Hello,
(Tashi advised me to start a new topic)
I think that I have some malware, because my computer wouldn't let me start Spybot (it says that I don't have permission) or Ad-Aware.
I can't provide you with HJT logs, either, because the computer won't let me run HijackThis anymore. I just installed it, but after a while the window disappeared. Now I can't start the application at all.
Thanks in advance.
Can anyone help?
Here's my ComboFix Log:
ComboFix 09-09-12.A0 - Nana 09/13/2009 11:00.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.1022.441 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\somgomiselfr.exe
.
---- Previous Run -------
.
c:\windows\keysetup.1700[1].exe
c:\windows\msa.exe
c:\windows\pp21cn.dll
c:\windows\run.log
c:\windows\sonce122730.dat
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll
c:\windows\wiaserviv.log
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll
-- Previous Run --
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll
--------
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.
2009-09-12 23:41 . 2009-09-12 23:41 47616 ----a-w- C:\Win32kDiagonal.exe
2009-09-12 05:05 . 2009-09-12 05:05 -------- d-----w- c:\program files\Trend Micro
2009-09-12 04:54 . 2009-09-12 14:21 -------- d-----w- c:\program files\Spybot - Search & Destroytest
2009-09-12 04:40 . 2009-09-12 04:40 -------- d-----w- c:\program files\VS Revo Group
2009-09-12 04:12 . 2009-09-13 15:59 -------- d--h--w- c:\windows\PIF
2009-09-12 02:26 . 2009-09-12 02:26 -------- d-----w- c:\program files\CleanUp!
2009-09-12 02:13 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-12 02:11 . 2009-09-12 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-11 23:50 . 2009-09-12 04:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 17:21 . 2009-09-11 17:21 4825088 ----a-w- c:\program files\neob.exe
2009-09-10 05:13 . 2009-09-11 23:05 -------- d-----w- c:\program files\Spybot - Search & Destroy1
2009-09-09 01:47 . 2009-09-09 02:48 -------- d-----w- C:\NbN assistant editors
2009-09-05 00:57 . 2009-09-05 01:41 -------- d-----w- c:\documents and settings\EYJA winners trip Berlin
2009-08-16 18:10 . 2009-08-16 18:10 -------- d-----w- c:\program files\Freeware PDF Unlocker
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 15:52 . 2006-10-03 01:19 -------- d-----w- c:\documents and settings\Nana\Application Data\Skype
2009-09-13 13:09 . 2008-02-28 03:09 -------- d-----w- c:\documents and settings\Nana\Application Data\skypePM
2009-09-12 14:40 . 2009-05-02 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-12 14:21 . 2006-11-08 07:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-11 23:17 . 2009-05-03 03:25 5632 --sha-w- c:\program files\Thumbs.db
2009-09-11 23:07 . 2006-11-08 07:23 -------- d-----w- c:\program files\spybot
2009-09-10 19:18 . 2006-09-27 00:19 -------- d-----w- c:\program files\Google
2009-09-10 03:13 . 2009-09-10 03:13 991741 ----a-w- c:\windows\system32\xa.tmp
2009-09-05 00:53 . 2009-08-09 16:02 -------- d-----w- c:\documents and settings\Nana\Application Data\FileZilla
2009-08-28 14:42 . 2009-05-02 15:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 14:42 . 2009-05-02 15:45 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 14:42 . 2007-03-13 18:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 12:07 . 2009-08-09 16:06 -------- d-----w- c:\program files\FileZilla Server
2009-08-10 04:35 . 2009-08-10 04:33 39160414 ----a-w- c:\program files\ManageEngine_EventLogAnalyzer.exe
2009-08-09 16:02 . 2009-08-09 16:02 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-09 16:02 . 2009-08-09 16:02 2873754 ----a-w- c:\program files\FileZilla_Server-0_9_32.exe
2009-08-09 16:01 . 2009-08-09 16:01 4001773 ----a-w- c:\program files\FileZilla_3.2.6.1_win32-setup.exe
2009-08-06 18:30 . 2009-08-06 18:30 -------- d-----w- c:\program files\ffdshow
2009-08-06 18:26 . 2009-08-06 18:26 -------- d-----w- c:\program files\PlayFLV
2009-07-27 22:26 . 2009-07-27 22:14 -------- d-----w- c:\program files\Favorite-Games
2009-06-07 14:28 . 2009-06-07 14:28 3168382 ----a-w- c:\program files\SopCast_3.0.3_by_Myp2p.eu_official.zip
2009-06-07 14:22 . 2009-06-07 14:21 3006976 ----a-w- c:\program files\TvantsSetup.exe
2009-05-02 15:40 . 2009-05-02 15:39 64470784 ----a-w- c:\program files\avg_free_stf_en_85_325a1500.exe
2009-03-30 18:12 . 2009-03-30 18:11 13440584 ----a-w- c:\program files\Install_AIM.exe
2009-03-21 18:13 . 2009-03-21 18:13 267372 ----a-w- c:\program files\21032009(001).jpg
2009-03-21 14:10 . 2009-03-21 14:03 22285608 ----a-w- c:\program files\SkypeSetup.exe
2009-03-16 14:30 . 2009-03-16 14:30 1301304 ----a-w- c:\program files\WindowsXP-KB917021-v3-x86-ENU.exe
2007-11-26 02:18 . 2007-11-26 02:18 28868320 ----a-w- c:\program files\FileFormatConverters.exe
2007-11-26 02:15 . 2007-11-26 02:15 25685128 ----a-w- c:\program files\wordview_en-us.exe
2006-12-28 11:03 . 2006-12-28 11:03 1914 ----a-w- c:\program files\NADYA.sv2i
2006-12-28 11:03 . 2006-12-28 11:03 5636096 ----a-w- c:\program files\D_Drive001.v2i
2007-10-09 21:50 . 2006-10-04 18:26 168 --sh--r- c:\windows\system32\8B206616FF.sys
2007-10-09 21:50 . 2006-10-04 18:26 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Octoshape Streaming Services"="c:\program files\Octoshape Streaming Services\Nana\OctoshapeClient.exe" [2006-02-13 214648]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-03 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-15 257088]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 528384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Skype Recorder"="c:\program files\Skype Recorder\Skype Recorder.exe" [2010-12-04 748544]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2009-06-21 1226240]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
c:\documents and settings\Nana\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-28 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-26 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2008-10-8 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 14:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sopcast\\SopCast.exe"=
"c:\\Program Files\\TVants\\Tvants.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\Nana\\OctoshapeClient.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Documents and Settings\\Nana\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9741:TCP"= 9741:TCP:BitComet 9741 TCP
"9741:UDP"= 9741:UDP:BitComet 9741 UDP
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/11/2009 9:13 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/2/2009 10:45 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/2/2009 10:45 AM 108552]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/2/2009 10:45 AM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/30/2009 1:13 PM 24652]
S2 AdobeActiveFileMonitor6.0Alerter;Adobe Active File Monitor V6 AdobeActiveFileMonitor6.0Alerter;c:\documents and settings\Nana\wpv401237130579.cpx run --> c:\documents and settings\Nana\wpv401237130579.cpx run [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 s716bus;Sony Ericsson Device 716 driver (WDM);c:\windows\system32\drivers\s716bus.sys [12/4/2008 9:11 PM 83208]
S3 s716mdfl;Sony Ericsson Device 716 USB WMC Modem Filter;c:\windows\system32\drivers\s716mdfl.sys [12/4/2008 9:13 PM 15112]
S3 s716mdm;Sony Ericsson Device 716 USB WMC Modem Driver;c:\windows\system32\drivers\s716mdm.sys [12/4/2008 9:13 PM 108552]
S3 s716mgmt;Sony Ericsson Device 716 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s716mgmt.sys [12/4/2008 9:13 PM 100360]
S3 s716nd5;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (NDIS);c:\windows\system32\drivers\s716nd5.sys [12/4/2008 9:14 PM 23176]
S3 s716obex;Sony Ericsson Device 716 USB WMC OBEX Interface;c:\windows\system32\drivers\s716obex.sys [12/4/2008 9:13 PM 98568]
S3 s716unic;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (WDM);c:\windows\system32\drivers\s716unic.sys [12/4/2008 9:14 PM 98952]
.
Contents of the 'Scheduled Tasks' folder
2009-09-12 c:\windows\Tasks\User_Feed_Synchronization-{8DC78ABA-12EA-4701-ABD1-03B9EAD7A800}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoomail.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
DPF: {028C3B99-F9B0-4188-8C2C-D71CA84824D5} - hxxp://83.228.43.70:9999/program/SonySncCs1011View.cab
DPF: {6C0AE182-9095-4377-8DC9-CD586E31E486} - hxxp://80.253.55.165/c20viewer.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://www.rusenski.info/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Nana\Application Data\Mozilla\Firefox\Profiles\mo9hd92j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - www.yahoomail.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\documents and settings\Nana\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Octoshape Streaming Services\Nana\octoprogram-L03-NMS0810164_SUA_000\npoctoshape.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
HKLM-Run-ppmate - c:\program files\PPMate\PPMate\ppmate.exe
Notify-NavLogon - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 11:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AdobeActiveFileMonitor6.0Alerter]
"ImagePath"="c:\documents and settings\Nana\wpv401237130579.cpx run"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1276)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2228)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\FileZilla Server\FileZilla server.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-09-13 11:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-13 16:36
Pre-Run: 54,962,405,376 bytes free
Post-Run: 54,850,732,032 bytes free
256 --- E O F --- 2007-09-25 11:22
===========================
Edit: FYI
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)
Do NOT run 'FIXES' before helpers have analyzed the HJT log.
If the infection prevents HJT from running, please start a topic, make note of the situation and wait for a response. Please do not add logs from other scans.
The Waiting Room
NOTE: ComboFix is not a general purpose cleaning tool!
It should only be run under the supervision of someone who has been trained and continues their education in its use.
Post here if still waiting for help in the Malware Forum (AFTER) FOUR days.