Resolved HJT Threads - Resolved spyware and popup issues.
#1
Registered User
Join Date: Nov 2008
Location: Manchester, UK
Posts: 10
OS: xp
Trojan/Malware/popups
Hi, after turning on my PC on Saturday morning, I was bombarded with popups, some of which you could only hear and not see. I went into System Restore only to find that I was unable to go back to any date previous.

IE would not show pictures; even after going into IE/Tools/Advanced and ticking the "show pictures" box, when IE was restarted it automatically reverted back to unticking this option. I have run AVG and Malwarebytes' Anti-Malware and they found several threats, but I'm worried I'm still infected. Any help or advice would be greatly appreciated.

Regards

Logfile of random's system information tool 1.04 (written by random/random)
Run by Terry at 2008-11-10 12:28:24

Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 158 GB (66%) free of 238 GB
Total RAM: 1023 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:59, on 10/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\LifeView DTV\RemoteControl.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Terry\Desktop\RSIT.exe
C:\Documents and Settings\Terry\Desktop\Terry.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {a1b2f3fa-dd1d-470b-a23e-a133b2f8ef60} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DTVRemote] "C:\Program Files\LifeView DTV\RemoteControl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [lovefilm DLM Manager] C:\Program Files\LOVEFiLM International\Lovefilm Download Manager\Download Manager.exe
O4 - HKCU\..\Run: [EPSON Stylus D92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE /FU "C:\WINDOWS\TEMP\E_S86.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NCProTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1171998185500
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} -
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: lyjdcu.dll,avgrsstx.dll glhugw.dll
O20 - Winlogon Notify: pmnkLFXR - pmnkLFXR.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7679 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\vnsojwww.job
C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800] S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144] S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264] S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe [2008-05-02 121360] -----------------EOF----------------- |
#3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,254
OS: 2000 Pro; XP Pro; XP Home
Re: Trojan/Malware/popups
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.
It is IMPORTANT that you don't miss a step and perform everything in the correct order/sequence.
---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#4 (permalink)
Registered User
Join Date: Nov 2008
Location: Manchester, UK
Posts: 10
OS: xp
Re: Trojan/Malware/popups
Thank you for helping me. I really appreciate your help.
I followed your instructions and here is my log:

ComboFix 08-11-11.01 - Terry 2008-11-12 23:44:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.578 [GMT 0:00]
Running from: c:\documents and settings\Terry\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\documents and settings\Terry\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\dbxDgrevCheck.dll
c:\windows\system32\MSINET.oca
c:\windows\Tasks\vnsojwww.job
.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-11 23:59 . 2008-10-07 13:33 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-11-11 23:59 . 2008-11-12 23:52 200,819 --a------ c:\windows\system32\nvapps.xml
2008-11-11 23:59 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu
2008-11-11 23:58 . 2008-10-02 10:07 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-10 12:28 . 2008-11-10 12:34 <DIR> d-------- C:\rsit
2008-11-10 12:10 . 2008-11-10 12:10 250 --a------ c:\windows\gmer.ini
2008-11-09 23:06 . 2008-11-09 23:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-09 23:06 . 2008-11-09 23:06 <DIR> d-------- c:\documents and settings\Terry\Application Data\Malwarebytes
2008-11-09 23:06 . 2008-11-09 23:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-09 23:06 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 23:06 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-09 17:58 . 2008-11-09 17:58 0 --a------ c:\windows\nsreg.dat
2008-11-09 17:54 . 2008-11-09 17:54 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-08 14:42 . 2008-11-08 14:43 367 --a------ c:\windows\wininit.ini
2008-11-08 10:56 . 2008-11-23 16:27 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-08 10:52 . 2008-11-12 12:23 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-08 10:52 . 2008-11-08 10:52 <DIR> d-------- c:\program files\AVG
2008-11-08 10:52 . 2008-11-08 10:52 <DIR> d-------- c:\documents and settings\Terry\Application Data\AVGTOOLBAR
2008-11-08 10:52 . 2008-11-08 16:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-08 10:52 . 2008-11-08 10:52 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-08 10:52 . 2008-11-08 10:52 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-08 10:52 . 2008-11-08 10:52 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-08 09:24 . 2008-11-08 09:24 90,915 --a------ c:\windows\system32\uipbmyazmmmtm.dll-uninst.exe
2008-11-08 08:51 . 2008-11-08 08:51 77,895 --a------ c:\windows\system32\amqrevolxw.exe
2008-11-08 08:45 . 2008-11-08 14:44 888 --ahs---- c:\windows\system32\onqWFfhk.ini
2008-11-08 08:15 . 2008-11-08 08:15 <DIR> d-------- c:\documents and settings\Terry\Application Data\IUpd721
2008-11-08 07:58 . 2008-11-08 07:58 79,094 --a------ c:\windows\system32\msuzwgcroqtw.exe
2008-11-08 07:57 . 2008-11-08 08:38 0 --a------ c:\windows\system32\drivers\c09a9aba.sys
2008-11-08 07:57 . 2008-11-08 07:57 0 --a------ C:\1753148352
2008-11-08 07:56 . 2008-11-08 13:33 <DIR> d-------- c:\windows\system32\xdt
2008-11-08 07:56 . 2008-11-23 15:55 <DIR> d-------- c:\windows\system32\sX3i19
2008-11-08 07:56 . 2008-11-08 14:05 <DIR> d-------- c:\windows\system32\mir5
2008-11-08 07:56 . 2008-11-08 13:30 <DIR> d-------- c:\windows\system32\IET
2008-11-08 07:56 . 2008-11-08 14:03 <DIR> d-------- c:\windows\system32\CT6
2008-11-02 10:24 . 2008-11-02 10:25 <DIR> d-------- c:\documents and settings\Jacqui\Application Data\uTorrent
2008-11-01 09:37 . 2008-11-01 09:37 178,176 --a------ c:\windows\system32\ymzalkgkpnuufbc.dll
2008-10-29 23:48 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
2008-10-29 23:47 . 2008-10-29 23:47 <DIR> d-------- c:\windows\Logs
2008-10-28 22:36 . 2008-10-28 22:36 823,296 --a------ c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 . 2008-10-28 22:36 823,296 --a------ c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 . 2008-10-28 22:35 815,104 --a------ c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 . 2008-10-28 22:35 802,816 --a------ c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 . 2008-10-28 22:35 729,088 --a------ c:\windows\system32\divxdec.ax
2008-10-28 22:35 . 2008-10-28 22:35 684,032 --a------ c:\windows\system32\DivX.dll
2008-10-24 06:48 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 07:38 . 2008-10-23 07:38 <DIR> d-------- c:\windows\system32\scripting
2008-10-23 07:38 . 2008-10-23 07:38 <DIR> d-------- c:\windows\system32\en
2008-10-23 07:38 . 2008-10-23 07:38 <DIR> d-------- c:\windows\system32\bits
2008-10-23 07:38 . 2008-10-23 07:38 <DIR> d-------- c:\windows\l2schemas
2008-10-23 07:36 . 2008-10-23 07:36 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-16 21:41 . 2008-10-16 21:41 <DIR> d-------- c:\documents and settings\Terry\temp
2008-10-16 21:41 . 2008-10-16 21:48 <DIR> d-------- c:\documents and settings\Terry\Application Data\TeamViewer
2008-10-15 15:40 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 15:40 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 15:40 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 15:40 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 15:39 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-15 15:10 . 2008-09-08 10:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 12:05 --------- d-----w c:\program files\Conduit
2008-11-09 23:30 --------- d-----w c:\program files\Java
2008-11-09 19:51 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 16:53 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-08 14:22 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 14:20 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-08 11:51 --------- d-----w c:\program files\PPMate
2008-11-08 09:53 7,308 ----a-w c:\documents and settings\Terry\Application Data\wklnhst.dat
2008-11-08 08:00 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-11-07 23:30 --------- d-----w c:\program files\DivX
2008-11-05 15:10 --------- d-----w c:\documents and settings\Terry\Application Data\Apple Computer
2008-10-30 16:16 --------- d-----w c:\documents and settings\Terry\Application Data\Xfire
2008-10-30 14:38 --------- d-s---w c:\program files\Xfire
2008-10-30 00:06 22,328 ----a-w c:\documents and settings\Terry\Application Data\PnkBstrK.sys
2008-10-07 13:33 6,133,856 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-07-22 14:32 6,340 ----a-w c:\documents and settings\Jacqui\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EPSON Stylus D92 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE" [2006-09-27 139264]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DTVRemote"="c:\program files\LifeView DTV\RemoteControl.exe" [2004-09-17 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-08 1234712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-09 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 c:\windows\ALCWZRD.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-01 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-07-16 303104]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-28 805392]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-08-22 49220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lyjdcu.dll,avgrsstx.dll glhugw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\supaking\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\PPMate\\PPMate\\ppmate.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\supaking\\source sdk base\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\supaking\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\killerwurst1988\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\killerwurst1988\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\natalie664\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\MC2\\Sniper Elite\\SniperElite.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\PPMate\\ppmate.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\natalie664\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Terry\\temp\\TeamViewer3\\TeamViewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\supaking\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead demo\\left4dead.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-08 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-08 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-08 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-08 76040]
R3 LVHybrid;LVHybrid service;c:\windows\system32\DRIVERS\LVHybrid.sys [2004-09-07 699648]
S1 c09a9aba;c09a9aba;c:\windows\system32\drivers\c09a9aba.sys [2008-11-08 0]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
.
Contents of the 'Scheduled Tasks' folder

2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-lovefilm DLM Manager - c:\program files\LOVEFiLM International\Lovefilm Download Manager\Download Manager.exe
HKLM-Run-QuickTime Task - C:\qttask.exe
Notify-pmnkLFXR - pmnkLFXR.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Terry\Application Data\Mozilla\Firefox\Profiles\n75amry4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 23:52:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-11-13 0:02:07 - machine was rebooted [Terry]
ComboFix-quarantined-files.txt 2008-11-13 00:01:58

Pre-Run: 162,853,097,472 bytes free
Post-Run: 164,317,126,656 bytes free

220 --- E O F --- 2008-10-24 14 30
#5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,254
OS: 2000 Pro; XP Pro; XP Home
Re: Trojan/Malware/popups
Next steps...I need more information.
Please go to: VirusTotal
Please label each result so I know which file it's from.
#6 (permalink)
Registered User
Join Date: Nov 2008
Location: Manchester, UK
Posts: 10
OS: xp
Re: Trojan/Malware/popups
Thanks for the quick response.
c:\windows\system32\amqrevolxw.exe
Results:
File dypoxvgjkesg.exe received on 11.07.2008 18:21:36 (CET)
Current status: finished
Result: 4/36 (11.11%)
Antivirus / Version / Last Update / Result
AntiVir - - DR/Zlob.Gen
Norman - - Zlob.CXKY
Prevx1 - - Cloaked Malware
SecureWeb-Gateway - - Trojan.Dropper.Zlob.Gen
No detection: AhnLab-V3, Authentium, Avast, AVG, BitDefender, CAT-QuickHeal, ClamAV, DrWeb, eSafe, eTrust-Vet, Ewido, F-Prot, F-Secure, Fortinet, GData, Ikarus, K7AntiVirus, Kaspersky, McAfee, Microsoft, NOD32, Panda, PCTools, Rising, Sophos, Sunbelt, Symantec, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster
Additional information
MD5: 9c923edb3f31a2122ebc9becd13d9187
SHA1: 6ce5eeea3bd5e36134024d1428739ffe8fc7d432
SHA256: 6746193b258004ac43465a8a02427a6f8bca08d1938a53df5778c443418c0932
SHA512: 0fc6a3edf667ca707ba968829a925ad0e1727a873d3b9b208683ad3c95ebcea4065c5bdc0fd7ebfb5ff6a3dcb0e5d311d5f767bdc8e9d0bd001c9bd7145a2e84

c:\windows\system32\msuzwgcroqtw.exe
Results:
File msuzwgcroqtw.exe_ received on 11.10.2008 11:13:57 (CET)
Current status: finished
Result: 5/36 (13.89%)
Antivirus / Version / Last Update / Result
eTrust-Vet - - Win32/SillyDl.FWR
F-Secure - - Trojan-Downloader:W32/Zlob.HYY
Ikarus - - Trojan.Win32.Shutdowner.awy
Microsoft - - Adware:Win32/AdRotator
Prevx1 - - Cloaked Malware
No detection: AhnLab-V3, AntiVir, Authentium, Avast, AVG, BitDefender, CAT-QuickHeal, ClamAV, DrWeb, eSafe, Ewido, F-Prot, Fortinet, GData, K7AntiVirus, Kaspersky, McAfee, NOD32, Norman, Panda, PCTools, Rising, SecureWeb-Gateway, Sophos, Sunbelt, Symantec, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster
Additional information
MD5: 4820466190b22f32cbeec8b963d6c5bc
SHA1: cbbb4345b10cd228d23663a3371b81067ceab49d
SHA256: 400b3bdaea3c7af38cde8e0571278a3c919356b6d7f6245172f17f0ce90f2bc1
SHA512: cf621a2fdadbce51626067853f5485c94ac8cdd08f14df39d40d3b155218fb3bbc025ace535bea89be6e82539644f3f9c2c90b29b67e8a31a993f7648e9326de

c:\windows\system32\ymzalkgkpnuufbc.dll
Results:
File ymzalkgkpnuufbc.dll_ received on 11.10.2008 21:38:44 (CET)
Current status: finished
Result: 8/36 (22.22%)
Antivirus / Version / Last Update / Result
BitDefender - - Generic.Adw.Rotator.90746EA7
Fortinet - - Adware/AdClicker
GData - - Generic.Adw.Rotator.90746EA7
Ikarus - - Generic.Adw.Rotator
Microsoft - - Adware:Win32/AdRotator
Panda - - Trj/KillAV.FJ
Prevx1 - - Cloaked Malware
Symantec - - Adware.Begin2search
No detection: AhnLab-V3, AntiVir, Authentium, Avast, AVG, CAT-QuickHeal, ClamAV, DrWeb, eSafe, eTrust-Vet, Ewido, F-Prot, F-Secure, K7AntiVirus, Kaspersky, McAfee, NOD32, Norman, PCTools, Rising, SecureWeb-Gateway, Sophos, Sunbelt, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster
Additional information
MD5: fea986e378b233a5856137a63dd4638b
SHA1: 8742806ab379b1b3119d057da1a2eb2b00b7097c
SHA256: d4cb524472d081b7a61053a4d2ed3bfa75d6104cd2aa7a92de70bcdafc0c490b
SHA512: 81953adc8ca02ecc82fcced7748e61ea56ebc5b08f267c3032782f57261fc166980d664c6eb1aa2f8c2302af3295543186ce74c8db48d3e9405bbd32f354764d

c:\windows\system32\uipbmyazmmmtm.dll-uninst.exe
Results:
File uipbmyazmmmtm.dll-uninst.exe_ received on 10.28.2008 13:51:15 (CET)
Current status: finished
Result: 4/36 (11.11%)
Antivirus / Version / Last Update / Result
AntiVir - - ADSPY/AdSpy.Gen
Ikarus - - AdWare.AdSpy
Prevx1 - - Cloaked Malware
SecureWeb-Gateway - - Ad-Spyware.AdSpy.Gen
No detection: AhnLab-V3, Authentium, Avast, AVG, BitDefender, CAT-QuickHeal, ClamAV, DrWeb, eSafe, eTrust-Vet, Ewido, F-Prot, F-Secure, Fortinet, GData, K7AntiVirus, Kaspersky, McAfee, Microsoft, NOD32, Norman, Panda, PCTools, Rising, Sophos, Sunbelt, Symantec, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster
Additional information
MD5: 71c450f9707d7d7dbc2063ceb80d2c41
SHA1: 7f34e468716d49619328d0c93393571b37185cb9
SHA256: 812d2dc300cebbe515e6b0f151c518bed81890f939dd5c690532a467ceb25580
SHA512: 1c1f44848ca3fbdfb02e0d42a17a992301212e9cb8e96447b6f8a6ba905fed2e57316f7d077a97ce29b803d4a7f3e95f06f638b4240d37c38b64e49a89ea6653
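VirusTotal results copied out of the browser arrive as one run-on line per file, as they did in this post, and the helper has to recover the engine rows and the hashes from that. The script below is an added example, not part of the thread and not VirusTotal's own code or API: it parses that pasted form back into rows, checks that the rows it parsed agree with the declared detection ratio, and extracts the four digests at their full length so a truncated paste is caught rather than trusted. The sample is the first result block above for amqrevolxw.exe (reported under the earlier upload name dypoxvgjkesg.exe), joined onto one line the way the forum rendered it; ENGINES is the 36 scanners that block lists.

```python
"""Parse a VirusTotal result block in the flattened, copy-pasted form
seen in post #6 above and check it for internal consistency.

Added example, not part of the original thread and not VirusTotal's own
code or API. SAMPLE is the first result block posted above, joined onto
one line the way the forum rendered it; ENGINES is the 36 scanners that
block lists.
"""
import re

ENGINES = [
    "AhnLab-V3", "AntiVir", "Authentium", "Avast", "AVG", "BitDefender",
    "CAT-QuickHeal", "ClamAV", "DrWeb", "eSafe", "eTrust-Vet", "Ewido",
    "F-Prot", "F-Secure", "Fortinet", "GData", "Ikarus", "K7AntiVirus",
    "Kaspersky", "McAfee", "Microsoft", "NOD32", "Norman", "Panda",
    "PCTools", "Prevx1", "Rising", "SecureWeb-Gateway", "Sophos",
    "Sunbelt", "Symantec", "TheHacker", "TrendMicro", "VBA32", "ViRobot",
    "VirusBuster",
]

# Longest names first so the alternation never stops at a prefix.
_ALT = "|".join(re.escape(e) for e in sorted(ENGINES, key=len, reverse=True))

# One table row as pasted: "<engine> - - <verdict>", where a verdict of
# "-" means no detection. Verdicts may contain spaces ("Cloaked
# Malware"), so a row runs until the next engine name or the
# "Additional information" footer.
ROW_RE = re.compile(
    r"\b(?P<engine>" + _ALT + r")\s+-\s+-\s+(?P<verdict>.+?)"
    r"(?=\s+(?:" + _ALT + r")\s+-\s+-\s|\s+Additional information|$)"
)
DECLARED_RE = re.compile(r"Result:\s*(\d+)/(\d+)")
HASH_RES = {
    "md5": re.compile(r"\bMD5:\s*([0-9a-fA-F]{32})\b"),
    "sha1": re.compile(r"\bSHA1:\s*([0-9a-fA-F]{40})\b"),
    "sha256": re.compile(r"\bSHA256:\s*([0-9a-fA-F]{64})\b"),
    "sha512": re.compile(r"\bSHA512:\s*([0-9a-fA-F]{128})\b"),
}

# Constructed from the first result block in post #6, flattened as posted.
SAMPLE = (
    "c:\\windows\\system32\\amqrevolxw.exe Results : "
    "File dypoxvgjkesg.exe received on 11.07.2008 18:21:36 (CET) "
    "Current status: finished Result: 4/36 (11.11%) Compact Print results "
    "Antivirus Version Last Update Result "
    "AhnLab-V3 - - - AntiVir - - DR/Zlob.Gen Authentium - - - Avast - - - "
    "AVG - - - BitDefender - - - CAT-QuickHeal - - - ClamAV - - - DrWeb - - - "
    "eSafe - - - eTrust-Vet - - - Ewido - - - F-Prot - - - F-Secure - - - "
    "Fortinet - - - GData - - - Ikarus - - - K7AntiVirus - - - Kaspersky - - - "
    "McAfee - - - Microsoft - - - NOD32 - - - Norman - - Zlob.CXKY Panda - - - "
    "PCTools - - - Prevx1 - - Cloaked Malware Rising - - - "
    "SecureWeb-Gateway - - Trojan.Dropper.Zlob.Gen Sophos - - - Sunbelt - - - "
    "Symantec - - - TheHacker - - - TrendMicro - - - VBA32 - - - ViRobot - - - "
    "VirusBuster - - - Additional information "
    "MD5: 9c923edb3f31a2122ebc9becd13d9187 "
    "SHA1: 6ce5eeea3bd5e36134024d1428739ffe8fc7d432 "
    "SHA256: 6746193b258004ac43465a8a02427a6f8bca08d1938a53df5778c443418c0932 "
    "SHA512: 0fc6a3edf667ca707ba968829a925ad0e1727a873d3b9b208683ad3c95ebcea4"
    "065c5bdc0fd7ebfb5ff6a3dcb0e5d311d5f767bdc8e9d0bd001c9bd7145a2e84"
)


def parse_vt_block(text):
    """Return engine rows, detections, the declared x/y ratio and hashes."""
    rows = {m.group("engine"): m.group("verdict").strip()
            for m in ROW_RE.finditer(text)}
    declared = DECLARED_RE.search(text)
    hashes = {}
    for algo, rx in HASH_RES.items():
        m = rx.search(text)
        if m:
            hashes[algo] = m.group(1).lower()
    return {
        "engines_seen": len(rows),
        "detections": {e: v for e, v in rows.items() if v != "-"},
        "declared": (int(declared.group(1)), int(declared.group(2))) if declared else None,
        "hashes": hashes,
    }


def consistent(report):
    """True when the rows actually parsed match the declared ratio and all
    four digests are present at full length; a truncated paste would
    otherwise lose engines or hash characters without any error."""
    if report["declared"] is None:
        return False
    det, total = report["declared"]
    return (len(report["detections"]) == det
            and report["engines_seen"] == total
            and set(report["hashes"]) == set(HASH_RES))


if __name__ == "__main__":
    rep = parse_vt_block(SAMPLE)
    print("declared", rep["declared"], "consistent:", consistent(rep))
    for eng, verdict in sorted(rep["detections"].items()):
        print(f"  {eng}: {verdict}")
    print("sha256:", rep["hashes"].get("sha256"))
```

The consistency check matters more than it looks: a 4/36 result is weak evidence on its own, and what makes the four blocks in this post usable is that the hashes let the helper tie each file to a specific sample, so a SHA-256 that lost a few characters in the paste would point at nothing.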
#7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,254
OS: 2000 Pro; XP Pro; XP Home
Re: Trojan/Malware/popups
Great, let's take out the trash.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix. It is IMPORTANT that you don't miss a step and perform everything in the correct order/sequence.
---------------------------------------------------------------------------------------------
#8 (permalink)
Registered User
Join Date: Nov 2008
Location: Manchester, UK
Posts: 10
OS: xp
Re: Trojan/Malware/popups
Hi, thanks again for the quick response.
I followed all the steps; however, when I got to step 4 above, ComboFix produced the log which I've inserted below, and then ComboFix closed itself down, so I did not notice any other message boxes.

ComboFix 08-11-11.01 - Terry 2008-11-13 1:07:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.561 [GMT 0:00]
Running from: c:\documents and settings\Terry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Terry\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\1753148352
c:\windows\system32\onqWFfhk.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1753148352
c:\windows\system32\amqrevolxw.exe
c:\windows\system32\drivers\c09a9aba.sys
c:\windows\system32\msuzwgcroqtw.exe
c:\windows\system32\onqWFfhk.ini
c:\windows\system32\uipbmyazmmmtm.dll-uninst.exe
c:\windows\system32\ymzalkgkpnuufbc.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_c09a9aba

((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.

2008-11-11 23:59 . 2008-10-07 13:33 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-11-11 23:59 . 2008-11-13 01:13 200,819 --a------ c:\windows\system32\nvapps.xml
2008-11-11 23:59 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu
2008-11-11 23:58 . 2008-10-02 10:07 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-10 12:28 . 2008-11-10 12:34 <DIR> d-------- C:\rsit
2008-11-10 12:10 . 2008-11-10 12:10 250 --a------ c:\windows\gmer.ini
2008-11-09 23:06 . 2008-11-09 23:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-09 23:06 . 2008-11-09 23:06 <DIR> d-------- c:\documents and settings\Terry\Application Data\Malwarebytes
2008-11-09 23:06 . 2008-11-09 23:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-09 23:06 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 23:06 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-09 17:58 . 2008-11-09 17:58 0 --a------ c:\windows\nsreg.dat
2008-11-09 17:54 . 2008-11-09 17:54 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-08 14:42 . 2008-11-08 14:43 367 --a------ c:\windows\wininit.ini
2008-11-08 10:56 . 2008-11-23 16:27 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-08 10:52 . 2008-11-12 12:23 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-08 10:52 . 2008-11-08 10:52 <DIR> d-------- c:\program files\AVG
2008-11-08 10:52 . 2008-11-08 10:52 <DIR> d-------- c:\documents and settings\Terry\Application Data\AVGTOOLBAR
2008-11-08 10:52 . 2008-11-08 16:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-08 10:52 . 2008-11-08 10:52 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-08 10:52 . 2008-11-08 10:52 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-08 10:52 . 2008-11-08 10:52 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-08 08:15 . 2008-11-08 08:15 <DIR> d-------- c:\documents and settings\Terry\Application Data\IUpd721
2008-11-08 07:56 . 2008-11-08 13:33 <DIR> d-------- c:\windows\system32\xdt
2008-11-08 07:56 . 2008-11-23 15:55 <DIR> d-------- c:\windows\system32\sX3i19
2008-11-08 07:56 . 2008-11-08 14:05 <DIR> d-------- c:\windows\system32\mir5
2008-11-08 07:56 . 2008-11-08 13:30 <DIR> d-------- c:\windows\system32\IET
2008-11-08 07:56 . 2008-11-08 14:03 <DIR> d-------- c:\windows\system32\CT6
2008-11-02 10:24 . 2008-11-02 10:25 <DIR> d-------- c:\documents and settings\Jacqui\Application Data\uTorrent
2008-10-29 23:48 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
2008-10-29 23:47 . 2008-10-29 23:47 <DIR> d-------- c:\windows\Logs
2008-10-28 22:36 . 2008-10-28 22:36 823,296 --a------ c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 . 2008-10-28 22:36 823,296 --a------ c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 . 2008-10-28 22:35 815,104 --a------ c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 . 2008-10-28 22:35 802,816 --a------ c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 . 2008-10-28 22:35 729,088 --a------ c:\windows\system32\divxdec.ax
2008-10-28 22:35 . 2008-10-28 22:35 684,032 --a------ c:\windows\system32\DivX.dll
2008-10-24 06:48 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 07:38 . 2008-10-23 07:38 <DIR> d-------- c:\windows\system32\scripting
2008-10-23 07:38 . 2008-10-23 07:38 <DIR> d-------- c:\windows\system32\en
2008-10-23 07:38 . 2008-10-23 07:38 <DIR> d-------- c:\windows\system32\bits
2008-10-23 07:38 . 2008-10-23 07:38 <DIR> d-------- c:\windows\l2schemas
2008-10-23 07:36 . 2008-10-23 07:36 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-16 21:41 . 2008-10-16 21:41 <DIR> d-------- c:\documents and settings\Terry\temp
2008-10-16 21:41 . 2008-10-16 21:48 <DIR> d-------- c:\documents and settings\Terry\Application Data\TeamViewer
2008-10-15 15:40 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 15:40 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 15:40 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 15:40 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 15:39 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-15 15:10 . 2008-09-08 10:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 12:05 --------- d-----w c:\program files\Conduit
2008-11-09 23:30 --------- d-----w c:\program files\Java
2008-11-09 19:51 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 16:53 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-08 14:22 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 14:20 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-08 11:51 --------- d-----w c:\program files\PPMate
2008-11-08 09:53 7,308 ----a-w c:\documents and settings\Terry\Application Data\wklnhst.dat
2008-11-08 08:00 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-11-07 23:30 --------- d-----w c:\program files\DivX
2008-11-05 15:10 --------- d-----w c:\documents and settings\Terry\Application Data\Apple Computer
2008-10-30 16:16 --------- d-----w c:\documents and settings\Terry\Application Data\Xfire
2008-10-30 14:38 --------- d-s---w c:\program files\Xfire
2008-10-30 00:06 22,328 ----a-w c:\documents and settings\Terry\Application Data\PnkBstrK.sys
2008-10-07 13:33 6,133,856 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-07-22 14:32 6,340 ----a-w c:\documents and settings\Jacqui\Application Data\wklnhst.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Terry\Application Data\IUpd721 ----

2008-11-08 13:44 10809 --a------ c:\documents and settings\Terry\Application Data\IUpd721\Logs\scns.log

---- Directory of c:\windows\system32\CT6 ----

---- Directory of c:\windows\system32\IET ----

---- Directory of c:\windows\system32\mir5 ----

---- Directory of c:\windows\system32\sX3i19 ----

---- Directory of c:\windows\system32\xdt ----

((((((((((((((((((((((((((((( snapshot@2008-11-13_ 0.01.33.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-13 01:11:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_614.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EPSON Stylus D92 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE" [2006-09-27 139264]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DTVRemote"="c:\program files\LifeView DTV\RemoteControl.exe" [2004-09-17 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-08 1234712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-09 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 c:\windows\ALCWZRD.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-01 113664] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-07-16 303104] Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-28 805392] NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-08-22 49220] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-05-02 02:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=lyjdcu.dll,avgrsstx.dll glhugw.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.XFR1"= xfcodec.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Xfire\\xfire.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\supaking\\half-life 2 deathmatch\\hl2.exe"= "c:\\Program Files\\PPLive\\PPLive.exe"= "c:\\Program Files\\TVAnts\\Tvants.exe"= "c:\\Program Files\\PPMate\\PPMate\\ppmate.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\supaking\\source sdk base\\hl2.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\supaking\\counter-strike source\\hl2.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\killerwurst1988\\day of defeat source\\hl2.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\killerwurst1988\\half-life 2 deathmatch\\hl2.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\natalie664\\half-life 2 deathmatch\\hl2.exe"= "c:\\Program Files\\Valve\\Steam\\Steam.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= 
"c:\\Program Files\\SopCast\\SopCast.exe"= "c:\\Program Files\\MC2\\Sniper Elite\\SniperElite.exe"= "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"= "c:\\Program Files\\PPMate\\ppmate.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\natalie664\\counter-strike source\\hl2.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Documents and Settings\\Terry\\temp\\TeamViewer3\\TeamViewer.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\supaking\\zombie panic! source\\hl2.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead demo\\left4dead.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-08 97928] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-08 875288] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-08 231704] R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-08 76040] R3 LVHybrid;LVHybrid service;c:\windows\system32\DRIVERS\LVHybrid.sys [2004-09-07 699648] S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512] . Contents of the 'Scheduled Tasks' folder 2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57] . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-13 01:12:22 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\nvsvc32.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\program files\AVG\AVG8\avgrsx.exe c:\windows\system32\rundll32.exe c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe . ************************************************************************** . Completion time: 2008-11-13 1:21:47 - machine was rebooted ComboFix-quarantined-files.txt 2008-11-13 01:21:41 ComboFix2.txt 2008-11-13 00:02:13 Pre-Run: 164,383,268,864 bytes free Post-Run: 164,372,074,496 bytes free 218 --- E O F --- 2008-10-24 14 30
#9
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,254
OS: 2000 Pro; XP Pro; XP Home
Re: Trojan/Malware/popups
Ok, thanks...we can get to the information I'd like to see this way.
Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#10
Registered User
Join Date: Nov 2008
Location: Manchester, UK
Posts: 10
OS: xp
Re: Trojan/Malware/popups
Hi, ok thanks.... here are the results:

2007-04-26 04:30:16 A------- 29,184 C:\Qoobox\Quarantine\C\WINDOWS\system32\MSINET.oca.vir
2007-09-28 09:34:34 A------- 274,528 C:\Qoobox\Quarantine\C\WINDOWS\system32\dbxDgrevCheck.dll.vir
2008-11-01 09:37:22 A------- 178,176 C:\Qoobox\Quarantine\C\WINDOWS\system32\ymzalkgkpnuufbc.dll.vir
2008-11-08 07:56:44 A------- 294 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\vnsojwww.job.vir
2008-11-08 07:56:52 A------- 4,095 C:\Qoobox\Quarantine\C\Documents and Settings\Terry\Local Settings\Temporary Internet Files\fbk.sts.vir
2008-11-08 07:57:07 A------- 0 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\c09a9aba.sys.vir
2008-11-08 07:57:57 A------- 0 C:\Qoobox\Quarantine\C\1753148352.vir
2008-11-08 07:58:44 A------- 79,094 C:\Qoobox\Quarantine\C\WINDOWS\system32\msuzwgcroqtw.exe.vir
2008-11-08 08:10:13 A------- 743 C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\twain_32\user.ds.vir
2008-11-08 08:45:45 A------- 888 C:\Qoobox\Quarantine\C\WINDOWS\system32\onqWFfhk.ini.vir
2008-11-08 08:51:31 A------- 77,895 C:\Qoobox\Quarantine\C\WINDOWS\system32\amqrevolxw.exe.vir
2008-11-08 08:55:18 A------- 208 C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\twain_32\user.ds.vir
2008-11-08 09:24:52 A------- 90,915 C:\Qoobox\Quarantine\C\WINDOWS\system32\uipbmyazmmmtm.dll-uninst.exe.vir
2008-11-12 23:20:42 A------- 216 C:\Qoobox\Quarantine\catchme.log
2008-11-12 23:47:18 A------- 7,921 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-13 00:01:33 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-11-13 00:01:33 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-11-13 00:01:33 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-11-13 00:01:36 A------- 196 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-lovefilm DLM Manager.reg.dat
2008-11-13 00:01:37 A------- 131 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-QuickTime Task.reg.dat
2008-11-13 00:01:42 A------- 498 C:\Qoobox\Quarantine\Registry_backups\Notify-pmnkLFXR.reg.dat
2008-11-13 01 57 A------- 291,357 C:\Qoobox\Quarantine\[4]-Submit_2008-11-13@1.06.zip
2008-11-13 01:09:28 A------- 580 C:\Qoobox\Quarantine\Registry_backups\Service_c09a9aba.reg.dat
#11
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,254
OS: 2000 Pro; XP Pro; XP Home
Re: Trojan/Malware/popups
Thanks.
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 11

These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall previous versions when you update, nor tell you that you should. Leave Java(TM) 6 Update 10 alone, as it is the most recent.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add or Remove Programs) if they exist:

RON Tool Agadoo
RON Tool Netupbanner

You will likely receive notification that these have been uninstalled, or are otherwise corrupt, would you like to remove them from the list. Click on OK, or Yes.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note** To optimize scanning time and produce a more sensible report for review:

Click Accept, when prompted to download and install the program files and database of malware definitions.

---------------------------------------------------------------------------------------------

Let me know how the machine is behaving now.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#12
Registered User
Join Date: Nov 2008
Location: Manchester, UK
Posts: 10
OS: xp
Re: Trojan/Malware/popups
done.... As for how the machine is behaving, sometimes I randomly hear the "error" noise that Windows makes whilst I'm browsing the internet, but no messages are displayed, just the sound. This has only happened since Saturday (infection day). Here is the text file from the online scanner:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, November 13, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, November 13, 2008 13:03:34
Records in database: 1383159
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 151114
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:44:44

File name / Threat name / Threats count
C:\Documents and Settings\Terry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4eadc77c-74d65dfd.zip Infected: Trojan.Java.ClassLoader.as 3
C:\Documents and Settings\Terry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-55ec6b27-7cbf6011.zip Infected: Trojan-Downloader.Java.OpenStream.ac 1

The selected area was scanned.

Last edited by CreepZero; 11-13-2008 at 12:07 PM.
#13
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,254
OS: 2000 Pro; XP Pro; XP Home
Re: Trojan/Malware/popups
Logs are looking essentially clear.
Go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Use the machine normally for a little while, and let me know if you're still hearing that error sound. If so, try to pinpoint exactly what's happening when it occurs.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#14
Registered User
Join Date: Nov 2008
Location: Manchester, UK
Posts: 10
OS: xp
Re: Trojan/Malware/popups
ok, done. I will report back, and many thanks for all your help and swift responses. As I use Firefox and Internet Explorer, would you recommend that I use just one browser?
#15
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,254
OS: 2000 Pro; XP Pro; XP Home
Re: Trojan/Malware/popups
I use Firefox for most things, but also use IE7 for others. Some sites require ActiveX controls, some sites simply render better in IE.
I'd say use them both if that's what you normally do.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#17
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,254
OS: 2000 Pro; XP Pro; XP Home
Re: Trojan/Malware/popups
If all is well, we have some final housekeeping to perform, and I'll give you some protection information as well.

Other than that, your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK:

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#19
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,254
OS: 2000 Pro; XP Pro; XP Home
Re: Trojan/Malware/popups
Glad to have helped, Terry.
Surf Safely, and Think Prevention! Since this issue is resolved, this topic will be archived.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009