
RE GreyKnight Pre .. VirusRemover 2008 problem [Solved]


  • This topic is locked

#16
fenzodahl512
  • Malware Removal
  • 9,863 posts
Hello... Let's do this first.. (If you are already scanning with GMER, just let it finish >> post the log here >> proceed with the steps below..) :)


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it will produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..
  • 0


#17
dowsp
  • Topic Starter
  • Member
  • 544 posts
Hi Fenzodahl512


I will retry again, but my laptop seems to be very slow and it may take a few hours to do a full scan.

I will try and follow your instructions as best I can.

I had one AV checker, McAfee, that sometimes opens up when I first start up, to be updated, after the free trial ended.
BUT as far as I know it won't be active otherwise.

The main AVG one I have only updates in the mornings usually and, as far as I know, is switched off.

It may be tomorrow before you can reply again.

Hope to post the log before then..

Cheers
  • 0

#18
dowsp
  • Topic Starter
  • Member
  • 544 posts
I overlooked your other reply.

I am not fully clear on your suggestion with ComboFix in ref. to 'sUBs':

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

BUT I already have a ComboFix file on my laptop's desktop.

Should I do this before, or rather than, a rescan?
  • 0

#19
dowsp
  • Topic Starter
  • Member
  • 544 posts
I am chancing running ComboFix prior to a rescan.

BUT it seems VERY SLOW... I cannot recall how long to expect a scan to take to be done/completed.

I hope that it is not corrupted in any way.. otherwise I may have to re-upload another updated version.

I will give it so long (30 mins) to see what it does.
  • 0

#20
fenzodahl512
  • Malware Removal
  • 9,863 posts
Let it run until it produces a report..

sUBs is the creator of ComboFix..

I have to sleep now.. It's already 2 am in Malaysia.. See you soon after 10 am tomorrow :)
  • 0

#21
dowsp
  • Topic Starter
  • Member
  • 544 posts
I had a msg from ComboFix saying it had expired / run out. DON'T understand HOW or why. I thought it was permanent.

It then offered an alternative... which I'm unsure of exactly, but I clicked OK.. I hoped it was an update.

It's still very slow..
  • 0

#22
fenzodahl512
  • Malware Removal
  • 9,863 posts
That is because you are running the old version of ComboFix..

Let ComboFix download the updates, and if that fails, you have to delete the ComboFix and download a fresh one from the links I gave to you above..
  • 0

#23
dowsp
  • Topic Starter
  • Member
  • 544 posts
Hi Fenz


You may be right.

I got a msg saying that it had expired BUT I had an option to run it in a reduced functionality mode.

I initially tried it, but after almost 2 hrs of a few messages saying that it was doing the scan, nothing resulted.

I then thought, could I do it in safe mode... and I tried it..

CAN I ASK, IS IT POSSIBLE TO BE ONLINE IN SAFE MODE... I COULDN'T CONNECT?

Anyway it did manage to run and create a log... and I've a copy here that I am posting..


That is because you are running the old version of ComboFix..

Let ComboFix download the updates, and if that fails, you have to delete the ComboFix and download a fresh one from the links I gave to you above..


TONIGHT however I will delete the old version of ComboFix and upload a new one from your links and do it all again if I can..

I will then post a HijackThis log.

Unfortunately my laptop is very slow so I suspect it's very badly infected..

Thanks for your help so far

dowsp

--------------------------------------------------------------------------------

ComboFix 08-12-21.04 - Peter Nightingale 2009-02-17 19:37:44.7 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.370 [GMT 0:00]
Running from: c:\documents and settings\Peter \Desktop\ComboFix.exe
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-17 15:41 . 2009-02-17 15:46 250 --a------ c:\windows\gmer.ini
2009-02-17 15:11 . 2009-02-17 15:13 <DIR> d-------- C:\rsit
2009-02-16 23:06 . 2009-02-16 23:06 30,976 --a------ c:\windows\SYSTEM32\DRIVERS\iccmkgzczivhp.sys
2009-02-02 09:22 . 2009-02-02 09:25 <DIR> d-------- c:\program files\AviSynth 2.5
2009-02-02 09:22 . 2009-02-02 09:25 43,698 --a------ c:\windows\SYSTEM32\xvid-uninstall.exe
2009-02-02 09:21 . 2009-02-02 09:21 <DIR> d-------- c:\program files\Gabest
2009-02-02 09:20 . 2009-02-02 09:25 <DIR> d-------- c:\program files\AutoGK
2009-02-02 07:33 . 2009-02-02 07:34 <DIR> d-------- c:\program files\Any Video Converter
2009-02-02 07:33 . 2009-02-02 07:34 <DIR> d-------- c:\documents and settings\Peter \Application Data\Any Video Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 02:45 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-16 21:05 --------- d-----w c:\program files\CoffeeCup Software
2009-02-16 20:37 --------- d-----w c:\documents and settings\Peter \Application Data\Skype
2009-02-16 08:00 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2009-02-11 10:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-02 09:32 --------- d-----w c:\documents and settings\Peter \Application Data\uTorrent
2008-12-23 19:48 --------- d-----w c:\documents and settings\Peter \Application Data\Malwarebytes
2008-12-23 19:48 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 09:39 --------- d-----w c:\program files\Enigma Software Group
2008-12-22 03:59 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-10-02 17:13 56,912 ----a-w c:\documents and settings\Peter \g2mdlhlpx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tesco internet phone"="c:\program files\Tesco internet phone\TescoIP.exe" [2007-01-30 6942720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2004-08-17 184320]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\McAgent.exe" [2004-08-17 245760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-12 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-16 98304]
"McRegWiz"="c:\progra~1\McAfee.com\Agent\mcregwiz.exe" [2004-07-29 139264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-01-12 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 06:55 110592 c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=c:\windows\pss\DSLMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 7.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 7.lnk
backup=c:\windows\pss\SnagIt 7.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Peter ^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\Peter \Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Peter ^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\Peter \Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-02-16 14:04 147456 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 11:33 155648 c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-24 07:19 590848 c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
--a------ 2004-11-10 19:36 290816 c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2004-10-07 19:44 610304 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 07:51 306688 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 01:05 127035 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 16:54 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-03-11 13:34 190464 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 08:36 114688 c:\windows\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 08:35 94208 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2004-08-17 18:26 245760 c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
--a------ 2004-07-29 14:55 139264 c:\progra~1\McAfee.com\Agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2004-08-17 18:29 184320 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2004-08-22 15:31 1327104 c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 16:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
--a------ 2006-06-17 13:29 319488 c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2003-05-28 17:32 86016 c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-03-16 01:11 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-09-12 04:36 208941 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-03-13 10:10 19543592 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 11:38 866816 c:\program files\Thomson\SpeedTouch USB\dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-09-12 04:36 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2004-08-17 16:55 180224 c:\progra~1\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2004-07-01 15:15 139264 c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 rckaji;rckaji;\??\c:\windows\system32\drivers\iccmkgzczivhp.sys [2009-02-16 30976]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2005-03-16 23296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - e:\wd_windows_tools\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-01-16 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DGR76K1J-Peter Nightingale).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2004-07-01 15:15]

2009-02-17 c:\windows\Tasks\McAfee.com Update Check (DGR76K1J-Owner).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-08-17 18:29]

2009-02-17 c:\windows\Tasks\McAfee.com Update Check (DGR76K1J-Owner).job
- c:\progra~1\mcafee.com\agent [2006-04-12 15:24]

2009-02-17 c:\windows\Tasks\McAfee.com Update Check (DGR76K1J-Peter ).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-08-17 18:29]

2009-02-17 c:\windows\Tasks\McAfee.com Update Check (DGR76K1J-Peter ).job
- c:\progra~1\mcafee.com\agent [2006-04-12 15:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://finance.groups.yahoo.com/group/dowtimings/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
FF - ProfilePath - c:\documents and settings\Peter \Application Data\Mozilla\Firefox\Profiles\ejftmv6o.default\
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 19:38:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(216)
c:\windows\system32\LgNotify.dll
.
Completion time: 2009-02-17 19:41:01
ComboFix-quarantined-files.txt 2009-02-17 19:39:58
ComboFix2.txt 2008-12-24 13:24:49
ComboFix3.txt 2008-12-23 23:12:21
ComboFix4.txt 2008-02-01 23:19:41
ComboFix5.txt 2009-02-17 17:52:09

Pre-Run: 1,794,187,264 bytes free
Post-Run: 1,781,059,584 bytes free

211 --- E O F --- 2009-02-13 03:06:25
  • 0
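As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage script that reads a ComboFix-style log excerpt constructed from the entries in the log above and flags what a helper would look for in it: Security Center notifications suppressed, the Windows Firewall disabled, a randomly named driver service created the day before the scan, and an AutoRun command registered under MountPoints2. The regular expressions and the random-name heuristic are assumptions of this example, not an official description of the log format.

```python
import re
from datetime import date

# Constructed excerpt modelled on the entries in the log posted above (not the full log).
SAMPLE_LOG = r"""ComboFix 08-12-21.04 - Peter 2009-02-17 19:37:44.7 - NTFSx86 MINIMAL
((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
2009-02-17 15:41 . 2009-02-17 15:46 250 --a------ c:\windows\gmer.ini
2009-02-16 23:06 . 2009-02-16 23:06 30,976 --a------ c:\windows\SYSTEM32\DRIVERS\iccmkgzczivhp.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S2 rckaji;rckaji;\??\c:\windows\system32\drivers\iccmkgzczivhp.sys [2009-02-16 30976]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2005-03-16 23296]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - e:\wd_windows_tools\Setup.exe
"""

# Line shapes assumed for this example from the log above; not an official ComboFix grammar.
HEADER_RE = re.compile(r"^ComboFix \S+ - .*?(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. \S+ \S+\s+(?:<DIR>|[\d,]+)\s+\S+\s+(.+)$")
SERVICE_RE = re.compile(r"^[SR]\d\s+([^;]+);[^;]*;(.+?)\s+\[(\d{4}-\d{2}-\d{2})\s+\d+\]\s*$")
REGVAL_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:)?([0-9A-Fa-f]+)')


def looks_random(name):
    """Crude check for generated names: a long consonant run or almost no vowels."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    longest = max(len(run) for run in re.findall(r"[^aeiouy]+", letters) or [""])
    return longest >= 5 or vowels / len(letters) < 0.2


def triage(log_text, recent_days=30):
    """Return (severity, rule, detail) findings for a ComboFix-style log."""
    findings = []
    scan_date = None
    created = {}        # lower-cased path -> creation date from "Files Created"
    current_key = ""    # registry key the following value lines belong to
    for line in log_text.splitlines():
        line = line.rstrip()
        m = HEADER_RE.match(line)
        if m and scan_date is None:
            scan_date = date.fromisoformat(m.group(1))
            continue
        m = CREATED_RE.match(line)
        if m:
            created[m.group(2).lower()] = date.fromisoformat(m.group(1))
            continue
        if line.startswith("["):
            current_key = line.lower()
            continue
        m = REGVAL_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2), 16)
            # Security Center told not to warn about AV/updates: typical rogue-AV tampering
            if "security center" in current_key and name.endswith("DisableNotify") and value == 1:
                findings.append(("high", "security-center-alerts-suppressed", name))
            elif "firewallpolicy" in current_key and name == "EnableFirewall" and value == 0:
                findings.append(("high", "windows-firewall-disabled", current_key))
            continue
        m = SERVICE_RE.match(line)
        if m:
            svc, path, when = m.group(1), m.group(2), date.fromisoformat(m.group(3))
            path_lc = path.lower().lstrip("\\?")            # drop the \??\ NT prefix
            base = path_lc.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            reasons = []
            if looks_random(svc) or looks_random(base):
                reasons.append("random-looking name")
            if scan_date and (scan_date - when).days <= recent_days:
                reasons.append("driver dated within %d days of scan" % recent_days)
            if path_lc in created:
                reasons.append("listed under Files Created")
            if reasons:
                findings.append(("high", "suspicious-service",
                                 "%s -> %s (%s)" % (svc, path, "; ".join(reasons))))
            continue
        if "mountpoints2" in current_key and "autorun\\command" in line.lower():
            findings.append(("medium", "autorun-mountpoint", line.strip()))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_LOG):
        print("[%s] %s: %s" % (severity, rule, detail))
```

On the excerpt the script reports five findings; the legitimate McAfee filter driver NaiFiltr is left alone because its name reads normally and it dates from 2005.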

#24
dowsp
  • Topic Starter
  • Member
  • 544 posts
Hi Fenz

I could not find out how to delete the old version of ComboFix on my desktop.

I tried Add and Remove Programmes and Start .. All Programmes.... but it was not listed in either.
I also cannot seem to delete it from the desktop itself...

SO.... I created a new folder called CFix on my desktop and uploaded one of the new versions that you gave me...

I then went back into safe mode and ran it (as normal mode was just far too slow)... It created a new log and I am posting it here now..

SO HOPEFULLY.. This is an updated version and the correct one..


I then used safe mode to obtain a 'HijackThis' log, as trying to run it in normal mode is again too slow.

I will post that separately next....


----------------------


ComboFix 09-02-15.01 - Peter 2009-02-17 21:19:56.7 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.386 [GMT 0:00]
Running from: c:\documents and settings\Peter \Desktop\CFix\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall Plus *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\patch.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-17 15:41 . 2009-02-17 15:46 250 --a------ c:\windows\gmer.ini
2009-02-17 15:11 . 2009-02-17 15:13 <DIR> d-------- C:\rsit
2009-02-16 23:06 . 2009-02-16 23:06 30,976 --a------ c:\windows\SYSTEM32\DRIVERS\iccmkgzczivhp.sys
2009-02-02 09:22 . 2009-02-02 09:25 <DIR> d-------- c:\program files\AviSynth 2.5
2009-02-02 09:22 . 2009-02-02 09:25 43,698 --a------ c:\windows\SYSTEM32\xvid-uninstall.exe
2009-02-02 09:21 . 2009-02-02 09:21 <DIR> d-------- c:\program files\Gabest
2009-02-02 09:20 . 2009-02-02 09:25 <DIR> d-------- c:\program files\AutoGK
2009-02-02 07:33 . 2009-02-02 07:34 <DIR> d-------- c:\program files\Any Video Converter
2009-02-02 07:33 . 2009-02-02 07:34 <DIR> d-------- c:\documents and settings\Peter\Application Data\Any Video Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 02:45 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-16 21:05 --------- d-----w c:\program files\CoffeeCup Software
2009-02-16 20:37 --------- d-----w c:\documents and settings\Peter \Application Data\Skype
2009-02-16 08:00 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2009-02-11 10:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-02 09:32 --------- d-----w c:\documents and settings\Peter \Application Data\uTorrent
2008-12-23 19:48 --------- d-----w c:\documents and settings\Peter \Application Data\Malwarebytes
2008-12-23 19:48 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 09:39 --------- d-----w c:\program files\Enigma Software Group
2008-12-22 03:59 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-12 17:33 3,060,224 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-11 11:57 333,184 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-10-02 17:13 56,912 ----a-w c:\documents and settings\Peter \g2mdlhlpx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tesco internet phone"="c:\program files\Tesco internet phone\TescoIP.exe" [2007-01-30 6942720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2004-08-17 184320]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\McAgent.exe" [2004-08-17 245760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-12 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-16 98304]
"McRegWiz"="c:\progra~1\McAfee.com\Agent\mcregwiz.exe" [2004-07-29 139264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-01-12 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 06:55 110592 c:\windows\SYSTEM32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=c:\windows\pss\DSLMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 7.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 7.lnk
backup=c:\windows\pss\SnagIt 7.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Peter ^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\Peter \Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Peter ^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\Peter \Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-02-16 14:04 147456 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 11:33 155648 c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-24 07:19 590848 c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
--a------ 2004-11-10 19:36 290816 c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2004-10-07 19:44 610304 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 07:51 306688 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 01:05 127035 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 16:54 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-03-11 13:34 190464 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 08:36 114688 c:\windows\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 08:35 94208 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2004-08-17 18:26 245760 c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
--a------ 2004-07-29 14:55 139264 c:\progra~1\McAfee.com\Agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2004-08-17 18:29 184320 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2004-08-22 15:31 1327104 c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 16:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
--a------ 2006-06-17 13:29 319488 c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2003-05-28 17:32 86016 c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-03-16 01:11 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-09-12 04:36 208941 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-03-13 10:10 19543592 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 11:38 866816 c:\program files\Thomson\SpeedTouch USB\dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-09-12 04:36 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2004-08-17 16:55 180224 c:\progra~1\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2004-07-01 15:15 139264 c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 rckaji;rckaji;c:\windows\SYSTEM32\DRIVERS\iccmkgzczivhp.sys [2009-02-16 30976]
S3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2005-03-16 23296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - e:\wd_windows_tools\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-01-16 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DGR76K1J-Peter ).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2004-07-01 15:15]

2009-02-17 c:\windows\Tasks\McAfee.com Update Check (DGR76K1J-Owner).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-08-17 18:29]

2009-02-17 c:\windows\Tasks\McAfee.com Update Check (DGR76K1J-Owner).job
- c:\progra~1\mcafee.com\agent [2006-04-12 15:24]

2009-02-17 c:\windows\Tasks\McAfee.com Update Check (DGR76K1J-Peter ).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-08-17 18:29]

2009-02-17 c:\windows\Tasks\McAfee.com Update Check (DGR76K1J-Peter ).job
- c:\progra~1\mcafee.com\agent [2006-04-12 15:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://finance.groups.yahoo.com/group/d/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
FF - ProfilePath - c:\documents and settings\Peter \Application Data\Mozilla\Firefox\Profiles\ejftmv6o.default\
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 21:23:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(216)
c:\windows\system32\LgNotify.dll
.
Completion time: 2009-02-17 21:26:33
ComboFix-quarantined-files.txt 2009-02-17 21:25:30
ComboFix2.txt 2009-02-17 19:41:02
ComboFix3.txt 2008-12-24 13:24:49
ComboFix4.txt 2008-12-23 23:12:21
ComboFix5.txt 2009-02-17 21:17:02

Pre-Run: 1,784,717,312 bytes free
Post-Run: 1,771,732,992 bytes free

208 --- E O F --- 2009-02-13 03:06:25
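A way to triage a ComboFix log like the one above mechanically, as an added example that is not part of this thread or of ComboFix itself: it flags the Security Center notification keys that were switched off, the disabled Windows Firewall policy, auto-start kernel drivers with random-looking names or very recent creation dates, and MountPoints2 AutoRun commands. The sample log is made of lines copied from the log above (scan date 2009-02-17 taken from the "Rootkit scan" line); the vowel/consonant-run heuristic and the seven-day "recent" window are assumptions of this example, not rules from the thread.

```python
"""Triage helper for a ComboFix-style log.  Example code added to the thread;
it is not ComboFix output handling and the heuristics below are assumptions."""
import re
from collections import namedtuple
from datetime import date

# Lines copied from the ComboFix log posted above (not a complete log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S2 rckaji;rckaji;c:\windows\SYSTEM32\DRIVERS\iccmkgzczivhp.sys [2009-02-16 30976]
S3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2005-03-16 23296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - e:\wd_windows_tools\Setup.exe
"""
SCAN_DATE = date(2009, 2, 17)  # "Rootkit scan 2009-02-17" in the log above

Finding = namedtuple("Finding", "category detail")

# Security Center values that, when set to 1, silence warnings or disable
# monitoring; malware that turns the firewall off commonly sets these too.
SC_SUPPRESS = {"AntiVirusDisableNotify", "FirewallDisableNotify",
               "UpdatesDisableNotify", "AntiVirusOverride",
               "FirewallOverride", "DisableMonitoring"}

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
DWORD_ONE_RE = re.compile(r'^"(\w+)"=dword:0*1\s*$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
# "S2 name;display;path.sys [YYYY-MM-DD size]"
SERVICE_RE = re.compile(
    r"^(S\d)\s+([^;]+);[^;]*;(.+?\.sys)\s+\[(\d{4})-(\d{2})-(\d{2})\s+\d+\]\s*$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+?)\s*$", re.I)

VOWELS = set("aeiouy")


def looks_random(name):
    """Heuristic (assumption): names of 8+ letters with few vowels or a long
    consonant run, the iccmkgzczivhp pattern, rather than vendor abbreviations.
    Some legitimate all-consonant abbreviations will trip it, so it is a triage
    aid, not a verdict: the file still has to be uploaded and analysed."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in VOWELS for c in letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowels / len(letters) < 0.25 or longest >= 5


def triage(log_text, scan_date, recent_days=7):
    """Return the security-relevant findings from a ComboFix-style log."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = DWORD_ONE_RE.match(line)
        if m and "security center" in section and m.group(1) in SC_SUPPRESS:
            findings.append(Finding("security_center", f"{m.group(1)}=1 under [{section}]"))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall", "Windows Firewall disabled (EnableFirewall=0)"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, svc, path = m.group(1).upper(), m.group(2), m.group(3)
            basename = path.rsplit("\\", 1)[-1]
            if looks_random(basename.rsplit(".", 1)[0]):
                findings.append(Finding("driver", f"random-looking driver name {basename} (service {svc})"))
            created = date(int(m.group(4)), int(m.group(5)), int(m.group(6)))
            age = (scan_date - created).days
            # S2 = auto-start kernel driver; a brand-new one is worth a look.
            if start == "S2" and 0 <= age <= recent_days:
                findings.append(Finding("driver", f"auto-start driver {basename} created {age} day(s) before scan"))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in section:
            findings.append(Finding("autorun", f"AutoRun command for [{section}]: {m.group(1)}"))
    return findings


def triage_sample():
    return triage(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.category:16} {f.detail}")
```

Run against the sample it reports seven findings: the three Security Center suppressions, the disabled firewall, the random-looking auto-start driver created the day before the scan, and the AutoRun command on drive E; NaiFiltr.sys (an S3 driver from 2005) is not flagged.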

#25 dowsp (Topic Starter, Member, 544 posts)
Here is the HijackThis log that I did in safe mode.. hope it's acceptable..


------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:47:17, on 17/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.group...oo.com/group/d/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [Tesco internet phone] "C:\Program Files\Tesco internet phone\TescoIP.exe" /autostart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

--
End of file - 5615 bytes



#26 dowsp (Topic Starter, Member, 544 posts)
Hi Fenz

This may be the last post I make until you come back online..

As all the various programmes have run very slow in normal mode, I managed to run most so far in safe mode, such as ComboFix and HijackThis...

I just tried to run another BUT I was not able to re-run GMER in safe mode,

so I won't be able to post a log file from it UNLESS I manage to re-run it successfully back in normal mode, which I tried earlier and it was taking a very long time only to give a short file within an hour.

I may also try and see if I can run Trend Micro's free antivirus, although I tried it last night and again it was so slow that I had to give up.. That was before I had used Malwarebytes, which managed to at least quarantine the main corrupted files...

I will have to see if I get lucky ..

otherwise Ill need to await to see if you can suggest anything else.

cheers dowsp


-----------

Ok.. stop it, save the logfile (whatever you have) >> post it here, then do below...

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

#27 dowsp (Topic Starter, Member, 544 posts)
Hi

I tried running GMER again and it just seems to go nowhere; after about 40 minutes it is still stuck on one file that is being checked..

When I ran a previous antivirus, Malwarebytes, it quarantined the main files containing the virus/malware..

Many of them were shown as being in either the Program Files or Windows folders...

I then tried running Trend Micro on just a specific set of files at a time, such as Program Files, Windows etc., rather than just the C drive..

but even with dealing with just one folder from the C drive such as Program Files, Trend Micro could not deal with it, as although it appears to be scanning, it comes up with a message saying that the system is running very slow.. Trend Micro seems a slow programme at the best of times...

so I am not sure what I can do from here... Only pray that you or someone can advise me..

cheers dowsp

#28 dowsp (Topic Starter, Member, 544 posts)
Here is a copy of the files that Malwarebytes found, if it is of any help...

Some are from a past virus, but the latest ones are from Feb 17th 09, as XP Police antivirus.

Attached thumbnail: virus_list_on_malawarebytes.GIF

Edited by dowsp, 16 February 2009 - 09:31 PM.


#29 fenzodahl512 (Malware Removal, 9,863 posts)
Please download CleanUp! by stevengould.org and save it to your Desktop.
  • Double-click CleanUp452.exe and install CleanUp! to your computer
  • Open CleanUp! and click on Options.. button.
  • Under General tab, choose Standard CleanUp! and then click Ok
  • Click on the CleanUp! button. When it asks you to log off Windows, click on Yes
  • Let Windows reboot (or do it manually) and continue with the next step






This is an important step.. Tell me whether you successfully uploaded the file or not.. Please zip it first before sending it to the upload channel..

Please show hidden files and folders

Please visit this site and upload below file.. At the comment section, just say "fenzodahl512 asked to upload the file"

C:\WINDOWS\system32\drivers\iccmkgzczivhp.sys




1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
rckaji

Rootkit::
C:\WINDOWS\system32\drivers\iccmkgzczivhp.sys

File::
C:\WINDOWS\system32\drivers\iccmkgzczivhp.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#30 dowsp (Topic Starter, Member, 544 posts)
Hi Fenz

Nice to see you back, hope you had a good sleep..
I am still at it trying to solve my problem :-( getting tired...zzz

I managed to do the clean up..

I also managed to follow the "show hidden files" instruction so far, from the Major Geeks forum..

BUT I was a bit unsure after a message suggested it may make the computer inoperable..

I am not sure if I should have found or deleted further files here as yet and made a Notepad log, or if this is later.


I have looked to try and find the Windows file that you indicated, through Bleeping Computer, and I am unable to find it... It's certainly not listed in the Windows\system32\drivers folder in the alphabetical order of i...

C:\WINDOWS\system32\drivers\iccmkgzczivhp.sys

I am not sure what to do from here ???


---------------------------------------


This is an important step.. Tell me whether you successfully uploaded the file or not.. Please zip it first before sending it to the upload channel..

Please show hidden files and folders

Please visit this site and upload below file.. At the comment section, just say "fenzodahl512 asked to upload the file"

C:\WINDOWS\system32\drivers\iccmkgzczivhp.sys





