[Not curable - Sality] Can't open Antivirus/Antispyware etc. websites.

  1. #1
    asprin (Newbie)

    [Not curable - Sality] Can't open Antivirus/Antispyware etc. websites.

    I've been experiencing this weird problem for the past couple of days.

    1. I can't open any websites which will allow me to disinfect my computer (including online scan websites). Also, of note, I can't open the Microsoft website either. All other websites work fine.

    2. I got Avast and Avira downloaded from a separate computer and then transferred the setup files onto my computer. The irritating thing is that I can't install them. Whenever I try to run them, they start their install process and then automatically shut down after 5-6 seconds. After their shutdown, they are not listed in the Task Manager either.

    3. I went through Broni's "Read This First - IMPORTANT Instructions (updated 8/1/2010)" thread. The problem is I can't access the websites to download any of the tools mentioned there (AV, MBAM etc.). So I had no option but to post here without going through the steps mentioned there.

    I'm on Windows XP SP2.

    Any help would be appreciated.

    Thanks.

    Nisar.

  2. #2
    broni (Senior Member)
    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.


    =================================================================================================

    I got Avast and Avira downloaded from a separate computer and then transferred the setup files onto my computer
    Do the very same with the tools required in the preliminaries.

  3. #3
    asprin (Newbie)
    Originally Posted by broni:

    Do the very same with the tools required in the preliminaries.
    Thanks for the reply. I transferred the pre-tools and tried to run them, but again I couldn't. They are shutting down as soon as they are about to start. However, in researching more on similar problems, I came across ComboFix, which I was able to run. It did delete some files and claimed to have cleaned the system, but in actuality I'm still infected. I still can't access security websites and the MS website.

    I'm pasting the log obtained through ComboFix.

    ComboFix 11-03-13.01 - Positive 03/14/2011 4:29.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.802 [GMT -8:00]
    Running from: c:\documents and settings\Positive\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\autorun.inf
    C:\pwxo.pif
    c:\windows\system32\48.exe
    c:\windows\system32\csrsc.exe
    D:\Autorun.inf
    E:\Autorun.inf
    E:\huvjv.pif
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_ABP470N5
    -------\Legacy_WINSPOOLSVC
    -------\Service_abp470n5
    -------\Service_amsint32
    -------\Service_WinSpoolSvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-14 08:13 . 2011-03-14 08:13 -------- d-----w- C:\OS
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ------- Sigcheck -------
    .
    [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2004-08-04 . A3886230C2B22BF4D3C452B90B1C45CB . 359808 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="sttray.exe" [2007-05-06 475136]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)
    "DisableRegistryTools"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-08-04 09:06 1737216 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 19:50 225280 ----a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "UacDisableNotify"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "d:\\cdqw.exe"=
    "c:\\WINDOWS\\system32\\cmd.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\serivces.exe"=
    "c:\\WINDOWS\\System32\\fewh.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8311:TCP"= 8311:TCP:*isabled:kmfgpt
    .
    R2 PlugPlayCM;Plug and Play Manager;c:\windows\system32\serivces.exe [3/13/2011 10:12 PM 47616]
    S2 xbigq;qefvmy;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
    S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - AMSINT32
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    xbigq
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\documents and settings\Positive\Application Data\Mozilla\Firefox\Profiles\9ea6smtx.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2011-03-14 04:31
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xbigq]
    "ServiceDll"="c:\windows\system32\mebdc.dll"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\sttray.exe
    c:\program files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    c:\windows\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-14 04:32:53 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-14 12:32
    .
    Pre-Run: 5,534,703,616 bytes free
    Post-Run: 5,449,912,320 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 16185BEB0E2B341DDAADF4D793955B6D


    Awaiting further instructions.

  4. #4
    broni (Senior Member)
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
    
    File::
    c:\windows\system32\mebdc.dll
    
    Driver::
    xbigq
    qefvmy
    PlugPlayCM
    
    NetSvc::
    xbigq
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    "DisableRegistryTools"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000000
    "AntiVirusDisableNotify"=dword:00000000
    "FirewallDisableNotify"=dword:00000000
    "FirewallOverride"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    "UacDisableNotify"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= dword:00000001
    "DisableNotifications"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xbigq]

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and antimalware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
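Added example, not part of this thread and not ComboFix's own code: a Python triage pass over the Sigcheck and "Reg Loading Points" sections of a log in the format posted in #3, flagging the same indicators the CFScript above reverts (policy lockouts of Task Manager and Regedit, Security Center overrides, the disabled firewall, a firewall exception for a look-alike of services.exe, the globally open port, and a driver whose MD5 no longer matches its dllcache copy). The sample log is a constructed excerpt; the list of imitated Windows binaries and the 0.8 name-similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed excerpt modelled on the first ComboFix log in this thread, not a real file.
SAMPLE_LOG = r"""
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2004-08-04 . A3886230C2B22BF4D3C452B90B1C45CB . 359808 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\serivces.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8311:TCP"= 8311:TCP:*isabled:kmfgpt
"""

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
SIG_RE = re.compile(r"^\[(.)\] \S+ \. ([0-9A-F]{32}) \. \d+ \. \. \[[^\]]*\] \. \. (.+)$")
# Legitimate Windows binaries whose names the droppers in this thread imitate (assumed list).
KNOWN_SYSTEM_BINARIES = ["services.exe", "csrss.exe", "svchost.exe", "lsass.exe",
                         "winlogon.exe", "cmd.exe", "sessmgr.exe", "explorer.exe"]

def parse_reg_points(text):
    """Return {key (lower-cased): {value_name: raw_value}} for every [KEY] block."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            reg.setdefault(current, {})
        elif current is not None and (val := VALUE_RE.match(line)):
            reg[current][val.group(1)] = val.group(2).strip()
    return reg

def as_int(raw):
    """ComboFix prints numbers two ways: 'dword:00000001' and '1 (0x1)'."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"\d+", raw)
    return int(m.group()) if m else None

def lookalike(name):
    """Return the legitimate binary a file name imitates (close but not equal), or None."""
    for real in KNOWN_SYSTEM_BINARIES:
        if name != real and SequenceMatcher(None, name, real).ratio() >= 0.8:
            return real
    return None

def sigcheck_findings(text):
    """Report a file ComboFix did not mark with a digit whose MD5 differs from its dllcache copy."""
    entries = {}
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            entries[m.group(3).lower()] = (m.group(1), m.group(2))
    out = []
    for path, (marker, md5) in entries.items():
        name = path.rsplit("\\", 1)[-1]
        cached = entries.get(f"c:\\windows\\system32\\dllcache\\{name}")
        if not marker.isdigit() and cached and cached[1] != md5:
            out.append(f"{name}: marked [{marker}], MD5 differs from dllcache copy")
    return out

def triage(text):
    """Return the tamper indicators found in the log, in order of appearance."""
    findings = []
    for key, values in parse_reg_points(text).items():
        if key.endswith("policies\\system"):
            for name in ("DisableTaskMgr", "DisableRegistryTools"):
                if as_int(values.get(name, "0")) == 1:
                    findings.append(f"{name}=1: user tool disabled by policy")
        elif "security center" in key:
            for name, raw in values.items():
                if name.endswith(("Override", "DisableNotify")) and as_int(raw) == 1:
                    findings.append(f"Security Center {name}=1: alerting suppressed")
        elif key.endswith("firewallpolicy\\standardprofile"):
            if as_int(values.get("EnableFirewall", "1")) == 0:
                findings.append("EnableFirewall=0: Windows Firewall off")
        elif key.endswith("authorizedapplications\\list"):
            for path in values:
                base = path.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
                if real := lookalike(base):
                    findings.append(f"firewall exception for {base} (imitates {real})")
        elif key.endswith("globallyopenports\\list"):
            findings.extend(f"globally open port {port}" for port in values)
    return findings + sigcheck_findings(text)

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```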

  5. #5
    asprin (Newbie)
    Done. It said there was a rootkit.

    Attaching the text file.

  6. #6
    broni (Senior Member)
    All logs have to be pasted.

  7. #7
    asprin (Newbie)
    Sorry about that.

    ComboFix 11-03-15.03 - Positive 03/16/2011 9:30.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.806 [GMT -8:00]
    Running from: c:\documents and settings\Positive\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Positive\Desktop\CFScript.txt
    .
    FILE ::
    "c:\windows\system32\mebdc.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Autorun.inf
    C:\chteeb.pif
    c:\windows\system32\mebdc.dll
    D:\Autorun.inf
    E:\Autorun.inf
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_ABP470N5
    -------\Legacy_PLUGPLAYCM
    -------\Legacy_XBIGQ
    -------\Service_abp470n5
    -------\Service_amsint32
    -------\Service_PlugPlayCM
    -------\Service_xbigq
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-14 16:34 . 2011-03-14 16:34 -------- d-----w- C:\Intel
    2011-03-14 08:13 . 2011-03-14 08:13 -------- d-----w- C:\OS
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-14_12.31.32 )))))))))))))))))))))))))))))))))))))))))
    .
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="sttray.exe" [2007-05-06 475136]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 212992]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 225280]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 200704]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)
    "DisableRegistryTools"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-08-04 09:06 1737216 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 19:50 225280 ----a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Documents and Settings\\Positive\\Desktop\\ComboFix.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8311:TCP"= 8311:TCP:*isabled:kmfgpt
    .
    S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ABP470N5
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\documents and settings\Positive\Application Data\Mozilla\Firefox\Profiles\9ea6smtx.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-16 09:33
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    c:\windows\sttray.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-16 09:34:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-16 17:34
    ComboFix2.txt 2011-03-14 12:32
    .
    Pre-Run: 5,086,175,232 bytes free
    Post-Run: 5,105,917,952 bytes free
    .
    - - End Of File - - BAB9F16247B51111E13654EA9EA1F20B

  8. #8
    broni (Senior Member)
    Please, don't wrap logs in code brackets.

    How are the issues?

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    "DisableRegistryTools"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:00000001
    "DisableNotifications"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8311:TCP"=-

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt

  9. #9
    asprin is offline Newbie
    Pretty much the same result. I still can't make the AV run. My Task Manager and Regedit are disabled. The only thing that seems to have been resolved is the 'Autoplay' option under each partition of the hard disk. That went away. Anyway, here is the log:

    ComboFix 11-03-15.03 - Positive 03/17/2011 12:10:28.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.799 [GMT -8:00]
    Running from: c:\documents and settings\Positive\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Positive\Desktop\CFScript.txt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\autorun.inf
    C:\dlix.pif
    c:\windows\system32\csrsc.exe
    c:\windows\system32\mebdc.dll
    D:\Autorun.inf
    D:\rngrxc.pif
    E:\autorun.inf
    E:\dgvw.pif
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_WINSPOOLSVC
    -------\Service_amsint32
    -------\Service_WinSpoolSvc
    -------\Legacy_ekgnosjle
    -------\Service_ekgnosjle
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-17 to 2011-03-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-14 16:34 . 2011-03-14 16:34 -------- d-----w- C:\Intel
    2011-03-14 08:13 . 2011-03-14 08:13 -------- d-----w- C:\OS
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ------- Sigcheck -------
    .
    [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\tcpip.sys
    [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2004-08-04 . A3886230C2B22BF4D3C452B90B1C45CB . 359808 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-03-16_17.33.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-17 20:12 . 2011-03-17 20:12 16384 c:\windows\Temp\Perflib_Perfdata_f40.dat
    + 2011-03-17 20:14 . 2011-03-17 20:14 16384 c:\windows\Temp\Perflib_Perfdata_afc.dat
    + 1999-11-25 01:40 . 1999-11-25 01:40 40960 c:\windows\system32\VBAME.DLL
    + 2011-03-14 06:12 . 2011-03-16 17:36 47616 c:\windows\system32\serivces.exe
    - 2011-03-14 06:12 . 2011-03-14 06:12 47616 c:\windows\system32\serivces.exe
    + 1998-03-25 04:54 . 1998-03-25 04:54 15872 c:\windows\system32\SCP32.DLL
    + 1998-08-09 18:07 . 1998-08-09 18:07 94208 c:\windows\system32\MSSTKPRP.DLL
    + 1998-06-18 02:08 . 1998-06-18 02:08 53248 c:\windows\system32\MFC42ENU.DLL
    + 1999-10-18 03:01 . 1999-10-18 03:01 26384 c:\windows\system32\FM20ENU.DLL
    + 2011-03-16 17:38 . 2011-03-16 17:38 47616 c:\windows\system32\fewh.exe
    - 2011-03-14 06:28 . 2011-03-14 07:30 47616 c:\windows\system32\fewh.exe
    + 2001-01-22 11:25 . 2001-01-22 11:25 32768 c:\windows\system32\ATHPRXY.DLL
    + 2011-03-16 18:48 . 2011-03-16 18:48 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
    + 2011-03-16 18:48 . 2011-03-16 18:48 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
    + 2011-03-16 18:48 . 2011-03-16 18:48 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
    + 2011-03-16 18:48 . 2011-03-16 18:48 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
    + 2011-03-16 18:48 . 2011-03-16 18:48 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
    + 2011-03-16 18:48 . 2011-03-16 18:48 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
    + 2011-03-16 18:48 . 2011-03-16 18:48 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
    + 2011-03-16 18:48 . 2011-03-16 18:48 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
    + 2011-03-16 18:48 . 2011-03-16 18:48 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
    + 2011-03-16 18:48 . 2011-03-16 18:48 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
    + 2000-04-04 01:52 . 2000-04-04 01:52 151552 c:\windows\system32\RDOCURS.DLL
    + 2000-05-24 05:45 . 2000-05-24 05:45 118784 c:\windows\system32\MSSTDFMT.DLL
    + 2000-05-11 21:06 . 2000-05-11 21:06 397312 c:\windows\system32\MSRDO20.DLL
    + 2011-03-13 21:52 . 2011-03-17 05:51 107808 c:\windows\system32\FNTCACHE.DAT
    + 2011-03-17 17:36 . 2011-03-17 17:36 688128 c:\windows\Installer\1da6b0.msi
    + 2011-03-16 18:48 . 2011-03-16 18:48 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
    + 2011-03-16 18:48 . 2011-03-16 18:48 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
    + 2011-03-17 17:36 . 2011-03-17 17:36 371272 c:\windows\Installer\{5335DADB-34BA-4AE8-A519-648D78498846}\SkypeIcon.exe
    + 1999-10-18 03:01 . 1999-10-18 03:01 1129232 c:\windows\system32\FM20.DLL
    + 2011-03-16 18:48 . 2011-03-16 18:48 3485184 c:\windows\Installer\444070.msi
    + 2011-03-17 17:36 . 2011-03-17 17:36 1574912 c:\windows\Installer\1da6a8.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-03-08 17115016]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="sttray.exe" [2007-05-06 475136]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 212992]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 225280]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 200704]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 157088]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)
    "DisableRegistryTools"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-08-04 09:06 1737216 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 19:50 225280 ----a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "UacDisableNotify"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "d:\\Apps\\Warcraft Support\\WarKey61_EN\\WarKey.exe"=
    "c:\\WINDOWS\\system32\\serivces.exe"=
    .
    R2 PlugPlayCM;Plug and Play Manager;c:\windows\system32\serivces.exe [3/13/2011 10:12 PM 47616]
    S2 ekgnosjle;Network Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
    S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\njrmhn.sys --> c:\windows\system32\drivers\njrmhn.sys [?]
    S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - AMSINT32
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ekgnosjle
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\documents and settings\Positive\Application Data\Mozilla\Firefox\Profiles\9ea6smtx.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=hp
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-17 12:14
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekgnosjle]
    "ServiceDll"="c:\windows\system32\mebdc.dll"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\sttray.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-17 12:15:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-17 20:15
    ComboFix2.txt 2011-03-16 17:34
    ComboFix3.txt 2011-03-14 12:32
    .
    Pre-Run: 5,617,991,680 bytes free
    Post-Run: 5,550,219,264 bytes free
    .
    - - End Of File - - FB9106A3501F46484ED8AF1DE2C28C33
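    The "Reg Loading Points" section of the log above is where you can see whether the CFScript reset took hold: DisableTaskMgr and DisableRegistryTools are still 1, the Security Center overrides are still set, and the firewall still whitelists serivces.exe (a lookalike of services.exe). As an added example, not part of this thread or of ComboFix, here is a small Python audit that parses a constructed excerpt modelled on that section and flags those three conditions; the sample lines, the list of system binary names and the edit-distance threshold of 2 are assumptions for illustration.

```python
import re
# Constructed excerpt modelled on the "Reg Loading Points" section of the log above (not verbatim).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Apps\\Warcraft Support\\WarKey61_EN\\WarKey.exe"=
"c:\\WINDOWS\\system32\\serivces.exe"=
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Values the infection flips to lock the user out and silence Security Center (reset by the CFScript).
TAMPER_NAMES = {"DisableTaskMgr", "DisableRegistryTools", "AntiVirusOverride", "FirewallOverride"}
SYSTEM_BINARIES = ["services.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"]  # assumed list

def parse_value(raw):
    """Normalise ComboFix renderings '1 (0x1)' / 'dword:00000001' / '' to an int (None if empty)."""
    m = re.match(r"^(?:(\d+)\s*\(0x[0-9a-fA-F]+\)|dword:([0-9a-fA-F]{8}))$", raw)
    if not m:
        return None
    return int(m.group(1)) if m.group(1) else int(m.group(2), 16)

def edit_distance(a, b):
    # Levenshtein distance, used to catch typo-squatted names such as serivces.exe.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(log_text):
    """Return (key, value name, reason) findings from a 'Reg Loading Points' excerpt."""
    findings, key = [], None
    for line in log_text.splitlines():
        km, vm = KEY_RE.match(line), VAL_RE.match(line)
        if km:
            key = km.group(1)
        elif vm and key:
            name, raw = vm.group(1), vm.group(2).strip()
            if name in TAMPER_NAMES and parse_value(raw):
                findings.append((key, name, "user/Security Center control disabled"))
            elif key.endswith(r"AuthorizedApplications\List"):
                base = name.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
                look = [b for b in SYSTEM_BINARIES if 0 < edit_distance(base, b) <= 2]
                if look:
                    findings.append((key, name, f"firewall exception for lookalike of {look[0]}"))
    return findings
```

Running `audit(SAMPLE_LOG)` returns four findings: the two policy values, the AntiVirusOverride, and the firewall exception for serivces.exe, while the legitimately whitelisted WarKey.exe is not reported.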

  10. #10
    broni is offline Senior Member
    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
