
Registered · 10 Posts · Discussion Starter #1
It began when I was browsing and out-of-the-blue a popup saying "HDD Failure - etc. etc. We recommend you restart your machine" came up. It looked legit, so I checked out my PC to see some desktop items (not all) had disappeared. Naturally I restarted the machine and went on my normal user;

- my desktop was completely black and there were no icons; there were only a few programs listed in All Programs as well.

- A program called "Windows XP Fix" was running; it was obviously false software. I managed to delete its root (I think) from All Users / Application Data / 01032483.exe (or something)

- A program called browser+ was in my All Programs which it let me uninstall.

- If I go to a different user there are desktop icons and I can use my browser (still limited All Programs though), but if I click on a link it sends me to different web pages like canadasasquach.com or matalan.com (lol?) it's really messed :/)

Stuff is attached I appreciate your help <3
- Axel

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Run by Mum at 2:48:22 on 2011-07-09
.
============== Running Processes ===============
.
\??\C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
\??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mum\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://bt.my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: TextAloud: {f053c368-5458-45b2-9b4d-d8914bdddbff} - c:\progra~1\textal~1\TAForIE.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A33FA729-D155-4B23-842B-2C665ECABDB6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196858352703
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196859068215
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{35247C58-ED26-41D1-9BC0-1FED5C4BD53B} : DhcpNameServer = 194.168.4.100 194.168.8.100
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 78.47.251.150 easyanticheat.se # misleading site
Hosts: 78.47.251.150 www.easyanticheat.se # misleading site
Hosts: 78.47.251.150 easyanticheat.com # misleading site
Hosts: 78.47.251.150 www.easyanticheat.com # misleading site
Hosts: 78.47.251.150 easyanticheat.org # misleading site
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mum\application data\mozilla\firefox\profiles\rach9dra.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4ddb483c&v=7.005.030.004&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R? AVG Security Toolbar Service;AVG Security Toolbar Service
R? AVGIDSAgent;AVGIDSAgent
R? AVGIDSDriver;AVGIDSDriver
R? AVGIDSFilter;AVGIDSFilter
R? AVGIDSShim;AVGIDSShim
R? avgwd;AVG WatchDog
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? CV2K1;CommView Network Monitor
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? AVGIDSEH;AVGIDSEH
S? Avgldx86;AVG AVI Loader Driver
S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
S? Avgrkx86;AVG Anti-Rootkit Driver
S? Avgtdix;AVG TDI Driver
S? ts_lb;ts_lb
S? TSCOMM;CommStudio Virtual Adapter by TamoSoft
.
=============== Created Last 30 ================
.
2011-07-08 16:58:52 -------- d-----w- C:\68bdb2c9d069f81345
2011-07-05 10:18:34 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-07-05 10:18:33 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-25 02:17:09 -------- d-----w- c:\program files\Xenimus
.
==================== Find3M ====================
.
2011-07-01 09:07:49 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-07-01 09:07:25 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-06-25 03:59:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-14 20:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
.
============= FINISH: 2:55:24.57 ===============
 

Attachments
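As an added defender's-side illustration (my own script, not code from this thread or from the DDS/ComboFix tools), the following runs a few triage checks over lines in the DDS "Pseudo HJT Report" format posted above: HOSTS entries that point a name at a non-local address, restrictive policies such as DisableTaskMgr, orphaned BHO/toolbar entries ("No File"), and autorun executables sitting directly in an Application Data or Temp folder with no vendor subfolder. The sample lines are constructed from entries seen in this thread; the function and category names are my own.

```python
"""Triage a DDS 'Pseudo HJT Report' for the indicator types seen in this thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Finding:
    category: str   # "hosts", "policy", "orphan" or "autorun"
    reason: str
    line: str


# Line shapes taken from the DDS report format (Hosts:, mPolicies-*, BHO:/TB:, [mud]Run:).
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
POLICY_RE = re.compile(r"^[mud]Policies-\w+:\s*(\w+)\s*=\s*(\d+)")
ORPHAN_RE = re.compile(r"^(?:BHO|TB|[mud]URLSearchHooks):.*-\s*No File\s*$", re.I)
RUN_RE = re.compile(r"^[mud]Run:\s*\[[^\]]*\]\s*(.*)$")

# Policies that take admin tooling away from the user; malware sets these, admins rarely do on a home PC.
RISKY_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}

# An .exe whose immediate parent is one of these (no vendor folder in between) is a common
# drop location for rogue software; the thread's own 01032483.exe / JUaDAjhRvP.exe sat like that.
SUSPICIOUS_PARENTS = {"application data", "local settings", "temp"}


def is_local_address(ip: str) -> bool:
    """True for loopback/unspecified/private addresses, which are normal in ad-blocking HOSTS files."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified or addr.is_private


def run_target(line: str) -> Optional[str]:
    """Return the lower-cased executable path from a [mud]Run: line, or None if not a Run line."""
    m = RUN_RE.match(line)
    if not m:
        return None
    value = m.group(1).strip().strip('"')
    exe = re.match(r"(.*?\.exe)", value, re.I)   # cut at the first .exe: drops args like ' /install'
    return (exe.group(1) if exe else value).lower()


def suspicious_autorun(path: str) -> bool:
    """True if the executable sits directly inside an Application Data / Temp style folder."""
    parts = path.replace("/", "\\").split("\\")
    if len(parts) < 2:
        return False   # bare name (e.g. nwiz.exe, rundll32.exe) resolves via PATH; not judged here
    return parts[-2] in SUSPICIOUS_PARENTS


def triage(lines: Iterable[str]) -> List[Finding]:
    """Scan report lines and return findings in input order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.group(1), m.group(2)
            if not is_local_address(ip):
                findings.append(Finding("hosts", f"HOSTS sends {host} to remote address {ip}", line))
            continue
        m = POLICY_RE.match(line)
        if m:
            if m.group(1) in RISKY_POLICIES and m.group(2) != "0":
                findings.append(Finding("policy", f"{m.group(1)} is set; admin tool disabled", line))
            continue
        if ORPHAN_RE.match(line):
            findings.append(Finding("orphan", "browser extension entry whose file is missing", line))
            continue
        target = run_target(line)
        if target is not None and suspicious_autorun(target):
            findings.append(Finding("autorun", f"autorun executable in drop location: {target}", line))
    return findings


# Constructed sample modelled on entries in the DDS/ComboFix logs above (not the full log).
SAMPLE_LINES = [
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r'uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"',
    r"uRun: [JUaDAjhRvP] c:\documents and settings\All Users\Application Data\JUaDAjhRvP.exe",
    "mPolicies-system: DisableTaskMgr = 1 (0x1)",
    "BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File",
    "Hosts: 78.47.251.150 easyanticheat.se # misleading site",
    "Hosts: 127.0.0.1 localhost",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.category}] {f.reason}\n    {f.line}")
```

Only the four indicator lines are reported; the ctfmon, Google Toolbar and localhost entries pass, which is the point of the parent-folder and local-address checks.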

Security Team, Moderator, Analyst, Rangemaster · 29,790 Posts
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please download this file and run it.

If necessary, you can run it straight from a USB drive.

------------------------------------------------------

You will have to uninstall AVG in order to run ComboFix, as AVG targets ComboFix's embedded files and prevents ComboFix from running.

Uninstall AVG via Add or Remove Programs in your Control Panel, then reboot.

If ComboFix still detects AVG after uninstalling AVG and rebooting, try removing AVG remnants with AppRemover:

Please download AppRemover and Save it to your Desktop.
  • Double-click AppRemover.exe and follow the prompt to run it then click 'Next'.
  • Vista/Win7 users, right-click and choose 'Run as administrator'.
  • Under 'Select Removal Type' select 'Cleanup a Failed Uninstall' then click 'Next'.
  • Once the scan is complete, follow the on-screen instructions to remove remnants of AVG.
  • Reboot your computer if not prompted already.
------------------------------------------------------

If ComboFix still detects AVG, stop and let me know.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. Also, ComboFix will not address certain types of malware unless the RC is installed. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

For XP Home >> Download Details - Microsoft Download Center - Windows XP Home Edition with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

For XP Pro >> Download Details - Microsoft Download Center - Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here



Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:

  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

------------------------------------------------------
 

Registered · 10 Posts · Discussion Starter #3
Everything seems to be more or less 90% in order, the main problem I have now is the browser taking me to random pages.

Thanks for the help again doc'. :)

ComboFix 11-07-09.02 - Axel 09/07/2011 19:34:02.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1535.1024 [GMT 1:00]
Running from: c:\documents and settings\Axel\Desktop\ComboFix.exe
.
ADS - system32: deleted 12 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Axel\Desktop\Windows XP Fix.lnk
c:\windows\system32\$winnt$.inf
c:\windows\vb.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_USNJSVC
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
.
.
2011-07-09 16:15 . 2011-07-09 16:15 -------- d-----w- c:\documents and settings\Axel\Application Data\Malwarebytes
2011-07-09 16:14 . 2011-05-29 08:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-09 16:14 . 2011-07-09 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-09 16:14 . 2011-07-09 16:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-09 16:14 . 2011-05-29 08:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-09 03:02 . 2011-07-09 03:02 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-07-09 02:52 . 2011-07-09 03:00 -------- d-----w- c:\documents and settings\Axel\Local Settings\Application Data\ConduitEngine
2011-07-09 02:51 . 2011-07-09 02:52 -------- d-----w- c:\program files\ConduitEngine
2011-07-09 02:51 . 2011-07-09 02:51 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-07-08 16:58 . 2011-07-08 16:59 -------- d-----w- C:\68bdb2c9d069f81345
2011-07-05 10:18 . 2011-07-05 10:18 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-05 10:18 . 2011-07-05 10:18 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-25 02:17 . 2011-06-25 04:00 -------- d-----w- c:\program files\Xenimus
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-01 09:07 . 2011-03-08 01:56 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-07-01 09:07 . 2007-12-23 01:08 22328 ---ha-w- c:\documents and settings\Axel\Application Data\PnkBstrK.sys
2011-07-01 09:07 . 2007-12-23 01:08 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-06-25 03:59 . 2011-06-01 23:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-05 10:18 . 2011-05-06 14:37 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\prxtbXfi0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2011-01-17 14:54 175912 ----a-w- c:\program files\XfireXO\prxtbXfi0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\prxtbXfi0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\prxtbXfi0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-19 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-09-08 421888]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-03-21 08:30 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 16:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-10-18 11:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-20 14:02 1242448 ----a-w- c:\program files\Valve\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-04-19 23:44 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"avgwd"=2 (0x2)
"AVGIDSAgent"=2 (0x2)
"AVG Security Toolbar Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"CLTNetCnService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\vulcan135\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\vulcan135\\source sdk base\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Axel\\Kitserver2010\\pes2010.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Axel\\Desktop\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\vulcan135\\counter-strike source\\hl2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [05/12/2007 16:59 717296]
R1 ts_lb;ts_lb;c:\windows\system32\drivers\ts_lb.sys [16/06/2009 18:16 24376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [09/07/2011 17:14 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [09/07/2011 17:14 22712]
R3 TSCOMM;CommStudio Virtual Adapter by TamoSoft;c:\windows\system32\drivers\tscomm.sys [16/06/2009 18:14 39976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S3 CV2K1;CommView Network Monitor;c:\windows\system32\drivers\cv2k1.sys [16/06/2009 18:14 18984]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [09/07/2011 17:14 39984]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-19 17:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.youtube.com/
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\documents and settings\Axel\Application Data\Mozilla\Firefox\Profiles\azv9fhnv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2304157&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - XfireXO Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4ddb483c&v=7.005.030.004&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-JUaDAjhRvP - c:\documents and settings\All Users\Application Data\JUaDAjhRvP.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-07-10 00:03
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-789336058-682003330-2048957927-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:93,aa,68,fb,b2,4e,d8,c3,c9,98,a3,9d,73,92,9a,70,9b,8e,6c,62,ea,0c,da,
a9,44,48,64,2f,ff,06,f7,d0,c8,04,49,ec,6f,e3,19,6e,c5,65,c3,b4,b1,89,64,ed,\
"??"=hex:71,71,78,41,7b,81,fe,c6,e2,a2,da,bd,a4,ab,0f,66
.
[HKEY_USERS\S-1-5-21-789336058-682003330-2048957927-1003\Software\SecuROM\License information*]
"datasecu"=hex:f5,70,8c,21,c0,57,50,b9,c9,9f,bc,ea,88,94,37,3b,ee,9b,37,86,94,
e6,84,ed,31,22,f3,2e,22,b3,fe,57,81,04,51,ae,f9,18,a7,21,67,2b,98,24,e0,a5,\
"rkeysecu"=hex:33,67,04,f2,8e,76,b9,70,79,c5,d9,28,4b,a1,8e,68
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3084)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\windows\system32\netdde.exe
c:\windows\system32\msdtc.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\locator.exe
c:\windows\system32\dllhost.exe
c:\program files\Windows Live\installer\WLSetupSvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Java\jre1.6.0_05\bin\jucheck.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2011-07-10 00:22:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-09 23:21
ComboFix2.txt 2010-07-30 15:54
.
Pre-Run: 37,584,519,168 bytes free
Post-Run: 38,016,487,424 bytes free
.
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 2618A1413496865505406394E128078B
 

Security Team, Moderator, Analyst, Rangemaster · 29,790 Posts
Hello Axel. I see you have Norton 360 installed. I would enable it and update it.

Never have more than one antivirus installed. Even though it isn't running, it can interfere with the resident antivirus.

Are you aware of all those globally open ports on your machine?

Any reason you haven't installed SP3?

------------------------------------------------------

Download TDSSKiller.exe and Save it to your Desktop.

Double-click TDSSKiller.exe then click 'Start scan'.

If no infection is found, click 'Close' twice and let me know.

If an infection is found, click 'Continue' to Cure the infection.

**Note: If you do not see the 'Cure' option, you MUST select 'Skip'.

Once the system scan is completed, click 'Reboot now'.

It will produce a log here > C:\TDSSKiller.2.5.9.0_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.

------------------------------------------------------
 

Registered · 10 Posts · Discussion Starter #5
1~Okay I will update norton.

2~ I was not aware so many ports were open. Is this above average? I have been experiencing much packet loss with my provider, Virgin Media; could this be relevant to that at all?

3~ When I try to do a windows update the window gets stuck and it says "Explorer Script Error" or something like that, and I have to click close about 50 times before it goes away.

-----

I cannot run TDSSKiller, I double click on it and nothing happens, I've tried run as admin. :S
 

Security Team, Moderator, Analyst, Rangemaster · 29,790 Posts
Hello again, Axel. Not familiar with Virgin Media.

Try running TDSSKiller in Safe Mode:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key.
  • In some systems, this may be the F5 key.
  • Instead of Windows loading as normal, a menu should appear.
  • Use the up arrow key to highlight Safe Mode and press 'Enter'.
  • Login on your usual account.
------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c peV -ltf "%systemdrive%\volsnap.sys" >log.txt&log.txt&del log.txt

A Notepad file will open. Post the contents of log.txt in your next reply.

------------------------------------------------------
 

Registered · 10 Posts · Discussion Starter #7
I have deleted and re-downloaded TDSSKiller and have tried to run it in Safe Mode, and it still would not run (the hourglass comes up for a split second and then nothing happens), both as administrator and with other accounts. I also tried running it in compatibility modes and it would still not open.

----

I have also typed cmd /c peV -ltf "%systemdrive%\volsnap.sys" >log.txt&log.txt&del log.txt into Run, but a blank command prompt comes up and no log.txt or Notepad file has opened for twenty minutes.

I'm sorry my computer's very bad.
 

Security Team, Moderator, Analyst, Rangemaster · 29,790 Posts
Hello again, Axel.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=-
"avg8emc"=-
"avgwd"=-
"AVGIDSAgent"=-
"AVG Security Toolbar Service"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6073:TCP"=-
"17367:TCP"=-
"12901:TCP"=-
"65301:TCP"=-
"44470:TCP"=-
"24184:TCP"=-
"38242:TCP"=-
"64166:TCP"=-
"46653:TCP"=-
"46645:TCP"=-
"6860:TCP"=-
"57860:TCP"=-
"18641:TCP"=-
"52914:TCP"=-
"18211:TCP"=-
"41105:TCP"=-
"5707:TCP"=-
"33419:TCP"=-
"20883:TCP"=-
"59785:TCP"=-
"13336:TCP"=-
"22476:TCP"=-
"61308:TCP"=-
"38020:TCP"=-
"45200:TCP"=-
"52933:TCP"=-
"7351:TCP"=-
"31001:TCP"=-
"40485:TCP"=-
"11836:TCP"=-
"17430:TCP"=-
"63172:TCP"=-
"17513:TCP"=-
"23453:TCP"=-
"46074:TCP"=-
"27203:TCP"=-
"25106:TCP"=-
"31992:TCP"=-
"30290:TCP"=-
"7851:TCP"=-
"36835:TCP"=-
"50813:TCP"=-
"55527:TCP"=-
"57515:TCP"=-
"41565:TCP"=-
"32833:TCP"=-
"6879:TCP"=-
"30988:TCP"=-
"60761:TCP"=-
"8361:TCP"=-
"13320:TCP"=-
"17477:TCP"=-
"24476:TCP"=-
"23914:TCP"=-
"16680:TCP"=-
"10226:TCP"=-
"34300:TCP"=-
"18816:TCP"=-
"54480:TCP"=-
"57367:TCP"=-
"15138:TCP"=-
"17708:TCP"=-
"58628:TCP"=-
"43258:TCP"=-
"35656:TCP"=-
"47379:TCP"=-
"51215:TCP"=-
"62105:TCP"=-
"15309:TCP"=-
"29939:TCP"=-
"41094:TCP"=-
"23378:TCP"=-
"56043:TCP"=-
"47755:TCP"=-
"35285:TCP"=-
"44223:TCP"=-
"6226:TCP"=-
"47185:TCP"=-
"34161:TCP"=-
"50652:TCP"=-
"37496:TCP"=-
"65397:TCP"=-
"54516:TCP"=-
"44298:TCP"=-
"32461:TCP"=-
"30053:TCP"=-
"40363:TCP"=-
"9164:TCP"=-
"54742:TCP"=-
"38521:TCP"=-
"62134:TCP"=-
"27067:TCP"=-
"6695:TCP"=-
"32575:TCP"=-
"33902:TCP"=-
"16617:TCP"=-
"48862:TCP"=-
"55617:TCP"=-
"51183:TCP"=-
"20770:TCP"=-
"39578:TCP"=-
"46993:TCP"=-
"6320:TCP"=-
"38528:TCP"=-
"32325:TCP"=-
"29400:TCP"=-
"22383:TCP"=-
"12869:TCP"=-
"54863:TCP"=-
"37547:TCP"=-
"21836:TCP"=-
"28122:TCP"=-
"29376:TCP"=-
"23445:TCP"=-
"6774:TCP"=-
"12223:TCP"=-
"13212:TCP"=-
"54950:TCP"=-
"11523:TCP"=-
"59263:TCP"=-
"47129:TCP"=-
"48750:TCP"=-
"27001:TCP"=-
"6785:TCP"=-
"6337:TCP"=-
"8388:TCP"=-
"30070:TCP"=-
"39176:TCP"=-
"58199:TCP"=-
"28493:TCP"=-
"22410:TCP"=-
"20645:TCP"=-
"55910:TCP"=-
"18523:TCP"=-
"44058:TCP"=-
"8518:TCP"=-
"54371:TCP"=-
"59689:TCP"=-
"61453:TCP"=-
"8263:TCP"=-
"7805:TCP"=-
"58023:TCP"=-
"12141:TCP"=-
"57087:TCP"=-
"12785:TCP"=-
"31773:TCP"=-
"61930:TCP"=-
"43376:TCP"=-
"12270:TCP"=-
"42605:TCP"=-
"41164:TCP"=-
"34851:TCP"=-
"41223:TCP"=-
"25414:TCP"=-
"29845:TCP"=-
"59588:TCP"=-
"38918:TCP"=-
"36683:TCP"=-
"57652:TCP"=-
"31023:TCP"=-
"3724:TCP"=-
Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
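As an added illustration, not part of the thread and not ComboFix's own code: the CFScript above was assembled by hand from the GloballyOpenPorts section of the ComboFix log. The Python script below does the same job mechanically. It locates that registry section in a ComboFix log, parses each firewall exception into port, protocol and display name, flags entries whose name is the auto-generated pORT_<n> form seen in this log (a heuristic taken from this thread, not a documented signature), and emits the `"<port>:<proto>"=-` deletion lines in CFScript's Registry:: syntax. Everything it does not flag is listed for manual review rather than deleted. The embedded log text is constructed and shortened from the format in this thread.

```python
"""Triage Windows Firewall GloballyOpenPorts entries in a ComboFix log and
build a CFScript Registry:: block that deletes the suspicious ones."""
import re
from dataclasses import dataclass

# Registry key exactly as ComboFix prints it in its log.
OPEN_PORTS_KEY = (
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
    r"\standardprofile\GloballyOpenPorts\List]"
)

# Constructed sample input: same layout as the log in this thread, shortened.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55910:TCP"= 55910:TCP:pORT_55910
"18523:TCP"= 18523:TCP:pORT_18523
"8518:TCP"= 8518:TCP:pORT_8518
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"1900:UDP"= 1900:UDP:@xpsp2res.dll,-22007
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [05/12/2007 16:59 717296]
"""

# One exception line: "<port>:<proto>"= <port>:<proto>:<display name>
ENTRY_RE = re.compile(r'^"(?P<key>\d+:(?:TCP|UDP))"=\s*(?P<value>.*)$')
# Heuristic from this thread: the bogus exceptions are named pORT_<port>.
# Legitimate entries carry a product name or a resource string instead.
GENERATED_NAME_RE = re.compile(r"^pORT_(\d+)$")


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    name: str

    @property
    def key(self) -> str:
        return f"{self.port}:{self.proto}"


def parse_open_ports(log_text: str) -> list:
    """Return the exceptions listed under OPEN_PORTS_KEY, in log order."""
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # any key header starts a new section
            in_section = line == OPEN_PORTS_KEY
            continue
        if line == ".":                   # ComboFix closes a section with '.'
            in_section = False
            continue
        if not in_section or not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # The display name may itself contain ':' (e.g. "Blizzard Downloader: 3724"),
        # so split only the first two fields.
        parts = m.group("value").split(":", 2)
        if len(parts) != 3:
            continue
        port, proto, name = parts
        entries.append(OpenPort(int(port), proto, name))
    return entries


def is_suspicious(entry: OpenPort) -> bool:
    """True when the name is the generated pORT_<n> form and <n> is the port."""
    m = GENERATED_NAME_RE.match(entry.name)
    return bool(m) and int(m.group(1)) == entry.port


def triage(log_text: str) -> tuple:
    """Split parsed exceptions into (suspicious, needs_manual_review)."""
    entries = parse_open_ports(log_text)
    suspicious = [e for e in entries if is_suspicious(e)]
    review = [e for e in entries if not is_suspicious(e)]
    return suspicious, review


def build_cfscript(entries: list) -> str:
    """CFScript block; a value set to '-' under Registry:: is deleted."""
    lines = ["Registry::", OPEN_PORTS_KEY]
    lines += [f'"{e.key}"=-' for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    bad, keep = triage(SAMPLE_LOG)
    print(build_cfscript(bad), end="")
    for e in keep:
        print(f"# review manually: {e.key} -> {e.name}")
```

The script deliberately leaves the Blizzard entry for review instead of deleting it; the helper chose to remove port 3724 as well, which is a judgement call the tool leaves to the analyst.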
 

Registered · 10 Posts · Discussion Starter #9
I've tried this about three times now and have just left my computer for 3 hours to complete the scan, but every time it seems to run fine for one or two minutes and then stalls on Stage_25.

Any ideas?
 

Security Team, Moderator, Analyst, Rangemaster · 29,790 Posts
Hello again, Axel. After 30 minutes, let us know.

Try the dragging and dropping in Safe Mode:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key.
  • In some systems, this may be the F5 key.
  • Instead of Windows loading as normal, a menu should appear.
  • Use the up arrow key to highlight Safe Mode and press 'Enter'.
  • Login on your usual account.
------------------------------------------------------

If ComboFix reboots your computer, take it back to Safe Mode by pressing the F8 key.

------------------------------------------------------
 

Registered · 10 Posts · Discussion Starter #11
It ran fine in Safe Mode. It prompted me that AVG was still active, but I have uninstalled it. I tried to use Appkiller but I was given an "Internet Explorer Script Error."

The Redirects are still there.

I'd just like to point out that a window came up and said "Backing up registry \System\ntrwn (or something)\hiv-backup". It just looked dodgy.

I've been trying to upgrade to SP3 but I keep getting this error: the file c:\windows\system32\ntoskrnl.exe is open or in use by another program.

LOG:
__________________

ComboFix 11-07-10.05 - Axel 13/07/2011 0:58.5.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1535.1160 [GMT 1:00]
Running from: c:\documents and settings\Axel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Axel\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
F:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-06-13 to 2011-07-13 )))))))))))))))))))))))))))))))
.
.
2011-07-09 16:15 . 2011-07-09 16:15 -------- d-----w- c:\documents and settings\Axel\Application Data\Malwarebytes
2011-07-09 16:14 . 2011-05-29 08:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-09 16:14 . 2011-07-09 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-09 16:14 . 2011-07-09 16:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-09 16:14 . 2011-05-29 08:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-09 03:02 . 2011-07-09 03:02 -------- d-----w- c:\windows\system32\GroupPolicy
2011-07-09 02:52 . 2011-07-09 03:00 -------- d-----w- c:\documents and settings\Axel\Local Settings\Application Data\ConduitEngine
2011-07-09 02:51 . 2011-07-09 02:52 -------- d-----w- c:\program files\ConduitEngine
2011-07-09 02:51 . 2011-07-09 02:51 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-07-08 16:58 . 2011-07-08 16:59 -------- d-----w- C:\68bdb2c9d069f81345
2011-07-05 10:18 . 2011-07-05 10:18 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-05 10:18 . 2011-07-05 10:18 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-25 02:17 . 2011-06-25 04:00 -------- d-----w- c:\program files\Xenimus
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-01 09:07 . 2011-03-08 01:56 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-07-01 09:07 . 2007-12-23 01:08 22328 ----a-w- c:\documents and settings\Axel\Application Data\PnkBstrK.sys
2011-07-01 09:07 . 2007-12-23 01:08 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-06-25 03:59 . 2011-06-01 23:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-04 03:52 . 2010-05-07 18:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 01:25 . 2008-04-02 21:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-05 10:18 . 2011-05-06 14:37 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( [email protected]_23.04.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-08-29 11:00 . 2011-07-12 23:31 582312 c:\windows\system32\perfh009.dat
+ 2002-08-29 11:00 . 2011-07-12 23:31 120098 c:\windows\system32\perfc009.dat
- 2011-02-19 17:16 . 2011-02-02 21:40 157472 c:\windows\system32\javaws.exe
+ 2011-07-10 20:33 . 2011-05-04 03:52 157472 c:\windows\system32\javaws.exe
+ 2011-07-10 20:33 . 2011-05-04 03:52 145184 c:\windows\system32\javaw.exe
- 2011-02-19 17:16 . 2011-02-02 21:40 145184 c:\windows\system32\javaw.exe
+ 2011-07-10 20:33 . 2011-05-04 03:52 145184 c:\windows\system32\java.exe
- 2011-02-19 17:16 . 2011-02-02 21:40 145184 c:\windows\system32\java.exe
+ 2011-07-10 20:35 . 2011-07-10 20:35 203776 c:\windows\Installer\20a331.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\prxtbXfi0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2011-01-17 14:54 175912 ----a-w- c:\program files\XfireXO\prxtbXfi0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\prxtbXfi0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\prxtbXfi0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-19 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-03-21 08:30 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 16:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-10-18 11:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-20 14:02 1242448 ----a-w- c:\program files\Valve\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-04-19 23:44 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"CLTNetCnService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\vulcan135\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\vulcan135\\source sdk base\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Axel\\Kitserver2010\\pes2010.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Axel\\Desktop\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\vulcan135\\counter-strike source\\hl2.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [05/12/2007 16:59 717296]
S1 ts_lb;ts_lb;c:\windows\system32\drivers\ts_lb.sys [16/06/2009 18:16 24376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [09/07/2011 17:14 366640]
S3 CV2K1;CommView Network Monitor;c:\windows\system32\drivers\cv2k1.sys [16/06/2009 18:14 18984]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [09/07/2011 17:14 22712]
S3 TSCOMM;CommStudio Virtual Adapter by TamoSoft;c:\windows\system32\drivers\tscomm.sys [16/06/2009 18:14 39976]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-19 17:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.youtube.com/
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\documents and settings\Axel\Application Data\Mozilla\Firefox\Profiles\azv9fhnv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2304157&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - XfireXO Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4ddb483c&v=7.005.030.004&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-07-13 01:33
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-789336058-682003330-2048957927-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:93,aa,68,fb,b2,4e,d8,c3,c9,98,a3,9d,73,92,9a,70,9b,8e,6c,62,ea,0c,da,
a9,44,48,64,2f,ff,06,f7,d0,c8,04,49,ec,6f,e3,19,6e,c5,65,c3,b4,b1,89,64,ed,\
"??"=hex:71,71,78,41,7b,81,fe,c6,e2,a2,da,bd,a4,ab,0f,66
.
[HKEY_USERS\S-1-5-21-789336058-682003330-2048957927-1003\Software\SecuROM\License information*]
"datasecu"=hex:f5,70,8c,21,c0,57,50,b9,c9,9f,bc,ea,88,94,37,3b,ee,9b,37,86,94,
e6,84,ed,31,22,f3,2e,22,b3,fe,57,81,04,51,ae,f9,18,a7,21,67,2b,98,24,e0,a5,\
"rkeysecu"=hex:33,67,04,f2,8e,76,b9,70,79,c5,d9,28,4b,a1,8e,68
.
Completion time: 2011-07-13 01:50:41
ComboFix-quarantined-files.txt 2011-07-13 00:50
ComboFix2.txt 2011-07-09 23:22
ComboFix3.txt 2010-07-30 15:54
.
Pre-Run: 37,188,964,352 bytes free
Post-Run: 37,224,529,920 bytes free
.
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 08CFCB3853228080258718D271C4CDEE
 

Security Team, Moderator, Analyst, Rangemaster · 29,790 Posts
Hello again, Axel. Please don't install SP3 until you are clean. I thought you were going to get Norton running.

You ran dds under the Mum account. Then you ran ComboFix under the Axel account.

Which account is your normal account?

------------------------------------------------------
 

Registered · 10 Posts · Discussion Starter #13
Axel is my normal account and the account that was worst affected (I was on it when the virus attacked my machine). The user "Axel" wasn't able to run any programs; it was only after I ran MBAM on "Mum" that I was able to do anything on my main user "Axel." This is why dds was run on "Mum."

Thanks for the help again mate :)
 

Security Team, Moderator, Analyst, Rangemaster · 29,790 Posts
Hello again, Axel. You're very welcome. Please stay with the Axel account for now.

Please download FixTDSS.exe and save it to your desktop.
  • Close all programs.
  • Double-click FixTDSS.exe and click 'I Accept' to accept the terms.
  • Click 'Proceed' then 'OK' to allow FixTDSS.exe to reboot the machine.
  • Upon reboot, the tool may scan your system. Please be patient.
  • If no infection is found, it will report 'Backdoor.Tidserv has not been found on your computer'. Click 'OK'.
  • If an infection is found, it will report '***Infected '. Click 'Repair'.
  • You should get the message 'Repair was successful' or 'Repair succeeded'.
  • Let me know what the tool reported in your next reply.
------------------------------------------------------
 

Security Team, Moderator, Analyst, Rangemaster · 29,790 Posts
Hello again, Axel. Glad to hear it.

------------------------------------------------------

Please follow these instructions for de-registering AVG:

**Note: Make sure you only delete AVG products.

  • Go Start > Run and copy/paste wbemtest into the Run box and click 'OK'.
  • Click 'Connect'.
  • Copy/paste root\securitycenter into the box and click 'Connect'.
  • Click 'Query'.
  • Copy/paste SELECT * FROM AntiVirusProduct under 'Enter Query' and click 'Apply'.
  • If there is more than one result, it means there is more than one Antivirus program registered.
  • Double-click on each result to view the properties for that Antivirus product.
  • Identify the product(s) registered by scrolling down to 'companyName' then click 'Close'.
  • In the 'Query Result' window, click 'Delete' for any Antivirus software that is no longer installed.
  • Click 'Close', then 'Exit' and let me know if it worked.
------------------------------------------------------

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Under the Scanner tab, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

Java(TM) 6 Update 4
Java(TM) 6 Update 5

These are all outdated and are security risks while they remain installed. Reboot your computer once all those Java components are removed.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

In fact, you should be able to update your current Java, Java(TM) 6 Update 24, by going to Control Panel (Classic View) and double-clicking on the Java icon (looks like a coffee cup). Click on the Update tab. On the lower right, click on Update Now. An update should begin. Allow the install of the new Java.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish, then click 'Finish'.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
 

Security Team, Moderator, Analyst, Rangemaster · 29,790 Posts
Still with us, Axel? Any trouble with those last instructions? I generally unsubscribe from threads after 3 days of inactivity. If you do not reply within 24 hours, this thread will be closed.

------------------------------------------------------
 