Hi
I've run Malwarebytes and it's managed to remove quite a few of the infections that were on my computer already (including System Defender and Antivirus Pro 2010), but now it keeps showing Rootkit.Agent and however many times I select to remove it, it's still there when the computer is restarted. I also have problems with Internet Explorer: when I select a link on Google, it redirects me to random webpages. Lastly, I did have problems with changing the desktop background image; it was disabled for a while but I think it's OK now (not sure if that is relevant or not).
Please can you give me some instructions on how to remove the Rootkit.Agent and any other lingering infection/virus/worm on my PC, as I seem to have had them all recently!
This is the log from Malwarebytes:
Malwarebytes' Anti-Malware 1.44
Database version: 3581
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
17/01/2010 11:38:26
mbam-log-2010-01-17 (11-38-10).txt
Scan type: Quick Scan
Objects scanned: 113369
Time elapsed: 7 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\nqnnxw.sys (Rootkit.Agent) -> No action taken.
thanks
The log says "No action taken", so you either posted the log from before fixes, or you didn't apply any fix.
Please, re-do.
Hi
Here's the log redone. I have run this quite a few times, and after restarting and running Malwarebytes again, the virus is still there. Thanks!
Malwarebytes' Anti-Malware 1.44
Database version: 3581
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
17/01/2010 19:34:09
mbam-log-2010-01-17 (19-34-09).txt
Scan type: Quick Scan
Objects scanned: 113347
Time elapsed: 6 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\nqnnxw.sys (Rootkit.Agent) -> Delete on reboot.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE. If Combofix asks you to install Recovery Console, please allow it.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure, you re-enable your security programs, when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Here's the log from ComboFix:
ComboFix 10-01-16.04 - Becky 17/01/2010 20:03:38.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1575 [GMT 0:00]
Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Becky\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\All Users\Documents\obegohuva.bat
c:\documents and settings\All Users\Documents\ysod.reg
c:\documents and settings\Becky\Application Data\iniasd.txt
c:\documents and settings\Becky\Application Data\SystemProc
c:\documents and settings\Becky\Local Settings\Application Data\wyva.vbs
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\recycler\S-1-5-21-2792737836-4270530095-701979231-1003
C:\s
C:\VDM20.tmp
C:\VDM21.tmp
C:\VDM24.tmp
C:\VDM25.tmp
c:\windows\dyto.bat
c:\windows\nuva.inf
c:\windows\odabo.scr
c:\windows\run.log
c:\windows\system32\18467.exe
c:\windows\system32\drivers\nqnnxw.sys
c:\windows\system32\xa.tmp
c:\windows\tugapu.dll
c:\windows\xezihujapa.dll
D:\Autorun.inf
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
-------\Legacy_nqnnxw
-------\Service_nqnnxw
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.
2010-01-17 20:17 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-17 20:17 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-17 10:40 . 2010-01-17 10:53 -------- d-----w- C:\$AVG
2010-01-17 10:39 . 2010-01-17 10:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-17 10:39 . 2010-01-17 10:39 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-17 10:39 . 2010-01-17 10:39 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-17 10:39 . 2010-01-17 10:39 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-17 10:39 . 2010-01-17 10:41 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-17 10:39 . 2010-01-17 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-01-17 10:39 . 2010-01-17 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-17 01:46 . 2010-01-17 01:51 -------- d-----w- c:\program files\The Serpent of Isis
2010-01-17 00:29 . 2010-01-17 00:29 -------- d-----w- c:\documents and settings\Becky\Application Data\Playrix Entertainment
2010-01-16 17:35 . 2010-01-16 17:35 -------- d-----w- c:\documents and settings\Becky\Local Settings\Application Data\Threat Expert
2010-01-16 17:30 . 2009-11-10 10:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-16 17:30 . 2009-11-10 10:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-16 17:30 . 2009-11-10 10:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-16 17:30 . 2009-11-10 10:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-16 17:30 . 2009-10-28 01:36 1152444 ----a-w- c:\windows\UDB.zip
2010-01-16 17:30 . 2008-11-26 12:08 131 ----a-w- c:\windows\IDB.zip
2010-01-16 17:27 . 2009-10-30 11:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-16 17:27 . 2009-11-09 11:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-16 17:27 . 2009-10-06 16:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-16 17:27 . 2009-09-03 09:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-16 17:27 . 2010-01-16 17:31 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-16 17:27 . 2010-01-16 17:41 -------- d-----w- c:\program files\Spyware Doctor
2010-01-16 17:27 . 2010-01-16 17:27 -------- d-----w- c:\documents and settings\Becky\Application Data\PC Tools
2010-01-16 17:27 . 2010-01-16 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-16 12:21 . 2010-01-16 12:21 118256 ----a-w- c:\windows\system32\-jEtVCPJab.exe
2010-01-12 23:17 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-01 18:40 . 2010-01-01 18:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-12-29 00:59 . 2009-12-29 00:59 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSQLBJAID_APDM
2009-12-29 00:56 . 2009-12-29 00:59 -------- d-sh--w- c:\documents and settings\All Users\Application Data\394514d
2009-12-23 23:20 . 2009-12-23 23:20 -------- d-----w- c:\documents and settings\Becky\Application Data\blg
2009-12-23 23:20 . 2009-12-23 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\blg
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 20:25 . 2008-02-07 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-01-17 20:20 . 2009-05-30 13:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-17 14:44 . 2006-08-01 17:43 6448 ----a-w- c:\documents and settings\Becky\Application Data\wklnhst.dat
2010-01-17 10:39 . 2010-01-17 10:47 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-17 10:39 . 2010-01-17 10:47 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-01-17 10:39 . 2010-01-17 10:47 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2010-01-17 10:39 . 2010-01-17 10:47 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-01-17 10:39 . 2010-01-17 10:47 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-01-17 10:39 . 2010-01-17 10:47 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-01-17 10:39 . 2008-08-17 15:21 -------- d-----w- c:\program files\AVG
2010-01-17 10:26 . 2009-10-08 20:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 10:26 . 2010-01-01 11:39 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-17 01:41 . 2009-05-30 13:45 -------- d-----w- c:\program files\bfgclient
2010-01-17 01:41 . 2010-01-17 01:40 3054384 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
2010-01-17 01:40 . 2009-05-30 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2010-01-09 11:27 . 2008-10-05 10:25 -------- d-----w- c:\program files\DNA
2010-01-07 19:17 . 2009-11-30 20:11 -------- d-----w- c:\program files\iPod
2010-01-07 19:13 . 2008-08-22 22:50 -------- d-----w- c:\documents and settings\Becky\Application Data\Apple Computer
2010-01-07 19:12 . 2009-02-11 21:10 -------- d-----w- c:\program files\Bonjour
2010-01-07 16:07 . 2009-10-08 20:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-10-08 20:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 20:07 . 2010-01-06 20:07 143264 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\serpent-of-isis_s1_l1_gF2816T1L1_d757478336.exe
2010-01-06 20:07 . 2010-01-06 20:07 2997384 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
2010-01-01 10:55 . 2010-01-01 10:55 152576 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-01 10:55 . 2009-11-29 21:32 79488 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-01 10:18 . 2009-06-15 20:07 -------- d-----w- c:\program files\PokerStars.NET
2009-12-25 22:58 . 2009-02-11 21:22 -------- d-----w- c:\program files\iTunes
2009-12-09 22:58 . 2009-12-09 22:57 -------- d-----w- c:\documents and settings\Becky\Application Data\TitanicMystery
2009-12-09 22:57 . 2009-11-15 22:14 -------- d-----w- c:\program files\1912 - Titanic Mystery
2009-11-30 20:49 . 2009-11-30 20:49 34980 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-30 20:11 . 2009-11-30 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-30 20:11 . 2008-08-22 22:48 -------- d-----w- c:\program files\Common Files\Apple
2009-11-30 20:09 . 2009-11-30 20:08 -------- d-----w- c:\program files\QuickTime
2009-11-30 20:02 . 2009-11-30 20:02 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-30 20:00 . 2009-02-11 21:09 -------- d-----w- c:\program files\Safari
2009-11-30 19:57 . 2009-11-30 19:57 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-25 13:01 . 2010-01-17 11:05 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-22 21:30 . 2009-11-22 21:30 -------- d-----w- c:\documents and settings\Becky\Application Data\Big Fish Games
2009-11-21 15:51 . 2004-09-10 01:08 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2004-09-10 08:09 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-09-10 01:09 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-09-10 01:09 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-08 19:23 . 2009-10-08 19:23 19993 ----a-w- c:\program files\Common Files\noleb.pif
2009-10-08 19:23 . 2009-10-08 19:23 16598 ----a-w- c:\program files\Common Files\iwimyq.com
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLAGENTEXE"="dslagent.exe USB" [X]
"Ptipbmf"="ptipbmf.dll" [2004-10-07 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-25 7122944]
"nwiz"="nwiz.exe" [2005-10-25 1519616]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"CHotkey"="mHotkey.exe" [2001-12-26 472576]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-25 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-25 688218]
"StillMnt"="Bs350u2r.exe" [2004-10-28 36864]
"SoundMan"="SOUNDMAN.EXE" [2004-11-25 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-25 2747392]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-09-22 1695744]
"GSICONEXE"="gsicon.exe" [2003-05-14 90112]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-07-15 26112]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-17 2033432]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-6-15 1208320]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-17 10:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Anno 1701\\Anno1701.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Firefly Studios\\CivCity Rome\\CivCity Rome.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [16/01/2010 17:27 207792]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [17/01/2010 10:39 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [17/01/2010 10:39 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/01/2010 10:39 285392]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [16/01/2010 17:30 112592]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\slazldrv.sys [25/11/2004 19:57 223112]
S1 dhf725d;dhf725d;c:\windows\system32\drivers\dhf725d.sys --> c:\windows\system32\drivers\dhf725d.sys [?]
S1 dij959b;dij959b;c:\windows\system32\drivers\dij959b.sys --> c:\windows\system32\drivers\dij959b.sys [?]
S1 dqe051b;dqe051b;c:\windows\system32\drivers\dqe051b.sys --> c:\windows\system32\drivers\dqe051b.sys [?]
S1 hpib857;hpib857;c:\windows\system32\drivers\hpib857.sys --> c:\windows\system32\drivers\hpib857.sys [?]
S1 ianbf43;ianbf43;c:\windows\system32\drivers\ianbf43.sys --> c:\windows\system32\drivers\ianbf43.sys [?]
S1 kplcaf3;kplcaf3;c:\windows\system32\drivers\kplcaf3.sys --> c:\windows\system32\drivers\kplcaf3.sys [?]
S1 opff50c;opff50c;c:\windows\system32\drivers\opff50c.sys --> c:\windows\system32\drivers\opff50c.sys [?]
S1 pns57f9;pns57f9;c:\windows\system32\drivers\pns57f9.sys --> c:\windows\system32\drivers\pns57f9.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [16/01/2010 17:27 359624]
.
Contents of the 'Scheduled Tasks' folder
2010-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
HKLM-Run-lphcrjlj0eg2p - c:\windows\system32\lphcrjlj0eg2p.exe
AddRemove-AOL YGP Screensaver - c:\program files\Common Files\AOL\Screensaver\uninst_ygpss.exe
AddRemove-Usenet.to_is1 - c:\program files\Usenet.to\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-01-17 20:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x8A8A5618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba96cf28
\Driver\ACPI -> ACPI.sys @ 0xba75fcb8
\Driver\atapi -> atapi.sys @ 0xba5c0852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: 802.11g MiniPCI Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba45cbd4
PacketIndicateHandler -> NDIS.sys @ 0xba468a21
SendHandler -> NDIS.sys @ 0xba45cd44
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2634387147-1957605736-1916086949-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c8,29,84,9b,e8,1c,11,d0,f9,09,56,a1,09,3c,ce,39,4e,59,fe,f7,e5,2b,ec,
3f,79,c2,82,06,d9,dd,4a,34,be,cf,04,0f,9d,9b,43,18,7a,c0,cd,69,74,14,45,d9,\
"??"=hex:ab,a1,2d,ae,71,47,97,9c,5d,99,9b,e7,bc,07,f6,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1016)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(1076)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2656)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\slserv.exe
c:\windows\system32\UAService7.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\mHotkey.exe
c:\windows\SOUNDMAN.EXE
c:\windows\Bs350u2\StillMnt.exe
c:\windows\system32\gsicon.exe
c:\windows\system32\dslagent.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2010-01-17 20:31:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 20:31
Pre-Run: 10,082,344,960 bytes free
Post-Run: 10,657,013,760 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - B2E26E90101F1F795CB21B28EDF0C8E7
What comes next?
While I'm reviewing Combofix log...
Download HijackThis:
HijackThis - Trend Micro USA
by clicking on Installer under Version 2.0.2
[DO NOT download version 2.0.3 (beta)]
Install, and run it.
Post HijackThis log.
Do NOT attempt to fix anything!
NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::
File::
c:\windows\system32\-jEtVCPJab.exe
c:\program files\Common Files\noleb.pif
c:\program files\Common Files\iwimyq.com
c:\windows\system32\drivers\pns57f9.sys
c:\windows\system32\drivers\opff50c.sys
c:\windows\system32\drivers\kplcaf3.sys
c:\windows\system32\drivers\ianbf43.sys
c:\windows\system32\drivers\hpib857.sys
c:\windows\system32\drivers\dqe051b.sys
c:\windows\system32\drivers\dij959b.sys
c:\windows\system32\drivers\dhf725d.sys
Folder::
Driver::
dhf725d
dij959b
dqe051b
hpib857
ianbf43
kplcaf3
opff50c
pns57f9
Registry::
RegLockDel::
MBR::
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
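The three things the helper is effectively checking in this thread (whether MBAM actually actioned its detection rather than reporting "No action taken", which S1 driver entries in the ComboFix log are orphans of the kind listed under Driver:: above, and what the per-user IE ProxyServer line in the Supplementary Scan points at) as a small log-triage script. This is an added example, not a tool from the thread or from Malwarebytes, ComboFix or HijackThis; the log excerpts are constructed from lines quoted above, and the "machine-generated-looking name" test and the reading of the loopback proxy as a hijack artefact are my heuristics, not anything the helper stated.

```python
"""Triage helpers for the three log checks made in this thread (constructed
example, not a tool from the thread or from Malwarebytes/ComboFix)."""
import re
from typing import Dict, List, Optional

# Constructed excerpts shaped like the logs posted above; the detection,
# service and proxy lines are copied from the thread, the rest is filler.
MBAM_LOG = """\
Files Infected: 1
Files Infected:
C:\\WINDOWS\\system32\\drivers\\nqnnxw.sys (Rootkit.Agent) -> No action taken.
"""

COMBOFIX_LOG = """\
R0 PCTCore;PCTools KDS;c:\\windows\\system32\\drivers\\PCTCore.sys [16/01/2010 17:27 207792]
S1 dhf725d;dhf725d;c:\\windows\\system32\\drivers\\dhf725d.sys --> c:\\windows\\system32\\drivers\\dhf725d.sys [?]
S1 pns57f9;pns57f9;c:\\windows\\system32\\drivers\\pns57f9.sys --> c:\\windows\\system32\\drivers\\pns57f9.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\\program files\\Spyware Doctor\\pctsAuxs.exe [16/01/2010 17:27 359624]
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

# "<path> (<family>) -> <action>."  as printed in the MBAM "Files Infected" section
MBAM_DETECTION = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")
# "<start type> <service>;<display name>;<image path ...>" from Drivers/Services
SERVICE_LINE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]+);(?P<rest>.+)$")
# per-user IE proxy line from the ComboFix Supplementary Scan
PROXY_LINE = re.compile(r"^u?Internet Settings,ProxyServer = (?P<proxy>.+)$")


def parse_mbam_detections(log: str) -> List[Dict[str, str]]:
    """Each MBAM detection line as {path, family, action}."""
    found = []
    for line in log.splitlines():
        m = MBAM_DETECTION.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found


def unactioned_detections(log: str) -> List[str]:
    """Paths MBAM reported but did not act on: the helper's 'No action taken' check."""
    return [d["path"] for d in parse_mbam_detections(log)
            if d["action"].lower().startswith("no action")]


def suspicious_drivers(log: str) -> List[str]:
    """Service entries that (a) have no real display name (it just repeats the
    service name), (b) point at a driver file ComboFix could not find ([?]) and
    (c) carry a short machine-generated-looking name. Heuristic, not a signature:
    (a)+(b)+(c) together match the eight S1 entries in the thread's log."""
    flagged = []
    for line in log.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        name, display, rest = m.group("name"), m.group("display"), m.group("rest")
        looks_generated = bool(re.fullmatch(r"[a-z0-9]{6,8}", name)) and any(c.isdigit() for c in name)
        if display == name and rest.endswith("[?]") and looks_generated:
            flagged.append(name)
    return flagged


def loopback_proxy(log: str) -> Optional[str]:
    """The per-user IE proxy if it points at the machine itself. Inference, not
    stated in the thread: a loopback proxy with no local proxy software installed
    is a common browser-hijack artefact and fits the search-redirect symptom."""
    for line in log.splitlines():
        m = PROXY_LINE.match(line.strip())
        if m and re.search(r"(127\.0\.0\.1|localhost)", m.group("proxy")):
            return m.group("proxy")
    return None


def triage(mbam_log: str, combofix_log: str) -> Dict[str, object]:
    """Summarise the three checks; an empty list or None means that check passed."""
    return {
        "mbam_not_removed": unactioned_detections(mbam_log),
        "orphan_drivers": suspicious_drivers(combofix_log),
        "loopback_proxy": loopback_proxy(combofix_log),
    }


if __name__ == "__main__":
    for check, result in triage(MBAM_LOG, COMBOFIX_LOG).items():
        print(f"{check}: {result or 'clean'}")
```

Run it against a full ComboFix.txt and mbam-log file by reading them into the two arguments of triage(); on the constructed excerpts it flags the one unremoved MBAM detection, the two orphan S1 drivers and the 127.0.0.1:5555 proxy.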
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:03:06, on 17/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\Bs350u2\StillMnt.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StillMnt] Bs350u2r.exe /StartStillMnt
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
--
End of file - 9882 bytes
OK, I've done the above and run both ComboFix and HijackThis again. Here are the logs:
ComboFix 10-01-16.04 - Becky 17/01/2010 21:17:49.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1583 [GMT 0:00]
Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Becky\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\program files\Common Files\iwimyq.com"
"c:\program files\Common Files\noleb.pif"
"c:\windows\system32\-jEtVCPJab.exe"
"c:\windows\system32\drivers\dhf725d.sys"
"c:\windows\system32\drivers\dij959b.sys"
"c:\windows\system32\drivers\dqe051b.sys"
"c:\windows\system32\drivers\hpib857.sys"
"c:\windows\system32\drivers\ianbf43.sys"
"c:\windows\system32\drivers\kplcaf3.sys"
"c:\windows\system32\drivers\opff50c.sys"
"c:\windows\system32\drivers\pns57f9.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common Files\iwimyq.com
c:\program files\Common Files\noleb.pif
c:\windows\system32\-jEtVCPJab.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_HPIB857
-------\Service_dhf725d
-------\Service_dij959b
-------\Service_dqe051b
-------\Service_hpib857
-------\Service_ianbf43
-------\Service_kplcaf3
-------\Service_opff50c
-------\Service_pns57f9
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.
2010-01-17 21:02 . 2010-01-17 21:02 -------- d-----w- c:\program files\Trend Micro
2010-01-17 20:17 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-17 20:17 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-17 10:40 . 2010-01-17 10:53 -------- d-----w- C:\$AVG
2010-01-17 10:39 . 2010-01-17 10:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-17 10:39 . 2010-01-17 10:39 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-17 10:39 . 2010-01-17 10:39 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-17 10:39 . 2010-01-17 10:39 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-17 10:39 . 2010-01-17 10:41 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-17 10:39 . 2010-01-17 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-01-17 10:39 . 2010-01-17 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-17 01:46 . 2010-01-17 01:51 -------- d-----w- c:\program files\The Serpent of Isis
2010-01-17 00:29 . 2010-01-17 00:29 -------- d-----w- c:\documents and settings\Becky\Application Data\Playrix Entertainment
2010-01-16 17:35 . 2010-01-16 17:35 -------- d-----w- c:\documents and settings\Becky\Local Settings\Application Data\Threat Expert
2010-01-16 17:30 . 2009-11-10 10:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-16 17:30 . 2009-11-10 10:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-16 17:30 . 2009-11-10 10:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-16 17:30 . 2009-11-10 10:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-16 17:30 . 2009-10-28 01:36 1152444 ----a-w- c:\windows\UDB.zip
2010-01-16 17:30 . 2008-11-26 12:08 131 ----a-w- c:\windows\IDB.zip
2010-01-16 17:27 . 2009-10-30 11:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-16 17:27 . 2009-11-09 11:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-16 17:27 . 2009-10-06 16:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-16 17:27 . 2009-09-03 09:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-16 17:27 . 2010-01-16 17:31 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-16 17:27 . 2010-01-16 17:41 -------- d-----w- c:\program files\Spyware Doctor
2010-01-16 17:27 . 2010-01-16 17:27 -------- d-----w- c:\documents and settings\Becky\Application Data\PC Tools
2010-01-16 17:27 . 2010-01-16 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-12 23:17 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-01 18:40 . 2010-01-01 18:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-12-29 00:59 . 2009-12-29 00:59 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSQLBJAID_APDM
2009-12-29 00:56 . 2009-12-29 00:59 -------- d-sh--w- c:\documents and settings\All Users\Application Data\394514d
2009-12-23 23:20 . 2009-12-23 23:20 -------- d-----w- c:\documents and settings\Becky\Application Data\blg
2009-12-23 23:20 . 2009-12-23 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\blg
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 21:36 . 2008-02-07 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-01-17 21:32 . 2009-05-30 13:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-17 14:44 . 2006-08-01 17:43 6448 ----a-w- c:\documents and settings\Becky\Application Data\wklnhst.dat
2010-01-17 10:39 . 2010-01-17 10:47 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-17 10:39 . 2010-01-17 10:47 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-01-17 10:39 . 2010-01-17 10:47 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2010-01-17 10:39 . 2010-01-17 10:47 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-01-17 10:39 . 2010-01-17 10:47 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-01-17 10:39 . 2010-01-17 10:47 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-01-17 10:39 . 2008-08-17 15:21 -------- d-----w- c:\program files\AVG
2010-01-17 10:26 . 2009-10-08 20:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 10:26 . 2010-01-01 11:39 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-17 01:41 . 2009-05-30 13:45 -------- d-----w- c:\program files\bfgclient
2010-01-17 01:41 . 2010-01-17 01:40 3054384 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
2010-01-17 01:40 . 2009-05-30 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2010-01-09 11:27 . 2008-10-05 10:25 -------- d-----w- c:\program files\DNA
2010-01-07 19:17 . 2009-11-30 20:11 -------- d-----w- c:\program files\iPod
2010-01-07 19:13 . 2008-08-22 22:50 -------- d-----w- c:\documents and settings\Becky\Application Data\Apple Computer
2010-01-07 19:12 . 2009-02-11 21:10 -------- d-----w- c:\program files\Bonjour
2010-01-07 16:07 . 2009-10-08 20:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-10-08 20:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 20:07 . 2010-01-06 20:07 143264 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\serpent-of-isis_s1_l1_gF2816T1L1_d757478336.exe
2010-01-06 20:07 . 2010-01-06 20:07 2997384 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
2010-01-01 10:55 . 2010-01-01 10:55 152576 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-01 10:55 . 2009-11-29 21:32 79488 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-01 10:18 . 2009-06-15 20:07 -------- d-----w- c:\program files\PokerStars.NET
2009-12-25 22:58 . 2009-02-11 21:22 -------- d-----w- c:\program files\iTunes
2009-12-09 22:58 . 2009-12-09 22:57 -------- d-----w- c:\documents and settings\Becky\Application Data\TitanicMystery
2009-12-09 22:57 . 2009-11-15 22:14 -------- d-----w- c:\program files\1912 - Titanic Mystery
2009-11-30 20:49 . 2009-11-30 20:49 34980 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-30 20:11 . 2009-11-30 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-30 20:11 . 2008-08-22 22:48 -------- d-----w- c:\program files\Common Files\Apple
2009-11-30 20:09 . 2009-11-30 20:08 -------- d-----w- c:\program files\QuickTime
2009-11-30 20:02 . 2009-11-30 20:02 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-30 20:00 . 2009-02-11 21:09 -------- d-----w- c:\program files\Safari
2009-11-30 19:57 . 2009-11-30 19:57 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-25 13:01 . 2010-01-17 11:05 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-22 21:30 . 2009-11-22 21:30 -------- d-----w- c:\documents and settings\Becky\Application Data\Big Fish Games
2009-11-21 15:51 . 2004-09-10 01:08 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2004-09-10 08:09 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-09-10 01:09 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-09-10 01:09 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-01-17_20.22.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-17 21:32 . 2010-01-17 21:32 16384 c:\windows\Temp\Perflib_Perfdata_3b4.dat
+ 2010-01-17 21:32 . 2010-01-17 21:32 16384 c:\windows\Temp\Perflib_Perfdata_310.dat
- 2004-09-10 01:56 . 2010-01-17 20:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-09-10 01:56 . 2010-01-17 21:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-09-30 21:09 . 2010-01-17 20:01 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-09-30 21:09 . 2010-01-17 21:14 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2004-09-10 01:56 . 2010-01-17 21:14 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-09-10 01:56 . 2010-01-17 20:01 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-09-10 01:56 . 2010-01-17 20:01 262144 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-09-10 01:56 . 2010-01-17 21:14 262144 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLAGENTEXE"="dslagent.exe USB" [X]
"Ptipbmf"="ptipbmf.dll" [2004-10-07 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-25 7122944]
"nwiz"="nwiz.exe" [2005-10-25 1519616]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"CHotkey"="mHotkey.exe" [2001-12-26 472576]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-25 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-25 688218]
"StillMnt"="Bs350u2r.exe" [2004-10-28 36864]
"SoundMan"="SOUNDMAN.EXE" [2004-11-25 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-25 2747392]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-09-22 1695744]
"GSICONEXE"="gsicon.exe" [2003-05-14 90112]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-07-15 26112]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-17 2033432]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-6-15 1208320]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-17 10:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Anno 1701\\Anno1701.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Firefly Studios\\CivCity Rome\\CivCity Rome.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [16/01/2010 17:27 207792]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [17/01/2010 10:39 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [17/01/2010 10:39 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/01/2010 10:39 285392]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [16/01/2010 17:30 112592]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\slazldrv.sys [25/11/2004 19:57 223112]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [16/01/2010 17:27 359624]
.
Contents of the 'Scheduled Tasks' folder
2010-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -
AddRemove--jEtVCPJab - c:\windows\system32\-jEtVCPJab.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-01-17 21:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x8A8A8618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba96cf28
\Driver\ACPI -> ACPI.sys @ 0xba75fcb8
\Driver\atapi -> atapi.sys @ 0xba6e1852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: 802.11g MiniPCI Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba56bbd4
PacketIndicateHandler -> NDIS.sys @ 0xba577a21
SendHandler -> NDIS.sys @ 0xba56bd44
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2634387147-1957605736-1916086949-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c8,29,84,9b,e8,1c,11,d0,f9,09,56,a1,09,3c,ce,39,4e,59,fe,f7,e5,2b,ec,
3f,79,c2,82,06,d9,dd,4a,34,be,cf,04,0f,9d,9b,43,18,7a,c0,cd,69,74,14,45,d9,\
"??"=hex:ab,a1,2d,ae,71,47,97,9c,5d,99,9b,e7,bc,07,f6,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(1068)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(768)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\slserv.exe
c:\windows\system32\UAService7.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\gsicon.exe
c:\windows\system32\dslagent.exe
c:\windows\Bs350u2\StillMnt.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2010-01-17 21:42:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 21:42
ComboFix2.txt 2010-01-17 20:31
Pre-Run: 10,648,952,832 bytes free
Post-Run: 10,610,450,432 bytes free
- - End Of File - - 35B8C5226F4E16292EC10A1AFAD8DE01
And HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:43:18, on 17/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\Bs350u2\StillMnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StillMnt] Bs350u2r.exe /StartStillMnt
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
--
End of file - 9616 bytes
Thanks for all your help on this.
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Restart computer.
=====================================================
Please download The Avenger by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select Extract All...
- Follow the prompts and extract the avenger folder to your desktop
Double click on avenger.exe.
Click OK in pop-up window.
Avenger window will open.
Click on Execute button.
Click OK in two consecutive pop-up windows.
Your computer will re-boot now.
Upon re-boot, a Notepad window will open.
Select all text, copy it, and paste it into next reply.
NOTE. If the log doesn't open on reboot, open Avenger again, and go File>Open Log File.