Discussion Starter · #1 ·
Recently, my computer has been acting up rather oddly. I've let my brother attempt to fix it, but I'm still getting WinPatrol warnings on top of a few other issues.

Furthermore, I haven't had much time to deal with the issue immediately, so imagine my surprise when the WinPatrol warnings went from blocking the same programs over and over again to warning me about different programs, while the previous ones just seemed to have stopped coming, and one time when I logged on my explorer.exe didn't function correctly (although this issue was handled easily).

Also, when I click on links in my Firefox web browser, it occasionally leads me to another totally unrelated page. For example, when I was trying to visit this website from a standard Google search, I somehow ended up in an "airsplat" area.

And most alarming, my computer has been shutting down unexpectedly after getting the "blue screen" error message. This usually happens when I try running my mp3's music software (zune.exe), but it has happened when my browser is running quite a few programs at once. I'm not sure if this is part of the virus, as my brother said he did remove some stuff that should've "solved the issue," but it doesn't seem to have worked, so I think it should be safe to mention that HijackThis and Malwarebytes Anti-Malware would've been the tools he used.

Here are URLs to screenshots showing the current pop-ups I'm getting from WinPatrol:

http://img18.imageshack.us/img18/1650/popnjs.png

http://img18.imageshack.us/img18/8103/pop2o.png

Here's the DDS log (I've disabled both COMODO and AVG):


DDS (Ver_09-03-16.01) - NTFSx86
Run by Robert Stinson at 18:17:50.85 on Sun 05/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.94 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Robert Stinson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comodo.com/search/
uInternet Connection Wizard,ShellNext = hxxp://securityresponse.symantec.com/avcenter/vinfodb.html?prodid=nav2006
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [COMODO SafeSurf] "c:\program files\comodo\safesurf\cssurf.exe" -s
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,[email protected]
dRun: [<NO NAME>] c:\windows\temp\zif9hj.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\zif9hj.exe
dRun: [Diagnostic Manager] c:\windows\temp\1290102880.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuVlifdC

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\kvtenac7.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-27 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-27 108552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-2-6 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-2-6 24336]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-27 298776]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-2-6 700152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\drivers\cbpmp50.sys --> c:\windows\system32\drivers\CBPMp50.sys [?]
S3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [2008-3-22 27072]

=============== Created Last 30 ================

2009-05-03 16:18 46 a------- c:\windows\system32\p2hhr.bat
2009-05-03 16:17 15,000 a------- c:\windows\system32\afnoinkdsfe.dll
2009-05-03 16:17 17,920 a------- c:\windows\system32\ak1.exe
2009-04-30 17:10 3,840 a------- c:\windows\system32\drivers\BANTExt.sys
2009-04-30 17:10 <DIR> --d----- c:\program files\Belarc
2009-04-27 17:17 1 a------- c:\windows\system32\uniq.tll
2009-04-27 17:12 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-27 17:12 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-27 17:12 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-27 17:12 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-15 16:14 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 16:14 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 16:14 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 16:14 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 16:14 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 16:14 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 16:14 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 16:14 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-15 16:14 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 16:14 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 07:17 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 07:17 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 07:17 2,560 -------- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-04-22 15:14 8,424 a------- c:\docume~1\robert~1\applic~1\wklnhst.dat
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-03-01 23:14 40 a------- c:\documents and settings\robert stinson\language.dat
2009-02-28 23:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-27 16:18 155,384 a------- c:\windows\system32\guard32.dll
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 04:03 249,592 a------- c:\windows\system32\cssdll32.dll
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2008-12-18 22:18 1,890 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-10-24 17:10 88 ---shr-- c:\docume~1\alluse~1\applic~1\BA3B99E923.sys
2009-01-03 20:55 688,713 a--sh--- c:\windows\system32\LTsrAJlm.ini2

============= FINISH: 18:18:29.76 ===============
 

Premium Member
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not do any fixing on your own or run scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
 

Discussion Starter · #3 ·
Alright, I ran it, and here's a log.

____________________________


ComboFix 09-05-03.6 - Robert Stinson 05/04/2009 22:35.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.148 [GMT -4:00]
Running from: c:\documents and settings\Robert Stinson\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\afnoinkdsfe.dll
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\ak1.exe
c:\windows\system32\CdfilVut.ini
c:\windows\system32\CdfilVut.ini2
c:\windows\system32\iscpsoad.ini
c:\windows\system32\LTsrAJlm.ini
c:\windows\system32\LTsrAJlm.ini2
c:\windows\system32\p2hhr.bat
c:\windows\system32\qfcbixic.ini
c:\windows\system32\uniq.tll
c:\windows\temp\1035259130.exe
c:\windows\temp\1076352880.exe
c:\windows\temp\1290102880.exe

----- BITS: Possible infected sites -----

hxxp://resources.zune.net
.
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-04-30 21:10 . 2008-02-27 17:49 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-30 21:10 . 2009-04-30 21:10 -------- d-----w c:\program files\Belarc
2009-04-27 21:18 . 2009-05-03 20:18 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2009-04-27 21:12 . 2009-05-01 21:47 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-27 21:12 . 2009-05-01 21:47 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-27 21:12 . 2009-05-01 21:47 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-27 21:12 . 2009-05-04 21:48 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-27 07:22 . 2009-04-27 07:30 -------- d-----w c:\program files\Zune
2009-04-15 20:14 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 20:14 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 20:14 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 20:14 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 20:14 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 20:14 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 20:14 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 20:14 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 20:14 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 20:14 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 11:17 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 11:17 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 02:48 . 2009-02-23 23:37 -------- d-----w c:\program files\Steam
2009-04-29 01:14 . 2008-12-11 00:51 -------- d-----w c:\program files\Trend Micro
2009-04-26 01:12 . 2008-10-24 06:49 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 19:14 . 2007-01-09 02:41 8424 ----a-w c:\documents and settings\Robert Stinson\Application Data\wklnhst.dat
2009-04-14 13:28 . 2007-04-28 04:43 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-06 19:32 . 2008-10-24 06:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-10-24 06:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2006-03-16 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-03-16 04:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 03:14 . 2009-03-02 03:14 40 ----a-w c:\documents and settings\Robert Stinson\language.dat
2009-03-01 03:24 . 2008-12-10 00:07 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-27 20:23 . 2009-02-06 08:00 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-02-27 20:18 . 2009-02-06 08:00 155384 ----a-w c:\windows\system32\guard32.dll
2009-02-27 20:18 . 2009-02-06 08:00 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-02-20 18:09 . 2006-03-16 04:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2006-03-16 04:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-03-16 04:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-03-16 04:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2006-03-16 04:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2006-03-16 04:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2006-03-16 04:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2006-03-16 04:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2006-03-16 04:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-03-16 04:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 08:03 . 2009-02-06 08:04 249592 ----a-w c:\windows\system32\cssdll32.dll
.

------- Sigcheck -------

[-] 2005-03-10 15:49 295424 C29A5286E64D97385178452D5F307B98 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-11-28 04:52 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-12-12 160592]
"Steam"="c:\program files\Steam\Steam.exe" [2009-02-23 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2009-02-06 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-02-27 1851128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 136600]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 21:47 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\SteamApps\\lythrax\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R3 CBPMp50;CBPMp50 NDIS Protocol Driver; [x]
R3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\CBPSp50.sys [2006-11-29 27072]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-01 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-01 108552]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2009-02-27 110992]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2009-02-27 24336]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-01 298776]

.
- - - - ORPHANS REMOVED - - - -

BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
HKU-Default-Run-uidenhiufgsduiazghs - c:\windows\TEMP\zif9hj.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\1290102880.exe
SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comodo.com/search/
uInternet Connection Wizard,ShellNext = hxxp://securityresponse.symantec.com/avcenter/vinfodb.html?prodid=nav2006
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Robert Stinson\Application Data\Mozilla\Firefox\Profiles\kvtenac7.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 22:48
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthfyvxrafumumpsbyxnulkdlvoyndoyyje.sys 83968 bytes executable
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthghetrximnj.tmp 343040 bytes executable
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthocvpowofvg.tmp 133632 bytes executable
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthx000 0 bytes
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthxomttrwypp.tmp 107520 bytes executable
c:\windows\system32\ovfsthbfddxvffyoytenctniygaiggjpxmvpgv.dat 43 bytes
c:\windows\system32\ovfsthkhlmogvfkpovqgrmtlodkrushwtngqus.dll 18432 bytes executable
c:\windows\system32\ovfsthkndjixqdublxdcutlcanxupacctnvfbl.dll 18944 bytes executable
c:\windows\system32\ovfsthrqstoimclcwfnparrxecxjbqfybokhca.dat 93725 bytes
c:\windows\system32\ovfsthsetjgujbvkmlrondavqtkcyhwptemvmd.dll 60928 bytes executable

scan completed successfully
hidden files: 10

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthqakaidltiqmhsaomlrnjyrfsiebwykvk]
"imagepath"="\systemroot\system32\drivers\ovfsthfyvxrafumumpsbyxnulkdlvoyndoyyje.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(964)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3176)
c:\windows\system32\guard32.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\msdtc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-05-05 22:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 02:53
ComboFix2.txt 2008-12-14 22:25

Pre-Run: 33,713,618,944 bytes free
Post-Run: 33,623,396,352 bytes free

235 --- E O F --- 2009-04-28 22:50
 

Premium Member
Hello Micmaq.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

Viewpoint Media Player << This is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". Please read here and here.

------------------------------------------------------

I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall it, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

------------------------------------------------------

I noticed you have Ask Toolbar installed.

Please read this and decide if you want to keep it >> http://www.benedelman.org/spyware/ask-toolbars/

You can uninstall it via Add or Remove Programs in your Control Panel.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/f284/seemingly-virus-problems-and-other-things-blue-screen-372845.html#post2119227

Collect::
c:\windows\system32\drivers\ovfsthfyvxrafumumpsbyxnulkdlvoyndoyyje.sys
c:\windows\system32\ovfsthbfddxvffyoytenctniygaiggjpxmvpgv.dat
c:\windows\system32\ovfsthkhlmogvfkpovqgrmtlodkrushwtngqus.dll
c:\windows\system32\ovfsthkndjixqdublxdcutlcanxupacctnvfbl.dll
c:\windows\system32\ovfsthrqstoimclcwfnparrxecxjbqfybokhca.dat
c:\windows\system32\ovfsthsetjgujbvkmlrondavqtkcyhwptemvmd.dll

File::
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthghetrximnj.tmp
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthocvpowofvg.tmp
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthx000
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthxomttrwypp.tmp

FCopy::
c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\system32\termsrv.dll

Driver::
ovfsthqakaidltiqmhsaomlrnjyrfsiebwykvk
ovfsthfyvxrafumumpsbyxnulkdlvoyndoyyje

DDS::
Trusted Zone: internet
Trusted Zone: mcafee.com
Save this Notepad file as CFScript.txt to your Desktop and then close the file.
Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

There should be a file named [4][email protected] with today's date, located here:

C:\QooBox\Quarantine\[4][email protected]

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------
 

· Registered · 21 Posts · Discussion Starter · #5 ·
Ahh, sorry it took me so long to reply. Minor bothers rendered my internet connection down for a few days.

Anyways, I did the following and here's the log:

____________

ComboFix 09-05-03.6 - Robert Stinson 05/11/2009 2:09.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.178 [GMT -4:00]
Running from: c:\documents and settings\Robert Stinson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robert Stinson\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*

FILE ::
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthghetrximnj.tmp
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthocvpowofvg.tmp
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthx000
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthxomttrwypp.tmp

file zipped: c:\windows\system32\drivers\ovfsthfyvxrafumumpsbyxnulkdlvoyndoyyje.sys
file zipped: c:\windows\system32\ovfsthbfddxvffyoytenctniygaiggjpxmvpgv.dat
file zipped: c:\windows\system32\ovfsthkhlmogvfkpovqgrmtlodkrushwtngqus.dll
file zipped: c:\windows\system32\ovfsthkndjixqdublxdcutlcanxupacctnvfbl.dll
file zipped: c:\windows\system32\ovfsthrqstoimclcwfnparrxecxjbqfybokhca.dat
file zipped: c:\windows\system32\ovfsthsetjgujbvkmlrondavqtkcyhwptemvmd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthghetrximnj.tmp
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthocvpowofvg.tmp
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthx000
c:\docume~1\ROBERT~1\LOCALS~1\Temp\ovfsthxomttrwypp.tmp
c:\documents and settings\Robert Stinson\protect.dll
c:\documents and settings\Robert Stinson\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Robert Stinson\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthfyvxrafumumpsbyxnulkdlvoyndoyyje.sys
c:\windows\system32\ovfsthbfddxvffyoytenctniygaiggjpxmvpgv.dat
c:\windows\system32\ovfsthkhlmogvfkpovqgrmtlodkrushwtngqus.dll
c:\windows\system32\ovfsthkndjixqdublxdcutlcanxupacctnvfbl.dll
c:\windows\system32\ovfsthrqstoimclcwfnparrxecxjbqfybokhca.dat
c:\windows\system32\ovfsthsetjgujbvkmlrondavqtkcyhwptemvmd.dll

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\termsrv.dll --> c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
.

2009-05-10 23:13 . 2009-05-10 23:28 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-04-30 21:10 . 2008-02-27 17:49 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-30 21:10 . 2009-04-30 21:10 -------- d-----w c:\program files\Belarc
2009-04-27 21:18 . 2009-05-03 20:18 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2009-04-27 21:12 . 2009-05-01 21:47 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-27 21:12 . 2009-05-01 21:47 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-27 21:12 . 2009-05-01 21:47 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-27 21:12 . 2009-05-04 21:48 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-27 07:22 . 2009-04-27 07:30 -------- d-----w c:\program files\Zune
2009-04-15 20:14 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 20:14 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 20:14 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 20:14 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 20:14 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 20:14 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 20:14 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 20:14 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 20:14 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 20:14 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 11:17 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 11:17 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 23:12 . 2009-02-23 23:37 -------- d-----w c:\program files\Steam
2009-05-10 04:46 . 2007-01-09 02:41 9274 ----a-w c:\documents and settings\Robert Stinson\Application Data\wklnhst.dat
2009-04-29 01:14 . 2008-12-11 00:51 -------- d-----w c:\program files\Trend Micro
2009-04-26 01:12 . 2008-10-24 06:49 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-14 13:28 . 2007-04-28 04:43 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-06 19:32 . 2008-10-24 06:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-10-24 06:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2006-03-16 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-03-16 04:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 03:14 . 2009-03-02 03:14 40 ----a-w c:\documents and settings\Robert Stinson\language.dat
2009-03-01 03:24 . 2008-12-10 00:07 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-27 20:23 . 2009-02-06 08:00 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-02-27 20:18 . 2009-02-06 08:00 155384 ----a-w c:\windows\system32\guard32.dll
2009-02-27 20:18 . 2009-02-06 08:00 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-02-20 18:09 . 2006-03-16 04:00 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( [email protected]_02.48.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-11 06:13 . 2009-05-11 06:13 16384 c:\windows\temp\Perflib_Perfdata_304.dat
+ 2009-05-09 20:37 . 2009-05-10 23:28 24064 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
+ 2009-04-26 23:32 . 2009-05-11 05:58 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-26 23:32 . 2009-05-05 02:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-08-09 12:04 . 2009-05-11 05:58 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-08-09 12:04 . 2009-05-05 02:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-08-09 12:04 . 2009-05-05 02:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-08-09 12:04 . 2009-05-11 05:58 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-03-16 04:00 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-12-12 160592]
"Steam"="c:\program files\Steam\Steam.exe" [2009-02-23 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2009-02-06 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-02-27 1851128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 136600]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\windows\system32\config\SYSTEM~1\protect.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 21:47 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\SteamApps\\lythrax\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R3 CBPMp50;CBPMp50 NDIS Protocol Driver; [x]
R3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\CBPSp50.sys [2006-11-29 27072]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-01 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-01 108552]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2009-02-27 110992]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2009-02-27 24336]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-01 298776]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comodo.com/search/
uInternet Connection Wizard,ShellNext = hxxp://securityresponse.symantec.com/avcenter/vinfodb.html?prodid=nav2006
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\Robert Stinson\Application Data\Mozilla\Firefox\Profiles\kvtenac7.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 02:14
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3520)
c:\windows\system32\guard32.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\msdtc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-05-11 2:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-11 06:21
ComboFix2.txt 2009-05-05 02:53
ComboFix3.txt 2008-12-14 22:25

Pre-Run: 34,097,704,960 bytes free
Post-Run: 34,079,666,176 bytes free

227 --- E O F --- 2009-04-28 22:50
 

· Premium Member · 29,790 Posts
Hello again, Micmaq.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

It appears you didn't submit the file for analysis.

There should be a file named [4][email protected] with today's date, located here:

C:\QooBox\Quarantine\[4][email protected]

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/f284/seemingly-virus-problems-and-other-things-blue-screen-372845.html#post2129922

Collect::
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
Save this Notepad file as CFScript.txt to your Desktop and then close the file.
Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

There should be a file named [4][email protected] with today's date, located here:

C:\QooBox\Quarantine\[4][email protected]

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------
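For a reader wanting to see why the `autochk` Run value and the `drivers\svchost.exe` firewall entry were the ones pulled from the log, here is an added triage script (not ComboFix's code and not the helper's) that runs two checks over a constructed excerpt of the Reg Loading Points section above: a Run value that points at a DLL or lives under the .DEFAULT profile, and a core system binary name whitelisted in the firewall from anywhere other than system32.

```python
"""Triage of ComboFix 'Reg Loading Points' output for the two entry types removed in
the Registry:: block above. Added example, not ComboFix's or the helper's code."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a trimmed copy of the registry section from the log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\windows\system32\config\SYSTEM~1\protect.dll" [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)")?\s*(.*)$')
# Core OS binaries that live only in system32 on XP; the same file name anywhere
# else (here: system32\drivers\svchost.exe) is a classic masquerade.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
                   "winlogon.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"

@dataclass
class Finding:
    key: str
    name: str
    reason: str

def normalize(path: str) -> str:
    """Undo REGEDIT4 backslash doubling and expand %windir% so paths compare cleanly."""
    p = path.replace("\\\\", "\\")
    p = re.sub(r"%windir%", r"c:\\windows", p, flags=re.IGNORECASE)
    return p.strip().lower()

def triage(log_text: str) -> List[Finding]:
    """Walk the REGEDIT4-style dump and flag the entries a reviewer should question."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm or not key:
            continue
        name, data = vm.group(1), vm.group(2)
        k = key.lower()
        if k.endswith("\\currentversion\\run") and data is not None:
            target = normalize(data)
            if target.endswith(".dll"):
                findings.append(Finding(key, name, "Run value points at a DLL; a DLL "
                    "cannot start on its own, so legitimate DLL autostarts go through rundll32"))
            if k.startswith("hkey_users\\.default\\"):
                findings.append(Finding(key, name, ".DEFAULT profile Run key fires in the "
                    "system context at the logon screen; very few legitimate programs use it"))
        elif "authorizedapplications" in k:
            target = normalize(name)
            parent, _, base = target.rpartition("\\")
            if base in SYSTEM_BINARIES and parent != SYSTEM32:
                findings.append(Finding(key, name, f"{base} is whitelisted in the firewall "
                    f"from {parent}, not from {SYSTEM32}"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.key}] {f.name}: {f.reason}")
```

Point it at the full Reg Loading Points section of any ComboFix log; entries for ctfmon, sessmgr and Firefox pass, while the autochk DLL and the misplaced svchost.exe are reported.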
 

· Premium Member · 29,790 Posts
Still with us, MicMaq? Any trouble with those last instructions?
 

· Premium Member · 29,790 Posts
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------
 