Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Rootkit removal! [Closed]


  • This topic is locked This topic is locked

#1
Barbosa321

Barbosa321

    Member

  • Member
  • PipPip
  • 14 posts
This is a converstion i copy and paste from a person that worked for geek squad,which wants to charge me 144 dollars for help on this matter, in this convo i explain whats wrong with my pc


A message has appeared on NOD32 saying my computer is infected with Win32/Rootkit.I trojan but it cannot remove it. I read earlier on a thread that this can be removed but I cannot
Derek [09:20 AM] :
now, idid alot,and i do mean alot of research and even found step by step what to do,the problem is,its still not working for me
Derek [09:21 AM] :
when i try to run kaspersy,scan online,i get a blue screen,when i try to run rootkit removal,it gets a c: unable to mount error
Derek [09:21 AM] :
little by little itse taking over my computer
Agent Jason J. [09:22 AM] :
Yeah rootkits are nasty
Derek [09:22 AM] :
ive ever read somewhere saying theres been cases of these virus staying in the bio
Derek [09:22 AM] :
which is nuts
Derek [09:22 AM] :
i downloaded a program called ulimate boot cd,but im not sure on how to use it
Derek [09:23 AM] :
seem like al this started after i switch my anti virus,from anti ver,to nod32
Derek [09:23 AM] :
and not its picking up even more trojans
Derek [09:23 AM] :
now**
Agent Jason J. [09:24 AM] :
ok one moment please
Derek [09:24 AM] :
ok
Agent Jason J. [09:31 AM] :
Ok, well it seemsl ike you've gotten pretty far on your own.. if you need us to finish it up, though, we do offer virus removal services
Derek [09:31 AM] :
but not for free right? lol
Agent Jason J. [09:31 AM] :
lol no.
Derek [09:32 AM] :
i just needed more advise though i have an idea on what to do but i though maybe you coule explain more
Derek [09:32 AM] :
see i read this on a forum....
Derek [09:32 AM] :
y first run of RKR showed *all* drives "Error mounting..."
All drives do have labels.
Turns out the particular rootkit on this server has found a way to prevent drive scanning by RKR!
.
I ran RootRepeal, booted from Ultimate Boot CD, took care of the nasties in the RR and RKR reports, rebooted from the HD. RKR can now see all drives.
.
Salvaged the server using both RKR & RR alternately.
Derek [09:33 AM] :
i realy really dont wan to format my drive
  • 0

Advertisements


#2
Barbosa321

Barbosa321

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
i have tried certain rootkit removals and most crash,or i get a cant mont c drive error,and when i try to turn kaspersy key online scan also crash,and ive tried other rootkit removals progs like Gromozon Rootkit Removal Tool which claim to not find anything,but my nod32 picks up
Rootkit.Agent.ODG, Win32/Olmarik.JU trojan
globalroot\systemroot\system32\hjgruikaybiwjd.dll,i also get a blue screen with error message of driver_not_less_or_equal,when i try to run kaspery online scan,or even spybot search and destroy,all because of this virus,i need expert help here,asap
  • 0

#3
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
  • 0

#4
Barbosa321

Barbosa321

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
ComboFix 09-07-23.01 - Owner 07/23/2009 12:31.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.166 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00DA-0D24-347CA8A3377C}
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Favorites\Download programs.url
c:\documents and settings\Owner\Favorites\Games.url
c:\documents and settings\Owner\Favorites\Translator.url
c:\documents and settings\Owner\Favorites\VIDEOS.url
c:\documents and settings\Owner\Start Menu\Programs\Download programs.url
c:\documents and settings\Owner\Start Menu\Programs\Translator.url
c:\program files\iMeshBar
c:\program files\iMeshBar\bar\Cache\files.ini
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\NetMonInstaller.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\recycler\NPROTECT
c:\windows\dll
c:\windows\dll\log.rtc
c:\windows\Installer\15eebf.msi
c:\windows\Installer\27fd167.msp
c:\windows\Installer\27fd17a.msp
c:\windows\Installer\27fd18d.msp
c:\windows\Installer\27fd1b2.msp
c:\windows\Installer\27fd236.msp
c:\windows\Installer\27fd23d.msp
c:\windows\Installer\27fd262.msp
c:\windows\Installer\27fd273.msp
c:\windows\Installer\27fd282.msp
c:\windows\Installer\27fd288.msp
c:\windows\Installer\27fd28f.msp
c:\windows\Installer\27fd2b5.msp
c:\windows\Installer\27fd2cc.msp
c:\windows\Installer\27fd2df.msp
c:\windows\Installer\2d979cd.msp
c:\windows\Installer\2d979e0.msp
c:\windows\Installer\2d97a02.msp
c:\windows\Installer\2d97a15.msp
c:\windows\Installer\2d97a27.msp
c:\windows\Installer\54b7c.msi
c:\windows\Installer\a937cf6.msi
c:\windows\SNMPAPI.DLL
c:\windows\system32\drivers\armada.sys
c:\windows\system32\drivers\hjgruiymtveyid.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\hjgruiacxjybpn.dat
c:\windows\system32\hjgruidlvjdnva.dat
c:\windows\system32\hjgruikaybiwjd.dll
c:\windows\system32\hjgruilog.dat
c:\windows\system32\hjgruioylvfefy.dll
c:\windows\system32\i
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiytpxtxlv
-------\Legacy_NPF
-------\Legacy_SMSC
-------\Legacy_ZESOFT
-------\Service_NPF
-------\Service_SMSC
-------\Legacy_Armada_Cleaner
-------\Service_Armada_Cleaner


((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
.

2009-07-23 15:49 . 2009-07-23 15:50 -------- dc----w- C:\rsit
2009-07-23 14:33 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 14:33 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-23 14:33 . 2009-07-23 14:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-23 14:28 . 2009-07-23 14:28 -------- d-----w- c:\program files\ERUNT
2009-07-23 12:01 . 2009-07-23 12:09 -------- dc----w- C:\UBCD4Win
2009-07-23 06:47 . 2009-07-23 06:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-07-23 03:23 . 2009-07-23 03:23 -------- dc----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-07-23 03:23 . 2009-07-23 03:23 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-23 03:23 . 2009-07-23 03:23 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-23 03:23 . 2009-07-23 03:23 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-23 03:22 . 2009-07-23 03:22 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-23 03:21 . 2009-07-23 03:21 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-07-23 03:21 . 2009-07-23 03:21 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-07-23 03:21 . 2009-07-23 03:21 -------- d-----w- c:\program files\AVG
2009-07-23 03:21 . 2009-07-23 03:21 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-23 03:03 . 2009-07-23 03:03 -------- d-----w- c:\docume~1\Owner\APPLIC~1\AVG8
2009-07-22 21:43 . 2009-07-22 23:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-22 13:56 . 2008-03-03 22:21 568 ---ha-w- c:\windows\nod32fixtemdono.reg
2009-07-22 13:56 . 2008-03-03 18:25 5702 ---ha-w- c:\windows\nod32restoretemdono.reg
2009-07-22 13:45 . 2009-07-22 13:45 -------- d-----w- c:\program files\ESET
2009-07-22 13:22 . 2009-07-22 13:22 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ESET
2009-07-22 13:08 . 2009-07-22 13:08 -------- dc----w- c:\documents and settings\All Users\Application Data\ESET
2009-07-22 04:17 . 2009-07-22 04:16 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-22 04:15 . 2009-07-22 04:23 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-07-22 04:10 . 2009-07-22 04:08 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 03:07 . 2009-07-22 03:07 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-21 21:20 . 2009-07-21 21:20 -------- d-----w- c:\program files\Desktop Icon Toy
2009-07-21 20:25 . 2009-07-21 20:25 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Thinking Minds Budiling Bytes
2009-07-21 20:25 . 2009-07-21 22:06 -------- d-----w- c:\program files\CubeDesktop
2009-07-21 19:53 . 2009-07-21 19:53 -------- d-----w- c:\docume~1\Owner\APPLIC~1\OtakuSoftware
2009-07-21 19:51 . 2009-07-22 02:28 -------- d-----w- c:\program files\DeskSpace
2009-07-21 15:43 . 2009-07-21 15:43 -------- dc----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-21 15:42 . 2009-07-21 15:42 -------- d-----w- c:\program files\Bonjour
2009-07-21 03:29 . 2009-07-21 03:29 -------- d-----w- c:\program files\SpywareBlaster
2009-07-21 01:41 . 2009-07-21 01:41 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-21 01:40 . 2009-07-21 01:40 -------- d-----w- c:\program files\Reference Assemblies
2009-07-21 01:40 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-21 01:40 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2009-07-21 01:40 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-21 01:40 . 2009-07-21 01:40 -------- dc----w- C:\25f7e9435b9b1fc8479dd17aaac0
2009-07-21 01:40 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-21 01:40 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2009-07-21 01:40 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-21 01:40 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2009-07-20 23:46 . 2009-07-21 17:49 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-20 20:29 . 2009-07-20 20:45 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-20 18:25 . 2009-07-20 18:27 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Winamp
2009-07-20 18:25 . 2009-07-20 18:26 -------- d-----w- c:\program files\Winamp
2009-07-20 12:45 . 2009-07-20 13:57 -------- d-----w- c:\program files\VS Revo Group
2009-07-20 12:21 . 2008-11-10 15:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-07-20 12:18 . 2009-07-21 01:41 -------- d-----w- c:\program files\MSBuild
2009-07-20 12:10 . 2009-07-20 12:10 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-07-19 18:36 . 2009-07-19 19:18 -------- d-----w- c:\docume~1\Owner\APPLIC~1\IDM
2009-07-19 18:36 . 2009-07-20 11:47 -------- d-----w- c:\docume~1\Owner\APPLIC~1\DMCache
2009-07-19 18:35 . 2009-07-20 12:31 -------- d-----w- c:\program files\Internet Download Manager
2009-07-19 17:57 . 2009-07-19 18:09 -------- d-----w- c:\program files\SpeedBit Video Accelerator
2009-07-19 17:51 . 2009-07-19 18:14 -------- dc----w- c:\documents and settings\All Users\Application Data\SpeedBit
2009-07-19 17:51 . 2009-07-19 18:05 -------- d-----w- c:\program files\SpeedBit Toolbar
2009-07-19 17:51 . 2009-07-19 18:16 -------- d-----w- c:\program files\DAP
2009-07-19 17:42 . 2009-07-19 17:50 -------- d-----w- c:\docume~1\Owner\APPLIC~1\R-Wipe&Clean
2009-07-19 16:00 . 2009-07-19 17:24 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Auslogics
2009-07-19 15:57 . 2009-07-23 02:57 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-19 15:56 . 2009-07-19 15:56 -------- d-----w- c:\program files\Auslogics
2009-07-19 13:53 . 2009-07-23 02:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-17 21:22 . 2009-07-17 21:23 -------- d-----w- c:\windows\system32\NtmsData
2009-07-12 23:02 . 2009-07-12 23:02 -------- dc----w- c:\documents and settings\All Users\Application Data\acccore
2009-07-12 22:59 . 2009-07-12 23:02 -------- d-----w- c:\program files\AIM6
2009-07-11 03:17 . 2007-09-17 14:34 136528 -c--a-w- c:\documents and settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4397.2.4\radioupd.exe
2009-07-03 14:21 . 2008-10-17 01:02 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-23 12:11 . 2009-03-15 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-23 03:23 . 2009-07-23 03:23 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys.install_backup
2009-07-23 02:49 . 2004-12-10 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-22 04:08 . 2005-10-09 00:39 -------- d-----w- c:\program files\Java
2009-07-22 01:21 . 2005-10-06 18:34 8224 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-21 16:17 . 2006-12-28 18:45 -------- d-----w- c:\program files\iTunes
2009-07-21 15:44 . 2005-10-25 20:14 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Apple Computer
2009-07-21 15:43 . 2005-10-25 20:11 -------- dc----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-21 14:31 . 2008-08-22 00:51 1306624 ----a-w- c:\windows\system32\msxml6(2).dll
2009-07-21 01:17 . 2009-06-15 22:52 -------- d-----w- c:\program files\Microsoft Works
2009-07-20 20:45 . 2004-12-10 21:38 -------- d-----w- c:\program files\Lavasoft
2009-07-20 17:29 . 2008-09-01 17:17 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Yahoo!
2009-07-20 17:29 . 2008-08-23 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-20 17:28 . 2007-09-19 19:34 -------- d-s---w- c:\program files\Yahoo!
2009-07-20 16:25 . 2004-10-26 05:36 225280 ----a-w- c:\windows\system32\igfxpph.dll
2009-07-20 03:01 . 2006-08-06 00:59 -------- d-----w- c:\docume~1\Owner\APPLIC~1\uTorrent
2009-07-19 16:47 . 2008-11-06 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-19 16:47 . 2008-11-06 11:42 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-19 15:51 . 2006-06-22 18:59 -------- d-----w- c:\program files\Trend Micro
2009-07-19 15:45 . 2008-09-01 17:18 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Viewpoint
2009-07-19 15:35 . 2004-10-26 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-19 15:35 . 2004-10-26 04:19 -------- d-----w- c:\program files\Viewpoint
2009-07-14 01:27 . 2004-11-05 22:11 -------- d-----w- c:\program files\Real
2009-07-14 01:23 . 2005-10-19 22:22 -------- d-----w- c:\program files\DivX
2009-07-10 19:30 . 2008-06-20 11:55 -------- dc----w- c:\documents and settings\All Users\Application Data\AOL
2009-07-10 19:16 . 2005-10-22 02:45 -------- d-----w- c:\program files\Rhyme & Verse Demo
2009-07-10 19:16 . 2005-10-05 23:15 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-07-10 19:16 . 2004-10-26 05:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-10 19:16 . 2004-11-05 22:13 -------- d-----w- c:\program files\Google
2009-07-10 19:16 . 2007-12-05 18:05 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2009-07-10 19:16 . 2006-08-17 21:53 -------- d-----w- c:\program files\Common Files\Vbox
2009-07-10 19:16 . 2004-11-05 22:11 -------- d-----w- c:\program files\Common Files\Real
2009-07-10 19:16 . 2009-06-10 13:06 -------- d-----w- c:\program files\Common Files\aolshare
2009-07-10 19:16 . 2005-12-14 00:33 -------- d-----w- c:\program files\Common Files\AOL
2009-07-10 19:16 . 2005-10-14 15:08 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-10 19:16 . 2005-10-05 20:07 -------- d-----w- c:\program files\Ares P2P
2009-07-10 19:16 . 2004-10-26 06:10 -------- d-----w- c:\program files\Britannica
2009-07-10 18:45 . 2008-08-23 18:50 -------- d-----w- c:\program files\Windows Live
2009-07-02 07:12 . 2009-04-02 23:03 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Move Networks
2009-07-01 23:56 . 2005-10-13 16:41 -------- d-----w- c:\program files\Rhymesaurus 1.4
2009-06-25 07:08 . 2006-08-03 14:01 -------- d-----w- c:\program files\Microsoft SQL Server
2009-06-23 22:45 . 2009-03-26 19:00 -------- d-----w- c:\docume~1\Owner\APPLIC~1\LimeWire
2009-06-23 22:14 . 2009-03-15 19:13 -------- d-----w- c:\docume~1\Owner\APPLIC~1\GetRightToGo
2009-06-20 17:17 . 2009-06-20 17:17 -------- d-----w- c:\docume~1\Owner\APPLIC~1\acccore
2009-06-16 14:36 . 2002-09-03 17:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2002-09-03 16:33 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-11 10:32 . 2005-10-06 05:28 4720 -c--a-w- c:\windows\mozver.dat
2009-06-10 13:12 . 2009-06-10 13:06 -------- d-----w- c:\program files\AOL 9.1
2009-06-10 13:11 . 2009-06-10 13:11 -------- d-----w- c:\docume~1\Owner\APPLIC~1\AOL
2009-06-10 13:09 . 2009-06-10 13:09 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-06-10 13:05 . 2009-06-10 13:05 99200 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\sm\sminstlp.exe
2009-06-10 13:05 . 2009-06-10 13:04 1895720 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\waol-0.4334.34.14.exe
2009-06-10 13:04 . 2009-06-10 13:04 142040 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\aolload\alsetup.exe
2009-06-10 13:04 . 2009-06-10 13:03 8139800 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\acs\acssetup.exe
2009-06-10 13:03 . 2009-06-10 13:03 11312 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\acs\ecuchk.dll
2009-06-10 13:03 . 2009-06-10 13:03 260040 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\acs\ecuinst.exe
2009-06-10 13:03 . 2009-06-10 13:03 601728 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\unagi\ampx.english.exe
2009-06-10 13:03 . 2009-06-10 13:03 67120 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\ccu\instSup.dll
2009-06-10 13:03 . 2009-06-10 13:03 15920 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\ccu\ocpchk.dll
2009-06-10 13:03 . 2009-06-10 13:03 10800 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\afix\wsfixchk.dll
2009-06-10 13:03 . 2009-06-10 13:03 355592 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\afix\afixinst.exe
2009-06-10 13:03 . 2009-06-10 13:03 54832 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\parcon\AOLParconLink.exe
2009-06-10 13:02 . 2009-06-10 13:02 607392 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\tpspd\wbsetup.exe
2009-06-10 13:02 . 2009-06-10 13:02 2100784 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\toolbar\aol_toolbar_dual.exe
2009-06-10 13:02 . 2009-06-10 13:02 127224 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\afix\afixlang.exe
2009-06-10 13:02 . 2009-06-10 13:02 2439824 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\ccu\ocpinsti.exe
2009-06-10 13:02 . 2009-06-10 13:01 711520 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\sysinfo\SinfInst.exe
2009-06-10 13:01 . 2009-06-10 13:01 62816 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\ocp\ocpgc.exe
2009-06-10 13:01 . 2009-06-10 12:55 35387072 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\noneCodesignFilesBundle.exe
2009-06-10 12:55 . 2009-06-10 12:55 359184 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\tb\tbsetup.exe
2009-06-10 12:55 . 2009-06-10 12:55 75104 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\ocp\instSup.dll
2009-06-10 12:55 . 2009-06-10 12:55 223152 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\afix\wsfinst.exe
2009-06-10 12:55 . 2009-06-10 12:55 175224 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\sm\stmninst.exe
2009-06-10 12:55 . 2009-06-10 12:54 1475416 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\ocp\ocpinst.exe
2009-06-10 12:54 . 2009-06-10 12:54 15712 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\ocp\ocpchk.dll
2009-06-10 12:54 . 2009-06-10 12:54 390704 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.14\comps\afix\WinsockFix.exe
2009-06-10 12:54 . 2008-09-01 17:18 -------- dc----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-03 19:09 . 2002-09-03 16:53 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-14 19:49 . 2009-05-14 19:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 19:47 . 2009-05-14 19:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 19:41 . 2009-05-14 19:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-13 05:15 . 2005-06-18 03:49 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2002-09-03 16:39 345600 ----a-w- c:\windows\system32\localspl.dll
2006-08-06 03:21 . 2006-08-06 03:21 774144 -c--a-w- c:\program files\RngInterstitial.dll
2009-07-15 20:30 . 2009-07-21 17:26 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2008-11-06 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-22 148888]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e\0SsiEfr.e

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134520414\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134520414\\ee\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ares Vista\\AresVista.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/22/2009 11:23 PM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/22/2009 11:23 PM 108552]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/22/2009 11:22 PM 298776]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [7/22/2009 11:21 PM 29208]
S0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys --> c:\windows\system32\Drivers\avgrkx86.sys [?]
S2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe --> c:\progra~1\AVG\AVG8\avgfws8.exe [?]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [9/3/2002 12:56 PM 3584]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [7/22/2009 11:21 PM 29208]
S3 Cyber02Hide;Cyber02Hide;\??\c:\windows\system32\drivers\Cyber02Hide.sys --> c:\windows\system32\drivers\Cyber02Hide.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://start.verizon.net/vznisp/portal/main.aspx
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
DPF: Broadcaster Publisher - hxxp://www.broadcaster.com/on2/broadcaster_publisher.CAB
DPF: DigiChat Applet - hxxp://host7.digichat.com/DigiChat/DigiClasses/Client_IE.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.23.231.4/activex/AMC.cab
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\a5zbfp8v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CLie7&query=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\a5zbfp8v.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCID.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-23 12:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1500820517-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5A02C8D5-8CA8-EA77-79D7-A18C3B9A0517}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abjfpaknpoejmbndmdlokgaldnbdadnnma"=hex:6a,61,6e,6c,69,6f,65,68,6c,65,6d,63,
68,6c,61,61,65,64,64,6b,00,00
"pahffkfeodjanblddiknbomnplcliokf"=hex:6a,61,6e,6c,69,6f,65,68,6c,65,6d,63,68,
6c,61,61,65,64,64,6b,00,00

[HKEY_USERS\S-1-5-21-343818398-1500820517-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{94B386A8-E8CE-E3FF-B8F1-F9E0A1715643}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"haogejbmlencknem"=hex:6e,62,6a,6a,70,65,6b,6e,62,66,6c,67,65,6e,63,67,62,6d,
61,68,62,67,63,70,6d,70,6b,68,70,6d,6b,6a,65,6d,64,63,67,6b,61,61,6d,6a,6d,\
"jaogejbmlencknemmdoo"=hex:66,61,6a,6a,6e,65,70,69,61,69,64,69,00,02
"pagdfkngpjailchiihgahcfmillbdkoe"=hex:63,61,63,6d,6b,6a,00,69

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•Ôw*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2468)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AOL 9.1\waol.exe
c:\windows\system32\wscntfy.exe
c:\program files\AOL 9.1\shellmon.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\control.exe
c:\windows\system32\control.exe
.
**************************************************************************
.
Completion time: 2009-07-23 13:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-23 17:01

Pre-Run: 10,170,712,064 bytes free
Post-Run: 11,821,903,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

448 --- E O F --- 2009-07-21 02:58



heres my logg,i received alot of corrupted files windows,files such as,cf2128.exe c:\$mft, tells me to run chkdsk
  • 0

#5
Barbosa321

Barbosa321

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
heres my hijack this log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:02 PM, on 7/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Adobe Audition 2.0\Audition.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon...ortal/main.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Broadcaster Publisher - http://www.broadcast...r_publisher.CAB
O16 - DPF: DigiChat Applet - http://host7.digicha...s/Client_IE.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplu...lug/beta/SP.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128547808296
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149969443875
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/ch...urce/ImlCID.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://217.23.231.4/activex/AMC.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgfws8.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8231 bytes
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
you need to remove AVG or Eset, cant have both running

Download Rooter.exe to your desktop
  • Then doubleclick it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here



Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#7
Barbosa321

Barbosa321

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Security mismatch on rootkit logg???what does this mean??
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
where did you see that ?

go on with the other scans please
  • 0

#9
Barbosa321

Barbosa321

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
rootkitrevealer is where i got that mistach security log,let me paste the log give me a moment,and also, i had already remove avg
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
I don't need to see that log

please follow my instructions only
  • 0

Advertisements


#11
Barbosa321

Barbosa321

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 2 Stepping 9, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.5.1 (en-US)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:37 Go - Free:11 Go )
D:\ [Fixed-FAT32] .. ( Total:7 Go - Free:7 Go )
E:\ [Fixed-FAT32] .. ( Total:5 Go - Free:4 Go )
.
Scan : 15:36.25
Path : C:\Documents and Settings\Owner\My Documents\Downloads\Rooter.exe
User : Owner ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (564)
______ \??\C:\WINDOWS\system32\csrss.exe (660)
______ \??\C:\WINDOWS\system32\winlogon.exe (732)
______ C:\WINDOWS\system32\services.exe (776)
______ C:\WINDOWS\system32\lsass.exe (788)
______ C:\WINDOWS\system32\svchost.exe (940)
______ C:\WINDOWS\system32\svchost.exe (1008)
______ C:\WINDOWS\System32\svchost.exe (1044)
______ C:\WINDOWS\System32\svchost.exe (1100)
______ C:\WINDOWS\system32\svchost.exe (1152)
______ C:\WINDOWS\Explorer.EXE (1444)
______ C:\WINDOWS\system32\spoolsv.exe (1484)
______ C:\WINDOWS\System32\svchost.exe (1612)
______ C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (1644)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1656)
______ C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (1672)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1732)
______ c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (1772)
______ c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (2032)
______ c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (2044)
______ C:\WINDOWS\System32\svchost.exe (176)
______ C:\WINDOWS\system32\wdfmgr.exe (320)
______ C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (388)
______ C:\WINDOWS\system32\hkcmd.exe (824)
______ C:\Program Files\Java\jre6\bin\jusched.exe (1080)
______ C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (1128)
______ C:\WINDOWS\system32\ctfmon.exe (1164)
______ C:\Program Files\AOL 9.1\waol.exe (1208)
______ C:\WINDOWS\System32\alg.exe (2124)
______ C:\Program Files\AOL 9.1\shellmon.exe (3456)
______ C:\Program Files\SpywareBlaster\spywareblaster.exe (2432)
______ C:\Program Files\SpywareBlaster\spywareblaster.exe (3072)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3620)
______ C:\WINDOWS\system32\notepad.exe (584)
______ C:\Documents and Settings\Owner\My Documents\Downloads\Rooter.exe (3172)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:39991279104)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\DOCUME~1\Owner\Favorites\KEYGEN.CC - Download keygen crack serial patch.url
C:\DOCUME~1\Owner\Favorites\KEYGEN.CC - Download keygen crack serial patch.url
C:\DOCUME~1\Owner\My Documents\BitTorrent Downloads\Sony - Sound Forge v8.0d incl keygen\Sony - Sound Forge v8.0d incl keygen.rar
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 15:36.55
.
C:\Rooter$\Rooter_1.txt - (23/07/2009 | 15:36.55).c
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
do this after

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\DOCUME~1\Owner\Favorites\KEYGEN.CC - Download keygen crack serial patch.url
    C:\DOCUME~1\Owner\Favorites\KEYGEN.CC - Download keygen crack serial patch.url
    C:\DOCUME~1\Owner\My Documents\BitTorrent Downloads\Sony - Sound Forge v8.0d incl keygen
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
  • 0

#13
Barbosa321

Barbosa321

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
do the otm after what???
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
after post #6 above

the mbam and kaspersky step
  • 0

#15
Barbosa321

Barbosa321

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
i did the TFC already what do i do next?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP