#1
Junior Member
Join Date: Jan 2008
Location: Long Island
Posts: 1
Hello, I am new to this forum; this is my first time posting.

Hopefully someone can help resolve this, as none of my kids will admit to what they did on the PC last night. I am at work now, but will be home later on. AVG is no longer running. I tried to reinstall it but get "not a valid Win32 application". I ran Kaspersky and ComboFix. Here is the ComboFix report, run before I left for work:

ComboFix 08-01-31.4 - Glenn 2008-01-31 5:41:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.136 [GMT -5:00]
Running from: C:\Documents and Settings\Glenn\Local Settings\Temporary Internet Files\Content.IE5\WCYF2V69\ComboFix[1].exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
C:\Documents and Settings\Glenn\Application Data\macromedia\Flash Player\#SharedObjects\HPRVB4TP\www.broadcaster.com
C:\Documents and Settings\Glenn\Application Data\macromedia\Flash Player\#SharedObjects\HPRVB4TP\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Glenn\Application Data\macromedia\Flash Player\#SharedObjects\HPRVB4TP\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Glenn\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Glenn\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\install.exe
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\119296.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SROSA
-------\srosa
.
(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-31   )))))))))))))))))))))))))))))))
.
2008-01-31 05:54 . 2008-01-31 05:54 d-------- C:\WINDOWS\SYSTEM32\DRIVERS\down
2008-01-30 19:31 . 2008-01-30 19:31 d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-30 19:31 . 2008-01-30 19:31 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-28 21:04 . 2008-01-28 21:06 d-------- C:\Program Files\Truck Dismount
2008-01-28 20:59 . 2008-01-28 20:59 d-------- C:\Program Files\Porrasturvat - Stair Dismount
2008-01-26 07:11 . 2008-01-26 07:11 d-------- C:\Documents and Settings\Glenn\Application Data\Uniblue
2008-01-26 07:10 . 2008-01-26 07:10 d-------- C:\Program Files\Uniblue
2008-01-20 18:32 . 2008-01-20 18:34 d-------- C:\Program Files\CA
2008-01-17 19:48 . 2008-01-17 19:51 d-------- C:\Documents and Settings\Glenn\.housecall6.6
2008-01-17 19:48 . 2008-01-31 05:21 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-15 18:41 . 2008-01-15 18:41 d-------- C:\Program Files\e frontier
2008-01-15 18:06 . 2008-01-15 18:06 34,504 --a------ C:\WINDOWS\SYSTEM32\nlsdl32.dll
2008-01-15 17:14 . 2008-01-31 05:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-15 17:14 . 2008-01-15 17:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-01-09 17:58 . 2008-01-09 17:58 22,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PnkBstrK.sys
2008-01-09 17:57 . 2008-01-09 17:57 107,832 --a------ C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2008-01-09 17:57 . 2008-01-09 17:57 66,872 --a------ C:\WINDOWS\SYSTEM32\PnkBstrA.exe
2008-01-09 15:44 . 2008-01-09 15:44 d-------- C:\Documents and Settings\Glenn\Application Data\IGN_DLM
2008-01-08 21:37 . 2008-01-08 21:37 d-------- C:\Program Files\SystemRequirementsLab
2008-01-08 16:47 . 2008-01-15 17:25 d-------- C:\Program Files\EA GAMES
2008-01-05 17:04 . 2008-01-05 17:04 32,948 --a------ C:\MARILYN HELFORD Resume 1.5.08_doc.eml
2008-01-04 21:04 . 2008-01-04 21:04 d-------- C:\Torque
2008-01-03 18:01 . 2008-01-03 18:01 d-------- C:\WINDOWS\solcache
2008-01-03 18:00 . 2008-01-03 18:01 d-------- C:\Program Files\Sierra On-Line
2008-01-03 18:00 . 2008-01-03 18:00 d-------- C:\Dynamix
2008-01-03 17:59 . 2008-01-07 20:40 148 --a------ C:\WINDOWS\Sierra.ini
2008-01-01 16:39 . 2008-01-01 16:39 63,915 --a------ C:\ScreenHunter_004.jpg
2008-01-01 16:38 . 2008-01-01 16:38 53,913 --a------ C:\ScreenHunter_002.jpg
2007-12-24 20:58 . 2008-01-29 18:37 d-------- C:\Program Files\eMule
2007-12-12 20:05 . 2007-12-12 20:05 d-------- C:\Documents and Settings\LocalService\Application Data\Ahead
2007-12-08 21:37 . 2006-11-29 01:06 860,211 --a-s---- C:\WINDOWS\SYSTEM32\XSIFtk-3.6.2.1.dll
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 10:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-30 22:03 --------- d-----w C:\Documents and Settings\Glenn\Application Data\LimeWire
2008-01-29 23:41 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-01-29 23:33 --------- d-----w C:\Documents and Settings\Glenn\Application Data\AVG7
2008-01-22 22:48 --------- d-----w C:\Program Files\LimeWire
2008-01-15 22:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 22:09 --------- d-----w C:\Program Files\QuickTime
2008-01-15 07:39 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-13 15:57 --------- d-----w C:\Documents and Settings\Glenn\Application Data\Azureus
2008-01-11 23:47 --------- d-----w C:\Program Files\Azureus
2008-01-08 21:34 --------- d-----w C:\Program Files\Magic FPS
2008-01-05 02:07 --------- d-----w C:\Program Files\Torque
2008-01-03 23:02 2,044 ----a-w C:\Program Files\AT&T Special Offer.lnk
2007-12-30 03:52 --------- d-----w C:\Program Files\Pivot Stickfigure Animator
2007-12-25 02:32 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-22 14:06 --------- d-----w C:\Program Files\Paint.NET
2007-12-11 00:06 --------- d-----w C:\Program Files\Best Buy Rhapsody
2007-12-08 14:02 --------- d-----w C:\Program Files\AC3D 6.1
2007-12-08 14:01 --------- d-----w C:\Program Files\A C 3D
2007-09-14 21:03 59,246,605 ----a-w C:\Program Files\Ac3d_6.1.zip
2007-09-03 13:42 92,128 ----a-w C:\Documents and Settings\Glenn\Application Data\GDIPFONTCACHEV1.DAT
2007-08-18 23:12 532,616 ----a-w C:\Program Files\ImageResizerPowertoySetup.exe
2007-05-19 10:52 2,000,239 ----a-w C:\Program Files\noteburner.exe
2007-01-24 01:38 8,696,643 ----a-w C:\Program Files\TUNE UP 2006 V 5.3.2343.rar
2006-12-09 16:57 3,165,518 ----a-w C:\Program Files\uiso8_pe.exe
2006-06-23 22:48 15,937,652 ----a-w C:\Program Files\NLDemo155.exe
2005-11-26 15:43 557,056 ----a-w C:\Documents and Settings\Glenn\chatlnk.exe
2004-12-01 23:34 716 ---ha-w C:\Documents and Settings\All Users\Application Data\pb7msys.dat
2004-06-19 10:15 2,569 --sha-w C:\WINDOWS\bmvhi.dat
2004-08-04 05:56 73,728 --sha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
2007-10-20 18:19 56 --sh--r C:\WINDOWS\SYSTEM32\9F0EFAF752.sys
2004-04-28 06:09 2,569 --sha-w C:\WINDOWS\SYSTEM32\ddagh.dat
2004-06-13 03:40 2,569 --sha-w C:\WINDOWS\SYSTEM32\huace.dat
2007-10-20 18:19 1,890 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2004-06-06 16:42 2,569 --sha-w C:\WINDOWS\SYSTEM32\rphrp.dat
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B172E5A-5846-4678-BEFB-89CB2EADDF36}]
2008-01-15 18:06 34504 --a------ C:\WINDOWS\system32\nlsdl32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-03-12 09:09 686794]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 12:49 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:32 208952]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2008-01-31 05:49 473928]
"NvCplDaemon"="NvQTwk" []
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 21:17 69705]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-31 05:49 579072]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 20:10 339968]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 10:51 185632]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 17:53 153136]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-31 05:30 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 13:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mm_server]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop-Up Stopper]
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-13 10:51 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2005-10-24 15:53 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

R2 cpextender;Check Point SSL Network Extender;C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe [2005-09-26 10:28]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-03 23:56]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys [2006-09-26 23:21]
R3 VNA;Check Point Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\vna.sys [2005-09-26 10:28]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-05-03 12:30]
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 12:29]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 22:17:54 C:\WINDOWS\Tasks\1-Click Maintenance.job" - C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-24 18:45:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-31 08:23:26 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-01-31 11:04:16 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C8A4869B-9408-4C41-8D12-BA3DD576E149}.job" - C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net
Rootkit scan 2008-01-31 05:54:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-01-31 6:09:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 11:09:06
.
2008-01-10 11:47:43 --- E O F ---

That's it. Hopefully this can be fixed without me having to wipe the C drive clean and reinstall. Thanks in advance.
#2
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 29,548
Hi Hglenn

You are running ComboFix from the IE temp folder:
Running from: C:\Documents and Settings\Glenn\Local Settings\Temporary Internet Files\Content.IE5\WCYF2V69\ComboFix[1].exe

1. Download ComboFix from any of these links and save it to the Desktop:
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop.**
2. Double-click combofix.exe and follow the prompts.
3. When finished, it will produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it is running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected. If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; ComboFix should then continue. If that happened we want to know, and also which process you had to end.

If you have problems with ComboFix usage, see here.

Post:
- a fresh HijackThis log
- the ComboFix report
__________________
Microsoft MVP Consumer Security 2008 2009 2010 Member of ASAP and UNITE since 2006 Please don't use PMs for requesting help. The Forums are there for a reason. |
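The two things worth scripting from this exchange, as an added example that is not part of the thread and not a tool either poster used: a small Python parser for the plain-text ComboFix report format quoted in post #1 (the "Running from:" header, the "Other Deletions" list, and the dated "Files Created" and "Find3M" entries with their attribute strings), plus the check the helper applies by eye in post #2, namely whether ComboFix was launched from the IE cache rather than the Desktop. The attribute heuristics (hidden or system flags on a file, anything under system32\drivers) are my own, mark candidates for a second look rather than verdicts, and will flag legitimate drivers too (the tmcomm.sys entry lands on the list purely because of its directory). SAMPLE_LOG is a constructed excerpt assembled from lines of the posted log, not the full report.

```python
# Added example, not code from either poster or from ComboFix: a triage parser
# for the plain-text ComboFix report format quoted in post #1, plus the origin
# check from post #2. SAMPLE_LOG is a constructed excerpt built from lines of the
# posted log. The heuristics in suspicious() are mine, not ComboFix's.
import re

SAMPLE_LOG = r"""ComboFix 08-01-31.4 - Glenn 2008-01-31 5:41:19.1 - NTFSx86
Running from: C:\Documents and Settings\Glenn\Local Settings\Temporary Internet Files\Content.IE5\WCYF2V69\ComboFix[1].exe
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\install.exe
C:\WINDOWS\system32\drivers\down\119296.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
.
(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-31   )))))))))))))))))))))))))))))))
.
2008-01-31 05:54 . 2008-01-31 05:54 d-------- C:\WINDOWS\SYSTEM32\DRIVERS\down
2008-01-17 19:48 . 2008-01-31 05:21 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-15 17:14 . 2008-01-31 05:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-08 21:37 . 2006-11-29 01:06 860,211 --a-s---- C:\WINDOWS\SYSTEM32\XSIFtk-3.6.2.1.dll
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 10:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-15 07:39 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2004-06-19 10:15 2,569 --sha-w C:\WINDOWS\bmvhi.dat
2007-10-20 18:19 56 --sh--r C:\WINDOWS\SYSTEM32\9F0EFAF752.sys
"""

# Section banners look like "(((((  Title  )))))"; entries sit between them.
SECTION_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")
# Files Created: "<created> . <modified> [<size>] <9-char attrs> <path>"
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(?:(?P<size>[\d,]+)\s+)?(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")
# Find3M: "<modified> <size, or dashes for a directory> <7-char attrs> <path>"
FIND3M_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?P<size>[\d,]+|-+)\s+"
    r"(?P<attrs>[-a-z]{7})\s+(?P<path>.+)$")
ENTRY_RES = {"Files Created": CREATED_RE, "Find3M": FIND3M_RE}

def split_sections(log):
    """Map banner title -> entry lines; text before the first banner is 'preamble'."""
    sections, current = {"preamble": []}, "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and line != ".":        # "." is ComboFix's blank spacer line
            sections[current].append(line)
    return sections

def running_from(sections):
    """The path ComboFix says it was launched from, or None if absent."""
    for line in sections["preamble"]:
        if line.startswith("Running from:"):
            return line.split(":", 1)[1].strip()
    return None

def launched_from_ie_cache(path):
    """Post #2's check: the tool must run from the Desktop, not IE's cache folder."""
    p = path.lower()
    return "temporary internet files" in p or "content.ie5" in p

def parse_entries(lines, rx):
    """Turn dated entry lines into dicts; size is None for directories."""
    out = []
    for line in lines:
        m = rx.match(line)
        if m:
            size = m.group("size")
            out.append({"path": m.group("path"), "attrs": m.group("attrs"),
                        "size": int(size.replace(",", "")) if size and size[0].isdigit() else None})
    return out

def suspicious(entry):
    """Heuristic reasons to look twice at a file entry (empty list = nothing noted)."""
    attrs, path = entry["attrs"], entry["path"].lower()
    if attrs.startswith("d"):                 # directories: skip
        return []
    reasons = []
    if "h" in attrs or "s" in attrs:          # hidden or system flag on a plain file
        reasons.append("hidden/system attribute")
    if "\\system32\\drivers\\" in path:       # kernel-driver directory
        reasons.append("driver directory")
    return reasons

def triage(log):
    sections = split_sections(log)
    origin = running_from(sections)
    report = {"running_from": origin, "from_ie_cache": launched_from_ie_cache(origin or ""),
              "deleted": [], "flagged": []}
    for title, lines in sections.items():
        if title.startswith("Other Deletions"):
            report["deleted"] = list(dict.fromkeys(lines))   # the log repeats some paths
        for prefix, rx in ENTRY_RES.items():
            if title.startswith(prefix):
                for e in parse_entries(lines, rx):
                    reasons = suspicious(e)
                    if reasons:
                        report["flagged"].append((e["path"], reasons))
    return report

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("Running from:", r["running_from"])
    print("Launched from IE cache, rerun from Desktop:", r["from_ie_cache"])
    print("Removed by ComboFix:", *r["deleted"], sep="\n  ")
    for path, why in r["flagged"]:
        print(f"LOOK: {path}  [{', '.join(why)}]")
```

Run it as a script to see the origin check, the deduplicated deletion list and the flagged entries. A hit is a prompt to look the file up, not a detection: the same rules that surface the hidden .dat and .sys files under SYSTEM32 also surface a freshly installed scanner driver.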
#3
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 29,548
Due to the lack of feedback this Topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Everyone else please begin a New Topic.