Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

User Tag List

AVG Anti Virus Hijacked

This is a discussion on AVG Anti Virus Hijacked within the Resolved HJT Threads forums, part of the Tech Support Forum category. It appears that my AVG Anti-Virus software has been hijacked and a new Anti-Virus malware is demanding I install it.


 
 
Thread Tools Search this Thread
Old 01-31-2010, 03:49 PM   #1
Guest
 
Join Date: Jan 2009
Posts: 27
OS:



It appears that my AVG Anti-Virus software has been hijacked and a new Anti-Virus malware is demanding I install it. It has disabled my control panel, disabled the Recovery Panel and is constantly trying to load webpages. I downloaded DDS as instructed but it will not run, I presume the malware is blocking it from running. The claims that bmctl.exe is infected and is blocking the application.

My system consists of:

Gateway GT5238E with Addtional RAM
Win XP OS
kcactionphoto is offline  
Sponsored Links
Advertisement
 
Old 01-31-2010, 06:54 PM   #2
Guest
 
Join Date: Jan 2009
Posts: 27
OS:



As I am trying to figure out what to do to fix this I am finidng that the only executable file that will now run is Explorer. None of the rest of my application software will function.
kcactionphoto is offline  
Old 02-02-2010, 05:47 PM   #3
TSF Security Manager
Emeritus
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



If you have an active internet connection, copy/paste the links below into your browser, don't click them or the rogue might redirect. If you don't have an active internet connection, download the tools from another machine, and transfer them to the affected machine via USB flash drive.


Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.


https://download.bleepingcomputer.com/grinler/rkill.exe
https://download.bleepingcomputer.com/grinler/rkill.com
https://download.bleepingcomputer.com/grinler/rkill.scr
https://download.bleepingcomputer.com/grinler/rkill.pif


Note:

You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message. Run rkill repeatedly until it's able to do it's job. This may take a few tries. You'll be able to tell rkill has done it's job when your desktop (explorer.exe) cycles off and then on again.

At this point, you should now be able to run analysis tools.

Once the tool has run, do NOT reboot the machine, and then try once again to run DDS and GMER.

If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Sponsored Links
Advertisement
 
Old 02-03-2010, 02:25 AM   #4
Guest
 
Join Date: Jan 2009
Posts: 27
OS:



Third try on rkill finally got malware to stop blocking DDS. Computer running extremely slow. Security message changed from bmctl.exe is infected to bmop.exe is infected.

DDS report


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 22:39:40.55 on Tue 02/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1330 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.KCACTIONPHOTO\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MtdAcqu] "c:\program files\creative\mediasource5\MtdAcqu.exe" /s
uRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe" /Startup
uRun: [rwxtgrnf] c:\documents and settings\owner.kcactionphoto\local settings\application data\fnrssn\rixbsysguard.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [CHotkey] zHotkey.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [USBToolTip] "c:\program files\pinnacle\shared files\programs\usbtip\USBTip.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [rwxtgrnf] c:\documents and settings\owner.kcactionphoto\local settings\application data\fnrssn\rixbsysguard.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\owner~1.kca\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: bmnet.dll
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://reasors.lifepics.com/net/Uploader/LPUploader45.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://member.onemodelplace.com/_includes_manage_my_profile/ImageUploader5.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.mpix.com/Customer/Uploading/activex/ImageUploader4.cab
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file://c:\program files\autocad lt 2002\AcDcToday.ocx
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://www.mpix.com/Customer/Uploading/activex/ImageUploader3.cab
DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\autocad lt 2002\InstBanr.ocx
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader5.cab
DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://c:\program files\autocad lt 2002\InstFred.ocx
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://upload.smugmug.com/photos/activex/XUpload.ocx
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://c:\program files\autocad lt 2002\AcPreview.ocx
TCP: {2147E6B8-2B7E-4352-A84A-01C001A89AB3} = 209.183.50.151 209.183.50.151
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-7-17 161064]
R2 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-7-27 163840]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-10-25 3032360]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2008-3-6 106496]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-8 135664]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-10-25 15144]

=============== Created Last 30 ================

2010-01-13 00:15:36 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-27 03:11:42 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2010-01-14 17:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 23:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-05 14:54:53 76000 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-13 21:07:44 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2009-11-13 21:07:44 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2002-07-26 22:02:06 153088 ----a-w- c:\program files\UNWISE.EXE
2007-09-06 02:51:34 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-24 12:50:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092420080925\index.dat

============= FINISH: 22:40:20.12 ===============
kcactionphoto is offline  
Old 02-03-2010, 02:26 AM   #5
Guest
 
Join Date: Jan 2009
Posts: 27
OS:



Attached is the ARK.TXT and ATTACH.TXT files in a ZIP file as required.
Attached Files
File Type: zip Attach.zip (5.6 KB, 24 views)
kcactionphoto is offline  
Old 02-03-2010, 06:07 AM   #6
TSF Security Manager
Emeritus
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Good job.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 02-03-2010, 05:49 PM   #7
Guest
 
Join Date: Jan 2009
Posts: 27
OS:



Ran Combofix as instructed. It ran through and generated the text file onsceen and then restarted the machine. It said that it was saving Combofix.txt under c:/combofix however the file is not there nor is it on my desktop. There is a file called mbr.txt in the folder but thmalware is still denying all executable files form running. It also now says that rundll32.exe is infected. I cannot open the mbr.txt file so I have attached it to this email instead.
Attached Files
File Type: txt mbr.txt (755 Bytes, 25 views)
kcactionphoto is offline  
Old 02-03-2010, 06:03 PM   #8
TSF Security Manager
Emeritus
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Hi -

You saw ComboFix open a log? At that point, the routine should be done, and ComboFix would not reboot the machine. Seems like something else has made it into the machine.

Run rkill again.

Open the temp folder > Start > Run > copy/paste %temp% press Enter. Look for log.txt
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 02-03-2010, 09:02 PM   #9
Guest
 
Join Date: Jan 2009
Posts: 27
OS:



No log.txt file found. Should I run Combofix again?
kcactionphoto is offline  
Old 02-03-2010, 09:11 PM   #10
TSF Security Manager
Emeritus
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Yes. If need be, run rkill first. If need be, run ComboFix in Safe Mode.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 02-03-2010, 09:13 PM   #11
Guest
 
Join Date: Jan 2009
Posts: 27
OS:



Rkill worked after a few tries. Will run Combo fix again.
kcactionphoto is offline  
Old 02-03-2010, 09:29 PM   #12
Guest
 
Join Date: Jan 2009
Posts: 27
OS:



Results of Combofix

ComboFix 10-02-03.04 - Owner 02/03/2010 23:14:28.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1384 [GMT -6:00]
Running from: c:\documents and settings\Owner.KCACTIONPHOTO\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-01-31 20:11 . 2010-01-31 20:11 -------- d-----w- c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn
2010-01-28 05:49 . 2010-01-28 05:49 -------- d-----w- c:\program files\Common Files\Java
2010-01-28 05:48 . 2010-01-28 05:48 503808 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2d6deeb8-n\msvcp71.dll
2010-01-28 05:48 . 2010-01-28 05:48 499712 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2d6deeb8-n\jmc.dll
2010-01-28 05:48 . 2010-01-28 05:48 348160 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2d6deeb8-n\msvcr71.dll
2010-01-28 05:48 . 2010-01-28 05:48 61440 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4f188fe3-n\decora-sse.dll
2010-01-28 05:48 . 2010-01-28 05:48 12800 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4f188fe3-n\decora-d3d.dll
2010-01-13 00:15 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 03:44 . 2010-01-09 03:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-09 03:39 . 2010-01-09 03:40 -------- d-----w- c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 04:55 . 2008-04-13 12:35 -------- d-----w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\OpenOffice.org2
2010-02-04 04:54 . 2007-12-18 03:34 -------- d-----w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\WTablet
2010-02-04 00:55 . 2008-04-13 12:36 1 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-01-28 05:48 . 2006-11-01 17:04 -------- d-----w- c:\program files\Java
2010-01-27 03:11 . 2008-10-20 03:36 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2010-01-15 03:47 . 2008-12-07 22:24 -------- d-----w- c:\program files\AutoCAD 2005
2010-01-14 17:12 . 2009-10-02 22:25 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-09 03:40 . 2006-11-01 17:00 -------- d-----w- c:\program files\Google
2009-12-21 19:14 . 2006-06-17 09:23 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 23:14 . 2009-01-24 15:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-05 14:54 . 2009-12-05 14:54 76000 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-21 15:51 . 2006-06-17 09:23 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 21:07 . 2008-03-28 01:13 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-11-13 21:07 . 2007-01-21 06:15 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-11-08 06:02 . 2009-11-08 06:02 152576 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-07 22:07 . 2009-11-07 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2002-07-26 22:02 . 2007-08-30 00:56 153088 ----a-w- c:\program files\UNWISE.EXE
2008-03-21 00:40 . 2008-03-21 00:38 48 --sh--w- c:\windows\S220FA709.tmp
2007-09-06 02:51 . 2007-09-06 02:51 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_01.30.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-04 04:54 . 2010-02-04 04:54 16384 c:\windows\Temp\Perflib_Perfdata_29c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2006-01-12 2056285]
"rwxtgrnf"="c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn\rixbsysguard.exe" [2010-01-31 279296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 9134080]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 303104]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-30 375296]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-08 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-08 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-08 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-05-22 33280]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-17 177448]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"rwxtgrnf"="c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn\rixbsysguard.exe" [2010-01-31 279296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Owner.KCACTIONPHOTO\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-22 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-25 10872]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-1-21 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\bmop.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [7/17/2008 4:12 PM 161064]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [10/25/2008 8:16 PM 3032360]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/8/2010 9:39 PM 135664]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [3/6/2008 3:10 PM 106496]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [10/25/2008 8:16 PM 15144]
.
Contents of the 'Scheduled Tasks' folder

2010-02-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 03:39]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 03:39]

2010-02-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

2010-02-03 c:\windows\Tasks\User_Feed_Synchronization-{DA8EBAEB-A28B-4BB1-AB6C-32BCDE706A87}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://reasors.lifepics.com/net/Uploader/LPUploader45.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader5.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-02-03 23:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4147759024-2819538226-2127927277-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(5376)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-03 23:26:46
ComboFix-quarantined-files.txt 2010-02-04 05:26
ComboFix2.txt 2010-02-04 01:31
ComboFix3.txt 2009-01-24 15:47

Pre-Run: 47,156,391,936 bytes free
Post-Run: 47,125,626,880 bytes free

- - End Of File - - 5CBEED165315D4803DA195737920A3AF
kcactionphoto is offline  
Old 02-03-2010, 09:33 PM   #13
TSF Security Manager
Emeritus
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications (if present), usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/457650-avg-anti-virus-hijacked.html#post2577798

    File::
    c:\windows\S220FA709.tmp
    Collect::
    c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn\rixbsysguard.exe
    Folder::
    c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn

    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

    Please let me know if the file was successfully submitted . Thanks.

    ------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------




Do you have an AntiVirus installed? I see no sign of an active AntiVirus...
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 02-03-2010, 09:46 PM   #14
Guest
 
Join Date: Jan 2009
Posts: 27
OS:



When this started happening, AVG went nuts, was opening warning window and spawning tabs in explorer about 1 every three seconds and just locking up the computer. I uninstalled it before I got on here. Should I reinstall before running the script file?
kcactionphoto is offline  
Old 02-03-2010, 09:49 PM   #15
TSF Security Manager
Emeritus
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



No, it will just get in the way. I'll let you know when it's ok to reinstall, or perhaps you'd like an alternative that's also free. Let me know about that when you post the log from ComboFix.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 02-03-2010, 10:00 PM   #16
Guest
 
Join Date: Jan 2009
Posts: 27
OS:



Ran script file via combofix. Combofix disabled my internet conection so I was unable to submit the files for inspection. Here is the last log...

ComboFix 10-02-03.04 - Owner 02/03/2010 23:51:38.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1301 [GMT -6:00]
Running from: c:\documents and settings\Owner.KCACTIONPHOTO\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.KCACTIONPHOTO\Desktop\CFScript.txt

FILE ::
"c:\windows\S220FA709.tmp"

file zipped: c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn\rixbsysguard.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\{CF93F7B3-ED84-427A-812A-ED92918D339E}
c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\{CF93F7B3-ED84-427A-812A-ED92918D339E}\chrome.manifest
c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\{CF93F7B3-ED84-427A-812A-ED92918D339E}\chrome\content\_cfg.js
c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\{CF93F7B3-ED84-427A-812A-ED92918D339E}\chrome\content\c.js
c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\{CF93F7B3-ED84-427A-812A-ED92918D339E}\chrome\content\overlay.xul
c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\{CF93F7B3-ED84-427A-812A-ED92918D339E}\install.rdf
c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn
c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn\rixbsysguard.exe
c:\windows\S220FA709.tmp

.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-01-28 05:49 . 2010-01-28 05:49 -------- d-----w- c:\program files\Common Files\Java
2010-01-28 05:48 . 2010-01-28 05:48 503808 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2d6deeb8-n\msvcp71.dll
2010-01-28 05:48 . 2010-01-28 05:48 499712 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2d6deeb8-n\jmc.dll
2010-01-28 05:48 . 2010-01-28 05:48 348160 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2d6deeb8-n\msvcr71.dll
2010-01-28 05:48 . 2010-01-28 05:48 61440 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4f188fe3-n\decora-sse.dll
2010-01-28 05:48 . 2010-01-28 05:48 12800 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4f188fe3-n\decora-d3d.dll
2010-01-13 00:15 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 03:44 . 2010-01-09 03:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-09 03:39 . 2010-01-09 03:40 -------- d-----w- c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 04:55 . 2008-04-13 12:35 -------- d-----w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\OpenOffice.org2
2010-02-04 04:54 . 2007-12-18 03:34 -------- d-----w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\WTablet
2010-02-04 00:55 . 2008-04-13 12:36 1 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-01-28 05:48 . 2006-11-01 17:04 -------- d-----w- c:\program files\Java
2010-01-27 03:11 . 2008-10-20 03:36 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2010-01-15 03:47 . 2008-12-07 22:24 -------- d-----w- c:\program files\AutoCAD 2005
2010-01-14 17:12 . 2009-10-02 22:25 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-09 03:40 . 2006-11-01 17:00 -------- d-----w- c:\program files\Google
2009-12-21 19:14 . 2006-06-17 09:23 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 23:14 . 2009-01-24 15:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-05 14:54 . 2009-12-05 14:54 76000 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-21 15:51 . 2006-06-17 09:23 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 21:07 . 2008-03-28 01:13 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-11-13 21:07 . 2007-01-21 06:15 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-11-08 06:02 . 2009-11-08 06:02 152576 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-07 22:07 . 2009-11-07 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2002-07-26 22:02 . 2007-08-30 00:56 153088 ----a-w- c:\program files\UNWISE.EXE
2007-09-06 02:51 . 2007-09-06 02:51 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_01.30.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-04 04:54 . 2010-02-04 04:54 16384 c:\windows\Temp\Perflib_Perfdata_29c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2006-01-12 2056285]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 9134080]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 303104]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-30 375296]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-08 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-08 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-08 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-05-22 33280]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-17 177448]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Owner.KCACTIONPHOTO\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-22 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-25 10872]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-1-21 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\bmop.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [7/17/2008 4:12 PM 161064]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [10/25/2008 8:16 PM 3032360]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [3/6/2008 3:10 PM 106496]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/8/2010 9:39 PM 135664]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [10/25/2008 8:16 PM 15144]
.
Contents of the 'Scheduled Tasks' folder

2010-02-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 03:39]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 03:39]

2010-02-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

2010-02-04 c:\windows\Tasks\User_Feed_Synchronization-{DA8EBAEB-A28B-4BB1-AB6C-32BCDE706A87}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
TCP: {2147E6B8-2B7E-4352-A84A-01C001A89AB3} = 209.183.50.151 209.183.50.151
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://reasors.lifepics.com/net/Uploader/LPUploader45.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader5.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rwxtgrnf - c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn\rixbsysguard.exe
HKLM-Run-rwxtgrnf - c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn\rixbsysguard.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4147759024-2819538226-2127927277-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\bmnet.dll
.
Completion time: 2010-02-03 23:56:05
ComboFix-quarantined-files.txt 2010-02-04 05:56
ComboFix2.txt 2010-02-04 05:26
ComboFix3.txt 2010-02-04 01:31
ComboFix4.txt 2009-01-24 15:47

Pre-Run: 47,152,599,040 bytes free
Post-Run: 47,121,850,368 bytes free

- - End Of File - - 0FE65C11DF4E3FB8CE585B94622F8174
kcactionphoto is offline  
Old 02-03-2010, 10:08 PM   #17
TSF Security Manager
Emeritus
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix3.txt

Post the contents of the logfile which will open.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 02-03-2010, 10:13 PM   #18
Guest
 
Join Date: Jan 2009
Posts: 27
OS:



If you have any AV software advice I am all ears. I really appreciate your help.
kcactionphoto is offline  
Old 02-03-2010, 10:24 PM   #19
TSF Security Manager
Emeritus
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Please see instructions in my previous post, post #17, we'll go from there.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 02-04-2010, 03:58 AM   #20
Guest
 
Join Date: Jan 2009
Posts: 27
OS:



Log File #1

2010-02-04 05:54:52 . 2010-02-04 05:54:52 202 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-rwxtgrnf.reg.dat
2010-02-04 05:54:50 . 2010-02-04 05:54:50 201 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-rwxtgrnf.reg.dat
2010-02-04 05:51:36 . 2010-02-04 05:51:36 272,767 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2010-02-03_23.51.35.zip
2010-02-04 01:30:47 . 2010-02-04 01:30:47 1,912 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Convert XLS_is1.reg.dat
2010-02-04 01:30:35 . 2010-02-04 01:30:35 169 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-USB2Check.reg.dat
2010-02-04 01:30:34 . 2010-02-04 01:30:34 481 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2010-02-04 01:30:33 . 2010-02-04 01:30:33 442 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2010-02-04 01:30:32 . 2010-02-04 01:30:32 432 ----a-w- C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C}.reg.dat
2010-02-04 01:28:50 . 2010-02-04 05:53:29 9,815 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-02-04 01:19:52 . 2010-02-04 05:50:56 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-01-31 20:11:48 . 2010-01-31 20:11:19 279,296 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn\rixbsysguard.exe.vir
2009-03-08 21:42:18 . 2009-03-08 21:42:18 87,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner.KCACTIONPHOTO\Application Data\inst.exe.vir
2009-01-12 01:40:22 . 2009-01-12 01:40:22 3,321 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\{CF93F7B3-ED84-427A-812A-ED92918D339E}\chrome\content\c.js.vir
2009-01-12 01:40:22 . 2009-01-12 01:40:22 5,708 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\{CF93F7B3-ED84-427A-812A-ED92918D339E}\chrome\content\overlay.xul.vir
2009-01-12 01:40:22 . 2009-01-12 01:40:22 120 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\{CF93F7B3-ED84-427A-812A-ED92918D339E}\chrome.manifest.vir
2009-01-12 01:40:22 . 2009-01-12 01:40:22 770 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\{CF93F7B3-ED84-427A-812A-ED92918D339E}\install.rdf.vir
2009-01-12 01:40:22 . 2009-01-12 01:40:22 2,115 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\{CF93F7B3-ED84-427A-812A-ED92918D339E}\chrome\content\_cfg.js.vir
2008-03-21 00:38:50 . 2008-03-21 00:40:05 48 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\S220FA709.tmp.vir

Log File 2

ComboFix 10-02-03.04 - Owner 02/03/2010 19:20:42.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1366 [GMT -6:00]
Running from: c:\documents and settings\Owner.KCACTIONPHOTO\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\inst.exe
c:\windows\kb913800.exe
c:\windows\system32\PCLECoInst.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-01-31 20:11 . 2010-01-31 20:11 -------- d-----w- c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn
2010-01-28 05:49 . 2010-01-28 05:49 -------- d-----w- c:\program files\Common Files\Java
2010-01-28 05:48 . 2010-01-28 05:48 503808 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2d6deeb8-n\msvcp71.dll
2010-01-28 05:48 . 2010-01-28 05:48 499712 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2d6deeb8-n\jmc.dll
2010-01-28 05:48 . 2010-01-28 05:48 348160 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2d6deeb8-n\msvcr71.dll
2010-01-28 05:48 . 2010-01-28 05:48 61440 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4f188fe3-n\decora-sse.dll
2010-01-28 05:48 . 2010-01-28 05:48 12800 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4f188fe3-n\decora-d3d.dll
2010-01-13 00:15 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 03:44 . 2010-01-09 03:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-09 03:39 . 2010-01-09 03:40 -------- d-----w- c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 00:55 . 2008-04-13 12:36 1 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-04 00:55 . 2008-04-13 12:35 -------- d-----w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\OpenOffice.org2
2010-02-03 10:13 . 2007-12-18 03:34 -------- d-----w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\WTablet
2010-01-28 05:48 . 2006-11-01 17:04 -------- d-----w- c:\program files\Java
2010-01-27 03:11 . 2008-10-20 03:36 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2010-01-15 03:47 . 2008-12-07 22:24 -------- d-----w- c:\program files\AutoCAD 2005
2010-01-14 17:12 . 2009-10-02 22:25 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-09 03:40 . 2006-11-01 17:00 -------- d-----w- c:\program files\Google
2009-12-21 19:14 . 2006-06-17 09:23 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 23:14 . 2009-01-24 15:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-05 14:54 . 2009-12-05 14:54 76000 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-21 15:51 . 2006-06-17 09:23 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 21:07 . 2008-03-28 01:13 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-11-13 21:07 . 2007-01-21 06:15 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-11-08 06:02 . 2009-11-08 06:02 152576 ----a-w- c:\documents and settings\Owner.KCACTIONPHOTO\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-07 22:07 . 2009-11-07 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2002-07-26 22:02 . 2007-08-30 00:56 153088 ----a-w- c:\program files\UNWISE.EXE
2008-03-21 00:40 . 2008-03-21 00:38 48 --sh--w- c:\windows\S220FA709.tmp
2007-09-06 02:51 . 2007-09-06 02:51 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2006-01-12 2056285]
"rwxtgrnf"="c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn\rixbsysguard.exe" [2010-01-31 279296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 9134080]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 303104]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-30 375296]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-08 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-08 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-08 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-05-22 33280]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-17 177448]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"rwxtgrnf"="c:\documents and settings\Owner.KCACTIONPHOTO\Local Settings\Application Data\fnrssn\rixbsysguard.exe" [2010-01-31 279296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Owner.KCACTIONPHOTO\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-22 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-25 10872]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-1-21 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\bmop.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [7/17/2008 4:12 PM 161064]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [10/25/2008 8:16 PM 3032360]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/8/2010 9:39 PM 135664]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [3/6/2008 3:10 PM 106496]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [10/25/2008 8:16 PM 15144]
.
Contents of the 'Scheduled Tasks' folder

2010-02-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 03:39]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 03:39]

2010-02-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

2010-02-03 c:\windows\Tasks\User_Feed_Synchronization-{DA8EBAEB-A28B-4BB1-AB6C-32BCDE706A87}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://reasors.lifepics.com/net/Uploader/LPUploader45.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader5.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
HKLM-Run-USB2Check - c:\windows\system32\PCLECoInst.dll
AddRemove-Convert XLS_is1 - c:\program files\Softinterface



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4147759024-2819538226-2127927277-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\bmnet.dll
.
Completion time: 2010-02-03 19:31:47
ComboFix-quarantined-files.txt 2010-02-04 01:31
ComboFix2.txt 2009-01-24 15:47

Pre-Run: 38,423,429,120 bytes free
Post-Run: 47,155,609,600 bytes free

- - End Of File - - FA4B5DBA7BA6933F16B47496594A7A0E

2006-06-21 08:04:17 . 2006-03-21 10:23:12 23,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\kb913800.exe.vir
2004-04-07 00:05:48 . 2004-04-07 00:05:48 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\PCLECoInst.dll.vir
kcactionphoto is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 10:09 AM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts