIM Toolbar
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-31 19:15 . 2008-04-14 05:42 507904 ----a-w- c:\windows\system32\winlogon.exe
2012-08-31 19:15 . 2008-04-14 05:42 14336 ----a-w- c:\windows\system32\svchost.exe
2012-08-31 19:15 . 2008-04-14 05:42 1033728 ----a-w- c:\windows\explorer.exe
2012-08-28 17:53 . 2012-04-03 15:40 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-28 17:53 . 2011-05-26 07:03 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 21:46 . 2009-11-03 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-29 22:57 . 2011-03-24 18:33 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-31_08.09.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-09-01 01:04 . 2012-09-01 01:04 16384 c:\windows\Temp\Perflib_Perfdata_748.dat
+ 2009-11-02 23:20 . 2012-08-31 19:13 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-02 23:20 . 2012-08-31 07:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-08-31 08:11 . 2012-08-31 19:13 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2012-08-30 10:33 . 2012-08-31 07:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Noonionclub\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-12-16 79872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-08 13902440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Noonionclub^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Noonionclub\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Noonionclub^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Noonionclub\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Noonionclub^Start Menu^Programs^Startup^ViiKiiDesktopPlugin.lnk]
path=c:\documents and settings\Noonionclub\Start Menu\Programs\Startup\ViiKiiDesktopPlugin.lnk
backup=c:\windows\pss\ViiKiiDesktopPlugin.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-10-06 18:15 3634024 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AirPaceWifi]
2007-02-08 22:17 2240512 ----a-w- c:\program files\abit\abit uGuru\AirPacewifi.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2012-03-13 13:37 3331872 ----a-w- c:\documents and settings\Noonionclub\Local Settings\Application Data\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-02 07:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2012-04-05 13:12 2587008 ----a-w- c:\program files\AVG\AVG2012\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 05:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-03-02 08:43 136176 ----atw- c:\documents and settings\Noonionclub\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 19:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-17 01:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 20:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-07-03 21:46 973488 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-07-03 21:46 462920 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 05:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 23:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-06-08 00:34 13902440 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-06-08 00:34 110696 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-06-03 07:48 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-03-29 05:38 2937528 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 19:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-09-22 08:25 18749440 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 19:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-10-23 02:35 399224 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\StarCraft II Beta\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15133\\SC2.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15449\\SC2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ViiKiiDesktopPlugin\\ViiKiiDesktopPlugin.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Noonionclub\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58131:TCP"= 58131:TCP:*:Disabled:Pando Media Booster
"58131:UDP"= 58131:UDP:*:Disabled:Pando Media Booster
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 2:48 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 2:48 AM 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 2:49 AM 301248]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2/2/2011 2:08 PM 18656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [7/4/2012 5:25 PM 5160568]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [6/21/2010 11:20 AM 20968]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/3/2009 11:56 AM 655944]
R3 AR2425;abit AirPace Wi-Fi Wireless Network Adapter Service;c:\windows\system32\drivers\aw5006.sys [11/2/2009 3:22 PM 556832]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/3/2009 11:56 AM 22344]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [3/4/2010 11:29 AM 47360]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 7:40 AM 250568]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/2/2009 3:25 PM 1684736]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [7/28/2012 3:06 PM 77624]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [9/14/2010 3:21 PM 24576]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 6:25 PM 114144]
S3 pbfilter;pbfilter;\??\c:\program files\PeerBlock\pbfilter.sys --> c:\program files\PeerBlock\pbfilter.sys [?]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [7/28/2012 3:06 PM 181432]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/3/2009 11:57 AM 691696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:53]
.
2012-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 01:57]
.
2012-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-2111687655-682003330-1003Core.job
- c:\documents and settings\Noonionclub\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-02 08:43]
.
2012-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-2111687655-682003330-1003UA.job
- c:\documents and settings\Noonionclub\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-02 08:43]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=;ftp=;https=;
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Noonionclub\Application Data\Mozilla\Firefox\Profiles\jfxwj1eg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/?shva=1#inbox|http://www.facebook.com/|http://football.fantasysports.yahoo.com/f1/126931
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-31 17:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Noonionclub\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?<%???_?F?????????RESS_ITEMS> var j=0;?? while (j<=1000) j++; setTimeout("pr
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,3a,b6,d8,79,16,03,43,b3,bd,fd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,3a,b6,d8,79,16,03,43,b3,bd,fd,\
.
Completion time: 2012-08-31 17:27:35
ComboFix-quarantined-files.txt 2012-09-01 01:27
ComboFix2.txt 2012-08-31 08:11
ComboFix3.txt 2012-08-30 10:33
.
Pre-Run: 321,406,423,040 bytes free
Post-Run: 321,442,598,912 bytes free
.
- - End Of File - - 809B285B634F3C18128F47E6AA29FF93

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:23 AM

Posted 31 August 2012 - 08:45 PM

I would like to know how the computer is doing now


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 noonionclub

  • Topic Starter
  • Members
  • 8 posts
  • Local time:01:23 AM

Posted 31 August 2012 - 08:57 PM

It looks fine. Iexplorer.exe and svchost.exe are not giving me any problems anymore. Thanks for the help.

Edited by noonionclub, 31 August 2012 - 08:57 PM.
