Hello, this is a bit of an odd problem, but I've used this forum in the past with success, and hopefully I can get some advice on this problem.

About 2-3 weeks ago I made a post on these forums about my other computer receiving an email virus, and had eventually run ComboFix and everything was okay. On that computer I realized that for some reason the option to show hidden files had recently changed, and that I hadn't made it. I initially believed ComboFix made the change, so I attempted (stupidly) to run ComboFix on the computer I'm on now to test my theory. (I found out later that plugging in my iPod somehow turns the view mode off.) Anyhow, I ran ComboFix fine, uninstalled, then I found out the iPod was the problem. Just for laughs I decided to check the ComboFix log and found this entry.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\documents and settings\Vincent\Application Data\inst.exe

A quick Google search told me that this was a pretty nasty trojan, and someone else on bleepingcomputer reported the same find being related to a major rootkit infection. With the computer I'm on now, I hardly download from the web and always run any .exe through VirusTotal and AVG before I run it. I have, however, recently plugged in a flash drive in this computer and my other computer, and am wondering if it may have caused the infection. I checked my secondary computer and found no such .exe file, but I'm still unsure.

The same person reporting the rootkit infection (I ran RootkitRevealer as he did, and I believe it found no real problems) also claimed the program kept reappearing in ComboFix logs after it had allegedly been cleared. Hopefully this is not the case, as I do not have the Windows install CDs. I'm not going to try to use ComboFix again unless asked to, but hopefully someone on this forum can help clear up what might be going on.

I'm going to attach my ComboFix log in addition to the required supplements, as it is pretty crucial to this problem. I also have the logs from RootkitRevealer and HijackThis if needed.

Thanks again.

DDS (Ver_09-09-29.01) - NTFSx86
Run by Vincent at 18:50:24.62 on Fri 10/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1396 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Vincent\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GEST] c:\program files\gigabyte\gest\RUN.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb600n\WUSB600N.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vincent\applic~1\mozilla\firefox\profiles\ytw0gofz.default\
FF - prefs.js: browser.startup.homepage - hxxp://
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-31 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-31 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-31 108552]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2009-3-16 16048]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2009-3-16 61424]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-31 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-31 297752]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2009-3-16 162096]
R3 GEST Service;GEST Service for program management.;c:\program files\gigabyte\gest\GSvr.exe [2008-8-31 47624]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-12-14 551680]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [2008-9-7 79616]

=============== Created Last 30 ================

2009-10-09 15:56 <DIR> --ds---- C:\ComboFix
2009-10-09 15:47 <DIR> a-dshr-- C:\cmdcons
2009-10-06 16:26 <DIR> --d----- c:\program files\CDex_150
2009-10-03 09:44 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-09-12 16:58 <DIR> --d----- C:\$AVG8.VAULT$

==================== Find3M ====================

2009-10-09 16:09 16,608 a------- c:\windows\gdrv.sys
2009-09-02 17:23 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-02 17:23 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 15:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2008-11-23 11:28 47,360 a------- c:\docume~1\vincent\applic~1\pcouffin.sys
2008-09-07 20:31 22,328 a------- c:\docume~1\vincent\applic~1\PnkBstrK.sys

============= FINISH: 18:51:03.65 ===============
