freshwater
2009-09-12, 07:11
Hello,
(Tashi advised me to start a new topic)
I think that I have some malware, because my computer wouldn't let me start Spybot (it says that I don't have permission) or Ad-Aware.
I can't provide you with HJT logs, either, because the computer won't let me run HijackThis anymore. I just installed it, but after a while the window disappeared. Now I can't start the application at all.
Thanks in advance.
Can anyone help?
Here's my ComboFix Log:
ComboFix 09-09-12.A0 - Nana 09/13/2009 11:00.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.1022.441 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\somgomiselfr.exe
.
---- Previous Run -------
.
c:\windows\keysetup.1700[1].exe
c:\windows\msa.exe
c:\windows\pp21cn.dll
c:\windows\run.log
c:\windows\sonce122730.dat
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll
c:\windows\wiaserviv.log
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll
-- Previous Run --
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll
--------
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.
2009-09-12 23:41 . 2009-09-12 23:41 47616 ----a-w- C:\Win32kDiagonal.exe
2009-09-12 05:05 . 2009-09-12 05:05 -------- d-----w- c:\program files\Trend Micro
2009-09-12 04:54 . 2009-09-12 14:21 -------- d-----w- c:\program files\Spybot - Search & Destroytest
2009-09-12 04:40 . 2009-09-12 04:40 -------- d-----w- c:\program files\VS Revo Group
2009-09-12 04:12 . 2009-09-13 15:59 -------- d--h--w- c:\windows\PIF
2009-09-12 02:26 . 2009-09-12 02:26 -------- d-----w- c:\program files\CleanUp!
2009-09-12 02:13 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-12 02:11 . 2009-09-12 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-11 23:50 . 2009-09-12 04:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 17:21 . 2009-09-11 17:21 4825088 ----a-w- c:\program files\neob.exe
2009-09-10 05:13 . 2009-09-11 23:05 -------- d-----w- c:\program files\Spybot - Search & Destroy1
2009-09-09 01:47 . 2009-09-09 02:48 -------- d-----w- C:\NbN assistant editors
2009-09-05 00:57 . 2009-09-05 01:41 -------- d-----w- c:\documents and settings\EYJA winners trip Berlin
2009-08-16 18:10 . 2009-08-16 18:10 -------- d-----w- c:\program files\Freeware PDF Unlocker
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 15:52 . 2006-10-03 01:19 -------- d-----w- c:\documents and settings\Nana\Application Data\Skype
2009-09-13 13:09 . 2008-02-28 03:09 -------- d-----w- c:\documents and settings\Nana\Application Data\skypePM
2009-09-12 14:40 . 2009-05-02 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-12 14:21 . 2006-11-08 07:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-11 23:17 . 2009-05-03 03:25 5632 --sha-w- c:\program files\Thumbs.db
2009-09-11 23:07 . 2006-11-08 07:23 -------- d-----w- c:\program files\spybot
2009-09-10 19:18 . 2006-09-27 00:19 -------- d-----w- c:\program files\Google
2009-09-10 03:13 . 2009-09-10 03:13 991741 ----a-w- c:\windows\system32\xa.tmp
2009-09-05 00:53 . 2009-08-09 16:02 -------- d-----w- c:\documents and settings\Nana\Application Data\FileZilla
2009-08-28 14:42 . 2009-05-02 15:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 14:42 . 2009-05-02 15:45 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 14:42 . 2007-03-13 18:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 12:07 . 2009-08-09 16:06 -------- d-----w- c:\program files\FileZilla Server
2009-08-10 04:35 . 2009-08-10 04:33 39160414 ----a-w- c:\program files\ManageEngine_EventLogAnalyzer.exe
2009-08-09 16:02 . 2009-08-09 16:02 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-09 16:02 . 2009-08-09 16:02 2873754 ----a-w- c:\program files\FileZilla_Server-0_9_32.exe
2009-08-09 16:01 . 2009-08-09 16:01 4001773 ----a-w- c:\program files\FileZilla_3.2.6.1_win32-setup.exe
2009-08-06 18:30 . 2009-08-06 18:30 -------- d-----w- c:\program files\ffdshow
2009-08-06 18:26 . 2009-08-06 18:26 -------- d-----w- c:\program files\PlayFLV
2009-07-27 22:26 . 2009-07-27 22:14 -------- d-----w- c:\program files\Favorite-Games
2009-06-07 14:28 . 2009-06-07 14:28 3168382 ----a-w- c:\program files\SopCast_3.0.3_by_Myp2p.eu_official.zip
2009-06-07 14:22 . 2009-06-07 14:21 3006976 ----a-w- c:\program files\TvantsSetup.exe
2009-05-02 15:40 . 2009-05-02 15:39 64470784 ----a-w- c:\program files\avg_free_stf_en_85_325a1500.exe
2009-03-30 18:12 . 2009-03-30 18:11 13440584 ----a-w- c:\program files\Install_AIM.exe
2009-03-21 18:13 . 2009-03-21 18:13 267372 ----a-w- c:\program files\21032009(001).jpg
2009-03-21 14:10 . 2009-03-21 14:03 22285608 ----a-w- c:\program files\SkypeSetup.exe
2009-03-16 14:30 . 2009-03-16 14:30 1301304 ----a-w- c:\program files\WindowsXP-KB917021-v3-x86-ENU.exe
2007-11-26 02:18 . 2007-11-26 02:18 28868320 ----a-w- c:\program files\FileFormatConverters.exe
2007-11-26 02:15 . 2007-11-26 02:15 25685128 ----a-w- c:\program files\wordview_en-us.exe
2006-12-28 11:03 . 2006-12-28 11:03 1914 ----a-w- c:\program files\NADYA.sv2i
2006-12-28 11:03 . 2006-12-28 11:03 5636096 ----a-w- c:\program files\D_Drive001.v2i
2007-10-09 21:50 . 2006-10-04 18:26 168 --sh--r- c:\windows\system32\8B206616FF.sys
2007-10-09 21:50 . 2006-10-04 18:26 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Octoshape Streaming Services"="c:\program files\Octoshape Streaming Services\Nana\OctoshapeClient.exe" [2006-02-13 214648]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-03 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-15 257088]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 528384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Skype Recorder"="c:\program files\Skype Recorder\Skype Recorder.exe" [2010-12-04 748544]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2009-06-21 1226240]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
c:\documents and settings\Nana\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-28 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-26 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2008-10-8 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 14:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sopcast\\SopCast.exe"=
"c:\\Program Files\\TVants\\Tvants.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\Nana\\OctoshapeClient.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Documents and Settings\\Nana\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9741:TCP"= 9741:TCP:BitComet 9741 TCP
"9741:UDP"= 9741:UDP:BitComet 9741 UDP
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/11/2009 9:13 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/2/2009 10:45 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/2/2009 10:45 AM 108552]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/2/2009 10:45 AM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/30/2009 1:13 PM 24652]
S2 AdobeActiveFileMonitor6.0Alerter;Adobe Active File Monitor V6 AdobeActiveFileMonitor6.0Alerter;c:\documents and settings\Nana\wpv401237130579.cpx run --> c:\documents and settings\Nana\wpv401237130579.cpx run [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 s716bus;Sony Ericsson Device 716 driver (WDM);c:\windows\system32\drivers\s716bus.sys [12/4/2008 9:11 PM 83208]
S3 s716mdfl;Sony Ericsson Device 716 USB WMC Modem Filter;c:\windows\system32\drivers\s716mdfl.sys [12/4/2008 9:13 PM 15112]
S3 s716mdm;Sony Ericsson Device 716 USB WMC Modem Driver;c:\windows\system32\drivers\s716mdm.sys [12/4/2008 9:13 PM 108552]
S3 s716mgmt;Sony Ericsson Device 716 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s716mgmt.sys [12/4/2008 9:13 PM 100360]
S3 s716nd5;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (NDIS);c:\windows\system32\drivers\s716nd5.sys [12/4/2008 9:14 PM 23176]
S3 s716obex;Sony Ericsson Device 716 USB WMC OBEX Interface;c:\windows\system32\drivers\s716obex.sys [12/4/2008 9:13 PM 98568]
S3 s716unic;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (WDM);c:\windows\system32\drivers\s716unic.sys [12/4/2008 9:14 PM 98952]
.
Contents of the 'Scheduled Tasks' folder
2009-09-12 c:\windows\Tasks\User_Feed_Synchronization-{8DC78ABA-12EA-4701-ABD1-03B9EAD7A800}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoomail.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
DPF: {028C3B99-F9B0-4188-8C2C-D71CA84824D5} - hxxp://83.228.43.70:9999/program/SonySncCs1011View.cab
DPF: {6C0AE182-9095-4377-8DC9-CD586E31E486} - hxxp://80.253.55.165/c20viewer.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://www.rusenski.info/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Nana\Application Data\Mozilla\Firefox\Profiles\mo9hd92j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - www.yahoomail.com (http://www.yahoomail.com)
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\documents and settings\Nana\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Octoshape Streaming Services\Nana\octoprogram-L03-NMS0810164_SUA_000\npoctoshape.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
HKLM-Run-ppmate - c:\program files\PPMate\PPMate\ppmate.exe
Notify-NavLogon - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 11:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AdobeActiveFileMonitor6.0Alerter]
"ImagePath"="c:\documents and settings\Nana\wpv401237130579.cpx run"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1276)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2228)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\FileZilla Server\FileZilla server.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-09-13 11:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-13 16:36
Pre-Run: 54,962,405,376 bytes free
Post-Run: 54,850,732,032 bytes free
256 --- E O F --- 2007-09-25 11:22
===========================
Edit: FYI ;)
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
If the infection prevents HJT from running, please start a topic, make note of the situation and wait for a response. Please do not add logs from other scans. :) Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)
NOTE: ComboFix is not a general purpose cleaning tool!
It should only be run under the supervision of someone who has been trained and continues their education in its use. The Waiting Room (http://forums.spybot.info/forumdisplay.php?f=37)
Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137)
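The log above is long, and the entries a helper would actually act on are scattered through it: the firewall policy line (EnableFirewall = 0), an S2 service whose "binary" is a .cpx file in the user's profile under a name that extends the real Adobe service name, ActiveX (DPF) controls pulled from bare IP addresses, and file names ComboFix already deleted (the lowsec directory with local.ds/user.ds, which is the documented Zbot/Zeus data store, and the UACd.sys service, a documented TDSS/TDL rootkit driver). The script below is an added triage example written for this page; it is not part of the original post, not a Spybot forum tool, and not ComboFix output. The sample input is a constructed subset of lines copied from the posted log, the regular expressions and the two-entry known-indicator list are this example's own assumptions, and nothing it flags is a verdict, only a pointer to the lines a human should examine first.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied from the ComboFix log
# posted above, enough to exercise every check below.
SAMPLE_LOG = r"""
c:\windows\system32\lowsec\local.ds
-------\Service_UACd.sys
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/2/2009 10:45 AM 297752]
S2 AdobeActiveFileMonitor6.0Alerter;Adobe Active File Monitor V6 AdobeActiveFileMonitor6.0Alerter;c:\documents and settings\Nana\wpv401237130579.cpx run --> c:\documents and settings\Nana\wpv401237130579.cpx run [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
DPF: {028C3B99-F9B0-4188-8C2C-D71CA84824D5} - hxxp://83.228.43.70:9999/program/SonySncCs1011View.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://www.rusenski.info/activex/AMC.cab
"""

# Line shapes as ComboFix prints them (assumption: patterns written for this example).
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")      # R2 name;desc;image [...]
REMOVED_RE = re.compile(r"^-+\\(?:Service|Legacy)_(.+)$")           # -------\Service_xxx
DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-Fa-f-]+\})\s+-\s+hxxp://([^/:]+)")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')

# Well-known artefact names (assumption: an analyst-maintained list; the two
# entries here are documented malware families, not guesses).
KNOWN_BAD = {
    "\\lowsec\\": "Zbot/Zeus data directory (local.ds / user.ds)",
    "uacd.sys": "TDSS/TDL rootkit driver",
}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    category: str
    evidence: str


def triage(log_text: str) -> list[Finding]:
    """Scan ComboFix log lines and return the entries worth a human look."""
    findings: list[Finding] = []
    services: dict[str, str] = {}  # service name -> image path text
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        for fragment, meaning in KNOWN_BAD.items():
            if fragment in low:
                findings.append(Finding("high", f"known indicator: {meaning}", line))
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("medium", "Windows Firewall disabled (EnableFirewall=0)", line))
        if m := SERVICE_RE.match(line):
            _start, name, _desc, image = m.groups()
            services[name] = image
            # A service binary inside a user profile is writable by that user: red flag.
            if "\\documents and settings\\" in image.lower():
                findings.append(Finding("high", f"service {name!r} runs from a user profile directory", line))
            # ComboFix appends [?] when it could not find/verify the image on disk.
            if image.endswith("[?]"):
                findings.append(Finding("medium", f"service {name!r} binary not verifiable ([?])", line))
        if m := DPF_RE.match(line):
            clsid, host = m.groups()
            if BARE_IP_RE.match(host):
                findings.append(Finding("medium", f"ActiveX {clsid} fetched from bare IP {host}", line))
        if m := REMOVED_RE.match(line):
            findings.append(Finding("info", f"ComboFix removed service/legacy key {m.group(1)}", line))
    # Look-alike names: a service whose name merely extends an existing one.
    for short, short_image in services.items():
        for long, long_image in services.items():
            if long != short and long.lower().startswith(short.lower()):
                findings.append(Finding("medium", f"service {long!r} extends the name of {short!r}",
                                        f"{long_image} vs {short_image}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.category}\n         {f.evidence}")
    print(summarize(results))
```

Run against the sample it reports three high findings (the lowsec path, the UACd.sys service key, and the .cpx service in the user's profile), five medium ones (firewall off, two unverifiable service images, the ActiveX control from 83.228.43.70, and the AdobeActiveFileMonitor6.0Alerter name that extends the genuine AdobeActiveFileMonitor6.0 service) and one informational line. The look-alike check is the part worth keeping: it needs no signature, only the observation that a second service reusing a legitimate name as a prefix, with its image somewhere else, is how this log's persistence entry hid among real Adobe entries.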
(Tashi advised me to start a new topic)
I think that I have some malware, because my computer wouldn't let me start Spybot (it says that I don't have permission) or Ad-ware.
I can't provide you with HJT logs, either, because the computer won't let me run HijackThis anymore, either. I just installed it, but after a while the window disappeared. Now I can't start the application at all.
Thanks in advance.
Can anyone help?
Here's my ComboFix Log:
ComboFix 09-09-12.A0 - Nana 09/13/2009 11:00.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.1022.441 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\somgomiselfr.exe
.
---- Previous Run -------
.
c:\windows\keysetup.1700[1].exe
c:\windows\msa.exe
c:\windows\pp21cn.dll
c:\windows\run.log
c:\windows\sonce122730.dat
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll
c:\windows\wiaserviv.log
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll
-- Previous Run --
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll
--------
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.
2009-09-12 23:41 . 2009-09-12 23:41 47616 ----a-w- C:\Win32kDiagonal.exe
2009-09-12 05:05 . 2009-09-12 05:05 -------- d-----w- c:\program files\Trend Micro
2009-09-12 04:54 . 2009-09-12 14:21 -------- d-----w- c:\program files\Spybot - Search & Destroytest
2009-09-12 04:40 . 2009-09-12 04:40 -------- d-----w- c:\program files\VS Revo Group
2009-09-12 04:12 . 2009-09-13 15:59 -------- d--h--w- c:\windows\PIF
2009-09-12 02:26 . 2009-09-12 02:26 -------- d-----w- c:\program files\CleanUp!
2009-09-12 02:13 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-12 02:11 . 2009-09-12 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-11 23:50 . 2009-09-12 04:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 17:21 . 2009-09-11 17:21 4825088 ----a-w- c:\program files\neob.exe
2009-09-10 05:13 . 2009-09-11 23:05 -------- d-----w- c:\program files\Spybot - Search & Destroy1
2009-09-09 01:47 . 2009-09-09 02:48 -------- d-----w- C:\NbN assistant editors
2009-09-05 00:57 . 2009-09-05 01:41 -------- d-----w- c:\documents and settings\EYJA winners trip Berlin
2009-08-16 18:10 . 2009-08-16 18:10 -------- d-----w- c:\program files\Freeware PDF Unlocker
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 15:52 . 2006-10-03 01:19 -------- d-----w- c:\documents and settings\Nana\Application Data\Skype
2009-09-13 13:09 . 2008-02-28 03:09 -------- d-----w- c:\documents and settings\Nana\Application Data\skypePM
2009-09-12 14:40 . 2009-05-02 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-12 14:21 . 2006-11-08 07:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-11 23:17 . 2009-05-03 03:25 5632 --sha-w- c:\program files\Thumbs.db
2009-09-11 23:07 . 2006-11-08 07:23 -------- d-----w- c:\program files\spybot
2009-09-10 19:18 . 2006-09-27 00:19 -------- d-----w- c:\program files\Google
2009-09-10 03:13 . 2009-09-10 03:13 991741 ----a-w- c:\windows\system32\xa.tmp
2009-09-05 00:53 . 2009-08-09 16:02 -------- d-----w- c:\documents and settings\Nana\Application Data\FileZilla
2009-08-28 14:42 . 2009-05-02 15:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 14:42 . 2009-05-02 15:45 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 14:42 . 2007-03-13 18:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 12:07 . 2009-08-09 16:06 -------- d-----w- c:\program files\FileZilla Server
2009-08-10 04:35 . 2009-08-10 04:33 39160414 ----a-w- c:\program files\ManageEngine_EventLogAnalyzer.exe
2009-08-09 16:02 . 2009-08-09 16:02 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-09 16:02 . 2009-08-09 16:02 2873754 ----a-w- c:\program files\FileZilla_Server-0_9_32.exe
2009-08-09 16:01 . 2009-08-09 16:01 4001773 ----a-w- c:\program files\FileZilla_3.2.6.1_win32-setup.exe
2009-08-06 18:30 . 2009-08-06 18:30 -------- d-----w- c:\program files\ffdshow
2009-08-06 18:26 . 2009-08-06 18:26 -------- d-----w- c:\program files\PlayFLV
2009-07-27 22:26 . 2009-07-27 22:14 -------- d-----w- c:\program files\Favorite-Games
2009-06-07 14:28 . 2009-06-07 14:28 3168382 ----a-w- c:\program files\SopCast_3.0.3_by_Myp2p.eu_official.zip
2009-06-07 14:22 . 2009-06-07 14:21 3006976 ----a-w- c:\program files\TvantsSetup.exe
2009-05-02 15:40 . 2009-05-02 15:39 64470784 ----a-w- c:\program files\avg_free_stf_en_85_325a1500.exe
2009-03-30 18:12 . 2009-03-30 18:11 13440584 ----a-w- c:\program files\Install_AIM.exe
2009-03-21 18:13 . 2009-03-21 18:13 267372 ----a-w- c:\program files\21032009(001).jpg
2009-03-21 14:10 . 2009-03-21 14:03 22285608 ----a-w- c:\program files\SkypeSetup.exe
2009-03-16 14:30 . 2009-03-16 14:30 1301304 ----a-w- c:\program files\WindowsXP-KB917021-v3-x86-ENU.exe
2007-11-26 02:18 . 2007-11-26 02:18 28868320 ----a-w- c:\program files\FileFormatConverters.exe
2007-11-26 02:15 . 2007-11-26 02:15 25685128 ----a-w- c:\program files\wordview_en-us.exe
2006-12-28 11:03 . 2006-12-28 11:03 1914 ----a-w- c:\program files\NADYA.sv2i
2006-12-28 11:03 . 2006-12-28 11:03 5636096 ----a-w- c:\program files\D_Drive001.v2i
2007-10-09 21:50 . 2006-10-04 18:26 168 --sh--r- c:\windows\system32\8B206616FF.sys
2007-10-09 21:50 . 2006-10-04 18:26 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Octoshape Streaming Services"="c:\program files\Octoshape Streaming Services\Nana\OctoshapeClient.exe" [2006-02-13 214648]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-03 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-15 257088]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 528384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Skype Recorder"="c:\program files\Skype Recorder\Skype Recorder.exe" [2010-12-04 748544]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2009-06-21 1226240]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
c:\documents and settings\Nana\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-28 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-26 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2008-10-8 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 14:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sopcast\\SopCast.exe"=
"c:\\Program Files\\TVants\\Tvants.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\Nana\\OctoshapeClient.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Documents and Settings\\Nana\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9741:TCP"= 9741:TCP:BitComet 9741 TCP
"9741:UDP"= 9741:UDP:BitComet 9741 UDP
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/11/2009 9:13 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/2/2009 10:45 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/2/2009 10:45 AM 108552]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/2/2009 10:45 AM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/30/2009 1:13 PM 24652]
S2 AdobeActiveFileMonitor6.0Alerter;Adobe Active File Monitor V6 AdobeActiveFileMonitor6.0Alerter;c:\documents and settings\Nana\wpv401237130579.cpx run --> c:\documents and settings\Nana\wpv401237130579.cpx run [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 s716bus;Sony Ericsson Device 716 driver (WDM);c:\windows\system32\drivers\s716bus.sys [12/4/2008 9:11 PM 83208]
S3 s716mdfl;Sony Ericsson Device 716 USB WMC Modem Filter;c:\windows\system32\drivers\s716mdfl.sys [12/4/2008 9:13 PM 15112]
S3 s716mdm;Sony Ericsson Device 716 USB WMC Modem Driver;c:\windows\system32\drivers\s716mdm.sys [12/4/2008 9:13 PM 108552]
S3 s716mgmt;Sony Ericsson Device 716 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s716mgmt.sys [12/4/2008 9:13 PM 100360]
S3 s716nd5;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (NDIS);c:\windows\system32\drivers\s716nd5.sys [12/4/2008 9:14 PM 23176]
S3 s716obex;Sony Ericsson Device 716 USB WMC OBEX Interface;c:\windows\system32\drivers\s716obex.sys [12/4/2008 9:13 PM 98568]
S3 s716unic;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (WDM);c:\windows\system32\drivers\s716unic.sys [12/4/2008 9:14 PM 98952]
.
Contents of the 'Scheduled Tasks' folder
2009-09-12 c:\windows\Tasks\User_Feed_Synchronization-{8DC78ABA-12EA-4701-ABD1-03B9EAD7A800}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoomail.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
DPF: {028C3B99-F9B0-4188-8C2C-D71CA84824D5} - hxxp://83.228.43.70:9999/program/SonySncCs1011View.cab
DPF: {6C0AE182-9095-4377-8DC9-CD586E31E486} - hxxp://80.253.55.165/c20viewer.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://www.rusenski.info/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Nana\Application Data\Mozilla\Firefox\Profiles\mo9hd92j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - www.yahoomail.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\documents and settings\Nana\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Octoshape Streaming Services\Nana\octoprogram-L03-NMS0810164_SUA_000\npoctoshape.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
HKLM-Run-ppmate - c:\program files\PPMate\PPMate\ppmate.exe
Notify-NavLogon - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 11:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AdobeActiveFileMonitor6.0Alerter]
"ImagePath"="c:\documents and settings\Nana\wpv401237130579.cpx run"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1276)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2228)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\FileZilla Server\FileZilla server.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-09-13 11:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-13 16:36
Pre-Run: 54,962,405,376 bytes free
Post-Run: 54,850,732,032 bytes free
256 --- E O F --- 2007-09-25 11:22
===========================
Edit: FYI ;)
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
If the infection prevents HJT from running, please start a topic, make note of the situation and wait for a response. Please do not add logs from other scans. :) Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)
NOTE: ComboFix is not a general purpose cleaning tool!
It should only be run under the supervision of someone who has been trained and continues their education in its use. The Waiting Room (http://forums.spybot.info/forumdisplay.php?f=37)
Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137)