View Full Version : Hijack This will not create log file when run!!
eddiemac1
2009-11-19, 22:05
Hi there,
Looking for a bit of help getting rid of some pesky malware.
i have an issue where when i try run any form of antivirus (spybot, avg etc) i get an error of "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to accessthe item."
I have tried renaming Spybot running in safemode etc.
I have made a copy of my registry using ERUNT.
Now when i try and use hijack this it starts appears to run and then shuts down as soon as it completes. when i then try and run the app for the seconf time i get the error again of "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to accessthe item."
when i download the executable again it will run but no log.
Need some help and or advice please.
Thanks in advance,
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html)
eddiemac1
2009-11-23, 19:05
Hi there,
Firstly id just like to say a big thank you for helping me out. Your help is appreciated.
i ran Combofix, the first time i tried to run it it gave a warning of
"You may be infected with a file patching virus 'Virut'"
It then stopped and disapeared from the desktop
i downloaded it again and ran it it performed as per the instructions on the web site link you provided.
from the log i am sure you can see it found and deleted several files but i am sure we are not finished yet.
I am off work for the next two days so will attempt to reply back to any further instructions promptly.
Thanks again.
eddiemac1
2009-11-23, 19:06
here is the log
ComboFix 09-11-22.08 - stewart Macleod 23/11/2009 17:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.195 [GMT 0:00]
Running from: c:\users\stewart Macleod\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\users\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\users\stewart Macleod\Application Data\inst.exe
c:\windows\msa.exe
c:\windows\system32\cooper.mine
c:\windows\system32\Data
c:\windows\system32\nvrtm.dll
c:\windows\system32\tdlclk.dll
c:\windows\system32\tdlcmd.dll
c:\windows\system32\tdlwsp.dll
----- BITS: Possible infected sites -----
hxxp://opt3.biz
c:\windows\system32\DRIVERS\viamraid.sys . . . is infected!!
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\userinit.exe
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.
2009-11-23 17:18 . 2003-11-28 02:42 71040 ----a-w- c:\windows\system32\drivers\viasprid.sys
2009-11-23 17:18 . 2003-11-28 02:42 71040 ----a-r- c:\windows\system32\drivers\viasprid_2.sys
2009-11-19 20:43 . 2009-11-19 20:43 -------- d-----w- c:\program files\Trend Micro
2009-11-19 20:39 . 2009-11-19 20:40 -------- d-----w- c:\program files\ERUNT
2009-11-18 21:25 . 2009-11-18 21:25 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-18 21:17 . 2009-11-18 21:17 70144 ----a-w- c:\users\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 21:15 . 2009-11-18 21:15 -------- d-sh--w- c:\users\Administrator\IETldCache
2009-11-18 21:15 . 2009-11-18 21:15 -------- d-sh--w- c:\users\\Administrator\IETldCache
2009-11-18 17:45 . 2009-11-18 17:45 114176 ----a-r- c:\windows\system32\mswpfx32.exe
2009-11-16 18:30 . 2007-10-31 00:33 26112 ----a-w- c:\windows\system32\stu2.exe
2009-11-05 23:33 . 2009-11-05 23:33 -------- d-----w- c:\users\stewart Macleod\output
2009-11-05 23:33 . 2009-11-05 23:33 -------- d-----w- c:\users\\stewart Macleod\output
2009-11-05 22:49 . 2009-11-19 20:02 -------- d-----w- c:\program files\BBC Radio Ripper
2009-10-28 18:12 . 2009-10-28 18:12 147456 ----a-w- c:\windows\system32\nmklo.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 17:38 . 2007-12-08 16:42 578048 ----a-w- c:\windows\system32\user32.dll
2009-11-23 17:21 . 2008-02-18 19:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-23 12:50 . 2009-10-19 09:38 0 ----a-r- c:\windows\win32k.sys
2009-11-19 21:53 . 2009-09-22 23:45 10 ----a-w- c:\windows\popcinfo.dat
2009-11-19 20:00 . 2008-02-10 01:40 -------- d-----w- c:\program files\Soulseek
2009-11-19 17:48 . 2008-02-09 15:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-18 22:09 . 2008-02-09 15:24 -------- d-----w- c:\users\All Users\Application Data\Spybot - Search & Destroy
2009-11-16 23:46 . 2008-02-09 19:19 -------- d-----w- c:\users\stewart Macleod\Application Data\Vso
2009-11-12 00:21 . 2008-02-18 16:29 -------- d-----w- c:\users\All Users\Application Data\Microsoft Help
2009-11-07 18:24 . 2009-07-08 21:14 -------- d-----w- c:\program files\Songbird
2009-11-02 20:42 . 2009-10-10 10:28 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-26 23:34 . 2009-09-26 23:34 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-09-26 23:34 . 2009-09-26 23:34 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-09-26 23:25 . 2009-09-26 23:25 -------- d-----w- c:\users\All Users\Application Data\Nokia
2009-09-26 23:21 . 2008-02-09 20:02 -------- d-----w- c:\program files\Nokia
2009-09-26 23:17 . 2008-02-09 20:02 -------- d-----w- c:\program files\Common Files\Nokia
2009-09-26 23:16 . 2009-09-26 23:16 -------- d-----w- c:\program files\MSXML 6.0
2009-09-26 23:15 . 2009-09-26 23:15 3351812 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\msxml6Exec.exe
2009-09-26 23:15 . 2009-09-26 23:15 36864 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\Sleep.exe
2009-09-26 23:15 . 2009-09-26 23:15 3181612 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\vcredistExec.exe
2009-09-26 23:14 . 2009-09-26 23:14 -------- d-----w- c:\users\All Users\Application Data\Installations
2009-09-26 23:11 . 2009-09-26 23:16 24501456 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\NokiaSoftwareUpdaterSetup_en.exe
2009-09-11 14:18 . 2007-10-31 00:31 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2007-10-31 00:31 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2007-12-05 16:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 17:36 . 2009-03-16 18:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 17:36 . 2009-03-16 18:37 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 17:36 . 2008-02-09 14:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 08:00 . 2007-10-31 00:32 247326 ----a-w- c:\windows\system32\strmdll.dll
.
Infected c:\windows\system32\user32.dll hex repaired
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\tcpip.sys
[-] 2007-10-11 . 270684847A8EF5C51FFF58457E4DC8C6 . 361088 . . [5.1.2600.9999] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\comctl32.dll
[-] 2007-12-08 . EE3C29F2EBA27F0081855DCE586CE39A . 692736 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2009-11-23 . 72266B82D796C816B7F0A44D8B7E3216 . 578048 . . [5.1.2600.3244] . . c:\windows\system32\user32.dll
[-] 2009-11-23 . 72266B82D796C816B7F0A44D8B7E3216 . 578048 . . [5.1.2600.3244] . . c:\windows\system32\dllcache\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\user32.dll
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\explorer.exe
[-] 2007-12-08 . 644B75CE88F50D64D609CC6C72EA5CF2 . 1424384 . . [6.00.2900.3244] . . c:\windows\explorer.exe
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\sfcfiles.dll
[-] 2007-12-05 . 70D88E6BCF06DD1A53DC1E0381C1B320 . 1614336 . . [5.1.2600.3244] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="c:\windows\System32\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 36352]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ehTray"="c:\windows\ehome\ehtray.exe" [2007-10-31 50176]
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2007-10-15 2045224]
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2007-10-15 1077032]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 222208]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-13 185896]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2007-10-31 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2007-10-31 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2007-09-26 1232384]
"VisualTaskTips"="c:\windows\System32\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 36352]
"TopDesk"="c:\windows\System32\TopDesk\topdesk.exe" [2007-11-16 1937920]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"ProfileFolderName"="hc" [X]
"IESetDefaultSearchScope"="hc" [X]
"CheckUpdates"="wuauclt" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\mswpfx32.exe,"
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 17:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Users\\stewart Macleod\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Songbird\\songbird.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
R0 viasprid;viasprid;c:\windows\system32\drivers\viasprid.sys [23/11/2009 17:18 71040]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/03/2009 18:37 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/03/2009 18:37 108552]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [09/02/2008 19:26 584960]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/03/2009 18:36 297752]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [26/09/2009 23:21 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [26/09/2009 23:21 8320]
.
Contents of the 'Scheduled Tasks' folder
2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-11-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://free.grisoft.com/doc/registration/us/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\stewart Macleod\Application Data\Mozilla\Firefox\Profiles\zdmyav5x.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\users\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\users\stewart Macleod\Application Data\Mozilla\Firefox\Profiles\zdmyav5x.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-23 17:49
Windows 5.1.2600 Service Pack 3, v.5857 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\mswpfx32.exe 114176 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\wininet.dll
c:\windows\system32\COMRes.dll
- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\wininet.dll
- - - - - - - > 'explorer.exe'(2632)
c:\windows\system32\WININET.dll
c:\windows\System32\VisualTaskTips\VttHooks.dll
c:\windows\system32\COMRes.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\PC Connectivity Solution\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-11-23 17:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-23 17:53
Pre-Run: 4,518,277,120 bytes free
Post-Run: 4,519,358,464 bytes free
- - End Of File - - 13DFCA4C0D99A1B4E035CA5475FE1C73
i am sure we are not finished yet.
Not by a long way :mad:
That log shows several dubious files still, plus some evidence of registry corruption.
The first message from Combofix worries me the most though.
Virut is a very nasty piece of work, and we need to make sure that it isn't present.
Do you have the XP install disc at all ?
----------------------------------------------------------------------------------------
Step 1
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If requested, please reboot
If you accidently close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
----------------------------------------------------------------------------------------
Step 2
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
http://forums.spybot.info/showthread.php?p=348391#post348391
Suspect::[4]
c:\windows\system32\comctl32.dll
c:\windows\system32\user32.dll
c:\windows\explorer.exe
c:\windows\system32\sfcfiles.dll
c:\windows\system32\mswpfx32.exe
c:\windows\system32\stu2.exe
c:\windows\system32\nmklo.dll
c:\windows\system32\DRIVERS\viamraid.sys
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=-
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
MalwareBytes Log
Combofix Log
eddiemac1
2009-11-24, 04:18
malware bytes log
Malwarebytes' Anti-Malware 1.41
Database version: 3221
Windows 5.1.2600 Service Pack 3, v.5857
24/11/2009 02:41:45
mbam-log-2009-11-24 (02-41-45).txt
Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 194171
Time elapsed: 47 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 32
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\videoegg.activexloader (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{168dc258-1455-4e61-8590-9dac2f27b675} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1a8642f1-dc80-4edc-a39d-0fb62a58b455} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f91eb90-ef62-44ee-a685-fac29af111cd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c29c7e4-5321-4cad-be2e-877666bed5df} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83dfb6ee-ab18-41b5-86d4-b544a141d67e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88d6cf0e-cf70-4c24-bf6e-e4e414bc649c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8f6a82a2-d7b1-443e-bb9f-f7dc887dd618} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9856e2d8-ffb2-4fe5-8cad-d5ad6a35a804} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a3d06987-c35e-49e4-8fe2-ac67b9fbfb4c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a58c497b-3ee2-45e7-9594-daca6be2a0d0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad0a3058-fd49-4f98-a514-fd055201835e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad5915ea-b61a-4dba-b5c8-ef4b2df0a3c7} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bb187c0d-6f53-4f3e-9590-98fd3a7364a2} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d17726cc-d4dd-4c4a-9671-471d56e413b5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db8cce99-59c6-4552-8bfc-058feb38d6ce} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dc3a04ee-cdd7-4407-915c-a5502f97eecd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e1a63484-a022-4d42-830a-fbd411514440} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e282c728-189d-419e-8ee2-1601f4b39ba5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdlclk.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdlcmd.dll.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdlwsp.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D91CE712-235D-460D-90F5-DBC3B8093394}\RP1\A0000042.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D91CE712-235D-460D-90F5-DBC3B8093394}\RP1\A0000043.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D91CE712-235D-460D-90F5-DBC3B8093394}\RP1\A0000044.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D91CE712-235D-460D-90F5-DBC3B8093394}\RP1\A0000045.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\d3dx10d.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
eddiemac1
2009-11-24, 04:20
combo fix log after malware bytes was run and script was dropped into it.
ComboFix 09-11-22.08 - stewart Macleod 24/11/2009 2:55.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.107 [GMT 0:00]
Running from: c:\users\stewart Macleod\Desktop\ComboFix.exe
Command switches used :: c:\users\stewart Macleod\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
file zipped: c:\windows\explorer.exe
file zipped: c:\windows\system32\comctl32.dll
file zipped: c:\windows\system32\drivers\viamraid.sys
file zipped: c:\windows\system32\mswpfx32.exe
file zipped: c:\windows\system32\nmklo.dll
file zipped: c:\windows\system32\sfcfiles.dll
file zipped: c:\windows\system32\stu2.exe
file zipped: c:\windows\system32\user32.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.
2009-11-24 01:51 . 2009-11-24 01:51 -------- d-----w- c:\users\stewart Macleod\Application Data\Malwarebytes
2009-11-24 01:51 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 01:50 . 2009-11-24 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 01:50 . 2009-11-24 01:50 -------- d-----w- c:\users\All Users\Application Data\Malwarebytes
2009-11-24 01:50 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 17:18 . 2003-11-28 02:42 71040 ----a-w- c:\windows\system32\drivers\viasprid.sys
2009-11-23 17:18 . 2003-11-28 02:42 71040 ----a-r- c:\windows\system32\drivers\viasprid_2.sys
2009-11-19 20:43 . 2009-11-19 20:43 -------- d-----w- c:\program files\Trend Micro
2009-11-19 20:39 . 2009-11-19 20:40 -------- d-----w- c:\program files\ERUNT
2009-11-18 21:25 . 2009-11-18 21:25 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-18 21:17 . 2009-11-18 21:17 70144 ----a-w- c:\users\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 21:15 . 2009-11-18 21:15 -------- d-sh--w- c:\users\Administrator\IETldCache
2009-11-18 21:15 . 2009-11-18 21:15 -------- d-sh--w- c:\users\\Administrator\IETldCache
2009-11-16 18:30 . 2007-10-31 00:33 26112 ----a-w- c:\windows\system32\stu2.exe
2009-11-05 23:33 . 2009-11-05 23:33 -------- d-----w- c:\users\stewart Macleod\output
2009-11-05 23:33 . 2009-11-05 23:33 -------- d-----w- c:\users\\stewart Macleod\output
2009-11-05 22:49 . 2009-11-19 20:02 -------- d-----w- c:\program files\BBC Radio Ripper
2009-10-28 18:12 . 2009-10-28 18:12 147456 ----a-w- c:\windows\system32\nmklo.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 17:38 . 2007-12-08 16:42 578048 ----a-w- c:\windows\system32\user32.dll
2009-11-23 17:21 . 2008-02-18 19:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-19 21:53 . 2009-09-22 23:45 10 ----a-w- c:\windows\popcinfo.dat
2009-11-19 20:00 . 2008-02-10 01:40 -------- d-----w- c:\program files\Soulseek
2009-11-19 17:48 . 2008-02-09 15:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-18 22:09 . 2008-02-09 15:24 -------- d-----w- c:\users\All Users\Application Data\Spybot - Search & Destroy
2009-11-16 23:46 . 2008-02-09 19:19 -------- d-----w- c:\users\stewart Macleod\Application Data\Vso
2009-11-12 00:21 . 2008-02-18 16:29 -------- d-----w- c:\users\All Users\Application Data\Microsoft Help
2009-11-07 18:24 . 2009-07-08 21:14 -------- d-----w- c:\program files\Songbird
2009-11-02 20:42 . 2009-10-10 10:28 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-26 23:34 . 2009-09-26 23:34 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-09-26 23:34 . 2009-09-26 23:34 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-09-26 23:25 . 2009-09-26 23:25 -------- d-----w- c:\users\All Users\Application Data\Nokia
2009-09-26 23:21 . 2008-02-09 20:02 -------- d-----w- c:\program files\Nokia
2009-09-26 23:17 . 2008-02-09 20:02 -------- d-----w- c:\program files\Common Files\Nokia
2009-09-26 23:16 . 2009-09-26 23:16 -------- d-----w- c:\program files\MSXML 6.0
2009-09-26 23:15 . 2009-09-26 23:15 3351812 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\msxml6Exec.exe
2009-09-26 23:15 . 2009-09-26 23:15 36864 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\Sleep.exe
2009-09-26 23:15 . 2009-09-26 23:15 3181612 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\vcredistExec.exe
2009-09-26 23:14 . 2009-09-26 23:14 -------- d-----w- c:\users\All Users\Application Data\Installations
2009-09-26 23:11 . 2009-09-26 23:16 24501456 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\NokiaSoftwareUpdaterSetup_en.exe
2009-09-11 14:18 . 2007-10-31 00:31 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2007-10-31 00:31 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2007-12-05 16:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 17:36 . 2009-03-16 18:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 17:36 . 2009-03-16 18:37 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 17:36 . 2008-02-09 14:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 08:00 . 2007-10-31 00:32 247326 ----a-w- c:\windows\system32\strmdll.dll
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\tcpip.sys
[-] 2007-10-11 . 270684847A8EF5C51FFF58457E4DC8C6 . 361088 . . [5.1.2600.9999] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\comctl32.dll
[-] 2007-12-08 . EE3C29F2EBA27F0081855DCE586CE39A . 692736 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2009-11-23 . 72266B82D796C816B7F0A44D8B7E3216 . 578048 . . [5.1.2600.3244] . . c:\windows\system32\user32.dll
[-] 2009-11-23 . 72266B82D796C816B7F0A44D8B7E3216 . 578048 . . [5.1.2600.3244] . . c:\windows\system32\dllcache\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\user32.dll
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\explorer.exe
[-] 2007-12-08 . 644B75CE88F50D64D609CC6C72EA5CF2 . 1424384 . . [6.00.2900.3244] . . c:\windows\explorer.exe
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\sfcfiles.dll
[-] 2007-12-05 . 70D88E6BCF06DD1A53DC1E0381C1B320 . 1614336 . . [5.1.2600.3244] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-23_17.45.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-09 13:22 . 2009-11-24 02:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-02-09 13:22 . 2009-11-23 17:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-02-09 13:22 . 2009-11-24 02:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-02-09 13:22 . 2009-11-23 17:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-02-09 13:22 . 2009-11-24 02:45 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-02-09 13:22 . 2009-11-23 17:45 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-19 09:43 . 2009-11-24 02:45 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-10-19 09:43 . 2009-11-23 17:20 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="c:\windows\System32\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 36352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2007-10-31 50176]
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2007-10-15 2045224]
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2007-10-15 1077032]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 222208]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-13 185896]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2007-10-31 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2007-10-31 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2007-09-26 1232384]
"VisualTaskTips"="c:\windows\System32\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 36352]
"TopDesk"="c:\windows\System32\TopDesk\topdesk.exe" [2007-11-16 1937920]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\mswpfx32.exe,"
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 17:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Users\\stewart Macleod\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Songbird\\songbird.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
R0 viasprid;viasprid;c:\windows\system32\drivers\viasprid.sys [23/11/2009 17:18 71040]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/03/2009 18:37 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/03/2009 18:37 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/03/2009 18:36 297752]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [09/02/2008 19:26 584960]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [26/09/2009 23:21 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [26/09/2009 23:21 8320]
.
Contents of the 'Scheduled Tasks' folder
2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-11-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://free.grisoft.com/doc/registration/us/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\stewart Macleod\Application Data\Mozilla\Firefox\Profiles\zdmyav5x.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\users\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\users\stewart Macleod\Application Data\Mozilla\Firefox\Profiles\zdmyav5x.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-24 03:07
Windows 5.1.2600 Service Pack 3, v.5857 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\wininet.dll
c:\windows\system32\COMRes.dll
- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\wininet.dll
- - - - - - - > 'explorer.exe'(152)
c:\windows\system32\WININET.dll
c:\windows\System32\VisualTaskTips\VttHooks.dll
c:\windows\system32\COMRes.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2009-11-24 03:14
ComboFix-quarantined-files.txt 2009-11-24 03:14
ComboFix2.txt 2009-11-23 17:54
Pre-Run: 4,430,610,432 bytes free
Post-Run: 4,399,882,240 bytes free
- - End Of File - - 379DB6AD8E1F40F03E6D6876BBF792EC
Upload was successful
I'm afraid I have unpleasant news for you. You have evidence of at least one Very Dangerous infection on this machine.
It allow outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.
We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.
The Decision Whether to ReFormat or Not should be based on:
The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have the worst kind.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
Take any other steps you think appropriate for an attempted identity theft.
While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.
eddiemac1
2009-11-24, 13:38
That is not good news.
If i do reformatt and reinstall. would i loose all the data on the e drive. By that i mean if i back up the data on the e drive then reformatt and reinstall windows will the infection or infections return as soon as the data on the e drive is returned.
There isnt anything on the c drive where windows was installed to that i am that bothered about loosing.
Also everytime i have tried to reinstall windows from the Windows disk previously it has not worked as the disk is old and pre service pack 2, So every time i want to roll it back it would say something like the version of windows on the machine is newer than that on the disk. Then it would not allow the installation to go ahead.
eddiemac1
2009-11-24, 18:27
I have actually decided that im getting a new pc.
This one is ancient and i was going to do it in the new year anyway so have brought it forward by a few months.
However. i still want the files on the e drive. its mainly music and a few home videos. i wanted to just put it in the new pc as a second hard drive. if i do this will the virus's and trojans etc install themselves on the new pc and if so how can i prevent this if i can atall.
If the question is to vague let me knwo and i will try and be more specific.
And dont worry you didnt panic me into buying a new pc it was something i was thinking about but this has just pushed me to doing it a bit earlier than originally planned.
Bring on the backdoors into windows 7 :) !!:D:
However. i still want the files on the e drive.
OK, let's clear all the actively infected files off the machine and then you can take out the E drive.
Step 1
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
c:\windows\system32\stu2.exe
c:\windows\system32\nmklo.dll
c:\windows\popcinfo.dat
c:\windows\system32\mswpfx32.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe,"
FCopy::
c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\asms\60\msft\windows\common\controls\comctl32.dll|c:\windows\system32\comctl32.dll
c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\user32.dll|c:\windows\system32\user32.dll
c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\explorer.exe|c:\windows\explorer.exe
c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\sfcfiles.dll|c:\windows\system32\sfcfiles.dll
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
----------------------------------------------------------------------------------------
Step 2
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
Combofix Log
Kaspersky Log
eddiemac1
2009-11-25, 18:21
combo fix log,
During the fix it ask me to insert my windows disk, i have an xp home edition from dell disk but it kept saying it is the wrong disk, it is apparently the ultimate edition of XP that is now on this machine. BUt here is the log.
ComboFix 09-11-24.04 - stewart Macleod 25/11/2009 10:50.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.244 [GMT 0:00]
Running from: c:\users\stewart Macleod\Desktop\ComboFix.exe
Command switches used :: c:\users\stewart Macleod\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\windows\popcinfo.dat"
"c:\windows\system32\mswpfx32.exe"
"c:\windows\system32\nmklo.dll"
"c:\windows\system32\stu2.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\popcinfo.dat
c:\windows\system32\mswpfx32.exe
c:\windows\system32\nmklo.dll
c:\windows\system32\stu2.exe
.
--------------- FCopy ---------------
c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\asms\60\msft\windows\common\controls\comctl32.dll --> c:\windows\system32\comctl32.dll
c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\user32.dll --> c:\windows\system32\user32.dll
c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\explorer.exe --> c:\windows\explorer.exe
c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\sfcfiles.dll --> c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.
2009-11-24 01:51 . 2009-11-24 01:51 -------- d-----w- c:\users\stewart Macleod\Application Data\Malwarebytes
2009-11-24 01:51 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 01:50 . 2009-11-24 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 01:50 . 2009-11-24 01:50 -------- d-----w- c:\users\All Users\Application Data\Malwarebytes
2009-11-24 01:50 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 17:18 . 2003-11-28 02:42 71040 ----a-w- c:\windows\system32\drivers\viasprid.sys
2009-11-23 17:18 . 2003-11-28 02:42 71040 ----a-r- c:\windows\system32\drivers\viasprid_2.sys
2009-11-19 20:43 . 2009-11-19 20:43 -------- d-----w- c:\program files\Trend Micro
2009-11-19 20:39 . 2009-11-19 20:40 -------- d-----w- c:\program files\ERUNT
2009-11-18 21:25 . 2009-11-18 21:25 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-18 21:17 . 2009-11-18 21:17 70144 ----a-w- c:\users\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 21:15 . 2009-11-18 21:15 -------- d-sh--w- c:\users\Administrator\IETldCache
2009-11-18 21:15 . 2009-11-18 21:15 -------- d-sh--w- c:\users\\Administrator\IETldCache
2009-11-05 23:33 . 2009-11-05 23:33 -------- d-----w- c:\users\stewart Macleod\output
2009-11-05 23:33 . 2009-11-05 23:33 -------- d-----w- c:\users\\stewart Macleod\output
2009-11-05 22:49 . 2009-11-19 20:02 -------- d-----w- c:\program files\BBC Radio Ripper
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 17:21 . 2008-02-18 19:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-19 20:00 . 2008-02-10 01:40 -------- d-----w- c:\program files\Soulseek
2009-11-19 17:48 . 2008-02-09 15:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-18 22:09 . 2008-02-09 15:24 -------- d-----w- c:\users\All Users\Application Data\Spybot - Search & Destroy
2009-11-16 23:46 . 2008-02-09 19:19 -------- d-----w- c:\users\stewart Macleod\Application Data\Vso
2009-11-12 00:21 . 2008-02-18 16:29 -------- d-----w- c:\users\All Users\Application Data\Microsoft Help
2009-11-07 18:24 . 2009-07-08 21:14 -------- d-----w- c:\program files\Songbird
2009-11-02 20:42 . 2009-10-10 10:28 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-26 23:34 . 2009-09-26 23:34 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-09-26 23:34 . 2009-09-26 23:34 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-09-26 23:25 . 2009-09-26 23:25 -------- d-----w- c:\users\All Users\Application Data\Nokia
2009-09-26 23:21 . 2008-02-09 20:02 -------- d-----w- c:\program files\Nokia
2009-09-26 23:17 . 2008-02-09 20:02 -------- d-----w- c:\program files\Common Files\Nokia
2009-09-26 23:16 . 2009-09-26 23:16 -------- d-----w- c:\program files\MSXML 6.0
2009-09-26 23:15 . 2009-09-26 23:15 3351812 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\msxml6Exec.exe
2009-09-26 23:15 . 2009-09-26 23:15 36864 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\Sleep.exe
2009-09-26 23:15 . 2009-09-26 23:15 3181612 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\vcredistExec.exe
2009-09-26 23:14 . 2009-09-26 23:14 -------- d-----w- c:\users\All Users\Application Data\Installations
2009-09-26 23:11 . 2009-09-26 23:16 24501456 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\NokiaSoftwareUpdaterSetup_en.exe
2009-09-11 14:18 . 2007-10-31 00:31 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2007-10-31 00:31 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2007-12-05 16:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 17:36 . 2009-03-16 18:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 17:36 . 2009-03-16 18:37 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 17:36 . 2008-02-09 14:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\tcpip.sys
[-] 2007-10-11 . 270684847A8EF5C51FFF58457E4DC8C6 . 361088 . . [5.1.2600.9999] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\system32\comctl32.dll
[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\comctl32.dll
[-] 2009-11-23 . 72266B82D796C816B7F0A44D8B7E3216 . 578048 . . [5.1.2600.3244] . . c:\windows\system32\dllcache\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.3244] . . c:\windows\system32\user32.dll
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\explorer.exe
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-23_17.45.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-09 13:22 . 2009-11-24 12:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-02-09 13:22 . 2009-11-23 17:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-02-09 13:22 . 2009-11-24 12:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-02-09 13:22 . 2009-11-23 17:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-02-09 13:22 . 2009-11-24 12:09 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-02-09 13:22 . 2009-11-23 17:45 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-19 09:43 . 2009-11-24 12:09 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-10-19 09:43 . 2009-11-23 17:20 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="c:\windows\System32\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 36352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2007-10-31 50176]
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2007-10-15 2045224]
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2007-10-15 1077032]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 222208]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-13 185896]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2007-10-31 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2007-10-31 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2007-09-26 1232384]
"VisualTaskTips"="c:\windows\System32\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 36352]
"TopDesk"="c:\windows\System32\TopDesk\topdesk.exe" [2007-11-16 1937920]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 17:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Users\\stewart Macleod\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Songbird\\songbird.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
R0 viasprid;viasprid;c:\windows\system32\drivers\viasprid.sys [23/11/2009 17:18 71040]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/03/2009 18:37 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/03/2009 18:37 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/03/2009 18:36 297752]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [09/02/2008 19:26 584960]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [26/09/2009 23:21 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [26/09/2009 23:21 8320]
.
Contents of the 'Scheduled Tasks' folder
2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-11-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://free.grisoft.com/doc/registration/us/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\stewart Macleod\Application Data\Mozilla\Firefox\Profiles\zdmyav5x.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\users\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\users\stewart Macleod\Application Data\Mozilla\Firefox\Profiles\zdmyav5x.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 11:01
Windows 5.1.2600 Service Pack 3, v.5857 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\SETUPAPI.dll
- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\SETUPAPI.dll
.
Completion time: 2009-11-25 11:05
ComboFix-quarantined-files.txt 2009-11-25 11:04
ComboFix2.txt 2009-11-24 03:15
ComboFix3.txt 2009-11-23 17:54
Pre-Run: 4,340,195,328 bytes free
Post-Run: 4,298,817,536 bytes free
- - End Of File - - A66C7A5C75A74296B7560B878FC88DBA
eddiemac1
2009-11-25, 18:21
and here is the Kapersky scan
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, November 25, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3, v.5857 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, November 25, 2009 11:14:07
Records in database: 3288712
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
Scan statistics:
Objects scanned: 79231
Threats found: 9
Infected objects found: 19
Suspicious objects found: 0
Scan duration: 03:24:02
File name / Threat / Threats count
C:\Program Files\Windows Media Player\WMPSkin.exe Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a 1
C:\Program Files\Windows Media Player\WMPSkin.exe Infected: Worm.Win32.AutoIt.r 1
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Infected: Packed.Win32.Krap.ag 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cooper.mine.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.u 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nmklo.dll.vir Infected: Backdoor.Win32.Agent.ajkm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nvrtm.dll.vir Infected: Backdoor.Win32.Agent.alzo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir Infected: Trojan.Win32.Patched.gq 1
C:\Qoobox\Quarantine\[4]-Submit_2009-11-24_02.54.02.zip Infected: Trojan-Banker.Win32.Bancos.iyi 1
C:\Qoobox\Quarantine\[4]-Submit_2009-11-24_02.54.02.zip Infected: Backdoor.Win32.Agent.ajkm 1
C:\Qoobox\Quarantine\[4]-Submit_2009-11-25_10.49.45.zip Infected: Trojan-Banker.Win32.Bancos.iyi 1
C:\System Volume Information\_restore{D91CE712-235D-460D-90F5-DBC3B8093394}\RP1\A0000037.dll Infected: Trojan.Win32.Patched.gq 1
C:\System Volume Information\_restore{D91CE712-235D-460D-90F5-DBC3B8093394}\RP1\A0000038.DLL Infected: Trojan.Win32.Patched.gq 1
C:\System Volume Information\_restore{D91CE712-235D-460D-90F5-DBC3B8093394}\RP1\A0000040.exe Infected: Packed.Win32.Krap.ag 1
C:\System Volume Information\_restore{D91CE712-235D-460D-90F5-DBC3B8093394}\RP1\A0000041.dll Infected: Backdoor.Win32.Agent.alzo 1
C:\System Volume Information\_restore{D91CE712-235D-460D-90F5-DBC3B8093394}\RP4\A0000516.dll Infected: Backdoor.Win32.Agent.ajkm 1
C:\WINDOWS\system32\sfr.exe Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a 1
C:\WINDOWS\system32\xxetaldgjw Infected: Trojan.Win32.Patched.gq 1
C:\WINDOWS\system32\yqkx Infected: Trojan.Win32.Patched.gq 1
Selected area has been scanned.
i have an xp home edition from dell disk but it kept saying it is the wrong disk, it is apparently the ultimate edition of XP that is now on this machine.
Someone has upgraded the machine to XP Pro.
If you didn't buy this upgrade, then whoever did it didn't do you any favours.
It is likely to be an illegal OS.
Since you are buying a new machine, it is rather moot now though :bigthumb:
After running this next CF Script, you are safe to remove the E drive and connect it to the new machine.
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
http://forums.spybot.info/showthread.php?p=348711#post348711
Collect::[4]
C:\WINDOWS\system32\sfr.exe
C:\WINDOWS\system32\xxetaldgjw
C:\WINDOWS\system32\yqkx
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
eddiemac1
2009-11-26, 00:03
ok good to hear,
I'll take the e drive out tomorrow after after work providing your ok with what the script says i do with out it for a week till the new machine arrives. Unless this log throws up any suprises and you advise me of anything else i need to do to clean it up.
but here is the Combo log.
ComboFix 09-11-24.04 - stewart Macleod 25/11/2009 22:39.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.325 [GMT 0:00]
Running from: c:\users\stewart Macleod\Desktop\ComboFix.exe
Command switches used :: c:\users\stewart Macleod\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
file zipped: c:\windows\system32\sfr.exe
file zipped: c:\windows\system32\xxetaldgjw
file zipped: c:\windows\system32\yqkx
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\sfr.exe
c:\windows\system32\xxetaldgjw
c:\windows\system32\yqkx
.
((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.
2009-11-25 11:28 . 2009-11-25 11:28 -------- d-sh--w- c:\users\stewart Macleod\PrivacIE
2009-11-25 11:28 . 2009-11-25 11:28 -------- d-sh--w- c:\users\\stewart Macleod\PrivacIE
2009-11-24 01:51 . 2009-11-24 01:51 -------- d-----w- c:\users\stewart Macleod\Application Data\Malwarebytes
2009-11-24 01:51 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 01:50 . 2009-11-24 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 01:50 . 2009-11-24 01:50 -------- d-----w- c:\users\All Users\Application Data\Malwarebytes
2009-11-24 01:50 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 17:18 . 2003-11-28 02:42 71040 ----a-w- c:\windows\system32\drivers\viasprid.sys
2009-11-23 17:18 . 2003-11-28 02:42 71040 ----a-r- c:\windows\system32\drivers\viasprid_2.sys
2009-11-19 20:43 . 2009-11-19 20:43 -------- d-----w- c:\program files\Trend Micro
2009-11-19 20:39 . 2009-11-19 20:40 -------- d-----w- c:\program files\ERUNT
2009-11-18 21:25 . 2009-11-18 21:25 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-18 21:17 . 2009-11-18 21:17 70144 ----a-w- c:\users\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 21:15 . 2009-11-18 21:15 -------- d-sh--w- c:\users\Administrator\IETldCache
2009-11-18 21:15 . 2009-11-18 21:15 -------- d-sh--w- c:\users\\Administrator\IETldCache
2009-11-05 23:33 . 2009-11-05 23:33 -------- d-----w- c:\users\stewart Macleod\output
2009-11-05 23:33 . 2009-11-05 23:33 -------- d-----w- c:\users\\stewart Macleod\output
2009-11-05 22:49 . 2009-11-19 20:02 -------- d-----w- c:\program files\BBC Radio Ripper
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 11:28 . 2009-06-25 16:56 -------- d-----w- c:\users\All Users\Application Data\AVG Security Toolbar
2009-11-23 17:21 . 2008-02-18 19:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-19 20:00 . 2008-02-10 01:40 -------- d-----w- c:\program files\Soulseek
2009-11-19 17:48 . 2008-02-09 15:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-18 22:09 . 2008-02-09 15:24 -------- d-----w- c:\users\All Users\Application Data\Spybot - Search & Destroy
2009-11-16 23:46 . 2008-02-09 19:19 -------- d-----w- c:\users\stewart Macleod\Application Data\Vso
2009-11-12 00:21 . 2008-02-18 16:29 -------- d-----w- c:\users\All Users\Application Data\Microsoft Help
2009-11-07 18:24 . 2009-07-08 21:14 -------- d-----w- c:\program files\Songbird
2009-11-02 20:42 . 2009-10-10 10:28 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-26 23:34 . 2009-09-26 23:34 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-09-26 23:34 . 2009-09-26 23:34 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-09-26 23:25 . 2009-09-26 23:25 -------- d-----w- c:\users\All Users\Application Data\Nokia
2009-09-26 23:21 . 2008-02-09 20:02 -------- d-----w- c:\program files\Nokia
2009-09-26 23:17 . 2008-02-09 20:02 -------- d-----w- c:\program files\Common Files\Nokia
2009-09-26 23:16 . 2009-09-26 23:16 -------- d-----w- c:\program files\MSXML 6.0
2009-09-26 23:15 . 2009-09-26 23:15 3351812 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\msxml6Exec.exe
2009-09-26 23:15 . 2009-09-26 23:15 36864 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\Sleep.exe
2009-09-26 23:15 . 2009-09-26 23:15 3181612 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\vcredistExec.exe
2009-09-26 23:14 . 2009-09-26 23:14 -------- d-----w- c:\users\All Users\Application Data\Installations
2009-09-26 23:11 . 2009-09-26 23:16 24501456 ----a-w- c:\users\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\NokiaSoftwareUpdaterSetup_en.exe
2009-09-11 14:18 . 2007-10-31 00:31 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2007-10-31 00:31 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2007-12-05 16:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 17:36 . 2009-03-16 18:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 17:36 . 2009-03-16 18:37 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 17:36 . 2008-02-09 14:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\tcpip.sys
[-] 2007-10-11 . 270684847A8EF5C51FFF58457E4DC8C6 . 361088 . . [5.1.2600.9999] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\system32\comctl32.dll
[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\comctl32.dll
[-] 2009-11-23 . 72266B82D796C816B7F0A44D8B7E3216 . 578048 . . [5.1.2600.3244] . . c:\windows\system32\dllcache\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\explorer.exe
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-23_17.45.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-09 13:22 . 2009-11-24 12:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-02-09 13:22 . 2009-11-23 17:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-02-09 13:22 . 2009-11-24 12:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-02-09 13:22 . 2009-11-23 17:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-19 09:43 . 2009-11-24 12:09 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-10-19 09:43 . 2009-11-23 17:20 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="c:\windows\System32\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 36352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2007-10-31 50176]
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2007-10-15 2045224]
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2007-10-15 1077032]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 222208]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-13 185896]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2007-10-31 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2007-10-31 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2007-09-26 1232384]
"VisualTaskTips"="c:\windows\System32\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 36352]
"TopDesk"="c:\windows\System32\TopDesk\topdesk.exe" [2007-11-16 1937920]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 17:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Users\\stewart Macleod\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Songbird\\songbird.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
R0 viasprid;viasprid;c:\windows\system32\drivers\viasprid.sys [23/11/2009 17:18 71040]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/03/2009 18:37 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/03/2009 18:37 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/03/2009 18:36 297752]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [09/02/2008 19:26 584960]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [26/09/2009 23:21 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [26/09/2009 23:21 8320]
.
Contents of the 'Scheduled Tasks' folder
2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-11-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://free.grisoft.com/doc/registration/us/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\stewart Macleod\Application Data\Mozilla\Firefox\Profiles\zdmyav5x.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\users\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\users\stewart Macleod\Application Data\Mozilla\Firefox\Profiles\zdmyav5x.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 22:48
Windows 5.1.2600 Service Pack 3, v.5857 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\SETUPAPI.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.3244_x-ww_d74fff41\comctl32.dll
- - - - - - - > 'lsass.exe'(704)
c:\windows\system32\SETUPAPI.dll
.
Completion time: 2009-11-25 22:53
ComboFix-quarantined-files.txt 2009-11-25 22:52
ComboFix2.txt 2009-11-25 11:05
ComboFix3.txt 2009-11-24 03:15
ComboFix4.txt 2009-11-23 17:54
Pre-Run: 4,200,321,024 bytes free
Post-Run: 4,266,651,648 bytes free
- - End Of File - - 934206ED0D5C7E71E0DFBF68B3A7C704
Upload was successful
There is nothing active showing there now, so it's safe to take the drive out.
If you reformat the machine and then reinstall the OS, you could keep it as a spare :)
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections
Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
eddiemac1
2009-11-26, 19:34
Thanks for all your help.
everything appears to be fine, i have taken the e drive out already.
I am going to reformat the whole machine back to Windows xp so i have one final question for you if thats not to cheeky.
You couldnt point me in the direction of a forum topic or tutorial that tells you how to roll back to a previous version so i dont get the same crap windows message telling me the version i have is newer so you cant have the old,
I dont expect you to have to tell me how to do it just a quick guide that i can follow.
And i really do apprieciate everything. Once i get the new pc i will certainly be making a small donation. I hhave been recomending the site to everyone i know today at work.
:thanks::thanks::thanks::thanks::thanks::thanks::thanks::thanks::thanks:
I am going to reformat the whole machine back to Windows xp so i have one final question for you if thats not to cheeky.
You couldnt point me in the direction of a forum topic or tutorial that tells you how to roll back to a previous version so i dont get the same crap windows message telling me the version i have is newer so you cant have the old,
It's not cheeky at all :)
If you have an XP install disc, then you should be able to boot from it and get an option to install or repair.
If you choose install rather than repair, then it should format the drive and let you start from scratch.