Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

HelpIThinkIHaveAVirus


  • Please log in to reply

#1
mbungle

mbungle

    Member

  • Member
  • PipPip
  • 26 posts
My computer recently had antivir 2010 installed on it.

Right before antivir 2010 was put on my computer I had just purchased
Avast pro antivirus and installed it on my computer.

My girlfriend was using the stumble toolbar online and the
antivir 2010 window popped up "warning" that my computer was infected;
she assumed it was my newly purchased anti-virus program and installed
it. Uuuuggghhh.....

I ran malwarbytes to get rid of it, and it seemed successful at first, but
other strange things have started happening. I have new context menus
for something called sandbox and another one that says "run virtualized"
I am familiar with virtual machines. I've used virtualbox and virtualPC,
but is this legit? If it is I didn't purposefully install it and I don't like the
extra context menus. It does not appear in my add/remove programs list
or windows components.

I have noticed a couple more funny behaviors, namely, that avira's mail and
webscanner will not start automatically when I reboot my computer, and
if I try to set them to start automatically from the Services console
snap-in I get a very plain message with a yellow exclamation that says,
"access is denied" and it simply says "services" in the title bar. I have no
Idea why this would be since I am the administrator of the computer. It
appears that I can make the services start and stop, but I'm not sure
if anything is actually happening. Finally if I click on the "run
virutalized" context menu for a program that already has an instance running
sometimes the computer will crash.

My computer and the programs on it all seem to be running slower than usual
as well.

Malwarebyte's log (after I got rid of antivir 2010)

Malwarebytes' Anti-Malware 1.44
Database version: 3808
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/14/2010 3:22:37 PM
mbam-log-2010-03-14 (15-22-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170518
Time elapsed: 18 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-14 16:59:31
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Nicki\LOCALS~1\Temp\pgrcypoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwClose [0xB806C85D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateEvent [0xB8056ACA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateEventPair [0xB8056B4E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateIoCompletion [0xB8056CEA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateKey [0xB806C211]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateMutant [0xB80569C6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateSection [0xB8056BCA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateSemaphore [0xB8056A48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateTimer [0xB8056C6A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwDeleteKey [0xB806CF23]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwDeleteValueKey [0xB806D02A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwDuplicateObject [0xB80574CC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwEnumerateKey [0xB806CD8E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwEnumerateValueKey [0xB806CBF9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwLoadDriver [0xB8054EA2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenEvent [0xB8056B10]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenEventPair [0xB8056B8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenIoCompletion [0xB8056D2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenKey [0xB806C56D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenMutant [0xB8056A0A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenProcess [0xB80572B0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenSection [0xB8056C20]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenSemaphore [0xB8056A8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenThread [0xB80573BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenTimer [0xB8056CAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwQueryKey [0xB806CA74]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwQueryObject [0xB80559C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwQueryValueKey [0xB806C8C6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB809B194]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwReplyWaitReceivePort [0xB8057674]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwReplyWaitReceivePortEx [0xB80571B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwRestoreKey [0xB806B8AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwSetSystemInformation [0xB8054F10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB809AE4C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwShutdownSystem [0xB805504C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB80A74FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----

OTL Log

OTL logfile created on: 3/14/2010 5:00:47 PM - Run 3
OTL by OldTimer - Version 3.1.37.1 Folder = C:\Documents and Settings\Nicki\Desktop\NetSecX
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 79.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 292.97 Gb Total Space | 125.41 Gb Free Space | 42.81% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 34.18 Gb Total Space | 30.77 Gb Free Space | 90.03% Space Free | Partition Type: NTFS
Drive F: | 7.58 Gb Total Space | 7.06 Gb Free Space | 93.20% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Z: | 138.60 Gb Total Space | 134.00 Gb Free Space | 96.68% Space Free | Partition Type: NTFS

Computer Name: NICKICOMP
Current User Name: Nicki
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/14 13:31:46 | 000,555,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nicki\Desktop\NetSecX\OTL.exe
PRC - [2010/03/09 04:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/03/09 04:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/02/14 17:29:14 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/09/29 13:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (SafeList) ==========

MOD - [2010/03/14 13:31:46 | 000,555,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nicki\Desktop\NetSecX\OTL.exe
MOD - [2010/03/09 04:13:20 | 000,134,144 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\snxBorder.dll
MOD - [2010/03/09 04:11:18 | 000,136,704 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\snxPlugins.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/09 04:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/03/09 04:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/03/09 04:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/01/12 14:29:13 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2009/12/08 15:41:42 | 000,120,232 | ---- | M] (stumbleupon.com) [On_Demand | Stopped] -- C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe -- (StumbleUponUpdateService)
SRV - [2009/02/14 17:29:14 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2004/09/29 13:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.63


FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/06 09:54:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/06 09:54:56 | 000,000,000 | ---D | M]

[2010/01/12 13:03:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicki\Application Data\Mozilla\Extensions
[2010/03/12 19:57:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicki\Application Data\Mozilla\Firefox\Profiles\befj2fn8.default\extensions
[2010/03/10 14:33:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Nicki\Application Data\Mozilla\Firefox\Profiles\befj2fn8.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/03/12 19:57:19 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2008/04/14 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (StumbleUpon Launcher) - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (stumbleupon.com)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (StumbleUpon Toolbar) - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (stumbleupon.com)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - Startup: C:\Documents and Settings\Nicki\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Nicki\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Nicki\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/12 02:18:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3dae6c2f-24ad-11df-a5ea-001018095fe1}\Shell - "" = AutoRun
O33 - MountPoints2\{3dae6c2f-24ad-11df-a5ea-001018095fe1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3dae6c2f-24ad-11df-a5ea-001018095fe1}\Shell\AutoRun\command - "" = J:\HPLauncher.exe -- File not found
O33 - MountPoints2\{4def6cae-02dd-11df-a6fa-001018095fe1}\Shell - "" = AutoRun
O33 - MountPoints2\{4def6cae-02dd-11df-a6fa-001018095fe1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4def6cae-02dd-11df-a6fa-001018095fe1}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/01/11 17:57:59 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891835792228352)

========== Files/Folders - Created Within 14 Days ==========

[2010/03/14 13:42:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicki\Desktop\NetSecX
[2010/03/14 11:29:15 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/03/14 11:27:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/03/10 15:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicki\Application Data\Media Player Classic
[2010/03/08 22:33:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Uninstall
[2010/03/08 22:33:28 | 000,000,000 | ---D | C] -- C:\Program Files\AV
[2010/03/08 18:09:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicki\Application Data\Real
[2010/03/08 18:06:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/03/08 18:04:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicki\Application Data\StumbleUpon
[2010/03/08 18:04:25 | 000,000,000 | ---D | C] -- C:\Program Files\StumbleUpon
[2010/03/08 01:08:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2010/03/06 09:46:34 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/03/01 13:07:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ArcSoft
[2010/03/01 13:07:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicki\Application Data\ArcSoft
[2010/03/01 13:06:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicki\Application Data\HP SimpleSave Application
[2010/01/21 10:06:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/12 02:21:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/01/12 02:18:35 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/01/12 02:18:35 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/06/23 12:49:14 | 000,010,752 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

========== Files - Modified Within 14 Days ==========

[2010/03/14 16:04:14 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/14 16:04:08 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/14 16:04:05 | 000,021,961 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/03/14 16:03:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/14 16:03:53 | 1609,637,888 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/14 13:51:28 | 000,030,912 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/14 13:51:28 | 000,030,912 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/14 13:51:28 | 000,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/14 13:51:28 | 000,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/14 13:51:28 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2010/03/14 13:51:06 | 002,621,440 | -H-- | M] () -- C:\Documents and Settings\Nicki\NTUSER.DAT
[2010/03/14 13:51:06 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Nicki\ntuser.ini
[2010/03/14 13:42:06 | 000,000,778 | ---- | M] () -- C:\Documents and Settings\Nicki\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/03/14 11:29:04 | 000,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 11:29:04 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 11:29:04 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/13 20:51:24 | 000,164,864 | ---- | M] () -- C:\Documents and Settings\Nicki\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/13 12:10:40 | 574,930,944 | ---- | M] () -- C:\Documents and Settings\Nicki\Desktop\Real.Time.With.Bill.Maher.2010.03.12.HDTV.XviD-SYS.[VTV].avi
[2010/03/11 04:03:20 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/09 13:37:37 | 000,319,792 | ---- | M] (BitTorrent, Inc.) -- C:\Documents and Settings\Nicki\Desktop\utorrent.exe
[2010/03/09 13:19:35 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/03/09 04:24:05 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/03/09 04:14:20 | 000,294,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2010/03/09 04:12:54 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/03/09 04:12:33 | 000,162,640 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/03/09 04:09:08 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/03/09 04:08:41 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/03/09 04:08:38 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/03/09 04:08:30 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/03/09 04:08:15 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/03/08 22:50:59 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/06 09:54:58 | 000,001,613 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/03/06 09:50:34 | 000,000,814 | ---- | M] () -- C:\Documents and Settings\Nicki\Desktop\Internet Explorer.lnk
[2010/03/05 19:18:04 | 000,000,365 | ---- | M] () -- C:\Documents and Settings\Nicki\Desktop\T.V. Shows.lnk
[2010/03/04 20:37:25 | 000,068,456 | ---- | M] () -- C:\Documents and Settings\Nicki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

========== Files Created - No Company Name ==========

[2010/03/13 11:46:28 | 574,930,944 | ---- | C] () -- C:\Documents and Settings\Nicki\Desktop\Real.Time.With.Bill.Maher.2010.03.12.HDTV.XviD-SYS.[VTV].avi
[2010/03/08 22:40:58 | 1609,637,888 | -HS- | C] () -- C:\hiberfil.sys
[2010/03/06 09:54:58 | 000,001,613 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/03/06 09:50:34 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\Nicki\Desktop\Internet Explorer.lnk
[2010/03/05 19:18:04 | 000,000,365 | ---- | C] () -- C:\Documents and Settings\Nicki\Desktop\T.V. Shows.lnk
[2010/01/17 18:18:00 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/01/17 18:17:59 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2010/01/17 18:17:58 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/01/17 18:17:57 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2010/01/17 18:17:57 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/01/17 18:17:56 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2010/01/17 18:17:55 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/01/17 17:08:40 | 000,000,334 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2010/01/13 21:48:35 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/01/13 01:08:10 | 000,164,864 | ---- | C] () -- C:\Documents and Settings\Nicki\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/23 13:29:50 | 000,049,719 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2009/06/23 13:29:48 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/06/23 12:51:00 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2007/08/13 21:45:02 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2007/04/12 09:10:28 | 000,105,728 | ---- | C] () -- C:\WINDOWS\System32\APOMgrH.dll
[2006/10/02 18:25:18 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
[2005/04/01 17:16:00 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll

========== LOP Check ==========

[2010/02/28 10:39:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/03/14 13:27:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicki\Application Data\StumbleUpon
[2010/03/13 13:34:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicki\Application Data\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 05:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/13 17:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/04/14 05:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 05:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 05:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 05:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 05:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/01/11 18:02:35 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/01/11 18:02:35 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/01/11 18:02:35 | 000,921,600 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >


There was no "extras" log as mentioned in the Malware and Spyware Cleaning Guide

My computer is running Windows XP Pro with SP3


Thanks,

Mbungle
  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,729 posts
  • MVP
Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:



1.Contents of C:\Combofix.txt;


Ron
  • 0

#3
mbungle

mbungle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I am an imbecile...... after studying the other two computers I have (Running Windows 7 pro 64-bit & Vista 64-bit), also with Avast Pro installed, I noticed they all do the same thing; I simply failed to notice. The scanners start up on my 32-bit XP machine, it just takes a long time. Just in case my computer has anything on it I ran combofix, because even though it's old I don't think it should be this slow

Here's my george.txt:



ComboFix 10-03-17.06 - Nicki 03/18/2010 8:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1052 [GMT -7:00]
Running from: c:\documents and settings\Nicki\Desktop\George.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Uninstall
K:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))
.

2010-03-16 22:53 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-03-16 22:53 . 2008-04-14 12:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-03-14 18:29 . 2010-03-14 20:59 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-03-10 22:01 . 2010-03-10 22:01 -------- d-----w- c:\documents and settings\Nicki\Application Data\Media Player Classic
2010-03-09 05:33 . 2010-03-09 06:59 -------- d-----w- c:\program files\AV
2010-03-09 01:04 . 2010-03-14 20:27 -------- d-----w- c:\documents and settings\Nicki\Application Data\StumbleUpon
2010-03-09 01:04 . 2010-03-09 01:04 -------- d-----w- c:\program files\StumbleUpon
2010-03-08 08:08 . 2010-03-08 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-03-06 16:46 . 2010-03-06 16:47 -------- dc-h--w- c:\windows\ie8
2010-03-01 20:07 . 2010-03-01 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-03-01 20:07 . 2010-03-01 20:07 -------- d-----w- c:\documents and settings\Nicki\Application Data\ArcSoft
2010-02-28 20:05 . 2010-03-14 20:42 -------- d-----w- c:\program files\ERUNT
2010-02-28 19:59 . 2010-02-28 19:59 -------- d-----w- c:\documents and settings\Nicki\Application Data\Malwarebytes
2010-02-28 19:59 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-28 19:59 . 2010-02-28 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-28 19:59 . 2010-02-28 19:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-28 19:59 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-28 17:40 . 2010-03-09 11:14 294480 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-02-28 17:39 . 2010-02-28 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-18 21:37 . 2010-03-09 07:01 -------- d-----w- c:\windows\Sun
2010-02-18 21:36 . 2010-02-18 21:36 503808 ----a-w- c:\documents and settings\Nicki\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f89655b-n\msvcp71.dll
2010-02-18 21:36 . 2010-02-18 21:36 499712 ----a-w- c:\documents and settings\Nicki\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f89655b-n\jmc.dll
2010-02-18 21:36 . 2010-02-18 21:36 348160 ----a-w- c:\documents and settings\Nicki\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f89655b-n\msvcr71.dll
2010-02-18 21:36 . 2010-02-18 21:36 61440 ----a-w- c:\documents and settings\Nicki\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-67979099-n\decora-sse.dll
2010-02-18 21:36 . 2010-02-18 21:36 12800 ----a-w- c:\documents and settings\Nicki\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-67979099-n\decora-d3d.dll
2010-02-18 21:36 . 2010-02-18 21:36 -------- d-----w- c:\program files\Common Files\Java
2010-02-18 21:36 . 2010-02-18 21:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-18 21:36 . 2010-02-18 21:36 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-16 01:19 . 2010-01-18 21:35 -------- d-----w- c:\documents and settings\Nicki\Application Data\vlc
2010-03-15 22:44 . 2010-01-14 06:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-03-13 20:34 . 2010-01-15 03:05 -------- d-----w- c:\documents and settings\Nicki\Application Data\uTorrent
2010-03-13 00:52 . 2010-01-25 04:06 -------- d-----w- c:\documents and settings\Nicki\Application Data\dvdcss
2010-03-11 11:02 . 2010-01-18 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-09 11:24 . 2010-01-18 21:32 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 11:12 . 2010-01-18 21:32 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 11:12 . 2010-01-18 21:32 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 11:09 . 2010-01-18 21:32 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 11:08 . 2010-01-18 21:32 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 11:08 . 2010-01-18 21:32 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 11:08 . 2010-01-18 21:32 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 11:08 . 2010-01-18 21:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-05 03:37 . 2010-01-12 09:32 68456 ----a-w- c:\documents and settings\Nicki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-01 20:06 . 2010-03-01 20:06 -------- d-----w- c:\documents and settings\Nicki\Application Data\HP SimpleSave Application
2010-02-28 17:41 . 2010-01-18 21:32 -------- d-----w- c:\program files\Alwil Software
2010-02-11 18:53 . 2010-01-18 21:32 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-11 17:30 . 2010-01-29 22:26 -------- d-----w- c:\program files\Yahoo!
2010-02-01 02:19 . 2010-01-29 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-29 22:30 . 2010-01-29 22:28 -------- d-----w- c:\documents and settings\Nicki\Application Data\Yahoo!
2010-01-27 01:43 . 2010-01-26 02:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-25 04:05 . 2010-01-18 01:16 -------- d-----w- c:\program files\VideoLan (VLC)
2010-01-23 00:09 . 2010-01-12 17:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 21:17 . 2010-01-18 00:07 -------- d-----w- c:\program files\Microsoft Works
2010-01-18 01:17 . 2010-01-18 01:17 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-18 00:11 . 2010-01-18 00:08 102262 ----a-w- c:\windows\hpoins05.dat
2010-01-18 00:11 . 2010-01-18 00:11 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-01-18 00:09 . 2010-01-18 00:09 -------- d-----w- c:\program files\HP
2010-01-18 00:07 . 2010-01-18 00:07 -------- d-----w- c:\program files\MSBuild
2010-01-14 09:38 . 2010-01-12 09:17 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-12 21:28 . 2010-01-12 21:11 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-01-12 21:28 . 2010-01-12 21:11 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-01-12 20:03 . 2010-01-12 20:03 0 ----a-w- c:\windows\nsreg.dat
2010-01-12 09:15 . 2010-01-12 09:15 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-03-09 11:11 136704 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-02 5562368]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\Nicki\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKLM\~\startupfolder\C:^Documents and Settings^Nicki^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Nicki\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 23:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 09:57 35760 ----a-w- c:\program files\Adobe\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2009-06-23 19:48 19456 ----a-w- c:\windows\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2007-04-09 20:32 19968 ----a-w- c:\windows\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 19:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 13:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 19:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-04-02 00:16 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-04-02 00:16 1495040 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 23:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Documents and Settings\\Nicki\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/28/2010 10:40 AM 294480]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/18/2010 2:32 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/18/2010 2:32 PM 19024]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 2:34 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 2:34 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 2:34 PM 566296]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 2:34 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [1/12/2010 2:29 PM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 2:34 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 2:35 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 2:35 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 2:34 PM 566296]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [12/8/2009 3:41 PM 120232]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
TCP: {69E8F417-8795-4E12-B036-CEBA818D3513} = 68.116.46.115,68.116.46.70
FF - ProfilePath - c:\documents and settings\Nicki\Application Data\Mozilla\Firefox\Profiles\befj2fn8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Adobe\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-18 08:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-18 08:47:34
ComboFix-quarantined-files.txt 2010-03-18 15:47

Pre-Run: 134,814,199,808 bytes free
Post-Run: 134,778,396,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 012EBC3A44DFB93A1D327E8E8D3399F8
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP