Antivir Solution Pro


  • This topic is locked

#1
something exciting

    Member

  • Member
  • PipPip
  • 22 posts
Hey

It appears that my computer is infected, as I have messages popping up on my screen from an antivirus software that I do not own and have never downloaded (Antivir Solution Pro).
I am unable to open taskmanager or many of my .exe applications (have tried audacity, spotify, adobe application reader)
Please can you help

Thanks in advance

Matt
  • 0


#2
ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP

DO NOT use any TOOLS such as Combofix, or HijackThis fixes without supervision.

Doing so could make your pc inoperable and could require a full reinstall of your OS, losing all your programs and data.


Stay with this topic until I give you the final 'All clean' post.


Vista users:
1. These tools MUST be run from the executable. (.exe)
2. With Admin Rights (Right click, choose "Run as Administrator") every time you run them



1) exeHelper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
  • 0

#3
something exciting

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hello ldtate

Thanks for the quick reply

Unfortunately the exeHelper file also gets quickly blocked before it can run; it does generate a Notepad file, however this also gets closed.
I have like a quarter of a second to read it when I try to open Notepad, and it only says:
___________________________________________________________________________________________
xeHelper by Raktor
Build 20100414
Run at
___________________________________________________________________________________________

Matt
  • 0

#4
ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
Are you running 64 or 32 bit windows?
  • 0

#5
something exciting

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
32 bit Win XP Home edition
  • 0

#6
ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
Good.

If you have another PC to download tools to a USB device like a thumb drive, this will be easier to do.
If you don't have another pc, you'll still need something like a thumb drive and run the tool from that device.


DO NOT use any TOOLS such as Combofix, or HijackThis fixes without supervision.

Doing so could make your pc inoperable and could require a full reinstall of your OS, losing all your programs and data.



If need be, download the tools needed to a flash drive or other removable media, and run them from the USB device.


Stay with this topic until I give you the all clean post.

You might want to print these instructions out.


Download Combofix from any of the links below but rename it to ABCD.exe before saving it to your desktop.

Link 1
Link 2 If using this link, Right Click and select Save As.


Double click on ABCD.exe (the renamed ComboFix.exe) & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

**Note: If Combofix (ABCD) won't run from the desktop, try running it from the USB device.


--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package. Vista and Windows 7 users skip this part


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply using Copy/Paste.


Notes:

Give it at least 20-30 minutes to finish if needed.

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Also please describe how your computer behaves in your next reply.
  • 0

#7
something exciting

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hey ldtate

At first I could not run ComboFix (even from the USB), however I managed to get it started in the end.
____________________________________________________________
here is the log as requested:

ComboFix 10-07-15.05 - Ge Bill 17/07/2010 16:57:31.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3327.2369 [GMT 1:00]
Running from: c:\documents and settings\Ge Bill\Desktop\ABCD.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ge Bill\Application Data\EurekaLog
c:\documents and settings\Ge Bill\DesktopSmK5Qo_save2pc.exe
c:\documents and settings\Ge Bill\Local Settings\Application Data\xpnovcsec
c:\documents and settings\Ge Bill\Local Settings\Application Data\xpnovcsec\nmrvamwtssd.exe
c:\documents and settings\SopCast\Setup-SopCast-1.0.0-2006-10-9.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABE.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))
.

2010-07-17 15:38 . 2010-07-17 15:39 -------- d-----w- C:\32788R22FWJFW
2010-07-14 16:13 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-09 07:24 . 2010-06-09 23:01 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-07-09 07:24 . 2010-06-09 23:01 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-07-09 07:24 . 2010-06-09 23:01 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-07-09 07:24 . 2010-06-09 23:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-06-30 18:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-06-26 18:30 . 2010-06-30 23:41 -------- d-----w- C:\Warhammer Online - Age of Reckoning

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 16:22 . 2008-10-17 14:43 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\DNA
2010-07-17 15:59 . 2010-01-27 14:28 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\Skype
2010-07-17 15:49 . 2006-09-09 13:11 -------- d-----w- c:\program files\Steam
2010-07-17 15:40 . 2009-09-03 17:06 -------- d-----w- c:\program files\Trillian
2010-07-17 15:02 . 2010-01-27 14:36 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\skypePM
2010-07-17 11:31 . 2009-02-16 19:11 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\Spotify
2010-07-17 10:31 . 2008-10-17 14:43 -------- d-----w- c:\program files\DNA
2010-07-14 22:23 . 2009-02-22 21:12 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\Audacity
2010-07-09 07:26 . 2010-06-09 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-09 07:25 . 2010-06-09 13:02 -------- d-----w- c:\program files\DivX
2010-07-07 09:00 . 2006-09-09 10:08 26104 -c--a-w- c:\documents and settings\Ge Bill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 20:35 . 2007-02-13 14:35 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\dvdcss
2010-06-28 20:57 . 2010-03-23 23:21 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-03-23 23:21 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-03-23 23:21 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-03-23 23:21 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-03-23 23:21 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-03-23 23:21 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-03-23 23:21 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-03-23 23:21 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-28 15:24 . 2006-09-28 15:00 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-26 18:18 . 2010-03-24 20:17 -------- d-----w- c:\program files\SpywareGuard
2010-06-19 17:25 . 2007-09-11 15:18 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-19 16:59 . 2007-09-11 15:19 137256 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-17 13:30 . 2009-06-10 17:54 -------- d-----w- c:\program files\Diablo II
2010-06-14 14:31 . 2006-09-08 19:58 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 13:32 . 2009-06-11 19:08 249856 ------w- c:\windows\Setup1.exe
2010-06-12 13:32 . 2009-06-11 19:08 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-06-09 23:01 . 2010-06-09 13:03 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01 . 2010-06-09 13:03 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-06-09 13:10 . 2010-06-09 12:34 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\DivX
2010-06-09 13:03 . 2010-06-09 13:03 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-08 16:08 . 2009-06-10 18:02 37807 ----a-w- c:\windows\DIIUnin.dat
2010-06-04 09:01 . 2010-04-22 13:39 -------- d-----w- c:\program files\Ask.com
2010-06-04 07:11 . 2008-10-21 18:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-04 17:20 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-08-12 17:32 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2003-12-18 10:33 . 2006-09-29 00:40 20102 ----a-w- c:\program files\Readme.txt
2003-09-03 06:46 . 2006-09-29 00:40 10960 ----a-w- c:\program files\EULA.txt
2006-05-03 09:06 . 2008-04-25 10:28 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2008-04-25 10:28 31232 -csh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2008-04-25 10:28 27648 -csh--w- c:\windows\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
"Gainward"="c:\program files\EXPERTool ATI\TBPanel.exe" [2008-09-05 2300456]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-21 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-07-26 270336]
"wltray.exe"="c:\windows\system32\wltray.exe" [2005-06-08 778318]
"EPSON Stylus C66 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE" [2004-01-13 99840]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-30 18082304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-12-14 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-12-14 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-12-14 217088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-03-13 6658552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Ge Bill\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
Trillian.lnk - c:\program files\Trillian\trillian.exe [2010-6-30 2066272]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-5 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-03-13 925688]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ge Bill^Start Menu^Programs^Startup^Wallpaper Changer.lnk]
path=c:\documents and settings\Ge Bill\Start Menu\Programs\Startup\Wallpaper Changer.lnk
backup=c:\windows\pss\Wallpaper Changer.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 00:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-08 14:12 1238352 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\dark messiah might and magic multi-player\\mm.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\insurgency\\hl2.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\dark messiah might and magic multi-player\\runme.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\r.u.s.e. beta\\Ruse.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\common\\blood bowl\\BB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\blood bowl\\Manual.pdf"=
"c:\\Program Files\\Steam\\steamapps\\common\\blood bowl\\StrategyGuide.pdf"=
"c:\\Program Files\\Steam\\steamapps\\common\\audiosurf\\engine\\QuestViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"=

R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [08/09/2006 21:10 14848]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [24/03/2010 00:21 165456]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [12/04/2010 02:07 226680]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [12/04/2010 02:07 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [12/04/2010 02:07 29560]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [24/03/2010 00:21 17744]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [12/04/2010 02:07 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [12/04/2010 02:07 3360760]
R3 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [08/09/2006 21:25 29696]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/01/2008 11:06 21632]
S2 gupdate1ca0a4fc0b10040;Google Update Service (gupdate1ca0a4fc0b10040);c:\program files\Google\Update\GoogleUpdate.exe [21/07/2009 23:08 133104]
S3 ALLOW-IO;ALLOW-IO;\??\d:\allow-io.sys --> d:\ALLOW-IO.sys [?]
S3 Alpham;Ideazon ZBoard Composite Keyboard Driver;c:\windows\system32\drivers\Alpham.sys [12/03/2006 13:11 37248]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\GEBILL~1\LOCALS~1\Temp\asbp2poa.sys --> c:\docume~1\GEBILL~1\LOCALS~1\Temp\asbp2poa.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\GEBILL~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\GEBILL~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [29/08/2006 00:54 10664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [23/03/2010 23:36 38224]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 01:28 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 02:49 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11/07/2008 01:28 369688]
.
Contents of the 'Scheduled Tasks' folder

2010-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2010-07-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-21 22:07]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 22:08]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 22:08]

2010-07-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1482476501-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-07-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1482476501-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-07-17 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 14:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - c:\documents and settings\Ge Bill\Application Data\Mozilla\Firefox\Profiles\mtp96guk.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----


c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-gbynhqgs - c:\documents and settings\Ge Bill\Local Settings\Application Data\xpnovcsec\nmrvamwtssd.exe
HKLM-Run-\\Home-d9a975c32d\EPSON Stylus D88 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE
HKLM-Run-Auto EPSON Stylus D88 Series on Home-d9a975c32d - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE
HKLM-Run-\\Homepc\EPSON Stylus D88 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE
HKLM-Run-gbynhqgs - c:\documents and settings\Ge Bill\Local Settings\Application Data\xpnovcsec\nmrvamwtssd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-17 17:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(536)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2010-07-17 17:38:30
ComboFix-quarantined-files.txt 2010-07-17 16:38
ComboFix2.txt 2010-04-12 00:40

Pre-Run: 17,527,484,416 bytes free
Post-Run: 18,145,214,464 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 2E60BE3FEA37BE81487C21FAEB7FD6E2
____________________________________________________________

Thanks in advance

Matt
  • 0

#8
ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
The biggest issue now is you have 2 Firewalls. You need to uninstall one of them.

FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.



Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

File::
c:\docume~1\GEBILL~1\LOCALS~1\Temp\asbp2poa.sys 
c:\docume~1\GEBILL~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys

Folder::
c:\program files\Ask.com

Driver::
asbp2poa
cpuz130

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\"{D4027C7F-154A-4066-A1AD-4243D8127440}"]
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

Save this file to your desktop; save it as "CFScript".

Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...



Drag CFScript.txt into ComboFix.exe


Then post the results log using Copy / Paste


Also please describe how your computer behaves at the moment.
  • 0
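As an added illustration (it is not code from this thread, from ComboFix, or from its author), here is a small Python triage helper of the kind a malware-removal volunteer could run over a pasted ComboFix log before reading it by hand. It parses the `AV:`/`FW:` product lines and then flags the conditions a helper looks at first: more than one firewall product registered (the point ldtate makes above), real-time antivirus scanning disabled, Security Center alert overrides, the Windows Firewall switched off, and a user-level proxy pointing at 127.0.0.1. The sample lines are constructed from the log Matt posted earlier in the thread; the finding codes, regular expressions and function names are my own and are not part of any ComboFix format specification.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines taken from the ComboFix log posted
# above (product header, Security Center keys, firewall policy, proxy line).
SAMPLE_LOG = r"""
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
uInternet Settings,ProxyServer = http=127.0.0.1:5643
"""

# "AV: <name> *<status>* ... {<guid>}" / "FW: <name> *<status>* ... {<guid>}"
PRODUCT_RE = re.compile(r'^(AV|FW):\s+(.*?)\s+\*([^*]*)\*.*?\{([0-9A-Fa-f-]+)\}\s*$')
# Security Center "Override" values set to 1 suppress the missing-AV/firewall alerts.
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1\s*$')
# Windows Firewall standard profile switched off.
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
# Per-user proxy pointing back at the local machine (assumed indicator).
PROXY_RE = re.compile(
    r'^uInternet Settings,ProxyServer\s*=\s*(?:http=)?(127\.0\.0\.1|localhost):(\d+)')


def parse_products(log: str) -> List[Dict[str, str]]:
    """Return the AV/FW product lines as dicts: kind, name, status, guid."""
    products = []
    for line in log.splitlines():
        m = PRODUCT_RE.match(line.strip())
        if m:
            kind, name, status, guid = m.groups()
            products.append({"kind": kind, "name": name, "status": status, "guid": guid})
    return products


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (finding_code, detail) pairs for the conditions described in the lead-in."""
    findings: List[Tuple[str, str]] = []
    products = parse_products(log)

    # More than one firewall registered: the conflict ldtate points out.
    firewalls = [p for p in products if p["kind"] == "FW"]
    if len(firewalls) > 1:
        findings.append(("multiple_firewalls", ", ".join(p["name"] for p in firewalls)))

    # Antivirus present but its real-time component reported as disabled.
    for p in products:
        if p["kind"] == "AV" and "disabled" in p["status"].lower():
            findings.append(("av_realtime_disabled", f'{p["name"]}: {p["status"]}'))

    for line in log.splitlines():
        s = line.strip()
        m = OVERRIDE_RE.match(s)
        if m:
            findings.append(("security_center_override", m.group(1)))
            continue
        if FIREWALL_OFF_RE.match(s):
            findings.append(("windows_firewall_off", s))
            continue
        m = PROXY_RE.match(s)
        if m:
            findings.append(("local_proxy", f"{m.group(1)}:{m.group(2)}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"{code:26s} {detail}")
```

Two caveats when reading the output: `windows_firewall_off` is expected, not suspicious, on a machine where a third-party firewall such as Online Armor has taken over, so it is context for the helper rather than an indicator on its own; and a proxy entry of `127.0.0.1:<port>` is worth attention because a user does not normally set one, and once the process that listened on that port is removed every browser on the machine fails to connect until the entry is cleared.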

#9
something exciting

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hey again

Here is the new report:

ComboFix 10-07-16.01 - Ge Bill 17/07/2010 18:25:33.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3327.2357 [GMT 1:00]
Running from: c:\documents and settings\Ge Bill\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ge Bill\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

FILE ::
"c:\docume~1\GEBILL~1\LOCALS~1\Temp\asbp2poa.sys"
"c:\docume~1\GEBILL~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Ask.com
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\fv_10d.ico
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\UpdateTask.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASBP2POA
-------\Legacy_CPUZ130
-------\Service_asbp2poa
-------\Service_cpuz130


((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))
.

2010-07-14 16:13 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-09 07:24 . 2010-06-09 23:01 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-07-09 07:24 . 2010-06-09 23:01 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-07-09 07:24 . 2010-06-09 23:01 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-07-09 07:24 . 2010-06-09 23:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-06-30 18:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-06-26 18:30 . 2010-06-30 23:41 -------- d-----w- C:\Warhammer Online - Age of Reckoning

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 17:55 . 2008-10-17 14:43 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\DNA
2010-07-17 17:46 . 2010-01-27 14:28 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\Skype
2010-07-17 17:46 . 2010-01-27 14:36 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\skypePM
2010-07-17 17:45 . 2009-09-03 17:06 -------- d-----w- c:\program files\Trillian
2010-07-17 17:45 . 2008-10-17 14:43 -------- d-----w- c:\program files\DNA
2010-07-17 17:15 . 2006-09-09 13:11 -------- d-----w- c:\program files\Steam
2010-07-17 17:14 . 2006-09-08 20:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-17 17:13 . 2006-09-08 20:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-17 17:13 . 2006-09-08 20:08 -------- d-----w- c:\program files\NVIDIA Corporation
2010-07-17 11:31 . 2009-02-16 19:11 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\Spotify
2010-07-14 22:23 . 2009-02-22 21:12 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\Audacity
2010-07-09 07:26 . 2010-06-09 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-09 07:25 . 2010-06-09 13:02 -------- d-----w- c:\program files\DivX
2010-07-07 09:00 . 2006-09-09 10:08 26104 -c--a-w- c:\documents and settings\Ge Bill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 20:35 . 2007-02-13 14:35 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\dvdcss
2010-06-28 20:57 . 2010-03-23 23:21 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-03-23 23:21 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-03-23 23:21 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-03-23 23:21 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-03-23 23:21 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-03-23 23:21 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-03-23 23:21 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-03-23 23:21 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-28 15:24 . 2006-09-28 15:00 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-26 18:18 . 2010-03-24 20:17 -------- d-----w- c:\program files\SpywareGuard
2010-06-19 17:25 . 2007-09-11 15:18 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-19 16:59 . 2007-09-11 15:19 137256 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-17 13:30 . 2009-06-10 17:54 -------- d-----w- c:\program files\Diablo II
2010-06-14 14:31 . 2006-09-08 19:58 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 13:32 . 2009-06-11 19:08 249856 ------w- c:\windows\Setup1.exe
2010-06-12 13:32 . 2009-06-11 19:08 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-06-09 23:01 . 2010-06-09 13:03 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01 . 2010-06-09 13:03 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-06-09 13:10 . 2010-06-09 12:34 -------- d-----w- c:\documents and settings\Ge Bill\Application Data\DivX
2010-06-09 13:03 . 2010-06-09 13:03 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-08 16:08 . 2009-06-10 18:02 37807 ----a-w- c:\windows\DIIUnin.dat
2010-06-04 07:11 . 2008-10-21 18:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-04 17:20 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-08-12 17:32 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2003-12-18 10:33 . 2006-09-29 00:40 20102 ----a-w- c:\program files\Readme.txt
2003-09-03 06:46 . 2006-09-29 00:40 10960 ----a-w- c:\program files\EULA.txt
2006-05-03 09:06 . 2008-04-25 10:28 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2008-04-25 10:28 31232 -csh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2008-04-25 10:28 27648 -csh--w- c:\windows\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
"Gainward"="c:\program files\EXPERTool ATI\TBPanel.exe" [2008-09-05 2300456]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-21 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wltray.exe"="c:\windows\system32\wltray.exe" [2005-06-08 778318]
"EPSON Stylus C66 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE" [2004-01-13 99840]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-30 18082304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-12-14 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-12-14 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-12-14 217088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Ge Bill\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
Trillian.lnk - c:\program files\Trillian\trillian.exe [2010-6-30 2066272]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-5 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-03-13 925688]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ge Bill^Start Menu^Programs^Startup^Wallpaper Changer.lnk]
path=c:\documents and settings\Ge Bill\Start Menu\Programs\Startup\Wallpaper Changer.lnk
backup=c:\windows\pss\Wallpaper Changer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 00:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-08 14:12 1238352 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\dark messiah might and magic multi-player\\mm.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\insurgency\\hl2.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\dark messiah might and magic multi-player\\runme.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\r.u.s.e. beta\\Ruse.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\common\\blood bowl\\BB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\blood bowl\\Manual.pdf"=
"c:\\Program Files\\Steam\\steamapps\\common\\blood bowl\\StrategyGuide.pdf"=
"c:\\Program Files\\Steam\\steamapps\\common\\audiosurf\\engine\\QuestViewer.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [08/09/2006 21:10 14848]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [24/03/2010 00:21 165456]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [12/04/2010 02:07 226680]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [12/04/2010 02:07 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [12/04/2010 02:07 29560]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [24/03/2010 00:21 17744]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [12/04/2010 02:07 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [12/04/2010 02:07 3360760]
R3 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [08/09/2006 21:25 29696]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/01/2008 11:06 21632]
S2 gupdate1ca0a4fc0b10040;Google Update Service (gupdate1ca0a4fc0b10040);c:\program files\Google\Update\GoogleUpdate.exe [21/07/2009 23:08 133104]
S3 ALLOW-IO;ALLOW-IO;\??\d:\allow-io.sys --> d:\ALLOW-IO.sys [?]
S3 Alpham;Ideazon ZBoard Composite Keyboard Driver;c:\windows\system32\drivers\Alpham.sys [12/03/2006 13:11 37248]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [29/08/2006 00:54 10664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [23/03/2010 23:36 38224]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 01:28 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 02:49 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11/07/2008 01:28 369688]
.
Contents of the 'Scheduled Tasks' folder

2010-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2010-07-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-21 22:07]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 22:08]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 22:08]

2010-07-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1482476501-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-07-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1482476501-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
FF - ProfilePath - c:\documents and settings\Ge Bill\Application Data\Mozilla\Firefox\Profiles\mtp96guk.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----


c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-17 18:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(476)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(596)
c:\windows\system32\WININET.dll
c:\program files\Tall Emu\Online Armor\OAwatch.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\SpywareGuard\dlprotect.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\E_S00RP1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\RTHDCPL.EXE
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-07-17 19:08:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-17 18:08
ComboFix2.txt 2010-04-12 00:40

Pre-Run: 18,153,242,624 bytes free
Post-Run: 18,103,148,544 bytes free

- - End Of File - - ADA05D3BAA39953920D2A1D75D455E6F

Thanks so much

Matt
  • 0
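As an added example (not part of this thread and not ComboFix's own logic): a small Python reviewer that reads lines in the layout of the "Reg Loading Points" and "Supplementary Scan" sections of a ComboFix report, like the one above, and flags the settings that rogue-antivirus infections commonly tamper with. The sample lines and the heuristics are constructed for this example; which lines actually need action on a given machine is still the helper's call.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of ComboFix's "Reg Loading Points" and
# "Supplementary Scan" sections. Assembled for this example to exercise the
# checks below; it is not evidence copied from any real report.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
"""

REG_KEY = re.compile(r"^\[(.+)\]$")                 # [HKLM\...] section header
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(\S.*)$')  # "Name"=value (value present)
SUPP_LINE = re.compile(r"^u([^=]+?)\s*=\s*(.+)$")     # uName = value (user-hive settings)
LOOPBACK = re.compile(r"\b(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)\b", re.I)


def review_combofix_log(text: str) -> List[Dict[str, str]]:
    """Return review findings for settings that malware commonly tampers with.

    Heuristics chosen for this example (not ComboFix's own detection logic):
      * Security Center overrides that silence missing-AV/firewall warnings
      * Windows Firewall switched off for the standard profile
      * Internet Explorer proxy pointing back at the local machine
    """
    findings: List[Dict[str, str]] = []
    key = ""  # registry key most recently opened with a [ ... ] header
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = REG_VALUE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if (key.endswith("security center")
                    and name in ("AntiVirusOverride", "FirewallOverride")
                    and value.lower() == "dword:00000001"):
                findings.append({"check": "security-center-override", "evidence": line,
                                 "why": f"{name}=1 suppresses Security Center alerts about missing protection"})
            elif "firewallpolicy" in key and name == "EnableFirewall" and value.split()[0] == "0":
                findings.append({"check": "windows-firewall-disabled", "evidence": line,
                                 "why": "Windows Firewall is off for this profile; acceptable only if a third-party firewall covers it"})
            continue
        m = SUPP_LINE.match(line)
        if m and m.group(1).endswith("ProxyServer"):
            proxy = m.group(2).strip()
            if LOOPBACK.search(proxy):
                findings.append({"check": "loopback-proxy", "evidence": proxy,
                                 "why": "Browser traffic is routed through a proxy on this machine; verify which process listens on that port"})
    return findings


if __name__ == "__main__":
    for f in review_combofix_log(SAMPLE_LOG):
        print(f"[{f['check']}] {f['evidence']}\n    {f['why']}")
```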

#10
ldtate

ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
How's it running now?
  • 0

#11
something exciting

something exciting

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Dunno how to answer that
It appears to be running as normal, I have not had any pop-ups yet appearing claiming for me to download Antivir Solution Pro because my computer is "full of viruses", and windows explorer is not opening up windows of adult.com or viagra.com any more, I can also run .exe files now... if that is what you mean...?

Matt
  • 0

#12
ldtate

ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
Let's do this, and I'll leave your topic open for a few days in case you need to post back.


Good job

The following will implement some cleanup procedures as well as reset System Restore points:

  • Click START run
  • Now type ComboFix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.


To be on the safe side, I would also change all my passwords.


Here's my usual all clean post

Log looks good :)


This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.


  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest available security updates installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.


I would suggest you read:
PC Safety and Security--What Do I Need?.
How to Prevent Malware:
  • 0

#13
something exciting

something exciting

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Dear ldtate

I can't thank you enough for the help you have given me so far.

Matt
  • 0

#14
ldtate

ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP

Dear ldtate

I can't thank you enough for the help you have given me so far.

Matt

You're more than welcome.
Post back in a day or two and let me know how it's doing :)
  • 0

#15
ldtate

ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
