
Virus disables antivirus and blocks AV websites



#1 sandeepforever (Member, 12 posts)

Hi,

I have a Dell Inspiron 2200 running on Windows XP. The Antivirus I use is AVG (free). For almost 2-3 months, I have had the following symptoms:

1. Comp is terribly slow. Especially while booting up. The network connections take forever to load!
2. Antivirus will not get any updates. It will report a connection failure with the site.
3. Antivirus will stop working. AVG window will say "No components installed"!
4. I cannot visit any antivirus website.

After some research, I found that the problem was with a process called svchost.exe (NETWORK SERVICE). I have 2 such processes running all the time in the task manager. One is a malware process. The other one is the Windows process. However, I am unable to distinguish them! So, I take a chance and kill one process.

If I kill the malware process, I am able to run AV, update AV and open AV websites. If I kill the windows process, comp shuts down.

Now, I ran AV a few times (trial and error of finding the right network service process) but none of the ones I tried could fix the problem. So, every time I shut down and reboot, the malware (and the bad svchost.exe) is back!

I am totally at my wit's end and hope someone here can help me out! I followed the instructions on the guidelines post and I have the log files of Malwarebytes and GMER. However, I am unable to complete the OTL scan. It says "scanning Netsvcs settings..." and does not proceed from there. The task manager shows OTL and services.exe combining to eat up 100%. And OTL stops responding. I have waited for over 30 minutes for OTL to resume but it just does not.

Here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-26 01:11:32
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\KGBED8~1.RAM\LOCALS~1\Temp\fxtdqpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Fastfat \Fat A92A2C8A

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] gxnnwxr <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] Shell Config
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] Allows remote users to view through WEB browsers your authorized multimedia content managed by Roxio Media Manager9.
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxnnwxr\[email protected] C:\WINDOWS\system32\qzlyolb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] Shell Config
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 32
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 2
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 0
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] Allows remote users to view through WEB browsers your authorized multimedia content managed by Roxio Media Manager9.
Reg HKLM\SYSTEM\ControlSet003\Services\gxnnwxr\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gxnnwxr\[email protected] C:\WINDOWS\system32\qzlyolb.dll
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ED0F8295-5CD3-A346-3CE8-31F3E54F870F}

---- EOF - GMER 1.0.15 ----

Here is the mbam log:
Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

12/25/2009 11:23:24 PM
mbam-log-2009-12-25 (23-23-24).txt

Scan type: Quick Scan
Objects scanned: 122200
Time elapsed: 15 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 3
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT (Trojan.Frethog) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aspimgr (Trojan.Asprox) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xp-39fa7609 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Newfolder Fix Wizard (Rogue.NewFolderFixWizard) -> Quarantined and deleted successfully.
C:\Program Files\Newfolder Fix Wizard\backuped (Rogue.NewFolderFixWizard) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4 (Worm.AutoRun) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\RegEx.fnr (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\com.run (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dp1.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eAPI.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shell.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\MicrosoftPowerPoint\svchost.exe (Worm.Muha) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\com.run (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\dp1.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\eAPI.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\RegEx.fnr (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\shell.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\internet.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\E_4\spec.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\internet.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\og.dll (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\og.EDT (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spec.fne (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ul.dll (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\K.G. Ramesh\Local Settings\Temp\_check32.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\s32.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ws386.ini (Malware.Trace) -> Quarantined and deleted successfully.

-------------------------------------

Hoping for some light at the end of this tunnel! Thanks all!
  • 0
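The post above describes the core difficulty: two svchost.exe instances, one of which hosts the hidden gxnnwxr service that GMER flags, and no way to tell them apart in Task Manager. The script below is an added example, not code from the post or from any tool named in the thread. It parses `tasklist /svc`-style output to map each svchost PID to the services it hosts, looks up each service's ServiceDll, and flags any DLL that is not on a known-good list. All sample data is constructed; only the gxnnwxr -> qzlyolb.dll pair is taken from the GMER log above, and the allow-list is hand-written for illustration.

```python
"""Map each svchost.exe to the services it hosts and flag the ones whose
ServiceDll is not a known Windows component.

Added example; not code from the original post or from any tool named in the
thread. All data here is constructed: TASKLIST_SVC imitates `tasklist /svc`
output, SERVICE_DLLS stands in for the per-service
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\Parameters\\ServiceDll values,
and KNOWN_GOOD_DLLS is a hand-written allow-list. Only the pair
gxnnwxr -> qzlyolb.dll comes from the GMER log in post #1.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `tasklist /svc` output. A long service list wraps onto
# continuation lines that start with whitespace; the parser has to join them.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   680 Eventlog, PlugPlay
svchost.exe                    880 DcomLaunch, TermService
svchost.exe                   1032 BITS, Browser, CryptSvc, Dhcp, gxnnwxr,
                                   lanmanserver, lanmanworkstation, Schedule,
                                   wuauserv
svchost.exe                   1088 Dnscache
"""

# Constructed sample of registry data: service name -> ServiceDll.
SERVICE_DLLS: Dict[str, str] = {
    "DcomLaunch": r"%SystemRoot%\system32\rpcss.dll",
    "TermService": r"%SystemRoot%\System32\termsrv.dll",
    "BITS": r"%SystemRoot%\system32\qmgr.dll",
    "Browser": r"%SystemRoot%\System32\browser.dll",
    "CryptSvc": r"%SystemRoot%\System32\cryptsvc.dll",
    "Dhcp": r"%SystemRoot%\System32\dhcpcsvc.dll",
    "gxnnwxr": r"C:\WINDOWS\system32\qzlyolb.dll",  # value shown in the GMER log
    "lanmanserver": r"%SystemRoot%\System32\srvsvc.dll",
    "lanmanworkstation": r"%SystemRoot%\System32\wkssvc.dll",
    "Schedule": r"%SystemRoot%\system32\schedsvc.dll",
    "wuauserv": r"%SystemRoot%\system32\wuauserv.dll",
    "Dnscache": r"%SystemRoot%\System32\dnsrslvr.dll",
}

# Hand-written allow-list of ServiceDll basenames. On a real engagement this
# comes from a clean reference build or a known-good hash set.
KNOWN_GOOD_DLLS = {
    "rpcss.dll", "termsrv.dll", "qmgr.dll", "browser.dll", "cryptsvc.dll",
    "dhcpcsvc.dll", "srvsvc.dll", "wkssvc.dll", "schedsvc.dll",
    "wuauserv.dll", "dnsrslvr.dll",
}


class Finding(NamedTuple):
    pid: int
    service: str
    dll: str
    reason: str


ROW_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field: str) -> List[str]:
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text: str) -> Dict[int, List[str]]:
    """Return {pid: [service, ...]} for every svchost.exe row, folding wrapped
    continuation lines back onto the row they belong to."""
    hosts: Dict[int, List[str]] = {}
    current = None  # PID of the svchost row a continuation line belongs to
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace():
            if current is not None:
                hosts[current].extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if not m or m.group("image").strip().lower() != "svchost.exe":
            current = None
            continue
        current = int(m.group("pid"))
        hosts[current] = _split_services(m.group("services"))
    return hosts


def audit_svchost(tasklist_text: str, service_dlls: Dict[str, str],
                  known_good: set) -> List[Finding]:
    """Flag hosted services whose ServiceDll is missing or not on the allow-list."""
    findings: List[Finding] = []
    for pid, services in sorted(parse_tasklist_svc(tasklist_text).items()):
        for svc in services:
            dll = service_dlls.get(svc)
            if dll is None:
                findings.append(Finding(pid, svc, "", "no ServiceDll registered"))
                continue
            basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if basename not in known_good:
                findings.append(Finding(pid, svc, dll, "ServiceDll not in known-good set"))
    return findings


if __name__ == "__main__":
    for f in audit_svchost(TASKLIST_SVC, SERVICE_DLLS, KNOWN_GOOD_DLLS):
        print(f"svchost PID {f.pid}: service {f.service!r} -> {f.dll or '(none)'}: {f.reason}")
```

tasklist.exe ships with XP Professional but not XP Home; Process Explorer shows the same PID-to-service mapping, and `sc qc <service>` together with the service's Parameters\ServiceDll value gives the DLL. Once the rogue service is identified, the defensive move is to stop and disable that one service and let the removal tool quarantine its DLL, rather than killing a shared svchost, which takes down every legitimate service hosted in it (the shutdown the poster describes).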



#2 fenzodahl512 (Malware Removal, 9,863 posts)

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

Posted Image

Posted Image


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asked you to install Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..
  • 0

#3 sandeepforever (Topic Starter, Member, 12 posts)

Here is the ComboFix log:

ComboFix 09-12-26.02 - K.G. Ramesh 12/27/2009 12:12:57.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247.85 [GMT 5.5:30]
Running from: c:\documents and settings\K.G. Ramesh\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 091226-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\K.G. Ramesh\Application Data\EurekaLog
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\g32.txt
c:\windows\system32\dumphive.exe
c:\windows\system32\Penx.dat
c:\windows\system32\qzlyolb.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\Xpen.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR
-------\Legacy_AVPSYS
-------\Legacy_GXNNWXR
-------\Service_gxnnwxr


((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-26 18:02 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-26 18:02 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-26 18:02 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-12-26 18:02 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-26 18:02 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-26 18:02 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-26 18:02 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-12-26 18:02 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-12-26 18:02 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-26 18:02 . 2009-12-26 18:02 -------- d-----w- c:\program files\Alwil Software
2009-12-25 17:29 . 2009-12-25 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-12-25 17:28 . 2009-12-25 17:29 -------- d-----w- c:\program files\Security Task Manager1
2009-12-25 17:28 . 2009-12-25 17:28 -------- d-----w- c:\program files\Security Task Manager
2009-12-24 05:21 . 2009-12-24 05:21 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\Malwarebytes
2009-12-24 05:21 . 2009-12-03 10:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-24 05:20 . 2009-12-24 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-24 05:20 . 2009-12-24 05:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-24 05:20 . 2009-12-03 10:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-24 05:04 . 2009-12-24 05:04 -------- d-----w- c:\program files\Smart Virus Remover
2009-12-22 05:50 . 2009-12-22 05:50 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2009-12-22 05:49 . 2009-12-22 05:50 -------- d-----w- c:\program files\TweetDeck
2009-12-22 05:49 . 2009-12-22 05:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-20 09:07 . 2009-12-22 05:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-20 09:07 . 2009-12-21 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-20 08:13 . 2009-12-20 08:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-12-20 08:13 . 2009-12-20 08:13 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\Simply Super Software
2009-12-10 10:20 . 2004-08-04 11:00 743936 ----a-w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 12:25 . 2008-11-21 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-25 17:29 . 2009-12-25 17:29 1241 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D380CF5DCDD542844ABB1B5FECC907FA.dll
2009-12-25 17:29 . 2009-12-25 17:29 1328 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C4079E39989058B49A4B6ED814A9C708.dll
2009-12-25 17:29 . 2009-12-25 17:29 1328 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_42951C08C48E49647A6229BA38A62213.dll
2009-12-25 17:29 . 2009-12-25 17:29 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_2894BB3325CD68840AB34F5C8CB0EE98.dll
2009-12-25 17:29 . 2009-12-25 17:29 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1FFEDB53016A65940AD05154C3113659.dll
2009-12-22 06:37 . 2008-12-16 05:33 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\DNA
2009-12-22 05:17 . 2008-12-16 05:33 -------- d-----w- c:\program files\DNA
2009-12-20 08:40 . 2009-11-06 06:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-20 08:20 . 2008-04-27 10:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-14 06:57 . 2009-11-12 05:31 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\Skype
2009-12-14 04:41 . 2009-11-12 05:32 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\skypePM
2009-11-25 16:20 . 2009-02-21 14:38 256 ----a-w- c:\windows\system32\pool.bin
2009-11-25 15:37 . 2006-01-08 22:51 -------- d-----w- c:\program files\Google
2009-11-12 05:33 . 2009-11-12 05:33 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-12 05:26 . 2009-11-12 05:24 -------- d-----r- c:\program files\Skype
2009-11-12 05:24 . 2009-11-12 05:24 -------- d-----w- c:\program files\Common Files\Skype
2009-11-12 05:24 . 2009-11-12 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-31 05:44 . 2009-10-24 07:53 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\BitTorrent
2009-10-30 19:52 . 2009-10-30 19:51 -------- d-----w- c:\program files\MPlayer for Windows
2008-07-22 11:12 . 2008-07-22 11:12 2 --shatr- c:\windows\winstart.bat
2007-10-18 07:19 . 2006-01-09 10:28 104 --sh--r- c:\windows\system32\76DD126630.sys
2007-10-18 07:20 . 2006-01-09 10:28 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoMe]
2004-08-04 11:00 114688 ----a-w- c:\windows\system32\wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-07 09:34 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-11-04 06:39 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 07:02 86016 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
2005-11-15 18:12 473928 ----a-w- c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-12-15 05:48 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 05:20 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2007-08-30 05:20 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-10 23:10 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPlayerForWindows_UpdateReminder]
2009-10-11 22:48 217156 ----a-w- c:\program files\MPlayer for Windows\AutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 06:20 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
2004-12-09 19:58 86016 ----a-w- c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-11-28 12:05 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-11-28 12:05 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-09-19 05:07 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-06-25 01:36 729178 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8865:TCP"= 8865:TCP:iyunikf

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/26/2009 11:32 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/26/2009 11:32 PM 20560]
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\windows\system32\drivers\ewusbmdm.sys [6/23/2006 10:33 AM 63104]
S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;c:\windows\system32\drivers\ewusbser.sys [6/23/2006 10:33 AM 63104]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\K.G. Ramesh\Application Data\Mozilla\Firefox\Profiles\7gjenmwo.default\
FF - component: c:\documents and settings\K.G. Ramesh\Application Data\Mozilla\Firefox\Profiles\7gjenmwo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

// Stop reusing active windows:
FF - user.js: advanced.system.supportDDEExec - false
// Instead of annoying error dialog messages, display pages:
FF - user.js: browser.xul.error_pages.enabled - true);user_pref(yahoo.homepage.dontask, true.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-cdoosoft - c:\docume~1\KGBED8~1.RAM\LOCALS~1\Temp\herss.exe
MSConfigStartUp-dc - c:\windows\dc.exe
MSConfigStartUp-dc2k5 - c:\windows\SVIQ.EXE
MSConfigStartUp-eFax 4 - c:\program files\eFax Messenger 4.3\J2GDllCmd.exe
MSConfigStartUp-Execute - c:\progra~1\MONEYM~1\expiry.exe
MSConfigStartUp-Fun - c:\windows\system\Fun.exe
MSConfigStartUp-Load - c:\windows\inf\Other.exe
MSConfigStartUp-Run - c:\windows\system32\config\Win.exe
ActiveSetup-{32D9E38E-D115-66D9-0806-070808060604} - c:\windows\system32\WinSecSys.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 12:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3895740936-2798633014-98352900-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ED0F8295-5CD3-A346-3CE8-31F3E54F870F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-12-27 12:48:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-27 07:18

Pre-Run: 5,062,463,488 bytes free
Post-Run: 4,967,464,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 1971563855373C2BB8BC07DEFA95BCBC

Thanks again!
  • 0

#4 fenzodahl512 (Malware Removal, 9,863 posts)

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8865:TCP"=

SkipFix::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.




Well.. How's the computer now? :)

Please do this step before you sleep or when you don't use the computer as it will take quite a while..

Go to Kaspersky Online Scanner

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases


5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
  • 0
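The CFScript in the post above removes one entry, `"8865:TCP"`, from the firewall's GloballyOpenPorts list, which in the ComboFix log of post #3 carried the label `iyunikf` alongside a long list of authorized programs. The script below is an added example, not code from the posts or from ComboFix: it parses the two firewall lists as ComboFix prints them in its "Reg Loading Points" section and flags inbound port exceptions that do not carry a stock Windows resource-string name, plus allowed programs running from temporary or user-writable folders. SAMPLE_LOG is constructed in ComboFix's layout; the 8865:TCP entry is the one from post #3, the 139:TCP entry imitates a stock XP SP2 exception, and the Temp-folder program path is invented for illustration.

```python
"""Audit the Windows XP firewall exceptions ComboFix prints under
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\...]
in its "Reg Loading Points" section.

Added example; not code from the original posts or from ComboFix. SAMPLE_LOG
is constructed in ComboFix's log layout: the 8865:TCP "iyunikf" entry is the
one shown in post #3, the 139:TCP entry imitates a stock XP SP2 exception,
and the Temp-folder program is an invented illustrative path.
"""
import re
from typing import List, NamedTuple, Optional

SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\user\\Local Settings\\Temp\\unknown_app.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"8865:TCP"= 8865:TCP:iyunikf

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys
"""


class Finding(NamedTuple):
    kind: str    # "port" or "app"
    entry: str
    reason: str


SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
APP_RE = re.compile(r'^"(?P<path>.+?)"=\s*$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<data>.*)$')

# Locations a program should not be running from if it is to be trusted with
# an inbound firewall hole; matched case-insensitively against the path.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def _section_kind(key: str) -> Optional[str]:
    key = key.lower()
    if key.endswith("authorizedapplications\\list"):
        return "apps"
    if key.endswith("globallyopenports\\list"):
        return "ports"
    return None


def _check_app(path_field: str) -> Optional[Finding]:
    # ComboFix prints the .reg-style escaped path ("\\"); undo that and expand
    # the one environment variable the stock entries use.
    path = path_field.replace("\\\\", "\\").replace("%windir%", "c:\\windows").lower()
    if any(tok in path for tok in USER_WRITABLE):
        return Finding("app", path, "allowed program runs from a user-writable/temporary folder")
    if not path.startswith(TRUSTED_ROOTS):
        return Finding("app", path, "allowed program lives outside Windows and Program Files")
    return None


def _check_port(port: str, proto: str, data: str) -> Optional[Finding]:
    # Registry value layout is port:proto:scope:state:name; the stock XP SP2
    # entries carry a resource-string name starting with '@', anything else
    # was added by a program or a user.
    fields = data.split(":")
    name = fields[-1] if fields else ""
    scope = fields[2] if len(fields) >= 5 else None
    entry = f"{port}/{proto}"
    if not name.startswith("@"):
        return Finding("port", entry, f"non-default inbound exception labelled {name!r}")
    if scope is not None and scope != "LocalSubNet":
        return Finding("port", entry, "default exception widened beyond the local subnet")
    return None


def audit_firewall_exceptions(log_text: str) -> List[Finding]:
    """Walk the log, remember which firewall list we are in, check each entry."""
    findings: List[Finding] = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # ComboFix separates sections with blank lines
            continue
        m = SECTION_RE.match(line)
        if m:
            section = _section_kind(m.group("key"))
            continue
        f = None
        if section == "apps" and (m := APP_RE.match(line)):
            f = _check_app(m.group("path"))
        elif section == "ports" and (m := PORT_RE.match(line)):
            f = _check_port(m.group("port"), m.group("proto"), m.group("data"))
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_firewall_exceptions(SAMPLE_LOG):
        print(f"[{f.kind}] {f.entry}: {f.reason}")
```

A flagged port exception like 8865/TCP is exactly what the CFScript above deletes; the same review should be repeated after cleanup, because a reinstalled dropper will often re-add its hole, and any non-default exception that survives is a reason to keep looking.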

#5 sandeepforever (Topic Starter, Member, 12 posts)

Hi,

I tried all the instructions you gave. Here is what has happened:

1. ComboFix - worked like a dream. The log is pasted below.
2. Kaspersky online scan - I left it overnight and the scan had frozen at 60%. No viruses had been detected till then. I will try to run it again tonight and check.
3. HiJackThis - I downloaded the installation file (hijackthis.msi) but it says it is an invalid installation file.

Awaiting further instructions! :-) Btw, the comp is much better now. I can browse AV websites. And it does seem to be faster!

There is one persistent problem though, which I had forgotten to mention. When I use Firefox, the process does not terminate for a long time (or never) even after I close the browser. I have to go to the Task Manager and kill the process. Is this a sign of a virus? Or is it a known issue with Firefox?

Thanks! Here is the combofix log:

ComboFix 09-12-26.02 - K.G. Ramesh 12/27/2009 13:22:25.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247.93 [GMT 5.5:30]
Running from: c:\documents and settings\K.G. Ramesh\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\K.G. Ramesh\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 091226-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-26 18:02 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-26 18:02 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-26 18:02 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-12-26 18:02 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-26 18:02 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-26 18:02 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-26 18:02 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-12-26 18:02 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-12-26 18:02 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-26 18:02 . 2009-12-26 18:02 -------- d-----w- c:\program files\Alwil Software
2009-12-25 17:29 . 2009-12-25 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-12-25 17:28 . 2009-12-25 17:29 -------- d-----w- c:\program files\Security Task Manager1
2009-12-25 17:28 . 2009-12-25 17:28 -------- d-----w- c:\program files\Security Task Manager
2009-12-24 05:21 . 2009-12-24 05:21 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\Malwarebytes
2009-12-24 05:21 . 2009-12-03 10:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-24 05:20 . 2009-12-24 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-24 05:20 . 2009-12-24 05:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-24 05:20 . 2009-12-03 10:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-24 05:04 . 2009-12-24 05:04 -------- d-----w- c:\program files\Smart Virus Remover
2009-12-22 05:50 . 2009-12-22 05:50 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2009-12-22 05:49 . 2009-12-22 05:50 -------- d-----w- c:\program files\TweetDeck
2009-12-22 05:49 . 2009-12-22 05:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-20 09:07 . 2009-12-22 05:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-20 09:07 . 2009-12-21 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-20 08:13 . 2009-12-20 08:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-12-20 08:13 . 2009-12-20 08:13 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\Simply Super Software
2009-12-10 10:20 . 2004-08-04 11:00 743936 ----a-w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 12:25 . 2008-11-21 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-22 06:37 . 2008-12-16 05:33 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\DNA
2009-12-22 05:17 . 2008-12-16 05:33 -------- d-----w- c:\program files\DNA
2009-12-20 08:40 . 2009-11-06 06:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-20 08:20 . 2008-04-27 10:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-14 06:57 . 2009-11-12 05:31 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\Skype
2009-12-14 04:41 . 2009-11-12 05:32 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\skypePM
2009-11-25 16:20 . 2009-02-21 14:38 256 ----a-w- c:\windows\system32\pool.bin
2009-11-25 15:37 . 2006-01-08 22:51 -------- d-----w- c:\program files\Google
2009-11-12 05:33 . 2009-11-12 05:33 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-12 05:26 . 2009-11-12 05:24 -------- d-----r- c:\program files\Skype
2009-11-12 05:24 . 2009-11-12 05:24 -------- d-----w- c:\program files\Common Files\Skype
2009-11-12 05:24 . 2009-11-12 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-31 05:44 . 2009-10-24 07:53 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\BitTorrent
2009-10-30 19:52 . 2009-10-30 19:51 -------- d-----w- c:\program files\MPlayer for Windows
2008-07-22 11:12 . 2008-07-22 11:12 2 --shatr- c:\windows\winstart.bat
2007-10-18 07:19 . 2006-01-09 10:28 104 --sh--r- c:\windows\system32\76DD126630.sys
2007-10-18 07:20 . 2006-01-09 10:28 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoMe]
2004-08-04 11:00 114688 ----a-w- c:\windows\system32\wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-07 09:34 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-11-04 06:39 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 07:02 86016 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
2005-11-15 18:12 473928 ----a-w- c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-12-15 05:48 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 05:20 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2007-08-30 05:20 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-10 23:10 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPlayerForWindows_UpdateReminder]
2009-10-11 22:48 217156 ----a-w- c:\program files\MPlayer for Windows\AutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 06:20 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
2004-12-09 19:58 86016 ----a-w- c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-11-28 12:05 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-11-28 12:05 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-09-19 05:07 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-06-25 01:36 729178 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8865:TCP"= 8865:TCP:iyunikf

R3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\windows\system32\DRIVERS\ewusbmdm.sys [2004-08-11 63104]
R3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;c:\windows\system32\DRIVERS\ewusbser.sys [2004-08-11 63104]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
S2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2007-12-22 2368]

.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\K.G. Ramesh\Application Data\Mozilla\Firefox\Profiles\7gjenmwo.default\
FF - component: c:\documents and settings\K.G. Ramesh\Application Data\Mozilla\Firefox\Profiles\7gjenmwo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

// Stop reusing active windows:
FF - user.js: advanced.system.supportDDEExec - false
// Instead of annoying error dialog messages, display pages:
FF - user.js: browser.xul.error_pages.enabled - true);user_pref(yahoo.homepage.dontask, true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 13:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3895740936-2798633014-98352900-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ED0F8295-5CD3-A346-3CE8-31F3E54F870F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-12-27 13:43:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-27 08:13
ComboFix2.txt 2009-12-27 07:18

Pre-Run: 4,967,591,936 bytes free
Post-Run: 4,927,250,432 bytes free

- - End Of File - - 56077774D49D3D48BE9615108F250E71
  • 0

#6
fenzodahl512

  • Malware Removal
  • 9,863 posts
Erm.. Not sure, but can you repeat the CFScript as you did before? This time with the script below:

KillAll::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8865:TCP"=

File::
c:\windows\winstart.bat


Do you know anything about "Security Task Manager"?

About the Kaspersky, when you're scanning with Kaspersky, did you disable Avast? :)
  • 0

#7
sandeepforever

    Member

  • Topic Starter
  • Member
  • 12 posts
Hi,

Thanks a ton again!

Here is the latest ComboFix log.

I did disable Avast before trying Kaspersky. And I do have Security Task Manager installed. Don't know too much about it though.

ComboFix 09-12-27.03 - K.G. Ramesh 12/28/2009 18:35:14.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247.97 [GMT 5.5:30]
Running from: c:\documents and settings\K.G. Ramesh\Desktop\AV Stuff\Combo-Fix.exe
Command switches used :: c:\documents and settings\K.G. Ramesh\Desktop\AV Stuff\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 091227-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\winstart.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\winstart.bat

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-26 18:02 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-26 18:02 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-26 18:02 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-12-26 18:02 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-26 18:02 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-26 18:02 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-26 18:02 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-12-26 18:02 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-12-26 18:02 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-26 18:02 . 2009-12-26 18:02 -------- d-----w- c:\program files\Alwil Software
2009-12-25 17:29 . 2009-12-25 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-12-25 17:28 . 2009-12-25 17:29 -------- d-----w- c:\program files\Security Task Manager1
2009-12-25 17:28 . 2009-12-25 17:28 -------- d-----w- c:\program files\Security Task Manager
2009-12-24 05:21 . 2009-12-24 05:21 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\Malwarebytes
2009-12-24 05:21 . 2009-12-03 10:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-24 05:20 . 2009-12-24 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-24 05:20 . 2009-12-24 05:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-24 05:20 . 2009-12-03 10:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-24 05:04 . 2009-12-24 05:04 -------- d-----w- c:\program files\Smart Virus Remover
2009-12-22 05:50 . 2009-12-22 05:50 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2009-12-22 05:49 . 2009-12-22 05:50 -------- d-----w- c:\program files\TweetDeck
2009-12-22 05:49 . 2009-12-22 05:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-20 09:07 . 2009-12-22 05:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-20 09:07 . 2009-12-21 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-20 08:13 . 2009-12-20 08:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-12-20 08:13 . 2009-12-20 08:13 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\Simply Super Software
2009-12-10 10:20 . 2004-08-04 11:00 743936 ----a-w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 17:39 . 2005-11-28 11:56 -------- d-----w- c:\program files\Java
2009-12-26 12:25 . 2008-11-21 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-22 06:37 . 2008-12-16 05:33 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\DNA
2009-12-22 05:17 . 2008-12-16 05:33 -------- d-----w- c:\program files\DNA
2009-12-20 08:40 . 2009-11-06 06:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-20 08:20 . 2008-04-27 10:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-14 06:57 . 2009-11-12 05:31 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\Skype
2009-12-14 04:41 . 2009-11-12 05:32 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\skypePM
2009-11-25 16:20 . 2009-02-21 14:38 256 ----a-w- c:\windows\system32\pool.bin
2009-11-25 15:37 . 2006-01-08 22:51 -------- d-----w- c:\program files\Google
2009-11-12 05:33 . 2009-11-12 05:33 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-12 05:26 . 2009-11-12 05:24 -------- d-----r- c:\program files\Skype
2009-11-12 05:24 . 2009-11-12 05:24 -------- d-----w- c:\program files\Common Files\Skype
2009-11-12 05:24 . 2009-11-12 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-31 05:44 . 2009-10-24 07:53 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\BitTorrent
2009-10-30 19:52 . 2009-10-30 19:51 -------- d-----w- c:\program files\MPlayer for Windows
2009-10-10 22:47 . 2008-12-25 09:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-10-18 07:19 . 2006-01-09 10:28 104 --sh--r- c:\windows\system32\76DD126630.sys
2007-10-18 07:20 . 2006-01-09 10:28 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoMe]
2004-08-04 11:00 114688 ----a-w- c:\windows\system32\wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-07 09:34 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-11-04 06:39 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 07:02 86016 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
2005-11-15 18:12 473928 ----a-w- c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-12-15 05:48 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 05:20 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2007-08-30 05:20 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-10 23:10 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPlayerForWindows_UpdateReminder]
2009-10-11 22:48 217156 ----a-w- c:\program files\MPlayer for Windows\AutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 06:20 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
2004-12-09 19:58 86016 ----a-w- c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-11-28 12:05 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-11-28 12:05 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-09-19 05:07 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-06-25 01:36 729178 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8865:TCP"= 8865:TCP:iyunikf

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/22/2008 11:03 AM 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/26/2009 11:32 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/26/2009 11:32 PM 20560]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/22/2007 10:51 PM 2368]
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\windows\system32\drivers\ewusbmdm.sys [6/23/2006 10:33 AM 63104]
S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;c:\windows\system32\drivers\ewusbser.sys [6/23/2006 10:33 AM 63104]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\K.G. Ramesh\Application Data\Mozilla\Firefox\Profiles\7gjenmwo.default\
FF - component: c:\documents and settings\K.G. Ramesh\Application Data\Mozilla\Firefox\Profiles\7gjenmwo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

// Stop reusing active windows:
FF - user.js: advanced.system.supportDDEExec - false
// Instead of annoying error dialog messages, display pages:
FF - user.js: browser.xul.error_pages.enabled - true);user_pref(yahoo.homepage.dontask, true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 18:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3895740936-2798633014-98352900-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ED0F8295-5CD3-A346-3CE8-31F3E54F870F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-12-28 19:07:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 13:37
ComboFix2.txt 2009-12-27 08:13
ComboFix3.txt 2009-12-27 07:18

Pre-Run: 4,712,951,808 bytes free
Post-Run: 4,793,061,376 bytes free

- - End Of File - - 2E1BAACBF56D87A165BA0C027BA95E4C
  • 0

#8
fenzodahl512

  • Malware Removal
  • 9,863 posts
Repeat the CFScript with this script:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8865:TCP"=-



Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :)
  • 0
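The CFScripts above target the `GloballyOpenPorts\List` entry `"8865:TCP"= 8865:TCP:iyunikf` that keeps reappearing in the ComboFix logs. The following Python is an added example, not code from the thread or from ComboFix, showing how a helper could pull the firewall sections out of a ComboFix "Reg Loading Points" dump and flag open-port entries that do not look like Windows-defined exceptions. The sample log text is constructed in ComboFix's layout: the 8865:TCP line is the entry from this thread, the 3389:TCP line is a constructed example of a Windows-defined exception, and the "five fields ending in a resource string" heuristic is an assumption of this example, not a ComboFix rule. The `=-` deletion syntax emitted at the end is the REGEDIT4 form used in the CFScript in post #8.

```python
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's "Reg Loading Points" layout (REGEDIT4 form).
# The 8865:TCP line copies the entry seen in the thread; the 3389:TCP line is a
# constructed example of how a Windows-defined exception is usually written.
SAMPLE_LOG = r"""
REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8865:TCP"= 8865:TCP:iyunikf
"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
# Windows names its own exceptions with a resource string such as @xpsp2res.dll,-22009
RESOURCE_NAME_RE = re.compile(r"^@.+\.dll,-\d+$", re.IGNORECASE)


@dataclass
class OpenPort:
    port: int
    proto: str
    fields: list      # colon-separated fields after "port:proto" in the value data
    suspicious: bool
    reason: str


def parse_sections(text):
    """Return {key: [(value_name, value_data), ...]} for each [key] block."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections[current] = []
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("data").strip()))
    return sections


def _find_key(sections, suffix):
    return next((k for k in sections if k.lower().endswith(suffix)), None)


def authorized_apps(sections):
    """Program paths listed under AuthorizedApplications\\List (names only; data is empty)."""
    key = _find_key(sections, r"authorizedapplications\list")
    return [name for name, _ in sections.get(key, [])]


def open_ports(sections):
    """Classify each GloballyOpenPorts entry.

    Heuristic (an assumption of this example): a Windows-defined exception is
    written port:proto:scope:mode:name with name as a resource string. An entry
    with fewer fields, or with a free-text name, deserves a closer look.
    """
    key = _find_key(sections, r"globallyopenports\list")
    results = []
    for name, data in sections.get(key, []):
        port, proto = name.split(":", 1)
        rest = data.split(":")[2:] if data else []
        if len(rest) < 3:
            flag, why = True, "fewer fields than a Windows-defined exception"
        elif not RESOURCE_NAME_RE.match(rest[-1]):
            flag, why = True, "free-text description instead of a resource string"
        else:
            flag, why = False, "looks like a Windows-defined exception"
        results.append(OpenPort(int(port), proto, rest, flag, why))
    return results


def cfscript_registry_block(key, value_names):
    """Emit a Registry:: block in REGEDIT4 form; "name"=- deletes the value."""
    lines = ["Registry::", f"[{key}]"]
    lines += [f'"{n}"=-' for n in value_names]
    return "\n".join(lines)


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_LOG)
    for p in open_ports(secs):
        print(f"{p.port}/{p.proto}: {'FLAG' if p.suspicious else 'ok  '} ({p.reason})")
    flagged = [f"{p.port}:{p.proto}" for p in open_ports(secs) if p.suspicious]
    print(cfscript_registry_block(_find_key(secs, r"globallyopenports\list"), flagged))
```

Run as-is, the script flags 8865/TCP (only one field after port:proto, a free-text name) and leaves the constructed 3389/TCP entry alone, then prints a Registry:: block with `"8865:TCP"=-`. The flag is a prompt to investigate, not a verdict: an entry should be removed only after the listing process has been identified, which is the step the helper in this thread is working through.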

#9
sandeepforever

    Member

  • Topic Starter
  • Member
  • 12 posts
Great stuff! Every time something new comes up, I think! Thanks for all the help.

Here is the new combofix log:
ComboFix 09-12-27.03 - K.G. Ramesh 12/28/2009 20:05:50.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247.91 [GMT 5.5:30]
Running from: c:\documents and settings\K.G. Ramesh\Desktop\AV Stuff\Combo-Fix.exe
Command switches used :: c:\documents and settings\K.G. Ramesh\Desktop\AV Stuff\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 091227-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-27 17:31 . 2009-12-27 17:31 152576 ----a-w- c:\documents and settings\K.G. Ramesh\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-27 17:28 . 2009-12-27 17:28 79488 ----a-w- c:\documents and settings\K.G. Ramesh\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-26 18:02 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-26 18:02 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-26 18:02 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-12-26 18:02 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-26 18:02 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-26 18:02 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-26 18:02 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-12-26 18:02 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-12-26 18:02 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-26 18:02 . 2009-12-26 18:02 -------- d-----w- c:\program files\Alwil Software
2009-12-25 17:28 . 2009-12-25 17:28 -------- d-----w- c:\program files\Security Task Manager
2009-12-24 05:21 . 2009-12-24 05:21 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\Malwarebytes
2009-12-24 05:21 . 2009-12-03 10:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-24 05:20 . 2009-12-24 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-24 05:20 . 2009-12-24 05:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-24 05:20 . 2009-12-03 10:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-24 05:04 . 2009-12-24 05:04 -------- d-----w- c:\program files\Smart Virus Remover
2009-12-22 05:50 . 2009-12-22 05:50 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2009-12-22 05:50 . 2009-12-22 05:44 38784 ----a-w- c:\documents and settings\K.G. Ramesh\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-22 05:49 . 2009-12-22 05:50 -------- d-----w- c:\program files\TweetDeck
2009-12-22 05:49 . 2009-12-22 05:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-20 09:07 . 2009-12-22 05:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-20 09:07 . 2009-12-21 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-20 08:13 . 2009-12-20 08:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-12-20 08:13 . 2009-12-20 08:13 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\Simply Super Software
2009-12-19 13:48 . 2009-12-16 09:12 43008 ----a-w- c:\documents and settings\K.G. Ramesh\Application Data\Mozilla\Firefox\Profiles\7gjenmwo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-19 13:48 . 2009-12-16 09:12 340480 ----a-w- c:\documents and settings\K.G. Ramesh\Application Data\Mozilla\Firefox\Profiles\7gjenmwo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-19 13:48 . 2009-12-16 09:11 346624 ----a-w- c:\documents and settings\K.G. Ramesh\Application Data\Mozilla\Firefox\Profiles\7gjenmwo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-19 13:48 . 2009-12-16 09:12 872960 ----a-w- c:\documents and settings\K.G. Ramesh\Application Data\Mozilla\Firefox\Profiles\7gjenmwo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-10 10:20 . 2004-08-04 11:00 743936 ----a-w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 17:39 . 2005-11-28 11:56 -------- d-----w- c:\program files\Java
2009-12-26 12:25 . 2008-11-21 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-25 17:34 . 2009-12-25 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-12-22 06:37 . 2008-12-16 05:33 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\DNA
2009-12-22 05:44 . 2009-12-25 17:05 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-22 05:17 . 2008-12-16 05:33 -------- d-----w- c:\program files\DNA
2009-12-20 08:40 . 2009-11-06 06:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-20 08:20 . 2008-04-27 10:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-14 06:57 . 2009-11-12 05:31 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\Skype
2009-12-14 04:41 . 2009-11-12 05:32 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\skypePM
2009-11-25 16:20 . 2009-02-21 14:38 256 ----a-w- c:\windows\system32\pool.bin
2009-11-25 15:37 . 2006-01-08 22:51 -------- d-----w- c:\program files\Google
2009-11-12 05:33 . 2009-11-12 05:33 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-12 05:26 . 2009-11-12 05:24 -------- d-----r- c:\program files\Skype
2009-11-12 05:24 . 2009-11-12 05:24 -------- d-----w- c:\program files\Common Files\Skype
2009-11-12 05:24 . 2009-11-12 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-31 05:44 . 2009-10-24 07:53 -------- d-----w- c:\documents and settings\K.G. Ramesh\Application Data\BitTorrent
2009-10-30 19:52 . 2009-10-30 19:51 -------- d-----w- c:\program files\MPlayer for Windows
2009-10-10 22:47 . 2008-12-25 09:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-10-18 07:19 . 2006-01-09 10:28 104 --sh--r- c:\windows\system32\76DD126630.sys
2007-10-18 07:20 . 2006-01-09 10:28 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoMe]
2004-08-04 11:00 114688 ----a-w- c:\windows\system32\wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-07 09:34 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-11-04 06:39 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 07:02 86016 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
2005-11-15 18:12 473928 ----a-w- c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-12-15 05:48 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 05:20 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2007-08-30 05:20 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-10 23:10 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPlayerForWindows_UpdateReminder]
2009-10-11 22:48 217156 ----a-w- c:\program files\MPlayer for Windows\AutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 06:20 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
2004-12-09 19:58 86016 ----a-w- c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-11-28 12:05 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-11-28 12:05 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-09-19 05:07 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-06-25 01:36 729178 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/22/2008 11:03 AM 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/26/2009 11:32 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/26/2009 11:32 PM 20560]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/22/2007 10:51 PM 2368]
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\windows\system32\drivers\ewusbmdm.sys [6/23/2006 10:33 AM 63104]
S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;c:\windows\system32\drivers\ewusbser.sys [6/23/2006 10:33 AM 63104]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\K.G. Ramesh\Application Data\Mozilla\Firefox\Profiles\7gjenmwo.default\
FF - component: c:\documents and settings\K.G. Ramesh\Application Data\Mozilla\Firefox\Profiles\7gjenmwo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

// Stop reusing active windows:
FF - user.js: advanced.system.supportDDEExec - false
// Instead of annoying error dialog messages, display pages:
FF - user.js: browser.xul.error_pages.enabled - true);user_pref(yahoo.homepage.dontask, true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 20:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3895740936-2798633014-98352900-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ED0F8295-5CD3-A346-3CE8-31F3E54F870F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-12-28 20:22:30
ComboFix-quarantined-files.txt 2009-12-28 14:52
ComboFix2.txt 2009-12-28 13:37
ComboFix3.txt 2009-12-27 08:13
ComboFix4.txt 2009-12-27 07:18

Pre-Run: 4,783,788,032 bytes free
Post-Run: 4,759,048,192 bytes free

- - End Of File - - AF921AA2CF21954EAA59892BFB7ACBA9


And here is the ESET scan log. Here, I had to run it twice - the first time, I realized that Avast was running in the background. I stopped the scan at 75%. It detected and quarantined 3 viruses. The second time, I shut down Avast and the scan completed with 3 more viruses detected. Here is the log:

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16640 (vista_gdr.080213-1606)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=8c8d81d58f25a54887117899f897e573
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-12-28 05:56:05
# local_time=2009-12-28 11:26:05 (+0530, India Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=769 16775125 100 98 0 198303988 68011 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=39329
# found=3
# cleaned=3
# scan_time=1937
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv2.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=7.00.6000.16640 (vista_gdr.080213-1606)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=8c8d81d58f25a54887117899f897e573
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-12-28 06:47:31
# local_time=2009-12-29 12:17:31 (+0530, India Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=769 16775141 100 98 1520 198306214 70237 0
# compatibility_mode=8192 67108863 100 0 1249 1249 0 0
# scanned=85456
# found=3
# cleaned=3
# scan_time=2791
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000902.inf Win32/Sohanad.NCB worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\aspimgr.exe_ probably a variant of Win32/Agent.NEQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\WINSECSYS.EXE.del Win32/Poison trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
  • 0
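Added example, not part of the posted log or of ComboFix itself: a Python parser for the "Reg Loading Points" and service lines above that builds a short review queue from the autostart entries. It picks out what an analyst checks first when malware keeps returning after a reboot: entries whose registered file is no longer on disk (ComboFix prints `[X]` for those), script hosts such as wscript.exe registered as startup items (the log shows only the image, so the command line has to be read from the registry to see what it actually launches), images in user-writable locations, and boot/system-start kernel drivers. The flags are triage hints, not verdicts; the `[X]` on the Dell wireless entry, for instance, is simply a dangling entry for a Dell utility. The embedded sample is a constructed subset copying the posted lines' layout, and the regular expressions, the `Entry` type and the script-host list are this example's own assumptions.

```python
import re
from typing import List, NamedTuple

# Constructed sample copying the layout of the log posted above (a subset of
# its lines). ComboFix prints [X] where the registered file is not on disk.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoMe]
2004-08-04 11:00 114688 ----a-w- c:\windows\system32\wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-07 09:34 323392 ----a-w- c:\program files\DNA\btdna.exe

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/22/2008 11:03 AM 28544]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/22/2007 10:51 PM 2368]
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\windows\system32\drivers\ewusbmdm.sys [6/23/2006 10:33 AM 63104]
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
MSCONFIG_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[")

# Interpreters and LOLBins: the log records only the image, so the payload is
# in the command-line arguments, which have to be read from the registry.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}


class Entry(NamedTuple):
    key: str      # registry key (or "services") the entry came from
    name: str
    path: str
    start: str    # service column: R = running, S = stopped, digit = start type; "" otherwise
    flags: List[str]


def flags_for(path: str, meta: str, start: str) -> List[str]:
    """Heuristics that pick out entries for a human to check; not a verdict."""
    flags: List[str] = []
    low = path.lower()
    image = low.rsplit("\\", 1)[-1]
    if meta == "X":
        flags.append("target file missing")        # dangling autorun
    if image in SCRIPT_HOSTS:
        flags.append("script host as autostart: check its arguments")
    if "\\documents and settings\\" in low or "\\temp\\" in low:
        flags.append("user-writable location")     # no admin rights needed to plant it
    if start in ("R0", "R1"):
        flags.append("boot/system-start kernel driver")
    return flags


def parse_loading_points(text: str) -> List[Entry]:
    entries: List[Entry] = []
    key = ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry(key, m["name"], m["path"], "",
                                 flags_for(m["path"], m["meta"], "")))
            continue
        m = MSCONFIG_RE.match(line)
        if m and "startupreg" in key.lower():
            name = key.rsplit("\\", 1)[-1]    # msconfig keeps the item name as the subkey
            entries.append(Entry(key, name, m["path"], "", flags_for(m["path"], "", "")))
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Entry("services", m["name"], m["path"], m["start"],
                                 flags_for(m["path"], "", m["start"])))
    return entries


def review_queue(entries: List[Entry]) -> List[Entry]:
    """The entries that carry at least one flag, in log order."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in review_queue(parse_loading_points(SAMPLE)):
        print(f"{e.name!r:28} {e.path:48} {'; '.join(e.flags)}")
```

On the sample, the queue comes back with three entries: the dangling Dell wireless item, `autoMe` (wscript.exe as a startup item) and the boot-start driver `pavboot`; everything else in the sample carries no flag. Feeding the full posted section through `parse_loading_points` works the same way, since the firewall list and the `R`/`S` service lines are all in the formats the regular expressions expect.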
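Added example, not part of the original post or of ESET's tooling: a Python parser for the ESET Online Scanner log format shown above that triages each detection by where the file sat on disk. Only a hit on a file Windows could still load says anything about whether the machine is still infected; a copy inside a System Restore point, inside another tool's quarantine (here Spybot's Recovery folder) or already renamed so it no longer runs (`.exe_`, `.del`) is a leftover of an earlier cleanup. The parser assumes the scanner separates fields with tabs (the forum rendering collapsed them to spaces, so a space-based fallback is included), and the embedded log is a constructed sample that copies the posted lines' layout; the `Detection`, `ScanRun`, `triage_path` and `summarize` names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple

# Constructed sample copying the layout of the log posted above: tab-separated
# fields (the forum rendering collapsed them to spaces). The first run is cut
# to one of its three identical Bagle hits; header values are as posted.
SAMPLE_LOG = (
    "OnlineScanner.ocx - registred OK\n"
    "# version=7\n# end=stopped\n# scanned=39329\n# found=3\n# cleaned=3\n"
    "C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy"
    "\\Recovery\\WinBankerfgv.zip\tWin32/Bagle.gen.zip worm\t"
    "(cleaned by deleting - quarantined)\t00000000000000000000000000000000\tC\n"
    "# version=7\n# end=finished\n# scanned=85456\n# found=3\n# cleaned=3\n"
    "C:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}"
    "\\RP2\\A0000902.inf\tWin32/Sohanad.NCB worm\t"
    "(cleaned by deleting - quarantined)\t00000000000000000000000000000000\tC\n"
    "C:\\WINDOWS\\system32\\aspimgr.exe_\tprobably a variant of Win32/Agent.NEQ trojan\t"
    "(cleaned by deleting - quarantined)\t00000000000000000000000000000000\tC\n"
    "C:\\WINDOWS\\system32\\WINSECSYS.EXE.del\tWin32/Poison trojan\t"
    "(cleaned by deleting - quarantined)\t00000000000000000000000000000000\tC\n"
)

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Fallback for a log whose tabs were lost: path is the shortest prefix ending
# in an extension, then threat, (action), 32-hex md5, flags.
SPACED_RE = re.compile(
    r"^(?P<path>.+?\.[A-Za-z0-9_]+)\s+(?P<threat>.+?)\s+\((?P<action>[^)]*)\)"
    r"\s+(?P<md5>[0-9a-fA-F]{32})\s+(?P<flags>\S+)\s*$"
)


class Detection(NamedTuple):
    path: str
    threat: str
    action: str
    md5: str
    flags: str


@dataclass
class ScanRun:
    header: Dict[str, str] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def triage_path(path: str) -> str:
    """Only 'live' means a file Windows could still load; the rest are leftovers."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if "\\system volume information\\" in p:
        return "restore-point copy"        # old System Restore snapshot
    if "\\spybot - search & destroy\\recovery\\" in p:
        return "other tool's quarantine"   # Spybot's backup of what it removed
    if name.endswith(".del") or name.endswith("_"):
        return "renamed remnant"           # extension changed, no longer runs as-is
    return "live"


def parse_detection(line: str) -> Detection:
    if "\t" in line:
        parts = line.split("\t")
        if len(parts) < 5:
            raise ValueError(f"short detection line: {line!r}")
        path, threat, action, md5, flags = parts[:5]
        return Detection(path, threat, action.strip("()"), md5, flags)
    m = SPACED_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised detection line: {line!r}")
    return Detection(**m.groupdict())


def parse_log(text: str) -> List[ScanRun]:
    runs: List[ScanRun] = []
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            if key == "version" or not runs:   # '# version' opens a new run
                runs.append(ScanRun())
            runs[-1].header[key] = value
        elif runs and PATH_RE.match(line):
            runs[-1].detections.append(parse_detection(line))
        # installer preamble and blank lines are ignored
    return runs


def summarize(runs: List[ScanRun]) -> Dict[str, object]:
    """The numbers a helper asks for first, plus the hits that still matter."""
    hits = [d for r in runs for d in r.detections]
    kinds = sorted({triage_path(d.path) for d in hits})
    return {
        "runs": len(runs),
        "last_run_finished": bool(runs) and runs[-1].header.get("end") == "finished",
        "found": sum(int(r.header.get("found", "0")) for r in runs),
        "cleaned": sum(int(r.header.get("cleaned", "0")) for r in runs),
        "by_triage": {k: sum(1 for d in hits if triage_path(d.path) == k) for k in kinds},
        "live": [d.path for d in hits if triage_path(d.path) == "live"],
    }
```

Calling `summarize(parse_log(SAMPLE_LOG))` reports two runs, the first stopped and the second finished, six found and six cleaned across both, and an empty `live` list: every posted hit is a restore-point copy, a Spybot recovery backup or a renamed remnant, which is why the log reads as the tail end of a cleanup rather than an active infection. A log pasted with the tabs flattened to spaces goes through the `SPACED_RE` fallback instead.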

#10
fenzodahl512
  • Malware Removal
  • 9,863 posts
Looks good to me. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have an internet connection.
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing:

http://www.pcpitstop...safesurfing.asp
http://bluefive.pair...afe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512
  • 0

#11
sandeepforever
  • Topic Starter
  • Member
  • 12 posts
Fenzodahl512,

Thanks a ton mate! I do believe that you have sorted out my system. :)

I can definitely feel the difference when I open programs (Word/Excel etc.). The memory has been freed from the virus, I think. Everything works much faster.

However, on the recommendation of this site, I have installed avast AV. This thing eats up a lot of resources at startup and I am unable to remove it from startup. I can live with it... but is there a better solution? I don't really like having these resident protection systems. I just run a full scan every 5 days.

Should I just go ahead and remove avast and stick with AVG?

Thanks a ton again! You guys rock!
  • 0

#12
fenzodahl512
  • Malware Removal
  • 9,863 posts
My personal recommendation is to uninstall Avast and AVG, and use Avira instead. Also a free AV, and light on resources :)
  • 0





