Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Suspected rootkit - tdsskiller, avg and malwarebytes haven't worke


  • This topic is locked This topic is locked

#16
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK try this way at the command prompt type the following with a return after each command

CD..
CD windows
CD ERDNT
CD Hiv-backup
erdnt.exe


Have you tried the last known good option ?
  • 0

Advertisements


#17
SG888

SG888

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Haven't tried last known good, and will try what you suggested now
  • 0

#18
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK if the first bit fails then use last known good
  • 0

#19
SG888

SG888

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
It seems as though erdnt.exe isn't recognised
I ended up in C:\windows\erdnt\HIV-backup> and then I typed erdnt.exe and it said command not recognized type help for a list on known commands
  • 0

#20
SG888

SG888

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Ok windows has started and combofix says it's preparing a log report but not to open any programs till it's finished. its in a window with a blue background. Ah I think its about to finish. Yes the reports popped up so i'll send it from my computer.
  • 0

#21
SG888

SG888

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
ComboFix 11-10-19.06 - Sam Ghazaros 19/10/2011 21:58:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3582.2594 [GMT 1:00]
Running from: c:\documents and settings\Sam Ghazaros\Desktop\ComboFix.exe
AV: AVG Internet Security 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\dasetup.log
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\4eed8adfaecca5f2.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\extensions\[email protected]\chrome.manifest
c:\windows\system32\Cache\extensions\[email protected]\chrome\avg.jar
c:\windows\system32\Cache\extensions\[email protected]\components\FF4\IToolbarhomewmp.xpt
c:\windows\system32\Cache\extensions\[email protected]\components\FF4\toolbarhomewmp.dll
c:\windows\system32\Cache\extensions\[email protected]\components\IToolbarhomewmp.xpt
c:\windows\system32\Cache\extensions\[email protected]\components\toolbarhomeApi.js
c:\windows\system32\Cache\extensions\[email protected]\components\toolbarhomewmp.dll
c:\windows\system32\Cache\extensions\[email protected]\icon.png
c:\windows\system32\Cache\extensions\[email protected]\install.rdf
c:\windows\system32\Cache\extensions\[email protected]\locale\en-US\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\locale\en-US\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\avg.xml
c:\windows\system32\Cache\extensions\[email protected]\modules\avgJsm.js
c:\windows\system32\Cache\extensions\[email protected]\modules\configuration.js
c:\windows\system32\Cache\extensions\[email protected]\modules\configuration_0.css
c:\windows\system32\Cache\extensions\[email protected]\modules\configuration_0.xul
c:\windows\system32\Cache\extensions\[email protected]\modules\EmailNotifier.js
c:\windows\system32\Cache\extensions\[email protected]\modules\HistoryCleaner.js
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\cs\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\cs\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\da\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\da\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\de\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\de\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\en\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\en\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\es-es\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\es-es\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\es\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\es\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\fr\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\fr\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\hu\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\hu\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\id\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\id\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\it\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\it\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\ja\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\ja\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\ko\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\ko\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\ms\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\ms\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\nl\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\nl\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\pl\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\pl\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\pt-br\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\pt-br\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\pt\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\pt\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\ru\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\ru\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\sk\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\sk\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\sr\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\sr\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\tr\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\tr\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\zh-cn\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\zh-cn\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\zh-tw\global.dtd
c:\windows\system32\Cache\extensions\[email protected]\modules\locale\zh-tw\global.properties
c:\windows\system32\Cache\extensions\[email protected]\modules\Preferences.js
c:\windows\system32\Cache\extensions\[email protected]\modules\propertiesJsm.js
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\about.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\ajax-loader.gif
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\calc.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\close.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\current.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\Facebook.gif
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\feedback.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\feedicon.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\help.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\icon_search.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\icon18.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\information-24.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\labs.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\loader.gif
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\note.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\questionmarkIcon.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RadioBg.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RadioEqu.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RadioEqu_on.gif
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RadioHandle.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RadioMenuArrow_off.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RadioMenuArrow_on.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RadioPlay_off.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RadioPlay_on.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RadioStop_off.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RadioStop_on.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RadioVol.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RadioVolBg.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\RealLogo.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\search.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\SecuredSearch.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\sliderWhite.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\weather.gif
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\window-close.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\windows.png
c:\windows\system32\Cache\extensions\[email protected]\modules\skin\WMPLogo.png
c:\windows\system32\lannui.sys
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
.
.
2011-10-20 20:31 . 2011-10-20 20:31 -------- d--h--w- c:\windows\system32\WLANProfiles
2011-10-18 13:06 . 2011-10-18 13:06 1025 ----a-w- c:\windows\system32\clauth2.dll
2011-10-18 13:06 . 2011-10-18 13:06 1025 ----a-w- c:\windows\system32\clauth1.dll
2011-10-18 13:06 . 2011-10-18 13:06 1025 ----a-w- c:\windows\system32\sysprs7.dll
2011-10-18 13:06 . 2011-10-18 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Minnetonka Audio Software
2011-10-18 09:09 . 2007-02-25 05:05 2203520 ----a-w- c:\windows\system32\drivers\NETw4x32.sys
2011-10-18 09:09 . 2007-02-15 11:31 2756608 ----a-w- c:\windows\system32\NETw4r32.dll
2011-10-18 09:09 . 2007-02-15 11:30 679936 ----a-w- c:\windows\system32\NETw4c32.dll
2011-10-18 07:37 . 2011-10-18 07:37 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-14 15:43 . 2011-10-14 15:43 -------- d-----w- c:\program files\iPod
2011-10-14 15:43 . 2011-10-14 15:45 -------- d-----w- c:\program files\iTunes
2011-10-14 15:29 . 2011-10-14 15:29 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-10-14 15:06 . 2011-10-14 15:06 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-10-14 15:06 . 2011-10-14 15:05 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-10-14 15:06 . 2011-10-14 15:05 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-10-14 15:06 . 2011-10-14 15:05 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-10-14 15:06 . 2011-10-14 15:05 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-10-14 15:06 . 2011-10-14 15:05 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-10-14 15:06 . 2011-10-14 15:05 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-10-14 12:10 . 2011-10-14 12:12 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
2011-10-13 12:02 . 2011-10-13 12:02 -------- d-----w- c:\documents and settings\Sam Ghazaros\Local Settings\Application Data\Mozilla
2011-10-13 10:42 . 2011-10-13 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-10-13 10:42 . 2011-10-13 11:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-12 19:31 . 2011-10-12 19:31 -------- d-----w- C:\tdsskiller
2011-10-12 16:21 . 2011-10-12 16:21 -------- d-----w- c:\documents and settings\Sam Ghazaros\Application Data\Malwarebytes
2011-10-12 16:20 . 2011-10-12 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-12 16:20 . 2011-10-18 09:01 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-12 16:20 . 2011-10-12 16:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-12 16:20 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-12 11:34 . 2011-10-12 11:34 -------- d-----w- c:\documents and settings\Sam Ghazaros\Application Data\EDrawings
2011-10-12 11:00 . 2011-10-12 11:00 -------- d-----w- c:\program files\Common Files\eDrawings2012
2011-10-12 10:55 . 2011-10-12 10:55 -------- d-----w- c:\documents and settings\Sam Ghazaros\Local Settings\Application Data\DassaultSystemes
2011-10-12 10:55 . 2011-10-12 10:55 -------- d-----w- c:\documents and settings\Sam Ghazaros\Application Data\DassaultSystemes
2011-10-12 10:55 . 2011-10-12 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\DassaultSystemes
2011-10-09 11:14 . 2011-10-09 11:17 -------- d-----w- c:\documents and settings\Sam Ghazaros\Application Data\AVG
2011-10-09 11:13 . 2011-10-16 20:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-10-07 20:42 . 2011-10-07 20:42 -------- d-----w- C:\$AVG
2011-10-07 20:23 . 2011-10-07 20:23 -------- d-----w- c:\documents and settings\Sam Ghazaros\Application Data\AVG Secure Search
2011-10-07 20:11 . 2011-10-07 20:11 -------- d-----w- C:\AVG2012
2011-10-07 20:11 . 2011-10-07 20:11 -------- d-----w- c:\windows\system32\wbem\extensions
2011-10-07 20:10 . 2011-10-07 20:10 -------- d-----w- c:\windows\system32\drivers\extensions
2011-10-07 20:10 . 2011-10-07 20:10 14336 -c--a-w- c:\windows\system32\dllcache\extensions\[email protected]\components\toolbarhomewmp.dll
2011-10-07 20:10 . 2011-10-07 20:10 11776 -c--a-w- c:\windows\system32\dllcache\extensions\[email protected]\components\FF4\toolbarhomewmp.dll
2011-10-07 20:10 . 2011-10-07 20:10 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-10-07 20:10 . 2011-10-07 20:10 -------- d-----w- c:\program files\AVG Secure Search
2011-10-07 20:09 . 2011-10-19 12:03 -------- d-----w- c:\windows\system32\drivers\AVG
2011-10-07 20:09 . 2011-10-18 09:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-10-07 20:08 . 2011-10-16 20:48 -------- d-----w- c:\program files\AVG
2011-10-07 20:04 . 2011-10-07 20:04 -------- d-----w- c:\windows\Internet Logs
2011-10-07 20:00 . 2011-10-07 20:00 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-10-07 19:57 . 2011-10-19 08:23 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-10-07 08:25 . 2011-10-07 08:25 -------- d-sh--w- c:\documents and settings\Sam Ghazaros\IECompatCache
2011-10-06 14:57 . 2011-10-07 11:32 -------- d-----w- c:\documents and settings\Sam Ghazaros\Application Data\AVS4YOU
2011-10-06 14:50 . 2011-10-16 20:46 -------- d-----w- c:\program files\Common Files\AVSMedia
2011-10-06 14:50 . 2011-10-06 14:50 -------- d-----w- c:\windows\system32\drivers\umdf
2011-10-06 14:49 . 2011-10-07 08:18 -------- d-----w- c:\windows\SxsCaPendDel
2011-10-06 14:48 . 2011-10-16 20:46 -------- d-----w- c:\program files\AVS4YOU
2011-10-06 14:48 . 2011-10-06 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2011-10-06 14:48 . 2011-06-22 10:51 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-10-03 14:27 . 2011-10-03 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2011-10-03 08:37 . 2011-07-21 13:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-10-02 14:11 . 2011-10-13 12:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-25 18:00 . 2011-09-25 18:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-18 09:13 . 2011-08-06 19:50 21425 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-10-12 19:30 . 2011-10-12 19:30 1541309 ----a-w- C:\tdsskiller.zip
2011-09-26 10:41 . 2008-07-29 18:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 05:30 . 2011-09-13 05:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-30 22:05 . 2011-08-30 22:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-30 22:05 . 2011-08-30 22:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-30 22:05 . 2011-08-30 22:05 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-30 22:05 . 2011-08-30 22:05 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-22 23:48 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-18 09:08 . 2011-08-18 09:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-18 09:08 . 2011-08-18 09:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-17 13:49 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-08 05:08 . 2011-08-08 05:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-08-06 20:59 . 2011-08-06 20:59 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-06 19:40 . 2011-08-06 19:40 45056 ----a-r- c:\documents and settings\Sam Ghazaros\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2011-09-29 07:09 . 2011-10-13 12:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2011-10-07 20:10 1451336 ----a-w- c:\program files\AVG Secure Search\8.0.0.34\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\8.0.0.34\AVG Secure Search_toolbar.dll" [2011-10-07 1451336]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-28 8429568]
"nwiz"="nwiz.exe" [2007-04-28 1626112]
"NVHotkey"="nvHotkey.dll" [2007-04-28 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-28 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-17 159744]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-01 65536]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-03-24 599328]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-09-23 2404704]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2011-10-07 218440]
"WD Button Manager"="WDBtnMgr.exe" [2011-10-14 364544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CineFormActiveMetadataStatusViewer.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CineFormActiveMetadataStatusViewer.exe
backup=c:\windows\pss\CineFormActiveMetadataStatusViewer.exeCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SketchBook Snapshot.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SketchBook Snapshot.lnk
backup=c:\windows\pss\SketchBook Snapshot.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 08:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [03/10/2011 09:37 64512]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [04/08/2004 11:00 5120]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - FLEXNET_LICENSING_SERVICE
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\biolsp.dll
TCP: DhcpNameServer = 192.168.1.254
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\Sam Ghazaros\Application Data\Mozilla\Firefox\Profiles\m3038bqe.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-20 22:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:c5,6c,a4,04,d5,d5,b9,ff,8a,a0,75,ca,68,9d,07,77,ca,9d,af,62,df,
a8,49,d4,e7,20,29,1e,69,62,71,9e,47,35,35,e1,2c,bf,c1,bc,02,24,18,9e,44,57,\
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:c5,6c,a4,04,d5,d5,b9,ff,8a,a0,75,ca,68,9d,07,77,ca,9d,af,62,df,
a8,49,d4,e7,20,29,1e,69,62,71,9e,47,35,35,e1,2c,bf,c1,bc,02,24,18,9e,44,57,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\waveGina.dll
c:\windows\system32\AmRes_en.dll
c:\windows\system32\OEM_Resources.dll
c:\program files\Wave Systems Corp\Dell Preboot Manager\PrebootBiosManager.dll
c:\windows\system32\pbadrvdll.dll
c:\program files\Wave Systems Corp\Authentication Manager\authcontrol.dll
c:\program files\Wave Systems Corp\Authentication Manager\authentec.dll
c:\program files\Wave Systems Corp\Authentication Manager\ATSC63.dll
c:\program files\Wave Systems Corp\Authentication Manager\upek.dll
c:\windows\system32\BioAPI100.dll
c:\windows\system32\BIOAPI_MDS300.dll
c:\windows\system\tfmessbsp.dll
.
- - - - - - - > 'lsass.exe'(932)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\windows\system32\WININET.dll
c:\program files\Wave Systems Corp\Authentication Manager\authcontrol.dll
c:\windows\system32\AmRes_en.dll
c:\program files\Wave Systems Corp\Authentication Manager\UserCredentialStore.dll
.
- - - - - - - > 'Explorer.exe'(4032)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\stsystra.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\WDBtnMgr.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2011-10-20 22:33:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-20 21:33
.
Pre-Run: 14,037,454,848 bytes free
Post-Run: 14,372,270,080 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A002761C94B52EE1D1F8C7C85C097E8D
  • 0

#22
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Was it last known good that restored it ?

It seems as though combofix took out a lot of AVG - is that functioning properly ? The location of the cache is weird though

Could you now check your browsers for functionality please
  • 0

#23
SG888

SG888

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Browsers seem to be working well. Avgs window opens but with none of the components.
  • 0

#24
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
I am wondering whether it was infected

Download an new copy of AVG and select the repair option... Details here

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
  • 0

#25
SG888

SG888

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Here's the MBAM log; it says no malicious items were detected.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7994

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

21/10/2011 20:09:53
mbam-log-2011-10-21 (20-09-53).txt

Scan type: Quick scan
Objects scanned: 174435
Time elapsed: 2 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

Advertisements


#26
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Is AVG behaving now ? What other problems are you experiencing ?
  • 0

#27
SG888

SG888

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
AVG still won't repair or install,
the browsers seem to work - fairly well actually. Chrome works again

The computer still seems to think that the wireless card is a usb device though. I haven't tried other software yet.

So the only problem that I know of now is that AVG won't work and I don't know how to make it work.

Also, how do I prevent infections?? and where might this one have come from?
  • 0

#28
SG888

SG888

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Also, when the computer starts comes up with an unusual screen before windows begins - the one that offers to use the last known good config.

Other software seems to be working though on the plus side!
  • 0

#29
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets uninstall AVG and go for a fresh install

Download AVG remover from here
Uninstall AVG from the control panel
Reboot and run the removal tool
Reinstall AVG

Then re-run aswMBR and allow it to download the virus definitions and run a virus scan posting the log on completion
  • 0

#30
SG888

SG888

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Here's the MBR log - I must admit that earlier I reinstalled AVG by removing it using Revo uninstaller and reinstalling it again.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-21 21:16:45
-----------------------------
21:16:45.734 OS Version: Windows 5.1.2600 Service Pack 3
21:16:45.734 Number of processors: 2 586 0xF0A
21:16:45.734 ComputerName: THREAD-85B85E0E UserName: Sam Ghazaros
21:16:46.125 Initialize success
21:30:03.359 AVAST engine defs: 11102101
21:30:20.453 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
21:30:20.453 Disk 0 Vendor: ST9120823ASG 3.ADD Size: 114473MB BusType: 3
21:30:22.468 Disk 0 MBR read successfully
21:30:22.468 Disk 0 MBR scan
21:30:22.500 Disk 0 Windows XP default MBR code
21:30:22.500 Disk 0 scanning sectors +234436545
21:30:22.578 Disk 0 scanning C:\WINDOWS\system32\drivers
21:30:34.906 Service scanning
21:30:38.687 Modules scanning
21:30:42.640 Disk 0 trace - called modules:
21:30:42.640
21:30:42.984 AVAST engine scan C:\WINDOWS
21:30:50.875 AVAST engine scan C:\WINDOWS\system32
21:32:57.609 AVAST engine scan C:\WINDOWS\system32\drivers
21:33:10.875 AVAST engine scan C:\Documents and Settings\Sam Ghazaros
21:37:12.265 AVAST engine scan C:\Documents and Settings\All Users
21:38:12.375 Scan finished successfully
21:41:00.937 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Sam Ghazaros\Desktop\MBR.dat"
21:41:00.953 The log file has been saved successfully to "C:\Documents and Settings\Sam Ghazaros\Desktop\aswMBR.txt"
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP