Otl can not run [Solved]



#16
Suus
Member, Topic Starter, 28 posts
Yes :yes: the cleaning part worked, the bat file worked and the computer restarted automatically.

Then I downloaded RogueKiller and ran it.
It happened very fast! Can't believe all is scanned.
Anyway here is the logfile:

RogueKiller V7.5.4 [06/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Anke [Admin rights]
Mode: Scan -- Date: 06/11/2012 20:13:52

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤
[BLACKLIST Value] HKLM\[...]\Run : SW20 (C:\WINDOWS\system32\sw20.exe) -> FOUND
[BLACKLIST Value] HKLM\[...]\Run : SW24 (C:\WINDOWS\system32\sw24.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[FAKED] ati1rvxx.sys : c:\windows\system32\drivers\ati1rvxx.sys --> CANNOT FIX
[FAKED] ati2mtaa.sys : c:\windows\system32\drivers\ati2mtaa.sys --> CANNOT FIX
[FAKED] atinxsxx.sys : c:\windows\system32\drivers\atinxsxx.sys --> CANNOT FIX
[FAKED] cdfs.sys : c:\windows\system32\drivers\cdfs.sys --> CANNOT FIX
[FAKED] cdrom.sys : c:\windows\system32\drivers\cdrom.sys --> CANNOT FIX
[FAKED] fltmgr.sys : c:\windows\system32\drivers\fltmgr.sys --> CANNOT FIX
[FAKED] imagesrv.sys : c:\windows\system32\drivers\imagesrv.sys --> CANNOT FIX
[FAKED] mf.sys : c:\windows\system32\drivers\mf.sys --> CANNOT FIX
[FAKED] mrxsmb.sys : c:\windows\system32\drivers\mrxsmb.sys --> CANNOT FIX
[FAKED] mtlstrm.sys : c:\windows\system32\drivers\mtlstrm.sys --> CANNOT FIX
[FAKED] nic1394.sys : c:\windows\system32\drivers\nic1394.sys --> CANNOT FIX
[FAKED] nvnrm.sys : c:\windows\system32\drivers\nvnrm.sys --> CANNOT FIX
[FAKED] nwlnknb.sys : c:\windows\system32\drivers\nwlnknb.sys --> CANNOT FIX
[FAKED] ohci1394.sys : c:\windows\system32\drivers\ohci1394.sys --> CANNOT FIX
[FAKED] rdpdr.sys : c:\windows\system32\drivers\rdpdr.sys --> CANNOT FIX
[FAKED] serial.sys : c:\windows\system32\drivers\serial.sys --> CANNOT FIX
[FAKED] slnt7554.sys : c:\windows\system32\drivers\slnt7554.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[111] : NtNotifyChangeKey @ 0x8061CDD0 -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0xB2880004)
SSDT[112] : NtNotifyChangeMultipleKeys @ 0x8061BA04 -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0xB28800D4)
SSDT[122] : NtOpenProcess @ 0x805C13E2 -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0xB287FD76)
SSDT[257] : NtTerminateProcess @ 0x805C866A -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0xB287FE1E)
SSDT[258] : NtTerminateThread @ 0x805C8864 -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0xB287FEBA)
SSDT[277] : NtWriteVirtualMemory @ 0x805A994E -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0xB287FF56)
S_SSDT[383] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0xB288059E)
S_SSDT[414] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0xB288050A)
S_SSDT[416] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0xB288054A)
S_SSDT[549] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0xB288049C)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HDT722525DLA380 +++++
--- User ---
[MBR] ce8fe7bbb296254bdf66d40ba7e65309
[BSP] 50b5d03c2881f2d1f93e77d44105183e : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 29996 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 61432560 | Size: 101065 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 268414020 | Size: 107411 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

#17
Dakeyras
Anti-Malware Mammoth, Expert, 9,714 posts
Hi. :)

Yes :yes: the cleaning part worked, the bat file worked and the computer restarted automatically.

Good, and what you mentioned prior about it is not a cause for concern; if you ever opt to use it again it should be quicker, though that would depend on the amount of temp files etc.

Then I downloaded RogueKiller and ran it.
It happened very fast! Can't believe all is scanned.

Yes, it can be at times. Though it appears you ran it twice, any particular reason for that? Anyway, let's proceed as follows, shall we...

Scan with SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following quote-box (do not copy the word quote) into the main textfield:

:filefind
ati1rvxx.sys
ati2mtaa.sys
atinxsxx.sys
cdfs.sys
cdrom.sys
fltmgr.sys
imagesrv.sys
mf.sys
mrxsmb.sys
mtlstrm.sys
nic1394.sys
nvnrm.sys
nwlnknb.sys
ohci1394.sys
rdpdr.sys
serial.sys
slnt7554.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

How to use ComboFix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs <-- Click on this link.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects rootkit activity and asks to reboot the system, please allow this to be done.

If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a forum helper


When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and or problems encountered?
  • SystemLook Log.
  • ComboFix Log.


#18
Suus
Member, Topic Starter, 28 posts
Hi again,

Thanks for your reply and I will work on it in the evening if it's possible, since I have a very busy day.
I can't remember I ran RogueKiller twice. I just copied the text that opened in the file. However, after I posted my answer and closed the browser I noticed 2 txt on my desktop. I checked and it seems they are identical. However, I can post them both if that's necessary.

Thanks again and I hope I can move on later today. Otherwise it will be tomorrow after work.

#19
Dakeyras
Anti-Malware Mammoth, Expert, 9,714 posts
OK and thank you for the clarification, no need to post the other RogueKiller log...anyway post the requested SystemLook and ComboFix logs when ready. :)

#20
Suus
Member, Topic Starter, 28 posts
Can make it tonight :))

Ran the look.exe and here are the results:

SystemLook 30.07.11 by jpshortstuff
Log created at 18:53 on 12/06/2012 by Anke
Administrator - Elevation successful

========== filefind ==========

Searching for "ati1rvxx.sys"
C:\WINDOWS\ServicePackFiles\i386\ati1rvxx.sys --a--c- 63663 bytes [13:00 10/01/2006] [20:29 03/08/2004] BCAF267B10620F8C93F6E87AB726E145
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\ati1rvxx.sys --a--c- 63663 bytes [04:16 03/09/2008] [20:29 03/08/2004] BCAF267B10620F8C93F6E87AB726E145
C:\WINDOWS\system32\dllcache\ati1rvxx.sys --a--c- 63663 bytes [13:00 10/01/2006] [20:29 03/08/2004] BCAF267B10620F8C93F6E87AB726E145
C:\WINDOWS\system32\drivers\ati1rvxx.sys --a--c- 63663 bytes [13:00 10/01/2006] [20:29 03/08/2004] BCAF267B10620F8C93F6E87AB726E145

Searching for "ati2mtaa.sys"
C:\WINDOWS\ServicePackFiles\i386\ati2mtaa.sys --a--c- 327168 bytes [13:00 10/01/2006] [22:54 03/08/2004] 63657F4D48597B8E4C27C5FEABFB0553
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\ati2mtaa.sys --a--c- 327168 bytes [04:16 03/09/2008] [22:54 03/08/2004] 63657F4D48597B8E4C27C5FEABFB0553
C:\WINDOWS\system32\dllcache\ati2mtaa.sys --a--c- 327168 bytes [13:00 10/01/2006] [22:54 03/08/2004] 63657F4D48597B8E4C27C5FEABFB0553
C:\WINDOWS\system32\drivers\ati2mtaa.sys --a--c- 327168 bytes [13:00 10/01/2006] [22:54 03/08/2004] 63657F4D48597B8E4C27C5FEABFB0553

Searching for "atinxsxx.sys "
C:\WINDOWS\ServicePackFiles\i386\atinxsxx.sys --a--c- 63488 bytes [13:00 10/01/2006] [20:29 03/08/2004] 77B575D7AAB35D5908AE6CE681608D62
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\atinxsxx.sys --a--c- 63488 bytes [04:16 03/09/2008] [20:29 03/08/2004] 77B575D7AAB35D5908AE6CE681608D62
C:\WINDOWS\system32\dllcache\atinxsxx.sys --a--c- 63488 bytes [13:00 10/01/2006] [20:29 03/08/2004] 77B575D7AAB35D5908AE6CE681608D62
C:\WINDOWS\system32\drivers\atinxsxx.sys --a--c- 63488 bytes [13:00 10/01/2006] [20:29 03/08/2004] 77B575D7AAB35D5908AE6CE681608D62

Searching for "cdfs.sys "
C:\WINDOWS\$NtServicePackUninstall$\cdfs.sys -----c- 63744 bytes [19:14 03/09/2008] [21:14 03/08/2004] CD7D5152DF32B47F4E36F710B35AAE02
C:\WINDOWS\ServicePackFiles\i386\cdfs.sys --a--c- 63744 bytes [13:00 10/01/2006] [19:14 13/04/2008] C885B02847F5D2FD45A24E219ED93B32
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\cdfs.sys --a--c- 63744 bytes [04:16 03/09/2008] [19:14 13/04/2008] C885B02847F5D2FD45A24E219ED93B32
C:\WINDOWS\system32\dllcache\cdfs.sys --a--c- 63744 bytes [10:00 07/09/2001] [19:14 13/04/2008] C885B02847F5D2FD45A24E219ED93B32
C:\WINDOWS\system32\drivers\cdfs.sys --a--c- 63744 bytes [10:00 07/09/2001] [19:14 13/04/2008] C885B02847F5D2FD45A24E219ED93B32

Searching for "cdrom.sys "
C:\WINDOWS\$NtServicePackUninstall$\cdrom.sys -----c- 49536 bytes [19:14 03/09/2008] [20:59 03/08/2004] AF9C19B3100FE010496B1A27181FBF72
C:\WINDOWS\ServicePackFiles\i386\cdrom.sys --a--c- 62976 bytes [13:00 10/01/2006] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\cdrom.sys --a--c- 62976 bytes [04:16 03/09/2008] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE
C:\WINDOWS\system32\dllcache\cdrom.sys --a--c- 62976 bytes [10:00 07/09/2001] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE
C:\WINDOWS\system32\drivers\cdrom.sys --a--c- 62976 bytes [10:00 07/09/2001] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE

Searching for "fltmgr.sys "
C:\WINDOWS\$hf_mig$\KB922582\SP2QFE\fltmgr.sys --a--c- 128768 bytes [16:54 14/09/2006] [09:43 21/08/2006] 5A85CD3D07273E3F6FE72EE9C6431632
C:\WINDOWS\$NtServicePackUninstall$\fltmgr.sys -----c- 128896 bytes [19:15 03/09/2008] [09:14 21/08/2006] 3D234FB6D6EE875EB009864A299BEA29
C:\WINDOWS\$NtUninstallKB922582$\fltmgr.sys --a--c- 124800 bytes [16:54 14/09/2006] [21:01 03/08/2004] 157754F0DF355A9E0A6F54721914F9C6
C:\WINDOWS\ServicePackFiles\i386\fltmgr.sys --a--c- 129792 bytes [13:00 10/01/2006] [18:32 13/04/2008] B2CF4B0786F8212CB92ED2B50C6DB6B0
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\fltmgr.sys --a--c- 129792 bytes [04:16 03/09/2008] [18:32 13/04/2008] B2CF4B0786F8212CB92ED2B50C6DB6B0
C:\WINDOWS\system32\dllcache\fltmgr.sys --a--c- 129792 bytes [13:00 10/01/2006] [18:32 13/04/2008] B2CF4B0786F8212CB92ED2B50C6DB6B0
C:\WINDOWS\system32\drivers\fltmgr.sys --a--c- 129792 bytes [13:00 10/01/2006] [18:32 13/04/2008] B2CF4B0786F8212CB92ED2B50C6DB6B0

Searching for "imagesrv.sys "
C:\WINDOWS\system32\drivers\imagesrv.sys --a--c- 127488 bytes [10:08 15/08/2005] [10:08 15/08/2005] 9C4BBACF4E9B9543C3CE23F1FE556941

Searching for "mf.sys "
C:\WINDOWS\$NtServicePackUninstall$\mf.sys -----c- 63744 bytes [19:14 03/09/2008] [21:07 03/08/2004] 729D83E56C29C510258A6E9E79FFDDC3
C:\WINDOWS\ServicePackFiles\i386\mf.sys --a--c- 63744 bytes [13:00 10/01/2006] [18:36 13/04/2008] A7DA20AB18A1BDAE28B0F349E57DA0D1
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\mf.sys --a--c- 63744 bytes [04:17 03/09/2008] [18:36 13/04/2008] A7DA20AB18A1BDAE28B0F349E57DA0D1
C:\WINDOWS\system32\dllcache\mf.sys --a--c- 63744 bytes [19:58 17/08/2001] [18:36 13/04/2008] A7DA20AB18A1BDAE28B0F349E57DA0D1
C:\WINDOWS\system32\drivers\mf.sys --a--c- 63744 bytes [19:58 17/08/2001] [18:36 13/04/2008] A7DA20AB18A1BDAE28B0F349E57DA0D1

Searching for "mrxsmb.sys "
C:\WINDOWS\$hf_mig$\KB2511455\SP3QFE\mrxsmb.sys --a--c- 457472 bytes [06:10 15/04/2011] [13:19 17/02/2011] FB7DFD15D760AD339837A470F0E780D3
C:\WINDOWS\$hf_mig$\KB2536276\SP3QFE\mrxsmb.sys --a--c- 457856 bytes [08:39 17/06/2011] [16:47 29/04/2011] 8DD801E28EB76FDA2A38907882A0036F
C:\WINDOWS\$hf_mig$\KB2536276-v2\SP3QFE\mrxsmb.sys --a--c- 457856 bytes [17:43 10/08/2011] [13:29 15/07/2011] FB2FCCC70F7174C7BF64F48E96D3ADF4
C:\WINDOWS\$hf_mig$\KB885250\SP2QFE\mrxsmb.sys --a--c- 451584 bytes [02:51 19/01/2005] [02:51 19/01/2005] 7B195060FF456FA65954C72C5C1640FF
C:\WINDOWS\$hf_mig$\KB885835\SP2QFE\mrxsmb.sys --a--c- 448128 bytes [00:15 28/10/2004] [00:15 28/10/2004] A1BE3CB080DCC0A8270D21E3CA3B7005
C:\WINDOWS\$hf_mig$\KB914389\SP2QFE\mrxsmb.sys --a--c- 454400 bytes [10:16 05/05/2006] [10:16 05/05/2006] 7412CE77C6FD823F8889B4DF420C680B
C:\WINDOWS\$hf_mig$\KB957097\SP3QFE\mrxsmb.sys --a--c- 455936 bytes [17:32 13/11/2008] [11:41 24/10/2008] 7170AB42B51954DEF2781A4D1CCE65F4
C:\WINDOWS\$hf_mig$\KB978251\SP3QFE\mrxsmb.sys --a--c- 456832 bytes [14:48 10/02/2010] [17:25 04/12/2009] 602549D1E8A622E5746991F6C56B21CA
C:\WINDOWS\$hf_mig$\KB980232\SP3QFE\mrxsmb.sys --a--c- 457216 bytes [22:03 14/04/2010] [11:57 24/02/2010] D09B9F0B9960DD41E73127B7814C115F
C:\WINDOWS\$NtServicePackUninstall$\mrxsmb.sys -----c- 453120 bytes [19:14 03/09/2008] [09:41 05/05/2006] 025AF03CE51645C62F3B6907A7E2BE5E
C:\WINDOWS\$NtUninstallKB2511455$\mrxsmb.sys -----c- 455680 bytes [17:56 15/04/2011] [13:11 24/02/2010] F3AEFB11ABC521122B67095044169E98
C:\WINDOWS\$NtUninstallKB2536276$\mrxsmb.sys -----c- 455936 bytes [11:55 17/06/2011] [13:18 17/02/2011] 0EA4D8ED179B75F8AFA7998BA22285CA
C:\WINDOWS\$NtUninstallKB2536276-v2$\mrxsmb.sys -----c- 456320 bytes [18:06 10/08/2011] [16:19 29/04/2011] 0DC719E9B15E902346E87E9DCD5751FA
C:\WINDOWS\$NtUninstallKB885250$\mrxsmb.sys --a--c- 448128 bytes [14:29 10/01/2006] [00:14 28/10/2004] C9D17DAA82B917CF2FD6E4F595974934
C:\WINDOWS\$NtUninstallKB885835$\mrxsmb.sys --a--c- 451456 bytes [14:29 10/01/2006] [21:15 03/08/2004] 1FD607FC67F7F7C633C3DA65BFC53D18
C:\WINDOWS\$NtUninstallKB914389$\mrxsmb.sys --a--c- 451584 bytes [21:53 16/06/2006] [03:26 19/01/2005] 5DDC9A1B2EB5A4BF010CE8C019A18C1F
C:\WINDOWS\$NtUninstallKB957097$\mrxsmb.sys -----c- 456576 bytes [17:37 13/11/2008] [19:17 13/04/2008] 68755F0FF16070178B54674FE5B847B0
C:\WINDOWS\$NtUninstallKB978251$\mrxsmb.sys -----c- 455296 bytes [15:29 10/02/2010] [11:21 24/10/2008] 60AE98742484E7AB80C3C1450E708148
C:\WINDOWS\$NtUninstallKB980232$\mrxsmb.sys -----c- 455424 bytes [22:13 14/04/2010] [18:22 04/12/2009] 421F7B922CEC5A5F340E7574A98F7B7C
C:\WINDOWS\Driver Cache\i386\mrxsmb.sys -----c- 456320 bytes [17:32 13/11/2008] [13:29 15/07/2011] 7D304A5EB4344EBEEAB53A2FE3FFB9F0
C:\WINDOWS\ServicePackFiles\i386\mrxsmb.sys --a--c- 456576 bytes [13:00 10/01/2006] [19:17 13/04/2008] 68755F0FF16070178B54674FE5B847B0
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\mrxsmb.sys --a--c- 456576 bytes [04:17 03/09/2008] [19:17 13/04/2008] 68755F0FF16070178B54674FE5B847B0
C:\WINDOWS\system32\dllcache\mrxsmb.sys --a---- 456320 bytes [10:00 07/09/2001] [13:29 15/07/2011] 7D304A5EB4344EBEEAB53A2FE3FFB9F0
C:\WINDOWS\system32\drivers\mrxsmb.sys --a--c- 456320 bytes [10:00 07/09/2001] [13:29 15/07/2011] 7D304A5EB4344EBEEAB53A2FE3FFB9F0

Searching for "mtlstrm.sys "
C:\WINDOWS\ServicePackFiles\i386\mtlstrm.sys --a--c- 1309184 bytes [13:00 10/01/2006] [20:41 03/08/2004] 54886A652BF5685192141DF304E923FD
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\mtlstrm.sys --a--c- 1309184 bytes [04:17 03/09/2008] [20:41 03/08/2004] 54886A652BF5685192141DF304E923FD
C:\WINDOWS\system32\dllcache\mtlstrm.sys --a--c- 1309184 bytes [13:00 10/01/2006] [20:41 03/08/2004] 54886A652BF5685192141DF304E923FD
C:\WINDOWS\system32\drivers\mtlstrm.sys --a--c- 1309184 bytes [13:00 10/01/2006] [20:41 03/08/2004] 54886A652BF5685192141DF304E923FD

Searching for "nic1394.sys "
C:\WINDOWS\$NtServicePackUninstall$\nic1394.sys -----c- 61824 bytes [19:14 03/09/2008] [20:58 03/08/2004] 5C5C53DB4FEF16CF87B9911C7E8C6FBC
C:\WINDOWS\ServicePackFiles\i386\nic1394.sys --a--c- 61824 bytes [13:00 10/01/2006] [18:51 13/04/2008] E9E47CFB2D461FA0FC75B7A74C6383EA
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\nic1394.sys --a--c- 61824 bytes [04:17 03/09/2008] [18:51 13/04/2008] E9E47CFB2D461FA0FC75B7A74C6383EA
C:\WINDOWS\system32\dllcache\nic1394.sys --a--c- 61824 bytes [19:46 17/08/2001] [18:51 13/04/2008] E9E47CFB2D461FA0FC75B7A74C6383EA
C:\WINDOWS\system32\drivers\nic1394.sys --a--c- 61824 bytes [19:46 17/08/2001] [18:51 13/04/2008] E9E47CFB2D461FA0FC75B7A74C6383EA

Searching for "nvnrm.sys "
C:\Program Files\Setup Files\NVIDIA nForce4 System Driver v666\Ethernet\nvnrm.sys --a--c- 261888 bytes [01:22 06/04/2005] [01:22 06/04/2005] F0C8AE1FEFB954367E2DA224AA97537D
C:\WINDOWS\system32\drivers\nvnrm.sys --a--c- 261888 bytes [13:10 10/01/2006] [01:22 06/04/2005] F0C8AE1FEFB954367E2DA224AA97537D
C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\nvnrm.sys -ra--c- 275584 bytes [14:00 10/01/2006] [08:42 24/11/2004] 1DB63A3126303185256F7350EB8A50C9

Searching for "nwlnknb.sys "
C:\WINDOWS\system32\dllcache\nwlnknb.sys --a--c- 63232 bytes [10:00 07/09/2001] [10:00 07/09/2001] 56D34A67C05E94E16377C60609741FF8
C:\WINDOWS\system32\drivers\nwlnknb.sys --a--c- 63232 bytes [10:00 07/09/2001] [10:00 07/09/2001] 56D34A67C05E94E16377C60609741FF8

Searching for "ohci1394.sys "
C:\WINDOWS\$NtServicePackUninstall$\ohci1394.sys -----c- 61056 bytes [19:14 03/09/2008] [21:10 03/08/2004] 0951DB8E5823EA366B0E408D71E1BA2A
C:\WINDOWS\ServicePackFiles\i386\ohci1394.sys --a--c- 61696 bytes [13:00 10/01/2006] [18:46 13/04/2008] CA33832DF41AFB202EE7AEB05145922F
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\ohci1394.sys --a--c- 61696 bytes [04:17 03/09/2008] [18:46 13/04/2008] CA33832DF41AFB202EE7AEB05145922F
C:\WINDOWS\system32\dllcache\ohci1394.sys --a--c- 61696 bytes [10:00 07/09/2001] [18:46 13/04/2008] CA33832DF41AFB202EE7AEB05145922F
C:\WINDOWS\system32\drivers\ohci1394.sys --a--c- 61696 bytes [10:00 07/09/2001] [18:46 13/04/2008] CA33832DF41AFB202EE7AEB05145922F

Searching for "rdpdr.sys "
C:\WINDOWS\$NtServicePackUninstall$\rdpdr.sys -----c- 196864 bytes [19:14 03/09/2008] [21:01 03/08/2004] A2CAE2C60BC37E0751EF9DDA7CEAF4AD
C:\WINDOWS\ServicePackFiles\i386\rdpdr.sys --a--c- 196224 bytes [13:00 10/01/2006] [18:32 13/04/2008] 15CABD0F7C00C47C70124907916AF3F1
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\rdpdr.sys --a--c- 196224 bytes [04:17 03/09/2008] [18:32 13/04/2008] 15CABD0F7C00C47C70124907916AF3F1
C:\WINDOWS\system32\dllcache\rdpdr.sys --a--c- 196224 bytes [12:46 10/01/2006] [18:32 13/04/2008] 15CABD0F7C00C47C70124907916AF3F1
C:\WINDOWS\system32\drivers\rdpdr.sys --a--c- 196224 bytes [12:46 10/01/2006] [18:32 13/04/2008] 15CABD0F7C00C47C70124907916AF3F1

Searching for "serial.sys "
C:\WINDOWS\$NtServicePackUninstall$\serial.sys -----c- 65920 bytes [19:14 03/09/2008] [22:55 03/08/2004] 97E86D03D082D369CB025113B4B7B781
C:\WINDOWS\ServicePackFiles\i386\serial.sys --a--c- 65536 bytes [13:00 10/01/2006] [16:36 14/04/2008] 92C21762653BB2CE51147EB8A9AA654F
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\serial.sys --a--c- 65536 bytes [04:17 03/09/2008] [16:36 14/04/2008] 92C21762653BB2CE51147EB8A9AA654F
C:\WINDOWS\system32\dllcache\serial.sys --a--c- 65536 bytes [10:00 07/09/2001] [16:36 14/04/2008] 92C21762653BB2CE51147EB8A9AA654F
C:\WINDOWS\system32\drivers\serial.sys --a--c- 65536 bytes [10:00 07/09/2001] [16:36 14/04/2008] 92C21762653BB2CE51147EB8A9AA654F

Searching for "slnt7554.sys"
C:\WINDOWS\ServicePackFiles\i386\slnt7554.sys --a--c- 129535 bytes [13:00 10/01/2006] [20:41 03/08/2004] D9673011648A71ED1E1F77B831BC85E6
C:\WINDOWS\SoftwareDistribution\Download\822ceb2331d0360bde8948c432c9beec\slnt7554.sys --a--c- 129535 bytes [04:17 03/09/2008] [20:41 03/08/2004] D9673011648A71ED1E1F77B831BC85E6
C:\WINDOWS\system32\dllcache\slnt7554.sys --a--c- 129535 bytes [13:00 10/01/2006] [20:41 03/08/2004] D9673011648A71ED1E1F77B831BC85E6
C:\WINDOWS\system32\drivers\slnt7554.sys --a--c- 129535 bytes [13:00 10/01/2006] [20:41 03/08/2004] D9673011648A71ED1E1F77B831BC85E6

-= EOF =-

Now I will run ComboFix...
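The SystemLook request above lists every driver RogueKiller flagged as [FAKED] so that the copy the kernel loads from system32\drivers can be compared by MD5 against the copies Windows XP keeps in dllcache and ServicePackFiles\i386; that comparison is what the helper does by eye on the log. The following is an added example (not SystemLook's or the forum's own code) that parses a filefind log and gives each driver a verdict; the sample log reuses the cdfs.sys and imagesrv.sys lines from the post above and adds a constructed demo.sys entry with invented hashes to show the mismatch case.

```python
"""Check SystemLook ':filefind' results for tampered drivers.

Added illustration (not SystemLook's or the forum's own code): the live copy
of each driver in system32\\drivers is compared by MD5 against the copies
Windows XP keeps in dllcache and ServicePackFiles\\i386.
"""
import re
from collections import defaultdict

# One result line: path, 7-char attribute field, size, [created], [modified], MD5.
LINE_RE = re.compile(
    r'^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes '
    r'\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$'
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"\s*$')

LIVE_DIR = "\\system32\\drivers\\"              # the copy the kernel actually loads
REFERENCE_DIRS = ("\\system32\\dllcache\\",      # Windows File Protection cache
                  "\\servicepackfiles\\i386\\")  # service-pack originals


def parse_filefind(text):
    """Return {filename: [entry, ...]}; each entry is a dict of the parsed fields."""
    results = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            # SystemLook echoes the search term, sometimes with a trailing space.
            current = m.group("name").strip().lower()
            continue
        m = LINE_RE.match(line)
        if m and current:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            results[current].append(entry)
    return dict(results)


def verdict(entries):
    """Classify one driver from its filefind entries.

    'match'        live copy hashes the same as a dllcache/ServicePackFiles copy
    'mismatch'     reference copies exist but none share the live copy's hash
    'no reference' no reference copy on disk (e.g. a third-party driver)
    'not loaded'   no copy under system32\\drivers at all
    """
    live = [e for e in entries if LIVE_DIR in e["path"].lower()]
    refs = [e for e in entries
            if any(d in e["path"].lower() for d in REFERENCE_DIRS)]
    if not live:
        return "not loaded"
    if not refs:
        return "no reference"
    live_md5 = {e["md5"] for e in live}
    ref_md5 = {e["md5"] for e in refs}
    return "match" if live_md5 & ref_md5 else "mismatch"


def check_drivers(text):
    """Map every driver named in the log to its verdict."""
    return {name: verdict(entries) for name, entries in parse_filefind(text).items()}


# Sample log: cdfs.sys and imagesrv.sys are copied from the thread above;
# demo.sys is a constructed entry with invented hashes to exercise 'mismatch'.
# Note that the $NtServicePackUninstall$ copy of cdfs.sys is pre-SP3 and differs
# legitimately, which is why it is not treated as a reference location.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "cdfs.sys "
C:\WINDOWS\$NtServicePackUninstall$\cdfs.sys -----c- 63744 bytes [19:14 03/09/2008] [21:14 03/08/2004] CD7D5152DF32B47F4E36F710B35AAE02
C:\WINDOWS\ServicePackFiles\i386\cdfs.sys --a--c- 63744 bytes [13:00 10/01/2006] [19:14 13/04/2008] C885B02847F5D2FD45A24E219ED93B32
C:\WINDOWS\system32\dllcache\cdfs.sys --a--c- 63744 bytes [10:00 07/09/2001] [19:14 13/04/2008] C885B02847F5D2FD45A24E219ED93B32
C:\WINDOWS\system32\drivers\cdfs.sys --a--c- 63744 bytes [10:00 07/09/2001] [19:14 13/04/2008] C885B02847F5D2FD45A24E219ED93B32

Searching for "imagesrv.sys "
C:\WINDOWS\system32\drivers\imagesrv.sys --a--c- 127488 bytes [10:08 15/08/2005] [10:08 15/08/2005] 9C4BBACF4E9B9543C3CE23F1FE556941

Searching for "demo.sys"
C:\WINDOWS\system32\dllcache\demo.sys --a--c- 4096 bytes [10:00 07/09/2001] [10:00 07/09/2001] 00000000000000000000000000000001
C:\WINDOWS\system32\drivers\demo.sys --a---- 4096 bytes [10:00 07/09/2001] [12:00 01/01/2012] 00000000000000000000000000000002

-= EOF =-
"""

if __name__ == "__main__":
    for name, result in sorted(check_drivers(SAMPLE_LOG).items()):
        print(f"{name:14s} {result}")
```

A "match" only says the file on disk is the one Windows shipped; a rootkit that hooks the driver in memory, as RogueKiller's [FAKED] heuristic suspects, can leave the disk copy untouched, which is why the helper asks for ComboFix next.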

#21
Suus
Member, Topic Starter, 28 posts
Hi again,
At first I could not download ComboFix from the link you gave me, however you also gave a link for the ComboFix tutorial and there I found a ComboFix download that worked for me.

So, I disabled my AVG and the shield of AVG until next restart and then I ran ComboFix.

ComboFix noticed I did not have a Microsoft Recovery Console installed and then it installed one for me :thumbsup:

Here is the report:

ComboFix 12-06-12.01 - Anke 12-06-2012 19:40:57.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1023.500 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Anke\Bureaublad\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\_backupD
c:\_backupd\sts.txt
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\documents and settings\Anke\Application Data\PriceGong
c:\documents and settings\Anke\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Anke\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Anke\Application Data\PriceGong\Data\z.txt
c:\documents and settings\Anke\WINDOWS
c:\windows\IsUn0413.exe
c:\windows\system32\Cache
c:\windows\system32\Cache\1cd2a1d287e68bb6.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\59dfd5520e39bb39.fb
c:\windows\system32\Cache\5b4ec600a44d4ed4.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\ceebbcb_s.dll
c:\windows\system32\OLDBC3.tmp
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\regdacl
c:\windows\system32\regdacl\doc\RegAudit.GIF
c:\windows\system32\regdacl\doc\RegAudit_e.htm
c:\windows\system32\regdacl\doc\RegDACL.GIF
c:\windows\system32\regdacl\doc\RegDACL_el.htm
c:\windows\system32\regdacl\doc\RegDACL_er1.htm
c:\windows\system32\regdacl\doc\RegDACL_er2.htm
c:\windows\system32\regdacl\doc\RegDACL_er3.htm
c:\windows\system32\regdacl\doc\RegDACLe.htm
c:\windows\system32\regdacl\doc\RegLast_e.htm
c:\windows\system32\regdacl\doc\RegOwner.GIF
c:\windows\system32\regdacl\doc\RegOwner_e.htm
c:\windows\system32\regdacl\doc\SMWNCV.cmd
c:\windows\system32\regdacl\Freeware_en.txt
c:\windows\system32\regdacl\Orderinfo.htm
c:\windows\system32\regdacl\RegToolsHelp.htm
c:\windows\system32\SET1063.tmp
c:\windows\system32\SET2F1.tmp
c:\windows\system32\SET2FD.tmp
c:\windows\system32\SET30A.tmp
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2012-05-12 to 2012-06-12 ))))))))))))))))))))))))))))))
.
.
2012-06-10 13:20 . 2012-06-10 13:20 388096 ----a-r- c:\documents and settings\Anke\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-06-10 12:22 . 2012-06-10 12:22 -------- d-----w- c:\documents and settings\Anke\Local Settings\Application Data\WiseConvert
2012-06-10 12:21 . 2012-06-10 13:21 -------- d-----w- c:\program files\WiseConvert
2012-06-10 12:17 . 2012-06-10 12:17 -------- d-----w- c:\program files\ERUNT
2012-06-08 08:13 . 2012-06-08 08:13 -------- d-----w- c:\documents and settings\Anke\Local Settings\Application Data\AVG Secure Search
2012-06-05 17:12 . 2012-06-05 17:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-06-02 21:06 . 2012-06-02 21:06 -------- d-----w- C:\rsit
2012-06-01 16:10 . 2012-06-01 16:10 -------- d-----w- c:\program files\ESET
2012-05-27 14:06 . 2012-05-27 14:06 -------- d-----w- c:\documents and settings\Anke\Local Settings\Application Data\Sun
2012-05-20 17:04 . 2012-05-20 17:04 -------- d-----w- c:\program files\Common Files\Java
2012-05-20 17:02 . 2012-05-20 17:02 -------- d-----w- c:\program files\Oracle
2012-05-20 17:02 . 2012-05-20 17:02 -------- d-----w- c:\documents and settings\Anke\Application Data\Oracle
2012-05-20 17:02 . 2012-04-04 16:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-20 16:22 . 2012-05-20 16:22 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2012-05-20 16:22 . 2012-05-20 16:22 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2012-05-20 16:22 . 2012-05-20 16:22 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2012-05-20 16:22 . 2012-05-20 16:22 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2012-05-20 16:22 . 2012-05-20 16:22 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2012-05-20 16:22 . 2012-05-20 16:22 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2012-05-20 16:22 . 2012-05-20 16:22 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2012-05-20 15:53 . 2012-05-20 15:53 -------- d-----w- c:\program files\iPod
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2001-09-07 10:00 602624 ----a-w- c:\windows\system32\crypt32.dll
2012-05-20 17:02 . 2012-03-09 20:10 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-12 07:17 . 2012-04-04 16:48 419488 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-12 07:17 . 2011-05-13 19:07 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-19 02:50 . 2012-04-19 02:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-18 18:56 . 2012-04-18 18:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-18 18:56 . 2012-04-18 18:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-04-11 13:55 . 2001-09-06 17:53 2073472 -c--a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-11 13:55 . 2001-09-07 10:00 1862400 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:55 . 2001-09-07 10:00 2196992 -c--a-w- c:\windows\system32\ntoskrnl.exe
2012-03-19 03:17 . 2010-11-09 21:20 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2006-07-27 14:00 . 2006-07-27 14:00 11071378 -c--a-w- c:\program files\ndntnlst.exe
2006-06-24 17:27 . 2006-06-24 17:27 9976964 -c--a-w- c:\program files\nentnlst.exe
2006-05-23 16:54 . 2006-05-23 16:54 590 -c--a-w- c:\program files\layout.bin
1998-10-27 11:06 . 1998-10-27 11:06 27648 -c--a-w- c:\program files\_ISDel.exe
1998-09-29 14:34 . 1998-09-29 14:34 34816 -c--a-w- c:\program files\_Setup.dll
2001-09-07 10:00 94784 -csha-w- c:\windows\twain.dll
2008-04-14 17:02 50688 -csha-w- c:\windows\twain_32.dll
2011-02-08 13:33 978944 -csha-w- c:\windows\system32\mfc42.dll
2008-04-14 17:02 57344 -csha-w- c:\windows\system32\msvcirt.dll
2008-04-14 17:02 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 17:02 343040 --sha-w- c:\windows\system32\msvcrt.dll
2010-12-20 17:32 551936 --sha-w- c:\windows\system32\oleaut32.dll
2008-04-14 17:02 84992 -csha-w- c:\windows\system32\olepro32.dll
2008-04-14 17:03 12288 -csha-w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-06-08 08:13 2067328 ----a-w- c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll" [2012-06-08 2067328]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-16 94208]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-03 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="c:\windows\system32\sw20.exe" [2005-06-29 212992]
"SW24"="c:\windows\system32\sw24.exe" [2005-07-04 69632]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"AirPort Base Station Agent"="c:\program files\AirMac\APAgent.exe" [2009-11-11 771360]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-06-08 1116544]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-29 15494464]
"NvMediaCenter"="NvMCTray.dll" [2012-02-29 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-29 1634112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-18 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 17:03 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Anke\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Anke\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Phoenix Viewer\\SLVoice.exe"=
"c:\\Program Files\\Phoenix Viewer\\SLPlugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Dvd- of cd-deling\\ODSAgent.exe"=
"c:\\Program Files\\Dvd- of cd-deling\\RemoteInstallMacOSX.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\AirMac\\APAgent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19-04-2012 4:50 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07-09-2010 4:48 31952]
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [17-06-2009 14:01 20744]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07-09-2010 4:48 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [09-11-2010 23:20 301248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [14-02-2012 4:53 193288]
R2 GLiIoEye;GLiIoEye;c:\windows\system32\drivers\GLiIoEye.sys [16-10-2009 15:35 4736]
R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe [08-06-2012 10:13 932736]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23-12-2011 13:32 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23-12-2011 13:32 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23-12-2011 13:32 17232]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [30-04-2012 9:44 5106744]
S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01-05-2011 15:18 136176]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [23-02-2012 19:49 2348352]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [04-04-2012 18:48 257696]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [03-12-2010 22:29 1025352]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [17-06-2009 14:02 29192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01-05-2011 15:18 136176]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [17-06-2009 14:01 25480]
.
--- Andere Services/Drivers In Geheugen ---
.
*NewlyCreated* - CRYSTALSYSINFO
.
Inhoud van de 'Gedeelde Taken' map
.
2012-06-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 07:17]
.
2012-02-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-06-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-03 19:16]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-01 13:18]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-01 13:18]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1606980848-725345543-1003Core.job
- c:\documents and settings\Anke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-01 16:48]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1606980848-725345543-1003UA.job
- c:\documents and settings\Anke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-01 16:48]
.
2012-06-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.startpagina.nl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com \www
Trusted Zone: raet.nl\webmail
TCP: DhcpNameServer = 62.179.104.196 213.46.228.196
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
.
- - - - ORPHANS VERWIJDERD - - - -
.
URLSearchHooks-{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
WebBrowser-{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1} - (no file)
HKCU-Run-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe
HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
AddRemove-Network Stumbler - c:\program files\Network Stumbler\uninst.exe
AddRemove-Picasa 3 - c:\program files\Picasa2\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-12 19:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_USERS\S-1-5-21-343818398-1606980848-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*]%2*:*]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-343818398-1606980848-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*]%2*:*\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-343818398-1606980848-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*c%w* *]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-343818398-1606980848-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*c%w* *\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ •€|ù•9~ *]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Voltooingstijd: 2012-06-12 19:50:34
ComboFix-quarantined-files.txt 2012-06-12 17:50
.
Pre-Run: 7.432.114.176 bytes beschikbaar
Post-Run: 7.532.908.544 bytes beschikbaar
.
WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 4112E5C1B001879C18B39E9C337FF794

I noticed a PriceGong "thing" and I never downloaded that, nor do I recall installing anything with prices.
How can it be here? Is it totally removed by Combofix now?

Edited by Suus, 12 June 2012 - 12:17 PM.

  • 0
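The "Reg Opstartpunten" section of the ComboFix log above lists every Run-key value together with the date and size stamp of the file it points to. An added example, not part of the thread and not ComboFix's own code, of how a responder can turn that section into a review list: it parses the `[HKEY_...\Run]` blocks, and flags two kinds of entry that are worth checking first, values that are a bare filename rather than an absolute path (resolved through the search path at logon, so it is not obvious which file actually runs) and executables sitting directly in the Windows or System32 directory rather than under Program Files. The sample lines are constructed in the format of the posted log, the allowlist of known OS binaries is an assumption for the demo, and the flags are triage heuristics, not verdicts.

```python
"""Triage helper for the autostart section of a ComboFix-style log.

Added example (not from the thread or from ComboFix). Parses the
"[HKEY_...\\Run]" blocks and reports entries a responder would review first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the format of the posted ComboFix log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-03 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="c:\windows\system32\sw20.exe" [2005-06-29 212992]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"NvMediaCenter"="NvMCTray.dll" [2012-02-29 108352]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*'
    r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]\s*$"
)

# Assumed allowlist of OS components that legitimately autostart from
# System32. A real baseline would be built from a known-clean image.
KNOWN_SYSTEM_BINARIES = {"ctfmon.exe"}


@dataclass
class AutostartEntry:
    key: str    # registry key the value was found under
    name: str   # value name
    path: str   # command/path stored in the value
    date: str   # file timestamp as printed by the log
    size: int   # file size in bytes as printed by the log


def parse_autostarts(text: str) -> list[AutostartEntry]:
    """Return every value found under a key whose name ends in \\Run."""
    entries: list[AutostartEntry] = []
    current_key: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            current_key = key if key.lower().endswith("\\run") else None
            continue
        if current_key is None:
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            entries.append(AutostartEntry(current_key, value_match["name"],
                                          value_match["path"], value_match["date"],
                                          int(value_match["size"])))
    return entries


def review_flags(entry: AutostartEntry) -> list[str]:
    """Heuristic review flags for one autostart entry (not a verdict)."""
    flags: list[str] = []
    path = entry.path.lower()
    if "\\" not in path:
        flags.append("bare filename: resolved through the search path at logon, "
                     "confirm which file actually runs")
        return flags
    directory, _, filename = path.rpartition("\\")
    if filename in KNOWN_SYSTEM_BINARIES:
        return flags
    if directory in ("c:\\windows", "c:\\windows\\system32"):
        flags.append("non-OS binary directly in the Windows/System32 directory: "
                     "verify publisher and file version")
    return flags


def triage(text: str) -> dict[str, list[str]]:
    """Map value name -> flags, for flagged entries only."""
    return {e.name: f for e in parse_autostarts(text) if (f := review_flags(e))}


if __name__ == "__main__":
    for e in parse_autostarts(SAMPLE_LOG):
        hive = e.key.split("\\", 1)[0]
        print(f"{hive:<18} {e.name:<16} {e.date} {e.size:>9}  {e.path}")
        for f in review_flags(e):
            print(f"    -> {f}")
```

Run it on a saved ComboFix log by reading the file into `triage()` in place of `SAMPLE_LOG`; the date and size columns are the quickest way to compare a flagged file against the same binary on a known-clean machine before deciding anything about it.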

#22
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,714 posts
Hi. :)

At first I could not download Combofix from the link you gave me; however, you also gave a link for the Combofix tutorial and there I found a Combofix download that worked for me.

The only link I provided was to the actual tutorial, unless you mistakenly thought the wording Download/Run ComboFix was an actual link, which it is not, nor is it meant to be. It is merely a highlighted type of post separator between my posted instructions etc.

Combofix noticed I did not have a Microsoft Recovery Console installed and then it installed one for me :thumbsup:

Good, that is part of ComboFix's routine when run on an XP system, and the Recovery Console is a useful feature to have present. Though it can also be invoked if a machine is actually booted up with the XP Installation CD-ROM.

Either way, as mentioned, it is worthwhile having it actually installed in case the unforeseen occurs, such as, say, a non-booting issue for example.

I noticed a PriceGong "thing" and I never downloaded that, nor do I recall installing anything with prices.
How can it be here? Is it totally removed by Combofix now?

PriceGong is a type of Adware browser add-on that in most cases gains a foothold via what is known as drive-by download tactics, to then install itself unbeknownst to an individual on their machine when visiting, say, a form of online shopping site that is not fully secure, for example.

Though it can be installed on purpose if an individual wants the nefarious software, in your case it was most likely the former. Anyway, it appears only remnants were present and it is not a cause for concern now.

Reset SP3 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK
firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> select On(recommended) >> OK.

Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Panda Online Scan:

Please go here to run Panda's ActiveScan

  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open...select the option Quick scan then click on the Scan Now button
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad
  • In Notepad, click Edit > Select all, then Edit > Copy
  • Reply to this thread and click Ctrl+V to paste the log in your reply
When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and/or problems encountered?
  • Malwarebytes Anti-Malware Log.
  • Panda ActiveScan Log.

  • 0

#23
Suus

Suus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Thanks Dakeyras!

I reset my firewall like you said, btw. Was there something wrong with it?
Here are the results of the Malwarebytes scan:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Databaseversie: v2012.06.13.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Anke :: PCANKE [administrator]

13-06-2012 19:15:24
mbam-log-2012-06-13 (19-15-24).txt

Scantype: Snelle scan
Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
Uitgeschakelde scanopties: P2P
Objecten gescand: 378702
Verstreken tijd: 7 minuut/minuten, 4 seconde(n)

Geheugenprocessen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registersleutels gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registerwaarden gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registerdata gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Mappen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Bestanden gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

(einde)

Now I will proceed with the Panda online scanner ...

Edited by Suus, 13 June 2012 - 11:27 AM.

  • 0

#24
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,714 posts
OK. :thumbsup:
  • 0

#25
Suus

Suus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hi again,

After 2 hours the Panda online scan was at 22%. So I had to run it during the night. This morning I saw it had completed and found infected files! It asked me if I wanted to remove those items; should I do that? Will the logfile show me the files even after removing them? I did not have much time to search the logfile, but after my work tonight I will be back and search it.

Thanks again for your help😄
  • 0



#26
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,714 posts
No, do not take any action on what has been classed as infected for now; it may just be tracking cookies and/or it has detected the quarantine folder of what ComboFix removed prior, for example.

However, I think it prudent to err on the side of caution at this time. So to reiterate: do not let the online scan remove anything, just save a copy of the log-file and then post it back in this topic for my review, and we will go from there. :)
  • 0

#27
Suus

Suus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Back again; I think it's ok, here is the logfile from Panda:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2012-06-14 17:52:02
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free Edition 2012 2012.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00167704 Cookie/Xiti TrackingCookie No 0 Yes No c:\documents and settings\anke\cookies\6s6pzwi1.txt
04002741 Generic Malware Virus/Trojan No 0 Yes No d:\documents and settings\anke\mijn documenten\programma's\malw\reglooks.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================


However...OTL still does not run :confused:

Edited by Suus, 14 June 2012 - 10:01 AM.

  • 0

#28
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,714 posts
Hi. :)

However...OTL still does not run

Intriguing; however, we can come back to this shortly. For now delete OTL (or whatever version you may have) and empty the Recycle Bin.

Next:

Do you recognise the below at all, and/or did you download it yourself?

d:\documents and settings\anke\mijn documenten\programma's\malw\reglooks.exe

If you do not recognise it, merely delete it and empty the Recycle Bin.

Next:

Launch Internet Explorer >> Tools >> Internet Options >> Advanced

Under Browsing, deselect Enable third-party browser extensions >> Apply >> OK

Now reboot (restart) your machine.

Next:

Download a new version of OTL and save it to your Desktop.

Now check if OTL will launch; do not scan with it, merely inform me whether it will launch or not.
  • 0

#29
Suus

Suus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hi again,

I did all you asked, however I still have the same application error when trying to run OTL. :( Somehow I can't attach that file here, it has a docx extension.
  • 0

#30
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,714 posts
Hi. :)

What you mentioned is a Microsoft Office file type extension, so please check the properties of OTL via right-clicking on it and see if it is named OTL.docx.

If it is, right-click on OTL again and select Rename >> rename it OTL.exe

Next:

Now, to stop this happening again, a repair of your Microsoft Office installation should rectify that, as follows...

Click on Start >> Control Panel >> Add/Remove Programs >> Click once on

Microsoft Office 2007

To highlight >> Change >> select Repair >> Continue

Next:

Now check if OTL will launch; do not scan with it, merely inform me whether it will launch or not.
  • 0
