Please help... I got infected with something 2 days ago and have not been able to get rid of it. I ran Malwarebytes many times, as well as other spyware removers, cleaners, and AVG scans, but it won't go away. Please help.
I don't know if you need all this, but I ran ComboFix first and then HijackThis, and this is what I got:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:55 PM, on 4/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\w.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PereSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\1335.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sign In
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [fzwkht] RUNDLL32.EXE C:\WINDOWS\system32\msuqddft.dll,w
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1233899197686
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Update Service (gupdate1c9f86c194aaad0) (gupdate1c9f86c194aaad0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: peresvc Service (peresvc) - Neto systems - C:\WINDOWS\system32\PereSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 6448 bytes
ComboFix 10-04-07.04 - jhk 04/08/2010 13:13:00.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.133 [GMT -4:00]
Running from: c:\documents and settings\jhk\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Fonts\mlog
c:\windows\Fonts\services.exe
c:\windows\system32\2881.exe
c:\windows\system32\3536646.exe
c:\windows\system32\4070.exe
c:\windows\system32\5460734.exe
c:\windows\system32\6747706.exe
c:\windows\system32\7690348.exe
c:\windows\system32\BtwSvc.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\ms.bin
c:\windows\system32\msuqddft.dll
c:\windows\system32\opear.exe
c:\windows\system32\PereSvc.exe
c:\windows\system32\PowerDes.exe
c:\windows\system32\so.bin
c:\windows\system32\w.exe
c:\windows\TEMP\mta13187.dll
c:\windows\system32\userinit.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\spoolsv.exe
c:\windows\explorer.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{7A4D7341-B821-4562-9D4D-29298DCBD595}\RP475\A0113058.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{7A4D7341-B821-4562-9D4D-29298DCBD595}\RP475\A0113060.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BTWSVC
-------\Service_BtwSvc
((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
.
2010-04-08 18:08 . 2010-04-08 18:08 168178 ----a-w- c:\windows\system32\5891055.exe
2010-04-08 16:42 . 2010-04-08 16:42 -------- d-----w- c:\program files\Uniblue
2010-04-08 13:06 . 2010-04-09 01:37 36864 ----a-w- c:\windows\system32\d.bin
2010-04-08 02:06 . 2010-04-08 02:06 -------- d-----w- c:\documents and settings\jhk\Local Settings\Application Data\Threat Expert
2010-04-08 01:45 . 2009-10-08 15:31 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-08 01:45 . 2009-10-08 15:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-08 01:45 . 2009-10-02 18:19 1152470 ----a-w- c:\windows\UDB.zip
2010-04-08 01:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-04-08 01:45 . 2009-10-08 15:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-08 01:45 . 2009-10-08 15:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2010-04-08 01:44 . 2009-09-24 12:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-08 01:43 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-08 01:43 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-08 01:43 . 2009-09-03 13:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-08 01:43 . 2010-04-08 13:29 -------- d-----w- c:\program files\Spyware Doctor
2010-04-08 01:43 . 2010-04-08 01:46 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-08 01:43 . 2010-04-08 01:43 -------- d-----w- c:\documents and settings\jhk\Application Data\PC Tools
2010-04-08 01:43 . 2010-04-08 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-07 23:10 . 2010-04-07 23:10 -------- d-----w- c:\program files\Ace Utilities
2010-04-07 20:20 . 2010-04-07 20:20 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-07 20:19 . 2010-04-07 20:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-07 20:07 . 2010-04-08 14:29 -------- d-----w- c:\windows\system32\ZoneLabs
2010-04-07 20:07 . 2010-04-07 20:07 -------- d-----w- c:\program files\Zone Labs
2010-04-07 19:49 . 2010-04-07 19:49 -------- d-----w- c:\program files\Trend Micro
2010-04-06 20:56 . 2010-04-06 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-06 20:13 . 2010-04-06 20:13 -------- d-----w- c:\windows\system32\GroupPolicy
2010-04-06 19:48 . 2010-04-06 20:09 195584 --sha-w- c:\documents and settings\jhk\Local Settings\Application Data\2869154570.dll
2010-04-06 19:47 . 2010-04-06 19:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-06 19:36 . 2008-04-14 00:12 94208 ----a-w- c:\windows\system32\notepad.exe
2010-04-06 19:36 . 2010-04-07 00:05 -------- d-----w- c:\documents and settings\jhk\Application Data\F433A61D15FA8D0CD8EB45F116DD32E6
2010-04-06 04:42 . 2010-04-06 04:42 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-06 04:42 . 2010-04-06 04:42 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-06 04:26 . 2010-04-06 04:26 -------- d--h--w- c:\windows\PIF
2010-03-31 04:13 . 2010-03-31 04:13 -------- d-----w- c:\program files\NOS
2010-03-31 04:13 . 2010-03-22 19:53 32576 ----a-w- c:\documents and settings\jhk\Application Data\Mozilla\Firefox\Profiles\a9jjkxqh.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-31 04:13 . 2010-03-31 04:13 29984 ----a-w- c:\documents and settings\jhk\Application Data\Mozilla\Firefox\Profiles\a9jjkxqh.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg .exe
2010-03-23 17:47 . 2010-03-23 17:47 -------- d-----w- c:\program files\YouTube Downloader
2010-03-16 17:25 . 2010-04-08 14:29 -------- d-----w- c:\windows\Internet Logs
2010-03-16 17:16 . 2010-03-16 17:16 -------- d-----w- c:\program files\iPod
2010-03-14 17:54 . 2010-03-14 17:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 18:07 . 2009-10-07 00:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 15:50 . 2009-11-11 12:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-08 14:32 . 2010-02-01 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-08 13:00 . 2009-02-17 18:10 -------- d-----w- c:\program files\Lavasoft
2010-04-08 13:00 . 2009-02-17 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-08 01:44 . 2009-02-16 18:14 -------- d-----w- c:\documents and settings\jhk\Application Data\uTorrent
2010-04-08 00:11 . 2009-02-06 01:05 13632 ----a-w- c:\windows\system32\drivers\omci.sys
2010-04-07 20:09 . 2009-02-07 21:21 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-07 17:15 . 2009-06-24 23:10 -------- d-----w- c:\program files\CleanUp!
2010-04-07 16:37 . 2009-10-15 12:10 -------- d-----w- c:\program files\iTunes
2010-04-07 00:55 . 2010-02-21 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-04-07 00:55 . 2009-11-18 02:28 -------- d-----w- c:\program files\IObit
2010-04-07 00:05 . 2010-03-01 16:53 -------- d-----w- c:\program files\QuickTime
2010-04-06 20:51 . 2009-02-18 15:32 -------- d-----w- c:\program files\Windows Defender
2010-04-06 15:26 . 2010-02-20 16:11 -------- d-----w- c:\documents and settings\jhk\Application Data\vlc
2010-04-04 19:44 . 2009-02-06 07:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 19:43 . 2009-03-04 22:21 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 04:14 . 2009-02-07 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-30 12:03 . 2009-11-18 02:28 -------- d-----w- c:\documents and settings\jhk\Application Data\IObit
2010-03-30 04:46 . 2009-02-06 07:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-02-06 07:34 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 17:16 . 2009-02-07 23:26 -------- d-----w- c:\program files\Common Files\Apple
2010-03-16 17:13 . 2009-02-07 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-14 17:54 . 2009-02-06 17:37 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 17:54 . 2009-02-06 17:37 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-14 17:52 . 2009-02-06 17:37 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-14 17:45 . 2010-02-25 04:23 -------- d-----w- c:\program files\uTorrent
2010-02-25 06:24 . 2001-08-18 12:00 916480 ------w- c:\windows\system32\wininet.dll
2010-02-21 17:25 . 2010-02-21 17:25 -------- d-----w- c:\documents and settings\jhk\Application Data\Uniblue
2010-02-21 17:19 . 2010-02-21 17:19 -------- d-----w- c:\program files\CCleaner
2010-02-18 17:40 . 2010-01-21 22:13 -------- d-----w- c:\program files\Veetle
2010-02-16 20:59 . 2010-02-16 20:59 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-15 22:41 . 2010-02-15 22:41 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-14 16:12 . 2009-10-03 06:03 181120 ------w- c:\windows\system32\MpSigStub.exe
.
------- Sigcheck -------
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Windows Defender\msascui .exe
[-] 2008-04-14 . 8222A9615A4275D538D8072E7D8C901E . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\spoolsv.exe
[-] 2004-08-04 . BAAAEAE9BBAE25DC011291134956BE69 . 82432 . . [5.1.2600.2180] . . c:\windows\system32\spoolsv.exe
[-] 2008-04-14 . CA6B97DD34C26286764A3112D12C77CC . 50688 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 . 399203F8D95E1881BC1EEB01FF96A5AA . 50688 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2008-04-14 . 63CD25BE3F887ECEE7C72384499511E0 . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 984821EDC1B2E005DC022B64AB678E1E . 1058304 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2004-08-04 . 0FB368A2F47E7C4D7463F58207C8973F . 1056768 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 . DAC66926DC11D504AFAB39F50555B579 . 38912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-04-08_15.02.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-08 16:10 . 2010-04-08 16:10 16384 c:\windows\Temp\Perflib_Perfdata_1c0.dat
+ 2010-04-08 18:07 . 2010-04-08 18:07 16384 c:\windows\Temp\Perflib_Perfdata_1b4.dat
+ 2009-02-06 00:32 . 2010-04-08 18:07 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-06 00:32 . 2010-04-08 15:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-06 00:32 . 2010-04-08 15:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-06 00:32 . 2010-04-08 18:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-06 00:32 . 2010-04-08 15:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-06 00:32 . 2010-04-08 18:07 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2001-08-18 12:00 . 2001-08-18 12:00 61440 c:\windows\system32\1335.exe
+ 2010-04-08 18:09 . 2010-02-25 06:24 1209344 c:\windows\Temp\mpj84007.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fzwkht"="c:\windows\system32\msuqddft.dll" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 17:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 22:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\QTTask.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/7/2010 9:43 PM 207280]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/6/2009 1:37 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/6/2009 1:37 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/14/2010 1:53 PM 308064]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/7/2010 9:45 PM 112592]
R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [8/18/2001 8:00 AM 14336]
R2 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [8/18/2001 8:00 AM 68608]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/6/2009 5:28 PM 49152]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c9f86c194aaad0;Google Update Service (gupdate1c9f86c194aaad0);c:\program files\Google\Update\GoogleUpdate.exe [6/28/2009 11:45 PM 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/7/2010 9:43 PM 358600]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - BTWSVC
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 03:45]
2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 03:45]
2010-04-08 c:\windows\Tasks\User_Feed_Synchronization-{153443CC-C9DB-4BFD-AE89-72FDE58F6763}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hotmail.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\jhk\Application Data\Mozilla\Firefox\Profiles\a9jjkxqh.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.iwon.com/iwon-homepage/home.jhtml
FF - plugin: c:\documents and settings\jhk\Application Data\Mozilla\Firefox\Profiles\a9jjkxqh.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-04-08 14:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\5891055.exe 168178 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x82E0CAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8893f28
\Driver\ACPI -> ACPI.sys @ 0xf87e6cb8
\Driver\atapi -> atapi.sys @ 0xf879e852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf8693bb0
PacketIndicateHandler -> NDIS.sys @ 0xf86a0a21
SendHandler -> NDIS.sys @ 0xf867e87b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\WININET.dll
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(916)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\w.exe
c:\windows\System32\Rundll32.exe
c:\windows\system32\1335.exe
.
**************************************************************************
.
Completion time: 2010-04-08 14:17:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-08 18:17
ComboFix2.txt 2010-04-08 15:11
ComboFix3.txt 2010-04-08 04:16
Pre-Run: 44,398,317,568 bytes free
Post-Run: 44,427,538,432 bytes free
- - End Of File - - 9476F67FCDD85D83669C40DE10E78C26
1. Please open Notepad
- Click Start, then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

File::
c:\windows\system32\5891055.exe
c:\windows\system32\d.bin

Folder::

RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Windows Defender\msascui .exe

FCopy::
c:\windows\$NtServicePackUninstall$\wscntfy.exe | c:\windows\System32\wscntfy.exe

Driver::

Registry::

RegLockDel::

MBR::
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
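Two directives in that script are worth understanding rather than just pasting. RenV:: lists legitimate startup programs that were renamed with a space before the extension (reader_sl .exe, avgtray .exe, and so on); the Run entries still point at the original names, so those programs silently stop launching until ComboFix renames them back. FCopy::, like the Sigcheck section of the log, rests on comparing the live binary in system32 against a known-good copy kept in ServicePackFiles\i386 or $NtServicePackUninstall$: same version and size but a different hash means the file was patched. The Python below is an added illustration of both checks, written for this page; it is neither Broni's instructions nor ComboFix's own code, and the directory layout, file names and file contents it creates are constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# A file renamed with a space before its extension, e.g. "reader_sl .exe".
# This is the condition the RenV:: directive repairs (my test, not ComboFix's code).
SPACE_BEFORE_EXT = re.compile(r"^(?P<stem>.*\S) (?P<ext>\.[A-Za-z0-9]{1,4})$")


def find_space_renamed(root):
    """Return sorted [(found_path, restored_path)] for files named like 'name .exe'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = SPACE_BEFORE_EXT.match(name)
            if m:
                found = Path(dirpath) / name
                restored = Path(dirpath) / (m.group("stem") + m.group("ext"))
                hits.append((str(found), str(restored)))
    return sorted(hits)


def md5_of(path):
    """Upper-case MD5 hex digest, the format the ComboFix Sigcheck section prints."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def sigcheck(system32, reference_dirs):
    """Compare each file in system32 with same-named copies in reference_dirs.

    Returns {filename: {"live": md5, "refs": {refdir: md5}, "mismatch": bool}}.
    A mismatch against a backup copy is the signal that the live file was modified.
    """
    report = {}
    for entry in sorted(Path(system32).iterdir()):
        if not entry.is_file():
            continue
        live = md5_of(entry)
        refs = {}
        for ref in reference_dirs:
            cand = Path(ref) / entry.name
            if cand.is_file():
                refs[str(ref)] = md5_of(cand)
        if refs:
            report[entry.name] = {
                "live": live,
                "refs": refs,
                "mismatch": any(r != live for r in refs.values()),
            }
    return report


def build_sample_tree():
    """Constructed sample layout (hypothetical contents, not taken from the log)."""
    root = Path(tempfile.mkdtemp(prefix="cfcheck_"))
    pf = root / "Program Files"
    (pf / "Adobe" / "Reader 9.0" / "Reader").mkdir(parents=True)
    (pf / "AVG" / "AVG9").mkdir(parents=True)
    (pf / "Adobe" / "Reader 9.0" / "Reader" / "reader_sl .exe").write_bytes(b"MZ-reader")
    (pf / "AVG" / "AVG9" / "avgtray .exe").write_bytes(b"MZ-avgtray")
    (pf / "AVG" / "AVG9" / "avgui.exe").write_bytes(b"MZ-avgui")  # untouched, must not match

    win = root / "windows"
    s32 = win / "system32"
    sp = win / "ServicePackFiles" / "i386"
    un = win / "$NtServicePackUninstall$"
    for d in (s32, sp, un):
        d.mkdir(parents=True)
    (sp / "userinit.exe").write_bytes(b"MZ-userinit-clean")
    (s32 / "userinit.exe").write_bytes(b"MZ-userinit-patch")  # same length, altered bytes
    (un / "wscntfy.exe").write_bytes(b"MZ-wscntfy")
    (s32 / "wscntfy.exe").write_bytes(b"MZ-wscntfy")  # identical to its backup
    return root


def run_checks(root=None):
    """Run both checks over a tree (the constructed sample when root is None)."""
    root = Path(root) if root else build_sample_tree()
    renamed = find_space_renamed(root / "Program Files")
    refs = [root / "windows" / "ServicePackFiles" / "i386",
            root / "windows" / "$NtServicePackUninstall$"]
    return renamed, sigcheck(root / "windows" / "system32", refs)


if __name__ == "__main__":
    renamed, sig = run_checks()
    for found, restored in renamed:
        print("RenV:", found, "->", restored)
    for name, info in sig.items():
        print("Sigcheck:", name, "MISMATCH" if info["mismatch"] else "ok", info["live"])
```

On a real machine you would point run_checks() at the system drive instead of the sample tree; the renamed-file list is what you would put under RenV::, and a mismatching binary with an intact backup is the candidate for FCopy::. The hash comparison only proves the two copies differ, not which one is clean, so a mismatch is a lead to investigate rather than a verdict on its own.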
Broni, it's great to hear from you; thanks so much!
Here is the latest combofix post followed by the hijackthis post:
ComboFix 10-04-07.04 - jhk 04/08/2010 17:24:20.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.270 [GMT -4:00]
Running from: c:\documents and settings\jhk\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jhk\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
FILE ::
"c:\windows\system32\5891055.exe"
"c:\windows\system32\d.bin"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Install.txt
c:\windows\system32\5030023.exe
c:\windows\system32\5891055.exe
c:\windows\system32\9630549.exe
c:\windows\system32\9672.exe
c:\windows\system32\BtwSvc.dll
c:\windows\system32\d.bin
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\ms.bin
c:\windows\system32\msuqddft.dll
c:\windows\system32\opear.exe
c:\windows\system32\PereSvc.exe
c:\windows\system32\PowerDes.exe
c:\windows\system32\so.bin
c:\windows\system32\w.exe
c:\windows\TEMP\mta13187.dll
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{7A4D7341-B821-4562-9D4D-29298DCBD595}\RP475\A0113085.exe
Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\spoolsv.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{7A4D7341-B821-4562-9D4D-29298DCBD595}\RP475\A0113088.exe
.
--------------- FCopy ---------------
c:\windows\$NtServicePackUninstall$\wscntfy.exe --> c:\windows\System32\wscntfy.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BTWSVC
-------\Service_BtwSvc
-------\Legacy_peresvc
-------\Service_peresvc
((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
.
2010-04-08 21:44 . 2010-04-08 21:44 168178 ----a-w- c:\windows\system32\9108851.exe
2010-04-08 21:24 . 2004-08-04 07:56 38912 ----a-w- c:\windows\system32\wscntfy.exe
2010-04-08 16:42 . 2010-04-08 16:42 -------- d-----w- c:\program files\Uniblue
2010-04-08 02:06 . 2010-04-08 02:06 -------- d-----w- c:\documents and settings\jhk\Local Settings\Application Data\Threat Expert
2010-04-08 01:45 . 2009-10-08 15:31 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-08 01:45 . 2009-10-08 15:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-08 01:45 . 2009-10-02 18:19 1152470 ----a-w- c:\windows\UDB.zip
2010-04-08 01:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-04-08 01:45 . 2009-10-08 15:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-08 01:45 . 2009-10-08 15:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2010-04-08 01:44 . 2009-09-24 12:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-08 01:43 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-08 01:43 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-08 01:43 . 2009-09-03 13:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-08 01:43 . 2010-04-08 19:59 -------- d-----w- c:\program files\Spyware Doctor
2010-04-08 01:43 . 2010-04-08 01:46 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-08 01:43 . 2010-04-08 01:43 -------- d-----w- c:\documents and settings\jhk\Application Data\PC Tools
2010-04-08 01:43 . 2010-04-08 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-07 23:10 . 2010-04-07 23:10 -------- d-----w- c:\program files\Ace Utilities
2010-04-07 20:20 . 2010-04-07 20:20 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-07 20:19 . 2010-04-07 20:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-07 20:07 . 2010-04-08 14:29 -------- d-----w- c:\windows\system32\ZoneLabs
2010-04-07 20:07 . 2010-04-07 20:07 -------- d-----w- c:\program files\Zone Labs
2010-04-07 19:49 . 2010-04-07 19:49 -------- d-----w- c:\program files\Trend Micro
2010-04-06 20:56 . 2010-04-06 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-06 20:13 . 2010-04-06 20:13 -------- d-----w- c:\windows\system32\GroupPolicy
2010-04-06 19:48 . 2010-04-06 20:09 195584 --sha-w- c:\documents and settings\jhk\Local Settings\Application Data\2869154570.dll
2010-04-06 19:47 . 2010-04-06 19:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-06 19:36 . 2008-04-14 00:12 94208 ----a-w- c:\windows\system32\notepad.exe
2010-04-06 19:36 . 2010-04-07 00:05 -------- d-----w- c:\documents and settings\jhk\Application Data\F433A61D15FA8D0CD8EB45F116DD32E6
2010-04-06 04:42 . 2010-04-06 04:42 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-06 04:42 . 2010-04-06 04:42 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-06 04:26 . 2010-04-06 04:26 -------- d--h--w- c:\windows\PIF
2010-03-31 04:13 . 2010-03-31 04:13 -------- d-----w- c:\program files\NOS
2010-03-31 04:13 . 2010-03-22 19:53 32576 ----a-w- c:\documents and settings\jhk\Application Data\Mozilla\Firefox\Profiles\a9jjkxqh.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-31 04:13 . 2010-03-31 04:13 29984 ----a-w- c:\documents and settings\jhk\Application Data\Mozilla\Firefox\Profiles\a9jjkxqh.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-03-23 17:47 . 2010-03-23 17:47 -------- d-----w- c:\program files\YouTube Downloader
2010-03-16 17:25 . 2010-04-08 14:29 -------- d-----w- c:\windows\Internet Logs
2010-03-16 17:16 . 2010-03-16 17:16 -------- d-----w- c:\program files\iPod
2010-03-14 17:54 . 2010-03-14 17:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 21:43 . 2009-10-07 00:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 21:23 . 2010-03-01 16:53 -------- d-----w- c:\program files\QuickTime
2010-04-08 21:23 . 2009-02-18 15:32 -------- d-----w- c:\program files\Windows Defender
2010-04-08 21:23 . 2009-10-15 12:10 -------- d-----w- c:\program files\iTunes
2010-04-08 20:43 . 2010-02-20 16:11 -------- d-----w- c:\documents and settings\jhk\Application Data\vlc
2010-04-08 15:50 . 2009-11-11 12:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-08 14:32 . 2010-02-01 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-08 13:00 . 2009-02-17 18:10 -------- d-----w- c:\program files\Lavasoft
2010-04-08 13:00 . 2009-02-17 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-08 01:44 . 2009-02-16 18:14 -------- d-----w- c:\documents and settings\jhk\Application Data\uTorrent
2010-04-08 00:11 . 2009-02-06 01:05 13632 ----a-w- c:\windows\system32\drivers\omci.sys
2010-04-07 20:09 . 2009-02-07 21:21 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-07 17:15 . 2009-06-24 23:10 -------- d-----w- c:\program files\CleanUp!
2010-04-07 00:55 . 2010-02-21 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-04-07 00:55 . 2009-11-18 02:28 -------- d-----w- c:\program files\IObit
2010-04-04 19:44 . 2009-02-06 07:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 19:43 . 2009-03-04 22:21 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 04:14 . 2009-02-07 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-30 12:03 . 2009-11-18 02:28 -------- d-----w- c:\documents and settings\jhk\Application Data\IObit
2010-03-30 04:46 . 2009-02-06 07:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-02-06 07:34 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 17:16 . 2009-02-07 23:26 -------- d-----w- c:\program files\Common Files\Apple
2010-03-16 17:13 . 2009-02-07 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-14 17:54 . 2009-02-06 17:37 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 17:54 . 2009-02-06 17:37 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-14 17:52 . 2009-02-06 17:37 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-14 17:45 . 2010-02-25 04:23 -------- d-----w- c:\program files\uTorrent
2010-02-25 06:24 . 2001-08-18 12:00 916480 ------w- c:\windows\system32\wininet.dll
2010-02-21 17:25 . 2010-02-21 17:25 -------- d-----w- c:\documents and settings\jhk\Application Data\Uniblue
2010-02-21 17:19 . 2010-02-21 17:19 -------- d-----w- c:\program files\CCleaner
2010-02-18 17:40 . 2010-01-21 22:13 -------- d-----w- c:\program files\Veetle
2010-02-16 20:59 . 2010-02-16 20:59 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-15 22:41 . 2010-02-15 22:41 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-14 16:12 . 2009-10-03 06:03 181120 ------w- c:\windows\system32\MpSigStub.exe
.
------- Sigcheck -------
[-] 2008-04-14 . CA6B97DD34C26286764A3112D12C77CC . 50688 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 . 1A31C52EDC1262A43FBA0ACD4BB7F135 . 50688 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2008-04-14 . 794DEB7E75187A732E3756AF071A8452 . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 984821EDC1B2E005DC022B64AB678E1E . 1058304 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2004-08-04 . 0FB368A2F47E7C4D7463F58207C8973F . 1056768 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 . DAC66926DC11D504AFAB39F50555B579 . 38912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe
[-] 2004-08-04 . DAC66926DC11D504AFAB39F50555B579 . 38912 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-04-08_15.02.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-08 21:44 . 2010-04-08 21:44 16384 c:\windows\temp\Perflib_Perfdata_534.dat
- 2009-02-06 00:32 . 2010-04-08 15:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-06 00:32 . 2010-04-08 21:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-06 00:32 . 2010-04-08 21:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-06 00:32 . 2010-04-08 15:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-06 00:32 . 2010-04-08 21:43 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-06 00:32 . 2010-04-08 15:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2001-08-18 12:00 . 2001-08-18 12:00 61440 c:\windows\system32\3423.exe
+ 2010-04-08 21:45 . 2010-02-25 06:24 1209344 c:\windows\temp\mpj74614.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 17:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 22:07 141608 ----a-w- c:\program files\iTunes\ituneshelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 03:08 442368 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-07 21:04 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/7/2010 9:43 PM 207280]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/6/2009 1:37 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/6/2009 1:37 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/14/2010 1:53 PM 308064]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/7/2010 9:45 PM 112592]
R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [8/18/2001 8:00 AM 14336]
R2 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [8/18/2001 8:00 AM 68608]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/6/2009 5:28 PM 49152]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c9f86c194aaad0;Google Update Service (gupdate1c9f86c194aaad0);c:\program files\Google\Update\GoogleUpdate.exe [6/28/2009 11:45 PM 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/7/2010 9:43 PM 358600]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - BTWSVC
*NewlyCreated* - PERESVC
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 03:45]
2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 03:45]
2010-04-08 c:\windows\Tasks\User_Feed_Synchronization-{153443CC-C9DB-4BFD-AE89-72FDE58F6763}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hotmail.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\jhk\Application Data\Mozilla\Firefox\Profiles\a9jjkxqh.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.iwon.com/iwon-homepage/home.jhtml
FF - plugin: c:\documents and settings\jhk\Application Data\Mozilla\Firefox\Profiles\a9jjkxqh.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-fzwkht - c:\windows\system32\msuqddft.dll
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-04-08 17:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\Install.txt 265 bytes
scan completed successfully
hidden files: 1
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x82DF3AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8893f28
\Driver\ACPI -> ACPI.sys @ 0xf87e6cb8
\Driver\atapi -> atapi.sys @ 0xf879e852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf8693bb0
PacketIndicateHandler -> NDIS.sys @ 0xf86a0a21
SendHandler -> NDIS.sys @ 0xf867e87b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\WININET.dll
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(620)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\w.exe
c:\windows\System32\Rundll32.exe
.
**************************************************************************
.
Completion time: 2010-04-08 17:53:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-08 21:53
ComboFix2.txt 2010-04-08 18:17
ComboFix3.txt 2010-04-08 15:11
ComboFix4.txt 2010-04-08 04:16
Pre-Run: 44,427,595,776 bytes free
Post-Run: 44,448,735,232 bytes free
- - End Of File - - A76C5CF829A01AE883517534EF6A3AD7
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:38 PM, on 4/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\w.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PereSvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\3423.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sign In
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1233899197686
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Update Service (gupdate1c9f86c194aaad0) (gupdate1c9f86c194aaad0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 6350 bytes
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks) and press OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.
=============================================================
Please download Profiles by noahdfear.
* Save it to your desktop.
* Double-click profiles.exe and post its log when you reply.
My browsers (Firefox, IE, and Chrome) are not letting me get to the website to download TDSSKiller. Is there a way around this?
File attached
Thanks, this is what I got:
14:17:51:312 4028 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
14:17:51:312 4028 ================================================================================
14:17:51:312 4028 SystemInfo:
14:17:51:312 4028 OS Version: 5.1.2600 ServicePack: 3.0
14:17:51:312 4028 Product type: Workstation
14:17:51:312 4028 ComputerName: JOHN
14:17:51:312 4028 UserName: jhk
14:17:51:312 4028 Windows directory: C:\WINDOWS
14:17:51:312 4028 Processor architecture: Intel x86
14:17:51:312 4028 Number of processors: 1
14:17:51:312 4028 Page size: 0x1000
14:17:51:375 4028 Boot type: Normal boot
14:17:51:375 4028 ================================================================================
14:17:51:468 4028 UnloadDriverW: NtUnloadDriver error 2
14:17:51:468 4028 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:17:54:812 4028 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:17:54:968 4028 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:17:54:968 4028 wfopen_ex: Trying to KLMD file open
14:17:55:000 4028 wfopen_ex: File opened ok (Flags 2)
14:17:55:000 4028 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:17:55:093 4028 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:17:55:093 4028 wfopen_ex: Trying to KLMD file open
14:17:55:093 4028 wfopen_ex: File opened ok (Flags 2)
14:17:55:093 4028 Initialize success
14:17:55:093 4028
14:17:55:093 4028 Scanning Services ...
14:17:55:546 4028 Raw services enum returned 317 services
14:17:55:578 4028
14:17:55:578 4028 Scanning Kernel memory ...
14:17:55:578 4028 Devices to scan: 3
14:17:55:578 4028
14:17:55:578 4028 Driver Name: Disk
14:17:55:578 4028 IRP_MJ_CREATE : F8876BB0
14:17:55:578 4028 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
14:17:55:578 4028 IRP_MJ_CLOSE : F8876BB0
14:17:55:578 4028 IRP_MJ_READ : F8870D1F
14:17:55:578 4028 IRP_MJ_WRITE : F8870D1F
14:17:55:578 4028 IRP_MJ_QUERY_INFORMATION : 804FA88E
14:17:55:578 4028 IRP_MJ_SET_INFORMATION : 804FA88E
14:17:55:578 4028 IRP_MJ_QUERY_EA : 804FA88E
14:17:55:578 4028 IRP_MJ_SET_EA : 804FA88E
14:17:55:578 4028 IRP_MJ_FLUSH_BUFFERS : F88712E2
14:17:55:578 4028 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
14:17:55:578 4028 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
14:17:55:578 4028 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
14:17:55:578 4028 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
14:17:55:578 4028 IRP_MJ_DEVICE_CONTROL : F88713BB
14:17:55:578 4028 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8874F28
14:17:55:578 4028 IRP_MJ_SHUTDOWN : F88712E2
14:17:55:578 4028 IRP_MJ_LOCK_CONTROL : 804FA88E
14:17:55:578 4028 IRP_MJ_CLEANUP : 804FA88E
14:17:55:578 4028 IRP_MJ_CREATE_MAILSLOT : 804FA88E
14:17:55:578 4028 IRP_MJ_QUERY_SECURITY : 804FA88E
14:17:55:609 4028 IRP_MJ_SET_SECURITY : 804FA88E
14:17:55:609 4028 IRP_MJ_POWER : F8872C82
14:17:55:609 4028 IRP_MJ_SYSTEM_CONTROL : F887799E
14:17:55:609 4028 IRP_MJ_DEVICE_CHANGE : 804FA88E
14:17:55:609 4028 IRP_MJ_QUERY_QUOTA : 804FA88E
14:17:55:609 4028 IRP_MJ_SET_QUOTA : 804FA88E
14:17:55:812 4028 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:17:55:812 4028
14:17:55:812 4028 Driver Name: atapi
14:17:55:812 4028 IRP_MJ_CREATE : F87836F2
14:17:55:812 4028 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
14:17:55:812 4028 IRP_MJ_CLOSE : F87836F2
14:17:55:812 4028 IRP_MJ_READ : 804FA88E
14:17:55:812 4028 IRP_MJ_WRITE : 804FA88E
14:17:55:812 4028 IRP_MJ_QUERY_INFORMATION : 804FA88E
14:17:55:812 4028 IRP_MJ_SET_INFORMATION : 804FA88E
14:17:55:812 4028 IRP_MJ_QUERY_EA : 804FA88E
14:17:55:812 4028 IRP_MJ_SET_EA : 804FA88E
14:17:55:812 4028 IRP_MJ_FLUSH_BUFFERS : 804FA88E
14:17:55:812 4028 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
14:17:55:812 4028 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
14:17:55:812 4028 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
14:17:55:812 4028 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
14:17:55:812 4028 IRP_MJ_DEVICE_CONTROL : F8783712
14:17:55:812 4028 IRP_MJ_INTERNAL_DEVICE_CONTROL : F877F852
14:17:55:812 4028 IRP_MJ_SHUTDOWN : 804FA88E
14:17:55:812 4028 IRP_MJ_LOCK_CONTROL : 804FA88E
14:17:55:812 4028 IRP_MJ_CLEANUP : 804FA88E
14:17:55:812 4028 IRP_MJ_CREATE_MAILSLOT : 804FA88E
14:17:55:812 4028 IRP_MJ_QUERY_SECURITY : 804FA88E
14:17:55:812 4028 IRP_MJ_SET_SECURITY : 804FA88E
14:17:55:828 4028 IRP_MJ_POWER : F878373C
14:17:55:828 4028 IRP_MJ_SYSTEM_CONTROL : F878A336
14:17:55:828 4028 IRP_MJ_DEVICE_CHANGE : 804FA88E
14:17:55:828 4028 IRP_MJ_QUERY_QUOTA : 804FA88E
14:17:55:828 4028 IRP_MJ_SET_QUOTA : 804FA88E
14:17:55:937 4028 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
14:17:55:937 4028
14:17:55:937 4028 Driver Name: atapi
14:17:55:937 4028 IRP_MJ_CREATE : 82D7AAC8
14:17:55:937 4028 IRP_MJ_CREATE_NAMED_PIPE : 82D7AAC8
14:17:55:937 4028 IRP_MJ_CLOSE : 82D7AAC8
14:17:55:937 4028 IRP_MJ_READ : 82D7AAC8
14:17:55:937 4028 IRP_MJ_WRITE : 82D7AAC8
14:17:55:937 4028 IRP_MJ_QUERY_INFORMATION : 82D7AAC8
14:17:55:937 4028 IRP_MJ_SET_INFORMATION : 82D7AAC8
14:17:55:937 4028 IRP_MJ_QUERY_EA : 82D7AAC8
14:17:55:937 4028 IRP_MJ_SET_EA : 82D7AAC8
14:17:55:937 4028 IRP_MJ_FLUSH_BUFFERS : 82D7AAC8
14:17:55:937 4028 IRP_MJ_QUERY_VOLUME_INFORMATION : 82D7AAC8
14:17:55:937 4028 IRP_MJ_SET_VOLUME_INFORMATION : 82D7AAC8
14:17:55:937 4028 IRP_MJ_DIRECTORY_CONTROL : 82D7AAC8
14:17:55:937 4028 IRP_MJ_FILE_SYSTEM_CONTROL : 82D7AAC8
14:17:55:937 4028 IRP_MJ_DEVICE_CONTROL : 82D7AAC8
14:17:55:937 4028 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82D7AAC8
14:17:55:937 4028 IRP_MJ_SHUTDOWN : 82D7AAC8
14:17:55:937 4028 IRP_MJ_LOCK_CONTROL : 82D7AAC8
14:17:55:937 4028 IRP_MJ_CLEANUP : 82D7AAC8
14:17:55:937 4028 IRP_MJ_CREATE_MAILSLOT : 82D7AAC8
14:17:55:937 4028 IRP_MJ_QUERY_SECURITY : 82D7AAC8
14:17:55:937 4028 IRP_MJ_SET_SECURITY : 82D7AAC8
14:17:55:937 4028 IRP_MJ_POWER : 82D7AAC8
14:17:55:937 4028 IRP_MJ_SYSTEM_CONTROL : 82D7AAC8
14:17:55:937 4028 IRP_MJ_DEVICE_CHANGE : 82D7AAC8
14:17:55:968 4028 IRP_MJ_QUERY_QUOTA : 82D7AAC8
14:17:55:968 4028 IRP_MJ_SET_QUOTA : 82D7AAC8
14:17:55:968 4028 Driver "atapi" infected by TDSS rootkit!
14:17093 4028 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
14:17093 4028 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
14:17093 4028 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
14:17093 4028 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\File Repository\*) error 3
14:17562 4028 vfvi6
14:17:57:031 4028 !dsvbh1
14:19:52:203 4028 dsvbh2
14:19:52:296 4028 fdfb2
14:19:52:296 4028 Backup copy found, using it..
14:19:52:484 4028 will be cured on next reboot
14:19:52:484 4028 Reboot required for cure complete..
14:19:52:500 4028 Cure on reboot scheduled successfully
14:19:52:500 4028
14:19:52:500 4028 Completed
14:19:52:500 4028
14:19:52:500 4028 Results:
14:19:52:531 4028 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
14:19:52:531 4028 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:19:52:531 4028 File objects infected / cured / cured on reboot: 1 / 0 / 1
14:19:52:531 4028
14:19:52:562 4028 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:19:52:562 4028 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:19:52:562 4028 UnloadDriverW: NtUnloadDriver error 1
14:19:52:562 4028 KLMD(ARK) unloaded successfully
Sorry, I missed the part about Profiles before.
Here is that log:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-73586283-725345543-682003330-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\jhk
SystemRoot REG_SZ C:\WINDOWS
Very good
Delete your ComboFix file, download a fresh one, run it and post a fresh log.
Great to hear from you! Here are the latest logs:
ComboFix 10-04-08.06 - jhk 04/09/2010 20:54:59.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.265 [GMT -4:00]
Running from: c:\documents and settings\jhk\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
The following files were disabled during the run:
c:\windows\system32\config\systemprofile\Local Settings\Application Data\Windows Server\vfllgi.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\jhk\Local Settings\Application Data\Windows Server
c:\documents and settings\jhk\Local Settings\Application Data\Windows Server\vfllgi.dll
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\vfllgi.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\vfllgi.dll
c:\program files\Protection System
c:\windows\sc.exe
c:\windows\SC.INS
c:\windows\system32\4642908.exe
c:\windows\system32\6412012.exe
c:\windows\system32\6939356.exe
c:\windows\system32\8307.exe
c:\windows\system32\9108851.exe
c:\windows\system32\BtwSvc.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\ms.bin
c:\windows\system32\msepdlkp.dll
c:\windows\system32\msuqddft.dll
c:\windows\system32\opear.exe
c:\windows\system32\PereSvc.exe
c:\windows\system32\PowerDes.exe
c:\windows\system32\so.bin
c:\windows\system32\w.exe
c:\windows\TEMP\mta13187.dll
c:\windows\system32\userinit.exe . . . is infected!!
Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\spoolsv.exe
c:\windows\explorer.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BTWSVC
-------\Service_BtwSvc
((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.
2010-04-10 01:18 . 2010-04-10 01:19 -------- d-----w- c:\documents and settings\jhk\Local Settings\Application Data\Windows Server
2010-04-10 01:18 . 2010-04-10 01:18 169563 ----a-w- c:\windows\system32\6311609.exe
2010-04-10 01:18 . 2010-04-10 01:18 -------- d-----w- c:\program files\Protection System
2010-04-10 01:17 . 2010-04-10 01:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
2010-04-10 01:13 . 2010-04-10 01:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
2010-04-09 00:55 . 2010-04-10 02:08 36864 ----a-w- c:\windows\system32\d.bin
2010-04-08 21:24 . 2004-08-04 07:56 38912 ----a-w- c:\windows\system32\wscntfy.exe
2010-04-08 16:42 . 2010-04-08 16:42 -------- d-----w- c:\program files\Uniblue
2010-04-08 02:06 . 2010-04-08 02:06 -------- d-----w- c:\documents and settings\jhk\Local Settings\Application Data\Threat Expert
2010-04-08 01:45 . 2009-10-08 15:31 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-08 01:45 . 2009-10-08 15:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-08 01:45 . 2009-10-02 18:19 1152470 ----a-w- c:\windows\UDB.zip
2010-04-08 01:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-04-08 01:45 . 2009-10-08 15:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-08 01:45 . 2009-10-08 15:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2010-04-08 01:44 . 2009-09-24 12:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-08 01:43 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-08 01:43 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-08 01:43 . 2009-09-03 13:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-08 01:43 . 2010-04-09 22:44 -------- d-----w- c:\program files\Spyware Doctor
2010-04-08 01:43 . 2010-04-08 01:46 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-08 01:43 . 2010-04-08 01:43 -------- d-----w- c:\documents and settings\jhk\Application Data\PC Tools
2010-04-08 01:43 . 2010-04-08 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-07 23:10 . 2010-04-07 23:10 -------- d-----w- c:\program files\Ace Utilities
2010-04-07 20:20 . 2010-04-07 20:20 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-07 20:19 . 2010-04-07 20:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-07 20:07 . 2010-04-08 14:29 -------- d-----w- c:\windows\system32\ZoneLabs
2010-04-07 20:07 . 2010-04-07 20:07 -------- d-----w- c:\program files\Zone Labs
2010-04-07 19:49 . 2010-04-07 19:49 -------- d-----w- c:\program files\Trend Micro
2010-04-06 20:56 . 2010-04-06 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-06 20:13 . 2010-04-06 20:13 -------- d-----w- c:\windows\system32\GroupPolicy
2010-04-06 19:48 . 2010-04-06 20:09 195584 --sha-w- c:\documents and settings\jhk\Local Settings\Application Data\2869154570.dll
2010-04-06 19:47 . 2010-04-06 19:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-06 19:36 . 2008-04-14 00:12 94208 ----a-w- c:\windows\system32\notepad.exe
2010-04-06 19:36 . 2010-04-07 00:05 -------- d-----w- c:\documents and settings\jhk\Application Data\F433A61D15FA8D0CD8EB45F116DD32E6
2010-04-06 04:42 . 2010-04-06 04:42 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-06 04:42 . 2010-04-06 04:42 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-06 04:26 . 2010-04-06 04:26 -------- d--h--w- c:\windows\PIF
2010-03-31 04:13 . 2010-03-31 04:13 -------- d-----w- c:\program files\NOS
2010-03-31 04:13 . 2010-03-22 19:53 32576 ----a-w- c:\documents and settings\jhk\Application Data\Mozilla\Firefox\Profiles\a9jjkxqh.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-31 04:13 . 2010-03-31 04:13 29984 ----a-w- c:\documents and settings\jhk\Application Data\Mozilla\Firefox\Profiles\a9jjkxqh.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-03-23 17:47 . 2010-03-23 17:47 -------- d-----w- c:\program files\YouTube Downloader
2010-03-16 17:25 . 2010-04-08 14:29 -------- d-----w- c:\windows\Internet Logs
2010-03-16 17:16 . 2010-03-16 17:16 -------- d-----w- c:\program files\iPod
2010-03-14 17:54 . 2010-03-14 17:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 01:17 . 2009-10-07 00:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-09 23:28 . 2009-11-11 12:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-09 18:24 . 2009-02-06 02:09 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-08 21:23 . 2010-03-01 16:53 -------- d-----w- c:\program files\QuickTime
2010-04-08 21:23 . 2009-02-18 15:32 -------- d-----w- c:\program files\Windows Defender
2010-04-08 21:23 . 2009-10-15 12:10 -------- d-----w- c:\program files\iTunes
2010-04-08 20:43 . 2010-02-20 16:11 -------- d-----w- c:\documents and settings\jhk\Application Data\vlc
2010-04-08 14:32 . 2010-02-01 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-08 13:00 . 2009-02-17 18:10 -------- d-----w- c:\program files\Lavasoft
2010-04-08 13:00 . 2009-02-17 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-08 01:44 . 2009-02-16 18:14 -------- d-----w- c:\documents and settings\jhk\Application Data\uTorrent
2010-04-08 00:11 . 2009-02-06 01:05 13632 ----a-w- c:\windows\system32\drivers\omci.sys
2010-04-07 20:09 . 2009-02-07 21:21 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-07 17:15 . 2009-06-24 23:10 -------- d-----w- c:\program files\CleanUp!
2010-04-07 00:55 . 2010-02-21 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-04-07 00:55 . 2009-11-18 02:28 -------- d-----w- c:\program files\IObit
2010-04-04 19:44 . 2009-02-06 07:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 19:43 . 2009-03-04 22:21 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 04:14 . 2009-02-07 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-30 12:03 . 2009-11-18 02:28 -------- d-----w- c:\documents and settings\jhk\Application Data\IObit
2010-03-30 04:46 . 2009-02-06 07:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-02-06 07:34 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 17:16 . 2009-02-07 23:26 -------- d-----w- c:\program files\Common Files\Apple
2010-03-16 17:13 . 2009-02-07 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-14 17:54 . 2009-02-06 17:37 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 17:54 . 2009-02-06 17:37 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-14 17:52 . 2009-02-06 17:37 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-14 17:45 . 2010-02-25 04:23 -------- d-----w- c:\program files\uTorrent
2010-02-25 06:24 . 2001-08-18 12:00 916480 ------w- c:\windows\system32\wininet.dll
2010-02-21 17:25 . 2010-02-21 17:25 -------- d-----w- c:\documents and settings\jhk\Application Data\Uniblue
2010-02-21 17:19 . 2010-02-21 17:19 -------- d-----w- c:\program files\CCleaner
2010-02-18 17:40 . 2010-01-21 22:13 -------- d-----w- c:\program files\Veetle
2010-02-16 20:59 . 2010-02-16 20:59 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-15 22:41 . 2010-02-15 22:41 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-14 16:12 . 2009-10-03 06:03 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-10 00:54 . 2010-01-10 00:54 11 --sha-r- c:\windows\system32\GroupPolicy\User\Scripts\Logon\autorun.bat
.
------- Sigcheck -------
[-] 2008-04-14 . 8222A9615A4275D538D8072E7D8C901E . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\spoolsv.exe
[-] 2004-08-04 . 03045A72C932AA66823544CC258BD134 . 82432 . . [5.1.2600.2180] . . c:\windows\system32\spoolsv.exe
[-] 2008-04-14 . CA6B97DD34C26286764A3112D12C77CC . 50688 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 . 1A31C52EDC1262A43FBA0ACD4BB7F135 . 50688 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2008-04-14 . 794DEB7E75187A732E3756AF071A8452 . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 984821EDC1B2E005DC022B64AB678E1E . 1058304 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2004-08-04 . 0FB368A2F47E7C4D7463F58207C8973F . 1056768 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 . DAC66926DC11D504AFAB39F50555B579 . 38912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe
[-] 2004-08-04 . DAC66926DC11D504AFAB39F50555B579 . 38912 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-04-08_15.02.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-10 01:17 . 2010-04-10 01:17 16384 c:\windows\temp\Perflib_Perfdata_1c0.dat
- 2009-02-06 00:32 . 2010-04-08 15:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-06 00:32 . 2010-04-10 01:17 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-06 00:32 . 2010-04-08 15:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-06 00:32 . 2010-04-10 01:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-06 20:56 . 2010-04-10 01:17 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2010-04-06 20:56 . 2010-04-07 22:43 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-02-06 00:32 . 2010-04-10 01:17 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-06 00:32 . 2010-04-08 15:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2001-08-18 12:00 . 2001-08-18 12:00 61440 c:\windows\system32\8416.exe
+ 2010-04-10 01:19 . 2010-02-25 06:24 1209344 c:\windows\temp\mpj27826.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"fzwkht"="c:\windows\system32\msuqddft.dll" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 17:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 22:07 141608 ----a-w- c:\program files\iTunes\ituneshelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 03:08 442368 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-07 21:04 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\windows\system32\config\systemprofile\Local Settings\Application Data\Windows Server\vfllgi.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\TEMP\\VRT3.tmp"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/7/2010 9:43 PM 207280]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/6/2009 1:37 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/6/2009 1:37 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/14/2010 1:53 PM 308064]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/7/2010 9:45 PM 112592]
R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [8/18/2001 8:00 AM 14336]
R2 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [8/18/2001 8:00 AM 70144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/6/2009 5:28 PM 49152]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c9f86c194aaad0;Google Update Service (gupdate1c9f86c194aaad0);c:\program files\Google\Update\GoogleUpdate.exe [6/28/2009 11:45 PM 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/7/2010 9:43 PM 358600]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - BTWSVC
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 03:45]
2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 03:45]
2010-04-09 c:\windows\Tasks\User_Feed_Synchronization-{153443CC-C9DB-4BFD-AE89-72FDE58F6763}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hotmail.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\jhk\Application Data\Mozilla\Firefox\Profiles\a9jjkxqh.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.iwon.com/iwon-homepage/home.jhtml
FF - plugin: c:\documents and settings\jhk\Application Data\Mozilla\Firefox\Profiles\a9jjkxqh.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-aholbs - c:\windows\system32\msepdlkp.dll
SafeBoot-klmdb.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-04-09 21:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\Install.txt 266 bytes
c:\windows\system32\ms.bin 35840 bytes executable
c:\windows\system32\6311609.exe 169563 bytes executable
c:\windows\system32\8416.exe 61440 bytes executable
scan completed successfully
hidden files: 4
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x82D75AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8893f28
\Driver\ACPI -> ACPI.sys @ 0xf87e6cb8
\Driver\atapi -> atapi.sys @ 0xf879e852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf8693bb0
PacketIndicateHandler -> NDIS.sys @ 0xf86a0a21
SendHandler -> NDIS.sys @ 0xf867e87b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\WININET.dll
c:\windows\system32\config\systemprofile\Local Settings\Application Data\Windows Server\vfllgi.dll
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2220)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\w.exe
c:\windows\System32\Rundll32.exe
c:\windows\system32\8416.exe
.
**************************************************************************
.
Completion time: 2010-04-09 21:27:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-10 01:27
ComboFix2.txt 2010-04-08 21:53
ComboFix3.txt 2010-04-08 18:17
ComboFix4.txt 2010-04-08 15:11
ComboFix5.txt 2010-04-10 00:50
Pre-Run: 45,234,626,560 bytes free
Post-Run: 45,208,256,512 bytes free
- - End Of File - - 49CC103E4B6F3CF1307CD6A61612E28F
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:33 PM, on 4/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\w.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PereSvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\8416.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sign In
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [fzwkht] RUNDLL32.EXE C:\WINDOWS\system32\msuqddft.dll,w
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1233899197686
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Update Service (gupdate1c9f86c194aaad0) (gupdate1c9f86c194aaad0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: peresvc Service (peresvc) - Neto systems - C:\WINDOWS\system32\PereSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 6491 bytes