"security center" (blue & white shield) malware


#1
clindsey
    New Member
Malwarebytes, GMER & OTL logs. See notes at bottom.

Malwarebytes' Anti-Malware 1.44
Database version: 3871
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/15/2010 4:35:07 PM
mbam-log-2010-03-15 (16-35-07).txt

Scan type: Quick Scan
Objects scanned: 114753
Time elapsed: 11 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-15 16:41:50
Windows 5.1.2600 Service Pack 3
Running: 04 gmer.exe; Driver: C:\DOCUME~1\KIMBIE~1\LOCALS~1\Temp\uwporfoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{454884EE-A952-6288-D98E4C6628C57FD8}\{4E2828CC-5D4E-CAA4-0B0E2FF0C61DD876}\{D33FFB02-83E4-6D49-8432C9C83D6B1A26}
Reg HKLM\SOFTWARE\Classes\CLSID\{454884EE-A952-6288-D98E4C6628C57FD8}\{4E2828CC-5D4E-CAA4-0B0E2FF0C61DD876}\{D33FFB02-83E4-6D49-8432C9C83D6B1A26}@NRDFOBLVNAUE2QOGEQXAH1Y2DD1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74099617-91C0-6CB0-475BC8650FC6C929}\{C2CB2410-92BB-FC4E-376913EB15620FA4}\{B6CDFCFD-0A38-7380-A1288DE48E078F85}
Reg HKLM\SOFTWARE\Classes\CLSID\{74099617-91C0-6CB0-475BC8650FC6C929}\{C2CB2410-92BB-FC4E-376913EB15620FA4}\{B6CDFCFD-0A38-7380-A1288DE48E078F85}@NRDFOBLVNAUE2QOGEQXAH1Y2DD1 0x01 0x00 0x01 0x00 ...

---- EOF - GMER 1.0.15 ----




OTL:
OTL logfile created on: 3/17/2010 10:03:18 AM - Run 2
OTL by OldTimer - Version 3.1.36.1 Folder = C:\Documents and Settings\All Users\Documents
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

190.00 Mb Total Physical Memory | 88.00 Mb Available Physical Memory | 46.00% Memory free
754.00 Mb Paging File | 691.00 Mb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 576 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 17.09 Gb Total Space | 6.16 Gb Free Space | 36.03% Space Free | Partition Type: FAT32
Drive D: | 17.27 Gb Total Space | 17.26 Gb Free Space | 99.99% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER-2E68C49B20
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/11 15:26:38 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users\Documents\05 OTL.exe
PRC - [2008/04/13 19:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/03/11 15:26:38 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users\Documents\05 OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/08/26 16:25:32 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2004/08/16 15:17:20 | 001,287,168 | ---- | M] (OSA Technologies Inc.) [Auto | Stopped] -- C:\Acer\eManager\anbmServ.exe -- (anbmService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com



O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [eRecoveryService] C:\WINDOWS\system32\Check.exe (acer Inc.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [LaunchApp] C:\WINDOWS\Alaunch.exe (Acer Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\Keyhook.exe (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe (Silicon Integrated Systems Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\REALTEK USB Wireless LAN Utility.lnk = C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe (Realtek Semiconductor Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ntent/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www2.snapfish...fishActivia.cab (Snapfish Activia)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1145248233515 (MUWebControl Class)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Acer.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Acer.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/03/09 09:51:26 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/03/17 10:01:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Ipswitch
[2010/03/17 10:00:12 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2010/03/17 10:00:12 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2010/03/17 10:00:12 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures
[2010/03/17 10:00:12 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music
[2010/03/17 10:00:12 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Favorites
[2010/03/17 10:00:12 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
[2010/03/17 10:00:12 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2010/03/17 10:00:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Identities
[2010/03/17 10:00:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2010/03/17 10:00:11 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2010/03/17 10:00:11 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/03/17 10:00:11 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2010/03/17 10:00:11 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents
[2010/03/17 10:00:11 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2010/03/17 10:00:11 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2010/03/17 10:00:11 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2010/03/17 10:00:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2010/03/17 08:41:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Logs
[2010/03/15 16:45:44 | 000,000,000 | -HSD | C] -- C:\FOUND.000
[2010/03/11 15:56:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/11 15:54:21 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/03/11 15:26:04 | 000,554,496 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\All Users\Documents\05 OTL.exe
[2010/03/11 15:07:42 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\All Users\Documents\00b erunt_setup.exe
[2010/03/11 15:06:41 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\All Users\Documents\00a Temp File Cleaner.exe
[2010/03/11 14:02:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/11 14:02:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/11 14:02:47 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/11 14:02:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/11 13:59:49 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\All Users\Documents\mbam-setup.exe
[2010/03/11 13:11:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PersonSecurityUninstall
[2010/03/11 13:11:24 | 000,000,000 | ---D | C] -- C:\Program Files\PersonSecurity
[2007/08/24 08:18:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Symantec
[2006/12/02 21:43:05 | 000,843,840 | ---- | C] (Google) -- C:\Program Files\GoogleToolbarInstaller.exe
[2005/03/07 11:54:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2005/03/07 11:54:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/03/07 11:41:08 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2005/03/07 11:41:08 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/03/17 09:59:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/17 08:19:26 | 000,000,692 | ---- | M] () -- C:\WINDOWS\System32\eRLog.ini
[2010/03/17 08:15:08 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/17 08:14:38 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/15 16:13:52 | 000,000,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/15 09:14:18 | 000,230,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/11 15:26:38 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users\Documents\05 OTL.exe
[2010/03/11 15:07:58 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\All Users\Documents\00b erunt_setup.exe
[2010/03/11 15:07:16 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users\Documents\00a Temp File Cleaner.exe
[2010/03/11 13:59:18 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\All Users\Documents\mbam-setup.exe
[2010/03/11 08:06:04 | 000,000,942 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-455042350-1569273540-333046627-1005Core1cab947a4e4b8f0.job

========== Files Created - No Company Name ==========

[2010/03/17 10:00:11 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/03/17 10:00:11 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/03/11 15:11:08 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\04 gmer.exe
[2010/03/11 14:02:56 | 000,000,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/04 12:29:20 | 000,007,241 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/07/17 16:47:37 | 000,000,147 | ---- | C] () -- C:\WINDOWS\TmProxy.ini
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/02/03 00:59:50 | 000,000,588 | ---- | C] () -- C:\WINDOWS\etel19.ini
[2007/01/21 19:01:49 | 000,000,589 | ---- | C] () -- C:\WINDOWS\etel5.ini
[2005/12/09 08:26:07 | 000,001,356 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/11/02 10:52:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2005/10/27 11:18:31 | 000,000,175 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/10/14 13:29:06 | 000,000,047 | ---- | C] () -- C:\WINDOWS\winhlp32.ini
[2005/10/14 13:29:06 | 000,000,047 | ---- | C] () -- C:\WINDOWS\winhelp.ini
[2005/10/14 13:23:48 | 000,017,552 | ---- | C] () -- C:\WINDOWS\System32\TTYTWIN.DRV
[2005/10/14 13:21:59 | 000,022,480 | ---- | C] () -- C:\WINDOWS\System32\PFMAPI16.DLL
[2005/10/14 13:21:59 | 000,020,992 | ---- | C] () -- C:\WINDOWS\System32\PFMAPI32.DLL
[2005/09/28 16:12:57 | 000,185,414 | ---- | C] () -- C:\WINDOWS\System32\Autorun.ini
[2005/07/15 03:44:48 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2005/07/15 00:05:40 | 000,000,391 | ---- | C] () -- C:\Program Files\Shortcut to Shared Documents.lnk
[2005/07/14 06:49:03 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/07/14 06:32:23 | 000,000,692 | ---- | C] () -- C:\WINDOWS\System32\eRLog.ini
[2005/03/09 09:50:56 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2005/03/07 12:32:10 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/03/07 12:22:45 | 000,000,313 | ---- | C] () -- C:\WINDOWS\uninstall.ini
[2005/03/07 12:22:45 | 000,000,033 | ---- | C] () -- C:\WINDOWS\Acer.ini
[2005/03/07 12:15:13 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2005/03/07 12:14:29 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2005/03/07 12:14:29 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2005/03/07 12:14:29 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2005/03/07 12:07:16 | 000,083,997 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2005/03/07 12:07:04 | 000,201,667 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2005/03/07 12:01:47 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/03/07 11:54:46 | 000,037,776 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/03/07 11:46:14 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2001/12/26 16:12:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/03 23:46:38 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 16:33:56 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/23 22:04:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1980/01/01 00:00:00 | 000,002,790 | ---- | C] () -- C:\WINDOWS\ANTIV.INI
[1980/01/01 00:00:00 | 000,000,091 | ---- | C] () -- C:\WINDOWS\ALaunch.ini

========== LOP Check ==========

[2009/06/01 11:44:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/06/01 11:44:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NetgearLANUpdate
[2009/08/26 16:25:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/02/11 09:37:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2004/02/09 17:29:02 | 000,036,864 | ---- | M] () -- C:\TimeCalc.exe


< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2008/05/14 12:53:38 | 023,852,652 | ---- | M] () .cab file -- C:\i386\sp3.cab:AGP440.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/05/14 12:53:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2008/05/14 12:53:38 | 023,852,652 | ---- | M] () .cab file -- C:\i386\sp3.cab:atapi.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/05/14 12:53:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/03/07 11:40:12 | 000,872,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
[2005/03/07 11:40:12 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/03/07 11:40:12 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
< End of report >


Had to run OTL in safe mode. Malwarebytes won't run in the normal OS anymore either. After running OTL, I got this error message: "Access violation at address 00402F52 in module 'OTL.exe'. Read of address 0001C5FC"

Other symptoms: after startup, the desktop icons disappear, leaving only the XP-mimicking "Security Center" blue-and-white shield in the taskbar.

Edited by clindsey, 18 March 2010 - 10:03 AM.

#2
RKinner
    Malware Expert
See if you can run ComboFix:

Download but do not yet run ComboFix.
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it yet.

Disable your antivirus software when downloading or running ComboFix. If it has script-blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download this file to your Desktop and rename it (call it george.exe), from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.


* Important: Have no other programs running. Your Task Bar should be clear of any program entries, including your browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run ComboFix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your drive light. If it is flashing, ComboFix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.

Ron

#3
clindsey
    New Member (Topic Starter)
ComboFix 10-03-21.05 - Kim Biehl 03/22/2010 10:42:17.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.190.14 [GMT -5:00]
Running from: c:\documents and settings\Kim Biehl\Desktop\C-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\autorun.ini
c:\windows\Uninstall.ini
c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.

2010-03-17 15:01 . 2010-03-17 15:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch
2010-03-15 21:45 . 2010-03-15 21:45 -------- d-----w- C:\FOUND.000
2010-03-11 20:54 . 2010-03-11 20:54 -------- d-----w- c:\program files\ERUNT
2010-03-11 19:03 . 2010-03-11 19:03 -------- d-----w- c:\documents and settings\Kim Biehl\Application Data\Malwarebytes
2010-03-11 19:02 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-11 19:02 . 2010-03-11 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-11 19:02 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 19:02 . 2010-03-11 19:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-11 18:11 . 2010-03-11 18:11 -------- d-----w- c:\program files\Common Files\PersonSecurityUninstall
2010-03-11 18:11 . 2010-03-11 18:11 -------- d-----w- c:\program files\PersonSecurity
2010-03-10 20:50 . 2009-10-23 14:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-11 14:37 . 2010-02-11 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2010-01-25 11:47 . 2010-02-11 14:38 3777816 ----a-w- c:\documents and settings\All Users\Application Data\Temp\AVG\setup.exe
2010-01-05 09:00 . 1980-01-01 05:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 09:00 . 1980-01-01 05:00 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 09:00 . 1980-01-01 05:00 17408 ------w- c:\windows\system32\corpol.dll
2010-01-04 19:38 . 2010-01-04 17:29 187036 ----a-w- c:\windows\hpwins23.dat
2009-12-31 15:50 . 1980-01-01 05:00 353792 ------w- c:\windows\system32\drivers\srv.sys
2006-12-03 02:43 . 2006-12-03 02:43 843840 ----a-w- c:\program files\GoogleToolbarInstaller.exe
2005-07-15 05:05 . 2005-07-15 05:05 391 ----a-w- c:\program files\Shortcut to Shared Documents.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Kim Biehl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-26 133104]
"PersonSecurity"="c:\program files\PersonSecurity\psecurity.exe" [2010-03-11 1282048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
"SiSPower"="SiSPower.dll" [2005-02-26 49152]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-22 2046816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-13 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-3-7 331776]
REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2009-11-30 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 21:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Desktop Application Director 8.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Desktop Application Director 8.LNK
backup=c:\windows\pss\Corel Desktop Application Director 8.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2005-03-28 17:30 315392 ----a-w- c:\program files\Launch Manager\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-10-13 22:12 155648 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-03-01 21:22 577536 ----a-r- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-24 13:43 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{FA0F0A01-4631-4161-A6C2-948BF694382E}\\Setup\\hpznui01.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/26/2009 4:26 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/26/2009 4:26 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/26/2009 4:25 PM 297752]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [11/30/2009 8:25 AM 38144]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [11/30/2009 8:25 AM 235648]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [10/11/2005 11:59 AM 8960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-455042350-1569273540-333046627-1005Core1cab947a4e4b8f0.job
- c:\documents and settings\Kim Biehl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 19:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-PCMService - c:\program files\Arcade\PCMService.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 10:47
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{454884EE-A952-6288-D98E4C6628C57FD8}\{4E2828CC-5D4E-CAA4-0B0E2FF0C61DD876}\{D33FFB02-83E4-6D49-8432C9C83D6B1A26}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74099617-91C0-6CB0-475BC8650FC6C929}\{C2CB2410-92BB-FC4E-376913EB15620FA4}\{B6CDFCFD-0A38-7380-A1288DE48E078F85}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
Completion time: 2010-03-22 10:49:37
ComboFix-quarantined-files.txt 2010-03-22 15:49

Pre-Run: 6,192,840,704 bytes free
Post-Run: 6,167,085,056 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - C9D7A2B32C843B8245B285EECDC2725E

I had trouble getting that to run/download recovery console. Finally got it to work. Let me know what to do from here. Thanks!
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,727 posts
  • MVP
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall:

Folder::
c:\program files\PersonSecurity

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{454884EE-A952-6288-D98E4C6628C57FD8}\{4E2828CC-5D4E-CAA4-0B0E2FF0C61DD876}\{D33FFB02-83E4-6D49-8432C9C83D6B1A26}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74099617-91C0-6CB0-475BC8650FC6C929}\{C2CB2410-92BB-FC4E-376913EB15620FA4}\{B6CDFCFD-0A38-7380-A1288DE48E078F85}*]

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{454884EE-A952-6288-D98E4C6628C57FD8}\{4E2828CC-5D4E-CAA4-0B0E2FF0C61DD876}\{D33FFB02-83E4-6D49-8432C9C83D6B1A26}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74099617-91C0-6CB0-475BC8650FC6C929}\{C2CB2410-92BB-FC4E-376913EB15620FA4}\{B6CDFCFD-0A38-7380-A1288DE48E078F85}]

Registry::
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{454884EE-A952-6288-D98E4C6628C57FD8}\{4E2828CC-5D4E-CAA4-0B0E2FF0C61DD876}\{D33FFB02-83E4-6D49-8432C9C83D6B1A26}]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74099617-91C0-6CB0-475BC8650FC6C929}\{C2CB2410-92BB-FC4E-376913EB15620FA4}\{B6CDFCFD-0A38-7380-A1288DE48E078F85}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PersonSecurity"=-



******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Drag it over to george and let it start as before.

Post the new log.

Your antivirus AVG8 is obsolete. You could upgrade to AVG9 but I think Avast 5 would be a better choice. Download Avast first:

http://www.avast.com...s-download#tab4

Choose your language version. I assume English (41MB) is the correct one for you so press the Download after it. Save it to your desktop.

Disconnect from the internet, uninstall AVG8,
(If it won't uninstall there is a removal tool: http://www.avg.com/u...download-tools)
install avast, reboot (and reconnect to the internet). I would pass on the Bootscan. It takes many hours to complete and you need to check in with it every once in a while. After it updates let it run a full scan.

You will need to register with them but it's free.
http://www.avast.com...e-antivirus.php

Ron
  • 0
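The CFScript above acts on three things visible in the ComboFix log posted earlier in the thread: the "PersonSecurity" value in the per-user Run key, its folder under Program Files, and the two locked CLSID keys whose GUID-shaped names do not follow the usual 8-4-4-4-12 layout. The following Python is an added example (not ComboFix's, the forum's, or either poster's own code) that reads a constructed excerpt of that log and surfaces the same signals a reviewer looks for, plus the "EnableFirewall"= 0 line that the log shows but the thread does not otherwise discuss. The scan date is taken from the log's completion time; the 30-day "recent binary" window, the hive-based severities, and the GUID well-formedness rule are this example's own heuristics, not ComboFix rules.

```python
"""Triage a ComboFix-style log excerpt for persistence and hardening signals.

Added example for this thread; not ComboFix's, Geeks to Go's, or the posters'
own code.  The severities and the 30-day window are heuristics chosen here."""
import re
from datetime import date, timedelta

# Constructed excerpt of the ComboFix log posted in this thread (sample input only).
SAMPLE_LOG = r"""
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Kim Biehl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-26 133104]
"PersonSecurity"="c:\program files\PersonSecurity\psecurity.exe" [2010-03-11 1282048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-22 2046816]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{454884EE-A952-6288-D98E4C6628C57FD8}\{4E2828CC-5D4E-CAA4-0B0E2FF0C61DD876}\{D33FFB02-83E4-6D49-8432C9C83D6B1A26}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
"""

SCAN_DATE = date(2010, 3, 22)   # "Completion time" of the posted log
RECENT_DAYS = 30                # heuristic: Run binaries newer than this get a look

KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
# A well-formed registry GUID is 8-4-4-4-12 hex digits inside braces.
GUID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$")


def parse_sections(text):
    """Yield (key, [value lines]) for each bracketed registry key in the log."""
    key, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                yield key, body
            key, body = m.group(1), []
        elif key is not None and line:
            body.append(line)
    if key is not None:
        yield key, body


def malformed_guids(key):
    """Return the brace-delimited components of a key path that are not 8-4-4-4-12 GUIDs."""
    bad = []
    for part in key.split("\\"):
        part = part.rstrip("*")          # catchme marks locked keys with a trailing '*'
        if part.startswith("{") and not GUID_RE.match(part):
            bad.append(part)
    return bad


def triage(text, scan_date=SCAN_DATE, recent_days=RECENT_DAYS):
    """Return (severity, message) findings for a log excerpt."""
    findings = []
    for key, body in parse_sections(text):
        low = key.lower()
        if low.endswith("\\currentversion\\run"):
            # Per-user Run entries need no admin rights to create, so rate them higher.
            hive = "HKCU" if low.startswith("hkey_current_user") else "HKLM"
            for line in body:
                m = RUN_VALUE_RE.match(line)
                if not m:
                    continue
                name, path, stamp, _size = m.groups()
                if scan_date - date.fromisoformat(stamp) <= timedelta(days=recent_days):
                    sev = "high" if hive == "HKCU" else "review"
                    findings.append((sev, f"{hive} Run '{name}' -> {path} (file dated {stamp})"))
        elif low.endswith("firewallpolicy\\standardprofile"):
            if any(FIREWALL_OFF_RE.match(line) for line in body):
                findings.append(("high", "Windows Firewall disabled in the standard profile"))
        elif "\\clsid\\" in low:
            bad = malformed_guids(key)
            if bad:
                findings.append(("high", f"CLSID key with malformed GUID components {bad}: {key}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run against the sample, the checker reports the PersonSecurity Run value as high, the freshly updated AVG tray binary as "review" (a recent file date alone is not malicious, and an antivirus update is the usual benign cause), the disabled firewall, and the locked key whose three GUID components are all malformed; the legitimate AVG toolbar CLSID passes the format check. The date and hive heuristics are a starting point for reading a log, not a verdict, which is why the thread's expert still reads the whole listing by hand.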

#5
clindsey

clindsey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
ComboFix 10-03-21.05 - Kim Biehl 03/22/2010 13:55:03.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.190.89 [GMT -5:00]
Running from: c:\documents and settings\Kim Biehl\Desktop\C-Fix.exe
Command switches used :: c:\documents and settings\All Users\Documents\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\PersonSecurity
c:\program files\PersonSecurity\psecurity.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.

2010-03-17 15:01 . 2010-03-17 15:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch
2010-03-15 21:45 . 2010-03-15 21:45 -------- d-----w- C:\FOUND.000
2010-03-11 20:54 . 2010-03-11 20:54 -------- d-----w- c:\program files\ERUNT
2010-03-11 19:03 . 2010-03-11 19:03 -------- d-----w- c:\documents and settings\Kim Biehl\Application Data\Malwarebytes
2010-03-11 19:02 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-11 19:02 . 2010-03-11 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-11 19:02 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 19:02 . 2010-03-11 19:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-11 18:11 . 2010-03-11 18:11 -------- d-----w- c:\program files\Common Files\PersonSecurityUninstall
2010-03-10 20:50 . 2009-10-23 14:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-11 14:37 . 2010-02-11 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2010-01-25 11:47 . 2010-02-11 14:38 3777816 ----a-w- c:\documents and settings\All Users\Application Data\Temp\AVG\setup.exe
2010-01-05 09:00 . 1980-01-01 05:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 09:00 . 1980-01-01 05:00 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 09:00 . 1980-01-01 05:00 17408 ------w- c:\windows\system32\corpol.dll
2010-01-04 19:38 . 2010-01-04 17:29 187036 ----a-w- c:\windows\hpwins23.dat
2009-12-31 15:50 . 1980-01-01 05:00 353792 ------w- c:\windows\system32\drivers\srv.sys
2006-12-03 02:43 . 2006-12-03 02:43 843840 ----a-w- c:\program files\GoogleToolbarInstaller.exe
2005-07-15 05:05 . 2005-07-15 05:05 391 ----a-w- c:\program files\Shortcut to Shared Documents.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Kim Biehl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-26 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
"SiSPower"="SiSPower.dll" [2005-02-26 49152]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-22 2046816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-13 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-3-7 331776]
REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2009-11-30 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 21:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Desktop Application Director 8.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Desktop Application Director 8.LNK
backup=c:\windows\pss\Corel Desktop Application Director 8.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2005-03-28 17:30 315392 ----a-w- c:\program files\Launch Manager\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-10-13 22:12 155648 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-03-01 21:22 577536 ----a-r- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-24 13:43 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{FA0F0A01-4631-4161-A6C2-948BF694382E}\\Setup\\hpznui01.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/26/2009 4:26 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/26/2009 4:26 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/26/2009 4:25 PM 297752]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [11/30/2009 8:25 AM 38144]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [11/30/2009 8:25 AM 235648]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [10/11/2005 11:59 AM 8960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-455042350-1569273540-333046627-1005Core1cab947a4e4b8f0.job
- c:\documents and settings\Kim Biehl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 19:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
.
- - - - ORPHANS REMOVED - - - -

AddRemove-PersonSecurity - c:\program files\PersonSecurity\psecurity.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 14:04
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(208)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\eManager\anbmServ.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\Rundll32.exe
c:\documents and settings\Kim Biehl\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
c:\windows\system32\wscntfy.exe
c:\program files\acer\eRecovery\Monitor.exe
.
**************************************************************************
.
Completion time: 2010-03-22 14:12:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-22 19:12
ComboFix2.txt 2010-03-22 15:49

Pre-Run: 6,183,124,992 bytes free
Post-Run: 6,107,938,816 bytes free

- - End Of File - - A10F5BCA2A2C662D191FFE8EF75EBDA4


Will try avast. Comp seems OK now. Thanks!

  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,727 posts
  • MVP
We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f


I usually recommend a free BitDefender online scan as a final check to see if we missed anything. http://www.bitdefend...nline/free.html

If windows blocks the active x then try putting Bitdefender in your trusted sites: In IE, Tools, Internet Options, Security, Trusted Sites, Sites. Then uncheck the HTTPS box and put in *.bitdefender.com then ADD. OK.

Bad files in C:\qoobox or \_OTL are stuff we have already removed from active life so nothing to worry about.

If BitDefender comes back clean then you can uninstall or delete any tools we had you download and their logs.

You may not have the latest Java. Get the latest at:

http://www.java.com/...nload/index.jsp


Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE).



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use Adobe Reader, Acrobat or Foxit to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK. Close program. It's the same for Foxit Reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

Ron
  • 0
