Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Problem with internet browsers and flash/java [Solved]


  • Please log in to reply

#16
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello Absurdny,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

REGLOCK::
[HKEY_LOCAL_MACHINE\software\Adobe\Premiere\7.0\Help]


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

Kaspersky on line scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3. It uses Java Runtime Environment (JRE) Java 1.6.0_7 or later.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Now go to Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

So when you return please post
  • ComboFix.txt
  • Kaspersky scan results
  • and tell me how your machine is performing now

  • 0

Advertisements


#17
Absurdny

Absurdny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
The computer seems to be loading webpages fast and running smoother. Java buttons still do not work in Firefox though

Here are the logs:

ComboFix 09-02-19.01 - Absurd 2009-02-22 14:12:09.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3007.2245 [GMT -5:00]
Running from: d:\documents and settings\Absurd\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Absurd\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-21 18:38 . 2009-02-21 18:38 268 --ah----- D:\sqmdata19.sqm
2009-02-21 18:38 . 2009-02-21 18:38 244 --ah----- D:\sqmnoopt19.sqm
2009-02-21 18:34 . 2009-02-21 18:34 <DIR> d-------- D:\_OTMoveIt
2009-02-21 18:24 . 2009-02-21 18:24 268 --ah----- D:\sqmdata18.sqm
2009-02-21 18:24 . 2009-02-21 18:24 244 --ah----- D:\sqmnoopt18.sqm
2009-02-21 17:49 . 2009-02-21 17:49 268 --ah----- D:\sqmdata17.sqm
2009-02-21 17:49 . 2009-02-21 17:49 244 --ah----- D:\sqmnoopt17.sqm
2009-02-21 15:53 . 2009-02-21 15:53 268 --ah----- D:\sqmdata16.sqm
2009-02-21 15:53 . 2009-02-21 15:53 244 --ah----- D:\sqmnoopt16.sqm
2009-02-21 09:12 . 2009-02-21 09:12 268 --ah----- D:\sqmdata15.sqm
2009-02-21 09:12 . 2009-02-21 09:12 244 --ah----- D:\sqmnoopt15.sqm
2009-02-21 01:24 . 2009-02-21 01:24 <DIR> d-------- d:\documents and settings\Absurd\Application Data\Viewpoint
2009-02-21 00:16 . 2009-02-21 00:17 <DIR> d-------- D:\rsit
2009-02-16 16:05 . 2009-02-16 16:05 <DIR> d-------- d:\program files\Trend Micro
2009-02-16 14:01 . 2009-02-16 14:01 268 --ah----- D:\sqmdata14.sqm
2009-02-16 14:01 . 2009-02-16 14:01 244 --ah----- D:\sqmnoopt14.sqm
2009-02-15 20:31 . 2009-02-15 20:31 410,984 --a------ d:\windows\system32\deploytk.dll
2009-02-15 17:42 . 2009-02-15 17:42 268 --ah----- D:\sqmdata13.sqm
2009-02-15 17:42 . 2009-02-15 17:42 244 --ah----- D:\sqmnoopt13.sqm
2009-02-15 02:20 . 2009-02-15 13:14 287 --a------ d:\windows\LEXSTAT.INI
2009-02-15 02:19 . 2009-02-15 02:19 <DIR> d-------- d:\program files\Lexmark 640 Series
2009-02-15 02:19 . 2004-05-24 13:23 311,296 --a------ d:\windows\system32\LEXBCES.EXE
2009-02-15 02:19 . 1997-04-08 20:08 299,520 --a------ d:\windows\uninst.exe
2009-02-15 02:19 . 2004-05-24 13:21 201,216 --a------ d:\windows\system32\LEXP2P32.DLL
2009-02-15 02:19 . 2004-05-24 13:42 200,704 --a------ d:\windows\system32\lexlmpm.dll
2009-02-15 02:19 . 2004-05-24 13:26 198,144 --a------ d:\windows\system32\LEX2KUSB.DLL
2009-02-15 02:19 . 2004-05-24 13:22 174,592 --a------ d:\windows\system32\LEXPPS.EXE
2009-02-15 02:19 . 2004-05-24 13:22 147,456 --a------ d:\windows\system32\LEXBCE.DLL
2009-02-15 02:19 . 2006-03-28 05:29 73,728 --a------ d:\windows\system32\lxdapwr.dll
2009-02-14 07:10 . 2009-02-14 07:10 268 --ah----- D:\sqmdata12.sqm
2009-02-14 07:10 . 2009-02-14 07:10 244 --ah----- D:\sqmnoopt12.sqm
2009-02-14 06:33 . 2009-02-14 06:33 0 --a------ d:\windows\nsreg.dat
2009-02-14 06:31 . 2009-02-14 06:31 <DIR> d-------- d:\documents and settings\stickam\Application Data\Logitech
2009-02-14 06:31 . 2009-02-21 23:03 <DIR> d-------- d:\documents and settings\stickam
2009-02-14 06:01 . 2009-02-14 06:01 <DIR> d-------- d:\documents and settings\Absurd\Application Data\MSNInstaller
2009-02-14 05:54 . 2009-02-14 05:54 268 --ah----- D:\sqmdata11.sqm
2009-02-14 05:54 . 2009-02-14 05:54 244 --ah----- D:\sqmnoopt11.sqm
2009-02-12 15:50 . 2009-02-12 15:50 268 --ah----- D:\sqmdata10.sqm
2009-02-12 15:50 . 2009-02-12 15:50 244 --ah----- D:\sqmnoopt10.sqm
2009-02-12 14:36 . 2009-02-12 14:36 268 --ah----- D:\sqmdata09.sqm
2009-02-12 14:36 . 2009-02-12 14:36 244 --ah----- D:\sqmnoopt09.sqm
2009-02-12 14:08 . 2009-02-12 14:08 268 --ah----- D:\sqmdata08.sqm
2009-02-12 14:08 . 2009-02-12 14:08 244 --ah----- D:\sqmnoopt08.sqm
2009-01-27 18:49 . 2009-01-27 18:49 <DIR> d-------- d:\program files\AviSynth 2.5
2009-01-27 18:49 . 2009-01-27 18:49 43,698 --a------ d:\windows\system32\xvid-uninstall.exe
2009-01-27 18:48 . 2009-01-27 18:48 <DIR> d-------- d:\program files\Gabest
2009-01-27 18:47 . 2009-01-27 18:49 <DIR> d-------- d:\program files\AutoGK
2009-01-27 18:24 . 2009-01-27 18:25 <DIR> d-------- d:\program files\E.M. DVD Copy
2009-01-27 17:51 . 2009-01-27 17:51 <DIR> d-------- d:\documents and settings\Absurd\Application Data\NeroDigital™
2009-01-27 15:32 . 2009-01-27 15:32 <DIR> d--h----- D:\BJPrinter
2009-01-27 15:32 . 2002-02-12 14:00 97,280 --a------ d:\windows\system32\CNMLM3w.DLL
2009-01-27 15:32 . 2002-01-17 11:48 36,864 --a------ d:\windows\system32\CNMCP3W.EXE
2009-01-27 15:32 . 2002-02-12 14:00 5,632 --a------ d:\windows\system32\CNMVS3w.DLL
2009-01-27 15:28 . 2008-04-14 00:17 25,856 --a------ d:\windows\system32\drivers\usbprint.sys
2009-01-27 15:28 . 2008-04-14 00:17 25,856 --a--c--- d:\windows\system32\dllcache\usbprint.sys
2009-01-27 14:57 . 2009-01-27 14:57 <DIR> d-------- d:\program files\DVDx
2009-01-26 23:01 . 2009-01-26 23:01 <DIR> d-------- d:\windows\Hot Item Finder
2009-01-26 23:01 . 2009-01-26 23:07 <DIR> d-------- d:\program files\HotItemFinder
2009-01-26 22:43 . 2009-01-26 22:43 <DIR> d-------- d:\windows\AuctionYen
2009-01-26 22:43 . 2009-01-26 23:00 <DIR> d-------- d:\program files\AuctionYen
2009-01-25 01:23 . 2009-01-25 01:23 <DIR> d-------- d:\program files\eBay
2009-01-25 01:23 . 2009-01-25 01:23 <DIR> d-------- d:\documents and settings\All Users\eBay
2009-01-23 00:36 . 2009-01-23 00:37 <DIR> d-------- d:\program files\InventoryBuilder
2009-01-22 02:07 . 2009-01-22 02:09 <DIR> d-------- d:\program files\SmartFTP Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 04:14 --------- d-----w d:\documents and settings\Absurd\Application Data\DMCache
2009-02-22 04:02 --------- d-----w d:\program files\AVG
2009-02-22 04:01 --------- d-----w d:\documents and settings\All Users\Application Data\avg8
2009-02-22 03:38 --------- d-----w d:\program files\TVAnts
2009-02-22 03:36 --------- d--h--w d:\program files\InstallShield Installation Information
2009-02-22 03:23 --------- d-----w d:\program files\Microsoft Bootvis
2009-02-22 03:22 --------- d-----w d:\program files\Google
2009-02-22 02:30 --------- d-----w d:\program files\Bonjour
2009-02-21 04:23 --------- d-----w d:\program files\Viewpoint
2009-02-21 04:23 --------- d-----w d:\documents and settings\All Users\Application Data\Viewpoint
2009-02-16 16:45 --------- d-----w d:\program files\SUPERAntiSpyware
2009-02-16 06:11 --------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-02-16 01:44 --------- d-----w d:\program files\Java
2009-02-11 15:19 38,496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-02-07 13:56 325,128 ----a-w d:\windows\system32\drivers\avgldx86.sys
2009-02-07 13:56 107,272 ----a-w d:\windows\system32\drivers\avgtdix.sys
2009-02-07 13:56 10,520 ----a-w d:\windows\system32\avgrsstx.dll
2009-01-23 05:36 25 ----a-w d:\program files\InventoryBuildersettings.ini
2009-01-22 12:08 --------- d-----w d:\program files\Common Files\Macromedia
2009-01-22 04:00 --------- d-----w d:\documents and settings\Absurd\Application Data\SmartFTP
2009-01-19 09:51 31,504 ----a-w d:\windows\system32\drivers\cmdhlp.sys
2009-01-19 09:51 147,192 ----a-w d:\windows\system32\guard32.dll
2009-01-19 09:50 101,776 ----a-w d:\windows\system32\drivers\cmdguard.sys
2009-01-19 08:59 --------- d-----w d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-19 08:59 --------- d-----w d:\documents and settings\Absurd\Application Data\SUPERAntiSpyware.com
2009-01-19 08:46 --------- d-----w d:\documents and settings\Administrator.UNPARALL-5F4EE2\Application Data\Malwarebytes
2009-01-19 08:31 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2009-01-15 00:48 --------- d-----w d:\program files\Hammertap
2009-01-07 18:33 3,519 ----a-w d:\windows\bcm1C.tmp
2008-08-14 16:31 1 ----a-w d:\documents and settings\Absurd\SI.bin
2008-04-07 03:47 22,328 ----a-w d:\documents and settings\Absurd\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-02-21_22.53.21.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-22 04:14:29 16,384 ----atw d:\windows\temp\Perflib_Perfdata_100.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="d:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"Aim6"="d:\program files\AIM6\aim6.exe" [2008-06-12 50528]
"IDMan"="d:\program files\Internet Download Manager\IDMan.exe" [2007-06-20 800256]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\11b60ed9-558f-4a2f-bedc-e58aa3a9e0f8.exe" [2008-12-22 1830128]
"msnmsgr"="d:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DigidesignMMERefresh"="g:\digidesign\Digidesign\Drivers\MMERefresh.exe" [2007-10-30 77824]
"M-Audio Taskbar Icon"="d:\windows\System32\M-AudioTaskBarIcon.exe" [2005-12-13 91136]
"COMODO Firewall Pro"="d:\program files\COMODO\Firewall\cfp.exe" [2009-01-19 1797880]
"COMODO Internet Security"="d:\program files\COMODO\Firewall\cfp.exe" [2009-01-19 1797880]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-21 1601304]
"nwiz"="nwiz.exe" [2007-12-05 d:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="d:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

d:\documents and settings\Absurd\Start Menu\Programs\Startup\
Adobe Gamma.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-07-14 113664]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-07-14 113664]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-04-02 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 12:30 72208 d:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-07 08:56 10520 d:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\GIGABYTE\\EasyTune4\\update.exe"=
"d:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"e:\\rainbow 6 vegas 2\\Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\AIM6\\aim6.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"g:\\Avast\\avgupd.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"d:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Dreamweaver 8\\Dreamweaver.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 DigiFilter;DigiFilter;d:\windows\system32\drivers\DigiFilt.sys [2008-04-04 16384]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);d:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2008-10-27 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [2008-10-27 107272]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;d:\windows\system32\drivers\cmdguard.sys [2008-07-08 101776]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;d:\windows\system32\drivers\cmdhlp.sys [2008-07-08 31504]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [2009-02-21 903960]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-21 298264]
R2 MAudioUSBService;M-Audio USB Installer;d:\program files\M-Audio\Fast Track Pro\MAUSBInst.exe [2008-06-08 49152]
R3 MAUSB;Service for M-Audio Fast Track Pro Driver (WDM);d:\windows\system32\drivers\mausb.sys [2008-06-08 102528]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;d:\windows\system32\drivers\superwebcam.sys [2008-04-02 31872]
S3 ETDrv;ETDrv;d:\windows\system32\drivers\ETDrv.sys [2008-04-07 185280]
S3 GVTDrv;GVTDrv;d:\windows\system32\drivers\GVTDrv.sys [2008-04-07 24944]
S3 MAUSBFTP;Service for M-Audio Fast Track Pro (WDM);d:\windows\system32\drivers\mausb.sys [2008-06-08 102528]
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 d:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-05-16 10:45]

2008-04-03 d:\windows\Tasks\Uniblue SpeedUpMyPC.job
- d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-05-16 10:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download All Links with IDM - d:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - d:\program files\Internet Download Manager\IEExt.htm
Trusted Zone: stickam.com\www
TCP: {2BA77C4F-C5DA-4A32-BD8D-C0D21D48050B} = 167.206.254.2,167.206.254.1
FF - ProfilePath - d:\documents and settings\Absurd\Application Data\Mozilla\Firefox\Profiles\lmgq9aad.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: g:\downloads\adobe\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 14:15:29
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1935655697-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43994940-0A76-B9E2-F1CB-C506B574D3E1}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hafdokpcgjhpicod"=hex:6e,62,61,6c,69,70,69,6e,6c,63,6a,62,6e,62,62,62,6e,6b,
6f,63,69,62,6d,68,62,6f,6b,63,65,6f,6e,69,6f,6d,68,70,6c,64,62,67,6d,6f,64,\
"jafdokpcgjhpicodiifh"=hex:66,61,61,6c,6b,70,6a,62,6a,62,6c,69,00,06
"panepddoiadpipfamhcalkabhkefmmlo"=hex:65,61,61,6c,6c,70,70,61,68,66,00,69

[HKEY_USERS\S-1-5-21-1390067357-1935655697-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3c,10,da,82,f9,db,48,11,d9,7f,fc,87,ab,11,47,28,5a,3f,7b,4b,1d,45,f1,
41,84,42,6d,4d,3d,24,51,57,25,d2,27,c9,eb,65,bd,32,54,d2,f5,3e,10,ea,57,f8,\
"??"=hex:aa,f8,e9,f9,d4,11,1c,24,45,24,ef,c9,3e,c1,c2,96

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1727FC36-5D3D-4896-9DEE-AFE8A6A530BF}\Version*Version]
"Version"=hex:ac,6b,4e,f9,2e,07,46,fc,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,
30,18,29,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,30,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{524c79c3-e349-42ec-ac21-97f6e2154ab8}]
@Denied: (Full) (Everyone)
"Model"=dword:000000c2
"Therad"=dword:0000000f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):7b,84,7b,03,0a,a5,a2,62,4b,84,89,32,ad,57,a2,5d,12,ea,b6,3c,50,
6b,fd,90,36,06,f2,1d,df,0a,0c,f7,60,b0,95,3b,90,69,bd,1c,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):cd,56,a9,70,ca,1a,9c,a7,01,d5,66,44,1a,d2,f0,46,22,95,6b,de,bc,
28,54,81,bb,c5,ae,20,82,16,74,d3,0a,1b,7c,5b,63,37,84,0f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{81206d2a-a17d-4619-be46-ef500303c97f}]
@Denied: (Full) (Everyone)
"Model"=dword:0000007c
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
d:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
d:\program files\common files\logishrd\bluetooth\LBTServ.dll
d:\windows\System32\BCMLogon.dll
.
Completion time: 2009-02-22 14:17:29
ComboFix-quarantined-files.txt 2009-02-22 19:16:46
ComboFix2.txt 2009-02-22 04:18:51
ComboFix3.txt 2009-02-22 03:54:37

Pre-Run: 2,665,996,288 bytes free
Post-Run: 2,651,967,488 bytes free

284 --- E O F --- 2009-02-21 22:20:54

--------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, February 22, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, February 22, 2009 19:38:06
Records in database: 1831354
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
J:\
K:\

Scan statistics:
Files scanned: 513543
Threat name: 11
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 08:05:36


File name / Threat name / Threats count
C:\Desktop aug 4th\Eye_Candy_Impact_by-sameer\Alien.Skin.Eye.Candy.v5.1.exe Infected: Trojan-Dropper.Win32.Agent.qgq 1
C:\Desktop aug 4th\slr mods\zmodeler_v107\zmodeler_v107.exe Infected: Trojan.Win32.DelAll.aa 1
C:\Temporary Internet Files\Content.IE5\HPLG6G0R\offline[1].mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
D:\Program Files\ZModeler\zmuninst.exe Infected: Trojan.Win32.DelAll.ac 1
E:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe Infected: Virus.Win32.Virut.q 1
E:\Documents and Settings\Studio\Local Settings\Temporary Internet Files\Content.IE5\OZPRUIZ1\ppclean[1].exe Infected: Virus.Win32.Virut.q 1
F:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28301546.tmp Infected: Trojan.Java.ClassLoader.k 1
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\640226EE.tmp Infected: Trojan.Java.ClassLoader.i 1
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\643D1AAE.exe Infected: Packed.Win32.Klone.j 1
F:\Documents and Settings\Michael\CMS_RS_Grabber_v1.4.8\Grabber.exe Infected: Virus.Win32.Virut.q 1
F:\Program Files\KORG\KORG USB-MIDI Driver\EzSetup64.exe Infected: Virus.Win32.Virut.q 1
F:\Program Files\KORG\KORG USB-MIDI Driver\UnInstDrv64.exe Infected: Virus.Win32.Virut.q 1
F:\Program Files\Magix\Samplitude_V8_professional\cdburnprofiler.exe Infected: Virus.Win32.Virut.q 1
F:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe Infected: Virus.Win32.Virut.q 1
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\openssl.exe Infected: Virus.Win32.Virut.q 1
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\instlsp64.exe Infected: Virus.Win32.Virut.q 1
F:\Program Files\ProxyFinderEnterprise\ProxyFinder.exe Infected: Virus.Win32.Virut.q 1
F:\Program Files\Windows NT\prokycoqyq.html Infected: Trojan-Clicker.HTML.IFrame.dn 1
F:\WINDOWS\Installer\{1BA16E5A-72B9-44B7-9FDA-FB6CE7FF6C0C}\Icon158F1431.exe Infected: Virus.Win32.Virut.q 1
F:\WINDOWS\Installer\{1BA16E5A-72B9-44B7-9FDA-FB6CE7FF6C0C}\Icon16CBC2752.exe Infected: Virus.Win32.Virut.q 1

The selected area was scanned.

Edited by Absurdny, 22 February 2009 - 10:32 PM.

  • 0

#18
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello Absurdny,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\Desktop aug 4th\Eye_Candy_Impact_by-sameer\Alien.Skin.Eye.Candy.v5.1.exe
C:\Desktop aug 4th\slr mods\zmodeler_v107\zmodeler_v107.exe
C:\Temporary Internet Files\Content.IE5\HPLG6G0R\offline[1].mmz
D:\Program Files\ZModeler\zmuninst.exe
E:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe
E:\Documents and Settings\Studio\Local Settings\Temporary Internet Files\Content.IE5\OZPRUIZ1\ppclean[1].exe
F:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28301546.tmp
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\640226EE.tmp
F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\643D1AAE.exe
F:\Documents and Settings\Michael\CMS_RS_Grabber_v1.4.8\Grabber.exe
F:\Program Files\KORG\KORG USB-MIDI Driver\EzSetup64.exe
F:\Program Files\KORG\KORG USB-MIDI Driver\UnInstDrv64.exe
F:\Program Files\Magix\Samplitude_V8_professional\cdburnprofiler.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\openssl.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\instlsp64.exe
F:\Program Files\ProxyFinderEnterprise\ProxyFinder.exe
F:\Program Files\Windows NT\prokycoqyq.html
F:\WINDOWS\Installer\{1BA16E5A-72B9-44B7-9FDA-FB6CE7FF6C0C}\Icon158F1431.exe
F:\WINDOWS\Installer\{1BA16E5A-72B9-44B7-9FDA-FB6CE7FF6C0C}\Icon16CBC2752.exe


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next


You have used Malwarebytes before. If you still have it on your machine please update and run. Post the scan report back here.

If you no-longer have Malwarebytes please download from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

So when you return please post
  • ComboFix.txt
  • MBAM report

  • 0

#19
Absurdny

Absurdny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Here are the logs you requested:

ComboFix 09-02-19.01 - Absurd 2009-02-23 13:56:59.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3007.2376 [GMT -5:00]
Running from: d:\documents and settings\Absurd\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Absurd\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
* Created a new restore point

FILE ::
c:\desktop aug 4th\Eye_Candy_Impact_by-sameer\Alien.Skin.Eye.Candy.v5.1.exe
c:\desktop aug 4th\slr mods\zmodeler_v107\zmodeler_v107.exe
c:\temporary internet files\Content.IE5\HPLG6G0R\offline[1].mmz
d:\program files\ZModeler\zmuninst.exe
e:\documents and settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe
e:\documents and settings\Studio\Local Settings\Temporary Internet Files\Content.IE5\OZPRUIZ1\ppclean[1].exe
f:\documents and settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe
f:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28301546.tmp
f:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\640226EE.tmp
f:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\643D1AAE.exe
f:\documents and settings\Michael\CMS_RS_Grabber_v1.4.8\Grabber.exe
f:\program files\KORG\KORG USB-MIDI Driver\EzSetup64.exe
f:\program files\KORG\KORG USB-MIDI Driver\UnInstDrv64.exe
f:\program files\Magix\Samplitude_V8_professional\cdburnprofiler.exe
f:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
f:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\openssl.exe
f:\program files\NVIDIA Corporation\NetworkAccessManager\bin\instlsp64.exe
f:\program files\ProxyFinderEnterprise\ProxyFinder.exe
f:\program files\Windows NT\prokycoqyq.html
f:\windows\Installer\{1BA16E5A-72B9-44B7-9FDA-FB6CE7FF6C0C}\Icon158F1431.exe
f:\windows\Installer\{1BA16E5A-72B9-44B7-9FDA-FB6CE7FF6C0C}\Icon16CBC2752.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\desktop aug 4th\Eye_Candy_Impact_by-sameer\Alien.Skin.Eye.Candy.v5.1.exe
c:\desktop aug 4th\slr mods\zmodeler_v107\zmodeler_v107.exe
c:\temporary internet files\Content.IE5\HPLG6G0R\offline[1].mmz
d:\program files\ZModeler\zmuninst.exe
d:\windows\system32\msvcsv60.dll
e:\documents and settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe
e:\documents and settings\Studio\Local Settings\Temporary Internet Files\Content.IE5\OZPRUIZ1\ppclean[1].exe
f:\documents and settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe
f:\documents and settings\Michael\CMS_RS_Grabber_v1.4.8\Grabber.exe
f:\program files\KORG\KORG USB-MIDI Driver\EzSetup64.exe
f:\program files\KORG\KORG USB-MIDI Driver\UnInstDrv64.exe
f:\program files\Magix\Samplitude_V8_professional\cdburnprofiler.exe
f:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
f:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\openssl.exe
f:\program files\NVIDIA Corporation\NetworkAccessManager\bin\instlsp64.exe
f:\program files\ProxyFinderEnterprise\ProxyFinder.exe
f:\program files\Windows NT\prokycoqyq.html
f:\windows\Installer\{1BA16E5A-72B9-44B7-9FDA-FB6CE7FF6C0C}\Icon158F1431.exe
f:\windows\Installer\{1BA16E5A-72B9-44B7-9FDA-FB6CE7FF6C0C}\Icon16CBC2752.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-22 14:28 . 2009-02-22 14:28 <DIR> d-------- d:\program files\Java
2009-02-22 14:28 . 2009-02-22 14:28 73,728 --a------ d:\windows\system32\javacpl.cpl
2009-02-21 18:38 . 2009-02-21 18:38 268 --ah----- D:\sqmdata19.sqm
2009-02-21 18:38 . 2009-02-21 18:38 244 --ah----- D:\sqmnoopt19.sqm
2009-02-21 18:34 . 2009-02-21 18:34 <DIR> d-------- D:\_OTMoveIt
2009-02-21 18:24 . 2009-02-21 18:24 268 --ah----- D:\sqmdata18.sqm
2009-02-21 18:24 . 2009-02-21 18:24 244 --ah----- D:\sqmnoopt18.sqm
2009-02-21 17:49 . 2009-02-21 17:49 268 --ah----- D:\sqmdata17.sqm
2009-02-21 17:49 . 2009-02-21 17:49 244 --ah----- D:\sqmnoopt17.sqm
2009-02-21 15:53 . 2009-02-21 15:53 268 --ah----- D:\sqmdata16.sqm
2009-02-21 15:53 . 2009-02-21 15:53 244 --ah----- D:\sqmnoopt16.sqm
2009-02-21 09:12 . 2009-02-21 09:12 268 --ah----- D:\sqmdata15.sqm
2009-02-21 09:12 . 2009-02-21 09:12 244 --ah----- D:\sqmnoopt15.sqm
2009-02-21 01:24 . 2009-02-21 01:24 <DIR> d-------- d:\documents and settings\Absurd\Application Data\Viewpoint
2009-02-21 00:16 . 2009-02-21 00:17 <DIR> d-------- D:\rsit
2009-02-16 16:05 . 2009-02-16 16:05 <DIR> d-------- d:\program files\Trend Micro
2009-02-16 14:01 . 2009-02-16 14:01 268 --ah----- D:\sqmdata14.sqm
2009-02-16 14:01 . 2009-02-16 14:01 244 --ah----- D:\sqmnoopt14.sqm
2009-02-15 20:31 . 2009-02-22 14:28 410,984 --a------ d:\windows\system32\deploytk.dll
2009-02-15 17:42 . 2009-02-15 17:42 268 --ah----- D:\sqmdata13.sqm
2009-02-15 17:42 . 2009-02-15 17:42 244 --ah----- D:\sqmnoopt13.sqm
2009-02-15 02:20 . 2009-02-15 13:14 287 --a------ d:\windows\LEXSTAT.INI
2009-02-15 02:19 . 2009-02-15 02:19 <DIR> d-------- d:\program files\Lexmark 640 Series
2009-02-15 02:19 . 2004-05-24 13:23 311,296 --a------ d:\windows\system32\LEXBCES.EXE
2009-02-15 02:19 . 1997-04-08 20:08 299,520 --a------ d:\windows\uninst.exe
2009-02-15 02:19 . 2004-05-24 13:21 201,216 --a------ d:\windows\system32\LEXP2P32.DLL
2009-02-15 02:19 . 2004-05-24 13:42 200,704 --a------ d:\windows\system32\lexlmpm.dll
2009-02-15 02:19 . 2004-05-24 13:26 198,144 --a------ d:\windows\system32\LEX2KUSB.DLL
2009-02-15 02:19 . 2004-05-24 13:22 174,592 --a------ d:\windows\system32\LEXPPS.EXE
2009-02-15 02:19 . 2004-05-24 13:22 147,456 --a------ d:\windows\system32\LEXBCE.DLL
2009-02-15 02:19 . 2006-03-28 05:29 73,728 --a------ d:\windows\system32\lxdapwr.dll
2009-02-14 07:10 . 2009-02-14 07:10 268 --ah----- D:\sqmdata12.sqm
2009-02-14 07:10 . 2009-02-14 07:10 244 --ah----- D:\sqmnoopt12.sqm
2009-02-14 06:33 . 2009-02-14 06:33 0 --a------ d:\windows\nsreg.dat
2009-02-14 06:31 . 2009-02-14 06:31 <DIR> d-------- d:\documents and settings\stickam\Application Data\Logitech
2009-02-14 06:31 . 2009-02-21 23:03 <DIR> d-------- d:\documents and settings\stickam
2009-02-14 06:01 . 2009-02-14 06:01 <DIR> d-------- d:\documents and settings\Absurd\Application Data\MSNInstaller
2009-02-14 05:54 . 2009-02-14 05:54 268 --ah----- D:\sqmdata11.sqm
2009-02-14 05:54 . 2009-02-14 05:54 244 --ah----- D:\sqmnoopt11.sqm
2009-02-12 15:50 . 2009-02-12 15:50 268 --ah----- D:\sqmdata10.sqm
2009-02-12 15:50 . 2009-02-12 15:50 244 --ah----- D:\sqmnoopt10.sqm
2009-02-12 14:36 . 2009-02-12 14:36 268 --ah----- D:\sqmdata09.sqm
2009-02-12 14:36 . 2009-02-12 14:36 244 --ah----- D:\sqmnoopt09.sqm
2009-02-12 14:08 . 2009-02-12 14:08 268 --ah----- D:\sqmdata08.sqm
2009-02-12 14:08 . 2009-02-12 14:08 244 --ah----- D:\sqmnoopt08.sqm
2009-01-27 18:49 . 2009-01-27 18:49 <DIR> d-------- d:\program files\AviSynth 2.5
2009-01-27 18:49 . 2009-01-27 18:49 43,698 --a------ d:\windows\system32\xvid-uninstall.exe
2009-01-27 18:48 . 2009-01-27 18:48 <DIR> d-------- d:\program files\Gabest
2009-01-27 18:47 . 2009-01-27 18:49 <DIR> d-------- d:\program files\AutoGK
2009-01-27 18:24 . 2009-01-27 18:25 <DIR> d-------- d:\program files\E.M. DVD Copy
2009-01-27 17:51 . 2009-01-27 17:51 <DIR> d-------- d:\documents and settings\Absurd\Application Data\NeroDigital™
2009-01-27 15:32 . 2009-01-27 15:32 <DIR> d--h----- D:\BJPrinter
2009-01-27 15:32 . 2002-02-12 14:00 97,280 --a------ d:\windows\system32\CNMLM3w.DLL
2009-01-27 15:32 . 2002-01-17 11:48 36,864 --a------ d:\windows\system32\CNMCP3W.EXE
2009-01-27 15:32 . 2002-02-12 14:00 5,632 --a------ d:\windows\system32\CNMVS3w.DLL
2009-01-27 15:28 . 2008-04-14 00:17 25,856 --a------ d:\windows\system32\drivers\usbprint.sys
2009-01-27 15:28 . 2008-04-14 00:17 25,856 --a--c--- d:\windows\system32\dllcache\usbprint.sys
2009-01-27 14:57 . 2009-01-27 14:57 <DIR> d-------- d:\program files\DVDx
2009-01-26 23:01 . 2009-01-26 23:01 <DIR> d-------- d:\windows\Hot Item Finder
2009-01-26 23:01 . 2009-01-26 23:07 <DIR> d-------- d:\program files\HotItemFinder
2009-01-26 22:43 . 2009-01-26 22:43 <DIR> d-------- d:\windows\AuctionYen
2009-01-26 22:43 . 2009-01-26 23:00 <DIR> d-------- d:\program files\AuctionYen
2009-01-25 01:23 . 2009-01-25 01:23 <DIR> d-------- d:\program files\eBay
2009-01-25 01:23 . 2009-01-25 01:23 <DIR> d-------- d:\documents and settings\All Users\eBay
2009-01-23 00:36 . 2009-01-23 00:37 <DIR> d-------- d:\program files\InventoryBuilder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 19:02 --------- d-----w d:\documents and settings\Absurd\Application Data\DMCache
2009-02-23 18:57 --------- d-----w d:\program files\ZModeler
2009-02-22 04:02 --------- d-----w d:\program files\AVG
2009-02-22 04:01 --------- d-----w d:\documents and settings\All Users\Application Data\avg8
2009-02-22 03:38 --------- d-----w d:\program files\TVAnts
2009-02-22 03:36 --------- d--h--w d:\program files\InstallShield Installation Information
2009-02-22 03:23 --------- d-----w d:\program files\Microsoft Bootvis
2009-02-22 03:22 --------- d-----w d:\program files\Google
2009-02-22 02:30 --------- d-----w d:\program files\Bonjour
2009-02-21 04:23 --------- d-----w d:\program files\Viewpoint
2009-02-21 04:23 --------- d-----w d:\documents and settings\All Users\Application Data\Viewpoint
2009-02-16 16:45 --------- d-----w d:\program files\SUPERAntiSpyware
2009-02-16 06:11 --------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-02-11 15:19 38,496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-02-07 13:56 325,128 ----a-w d:\windows\system32\drivers\avgldx86.sys
2009-02-07 13:56 107,272 ----a-w d:\windows\system32\drivers\avgtdix.sys
2009-01-23 05:36 25 ----a-w d:\program files\InventoryBuildersettings.ini
2009-01-22 12:08 --------- d-----w d:\program files\Common Files\Macromedia
2009-01-22 07:09 --------- d-----w d:\program files\SmartFTP Client
2009-01-22 04:00 --------- d-----w d:\documents and settings\Absurd\Application Data\SmartFTP
2009-01-19 09:51 31,504 ----a-w d:\windows\system32\drivers\cmdhlp.sys
2009-01-19 09:50 101,776 ----a-w d:\windows\system32\drivers\cmdguard.sys
2009-01-19 08:59 --------- d-----w d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-19 08:59 --------- d-----w d:\documents and settings\Absurd\Application Data\SUPERAntiSpyware.com
2009-01-19 08:46 --------- d-----w d:\documents and settings\Administrator.UNPARALL-5F4EE2\Application Data\Malwarebytes
2009-01-19 08:31 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2009-01-15 00:48 --------- d-----w d:\program files\Hammertap
2009-01-07 18:33 3,519 ----a-w d:\windows\bcm1C.tmp
2008-08-14 16:31 1 ----a-w d:\documents and settings\Absurd\SI.bin
2008-04-07 03:47 22,328 ----a-w d:\documents and settings\Absurd\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-02-21_22.53.21.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-22 19:28:44 144,792 ----a-w d:\windows\system32\java.exe
+ 2009-02-22 19:28:44 144,792 ----a-w d:\windows\system32\javaw.exe
+ 2009-02-22 19:28:44 148,888 ----a-w d:\windows\system32\javaws.exe
+ 2009-02-23 19:02:00 16,384 ----atw d:\windows\temp\Perflib_Perfdata_f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="d:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"Aim6"="d:\program files\AIM6\aim6.exe" [2008-06-12 50528]
"IDMan"="d:\program files\Internet Download Manager\IDMan.exe" [2007-06-20 800256]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\11b60ed9-558f-4a2f-bedc-e58aa3a9e0f8.exe" [2008-12-22 1830128]
"msnmsgr"="d:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DigidesignMMERefresh"="g:\digidesign\Digidesign\Drivers\MMERefresh.exe" [2007-10-30 77824]
"M-Audio Taskbar Icon"="d:\windows\System32\M-AudioTaskBarIcon.exe" [2005-12-13 91136]
"COMODO Firewall Pro"="d:\program files\COMODO\Firewall\cfp.exe" [2009-01-19 1797880]
"COMODO Internet Security"="d:\program files\COMODO\Firewall\cfp.exe" [2009-01-19 1797880]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-21 1601304]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-02-22 148888]
"nwiz"="nwiz.exe" [2007-12-05 d:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="d:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

d:\documents and settings\Absurd\Start Menu\Programs\Startup\
Adobe Gamma.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-07-14 113664]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-07-14 113664]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-04-02 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 12:30 72208 d:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-07 08:56 10520 d:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\GIGABYTE\\EasyTune4\\update.exe"=
"d:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"e:\\rainbow 6 vegas 2\\Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\AIM6\\aim6.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"g:\\Avast\\avgupd.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"d:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Dreamweaver 8\\Dreamweaver.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 DigiFilter;DigiFilter;d:\windows\system32\drivers\DigiFilt.sys [2008-04-04 16384]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);d:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2008-10-27 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [2008-10-27 107272]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;d:\windows\system32\drivers\cmdguard.sys [2008-07-08 101776]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;d:\windows\system32\drivers\cmdhlp.sys [2008-07-08 31504]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [2009-02-21 903960]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-21 298264]
R2 MAudioUSBService;M-Audio USB Installer;d:\program files\M-Audio\Fast Track Pro\MAUSBInst.exe [2008-06-08 49152]
R3 MAUSB;Service for M-Audio Fast Track Pro Driver (WDM);d:\windows\system32\drivers\mausb.sys [2008-06-08 102528]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;d:\windows\system32\drivers\superwebcam.sys [2008-04-02 31872]
S3 ETDrv;ETDrv;d:\windows\system32\drivers\ETDrv.sys [2008-04-07 185280]
S3 GVTDrv;GVTDrv;d:\windows\system32\drivers\GVTDrv.sys [2008-04-07 24944]
S3 MAUSBFTP;Service for M-Audio Fast Track Pro (WDM);d:\windows\system32\drivers\mausb.sys [2008-06-08 102528]
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 d:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-05-16 10:45]

2008-04-03 d:\windows\Tasks\Uniblue SpeedUpMyPC.job
- d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-05-16 10:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download All Links with IDM - d:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - d:\program files\Internet Download Manager\IEExt.htm
Trusted Zone: stickam.com\www
TCP: {2BA77C4F-C5DA-4A32-BD8D-C0D21D48050B} = 167.206.254.2,167.206.254.1
FF - ProfilePath - d:\documents and settings\Absurd\Application Data\Mozilla\Firefox\Profiles\lmgq9aad.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - component: d:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: g:\downloads\adobe\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 14:02:08
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1935655697-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43994940-0A76-B9E2-F1CB-C506B574D3E1}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hafdokpcgjhpicod"=hex:6e,62,61,6c,69,70,69,6e,6c,63,6a,62,6e,62,62,62,6e,6b,
6f,63,69,62,6d,68,62,6f,6b,63,65,6f,6e,69,6f,6d,68,70,6c,64,62,67,6d,6f,64,\
"jafdokpcgjhpicodiifh"=hex:66,61,61,6c,6b,70,6a,62,6a,62,6c,69,00,06
"panepddoiadpipfamhcalkabhkefmmlo"=hex:65,61,61,6c,6c,70,70,61,68,66,00,69

[HKEY_USERS\S-1-5-21-1390067357-1935655697-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3c,10,da,82,f9,db,48,11,d9,7f,fc,87,ab,11,47,28,5a,3f,7b,4b,1d,45,f1,
41,84,42,6d,4d,3d,24,51,57,25,d2,27,c9,eb,65,bd,32,54,d2,f5,3e,10,ea,57,f8,\
"??"=hex:aa,f8,e9,f9,d4,11,1c,24,45,24,ef,c9,3e,c1,c2,96

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1727FC36-5D3D-4896-9DEE-AFE8A6A530BF}\Version*Version]
"Version"=hex:ac,6b,4e,f9,2e,07,46,fc,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,
30,18,29,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,30,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{524c79c3-e349-42ec-ac21-97f6e2154ab8}]
@Denied: (Full) (Everyone)
"Model"=dword:000000c2
"Therad"=dword:0000000f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):7b,84,7b,03,0a,a5,a2,62,4b,84,89,32,ad,57,a2,5d,12,ea,b6,3c,50,
6b,fd,90,36,06,f2,1d,df,0a,0c,f7,60,b0,95,3b,90,69,bd,1c,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):cd,56,a9,70,ca,1a,9c,a7,01,d5,66,44,1a,d2,f0,46,22,95,6b,de,bc,
28,54,81,bb,c5,ae,20,82,16,74,d3,0a,1b,7c,5b,63,37,84,0f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{81206d2a-a17d-4619-be46-ef500303c97f}]
@Denied: (Full) (Everyone)
"Model"=dword:0000007c
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
d:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
d:\program files\common files\logishrd\bluetooth\LBTServ.dll
d:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\LEXBCES.EXE
d:\program files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
d:\windows\system32\LEXPPS.EXE
d:\program files\Bonjour\mDNSResponder.exe
d:\program files\COMODO\Firewall\cmdagent.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
d:\program files\NVIDIA Corporation\nTune\nTuneService.exe
d:\windows\system32\IoctlSvc.exe
d:\windows\system32\PnkBstrA.exe
d:\program files\AVG\AVG8\avgrsx.exe
d:\progra~1\AVG\AVG8\avgnsx.exe
d:\program files\AVG\AVG8\avgcsrvx.exe
d:\windows\system32\wscntfy.exe
d:\windows\system32\rundll32.exe
d:\program files\Internet Download Manager\IEMonitor.exe
d:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-02-23 14:06:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-23 19:06:03
ComboFix2.txt 2009-02-22 19:17:32
ComboFix3.txt 2009-02-22 04:18:51
ComboFix4.txt 2009-02-22 03:54:37

Pre-Run: 4,358,213,632 bytes free
Post-Run: 4,405,899,264 bytes free

356 --- E O F --- 2009-02-21 22:20:54
--------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.34
Database version: 1795
Windows 5.1.2600 Service Pack 3

2/23/2009 2:15:46 PM
mbam-log-2009-02-23 (14-15-46).txt

Scan type: Quick Scan
Objects scanned: 74737
Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#20
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Looking good.

Before we go to cleaning away the tools we have been using I think we should just check to make sure nothing has regenerated.

Please run Kaspersky again and post back results back here.

Also please tell me how your machine is performing now.
  • 0

#21
Absurdny

Absurdny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
My java buttons are working in firefox now :). But I still have threats :). I have so many hard drives in this computer it takes so long to scan. Here is my scan log:

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, February 24, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, February 23, 2009 20:51:16
Records in database: 1835849
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
J:\
K:\

Scan statistics:
Files scanned: 508244
Threat name: 3
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 08:45:55


File name / Threat name / Threats count
D:\Qoobox\Quarantine\D\Program Files\ZModeler\zmuninst.exe.vir Infected: Trojan.Win32.DelAll.ac 1
D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360\A0173492.exe Infected: Trojan.Win32.DelAll.ac 1
E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360\A0173493.exe Infected: Virus.Win32.Virut.q 1
E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360\A0173494.exe Infected: Virus.Win32.Virut.q 1
F:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

The selected area was scanned.

Edited by Absurdny, 24 February 2009 - 02:53 AM.

  • 0

#22
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello Absurdny,

Normally I would say don't worry about those because they are either in System Restore or in the tools we have been using and will be dealt with as we clean up.

However, those two showing in System Restore are particularly bad. In fact if the Virut one is a true diagnoses and it has spread at all we are in real trouble.

I think we need to hit it with a big gun immediately and hope we have got it in time.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Post a copy of the report back here.
  • 0

#23
Absurdny

Absurdny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
I am still scanning at the moment but I just wanted to let you know that the following spot "E:\System Volume Information" is not a system drive and that system restore info is not related to the current system hard drive. What happened was the "E" drive used to be the system drive out of another computer that I had important information on. That computer ended up breaking and I bought a new computer. Instead of formatting that hard drive and losing all my important info, I just plugged that drive into this computer so I could access that information. Hopefully you understand what I mean by this.

Edited by Absurdny, 24 February 2009 - 05:55 PM.

  • 0

#24
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

I just plugged that drive into this computer so I could access that information.


Well that is hopeful. At least it wouldn't hurt your existing machine in normal course however Virut is incredibly infectious and when you access that drive it may infect across...hopefully not.

If you existing computer is not yet compromised I would strongly advise you to disconnect that infected hard drive and reformat it separately or just not use it until a realistic cure for Virut comes along. When I say realistic I am referring to the claims of some anti virus products that say they can cure Virut. At the moment I know of no program that can completely clear it although Dr Web has has some success in reducing it or maybe even clearing it in it's very early stages. A number of programs can stop it getting on your machine but as I say, I know of no credible way to clear it once it gets a hold.
  • 0

#25
Absurdny

Absurdny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Here is the log:

PCOptimizerPro_2.exe\data001;C:\Apps\G4RG4RPOPV433G4RG4R\PC Optimizer Pro v4.3.3\PCOptimizerPro_2.exe;Probably BACKDOOR.Trojan;;
PCOptimizerPro_2.exe;C:\Apps\G4RG4RPOPV433G4RG4R\PC Optimizer Pro v4.3.3;Archive contains infected objects;Moved.;
Updater.exe;C:\Games\madden;Trojan.DownLoader.origin;Incurable.Moved.;
Setup.exe;C:\Linksys Driver\WMP300N_20071019\AutoRun;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0173604.exe\data001;C:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173604.exe;Probably BACKDOOR.Trojan;;
A0173604.exe;C:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;Moved.;
A0173605.exe;C:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Trojan.DownLoader.origin;Incurable.Moved.;
dCodeFormat.Dsr;C:\Visual Basic\Addins\Ulli's_Code_Formatter;Modification of W97M.Pexas;Moved.;
SDFix.exe\SDFix\apps\Process.exe;D:\Documents and Settings\Absurd\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;D:\Documents and Settings\Absurd\Desktop;Archive contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;D:\Documents and Settings\Absurd\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;D:\Documents and Settings\Absurd\Desktop\SmitfraudFix.exe;Tool.ShutDown.14;;
SmitfraudFix.exe;D:\Documents and Settings\Absurd\Desktop;Archive contains infected objects;Moved.;
WMP300N_20071019.exe\WMP300N_20071019/AutoRun/Setup.exe;D:\Documents and Settings\Absurd\Desktop\WMP300N_20071019.exe;Probably BACKDOOR.Trojan;;
WMP300N_20071019.exe;D:\Documents and Settings\Absurd\Desktop;Archive contains infected objects;Moved.;
Process.exe;D:\Documents and Settings\Absurd\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;D:\Documents and Settings\Absurd\Desktop\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
gwave523.exe\GoldWave.exe;D:\Documents and Settings\Absurd\My Documents\Downloads\Programs\gwave523.exe;Trojan.PWS.Ageloc.15;;
gwave523.exe;D:\Documents and Settings\Absurd\My Documents\Downloads\Programs;Archive contains infected objects;Moved.;
GoldWave.exe;D:\Program Files\GoldWave;Trojan.PWS.Ageloc.15;Deleted.;
Process.exe;D:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0173522.bat;D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360;Probably BATCH.Virus;Incurable.Moved.;
A0173540.EXE;D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360;Program.PsExec.170;Incurable.Moved.;
A0173611.exe\SDFix\apps\Process.exe;D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173611.exe;Tool.Prockill;;
A0173611.exe;D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;Moved.;
A0173612.exe\SmitfraudFix\Process.exe;D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173612.exe;Tool.Prockill;;
A0173612.exe\SmitfraudFix\restart.exe;D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173612.exe;Tool.ShutDown.14;;
A0173612.exe;D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;Moved.;
A0173613.exe\WMP300N_20071019/AutoRun/Setup.exe;D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173613.exe;Probably BACKDOOR.Trojan;;
A0173613.exe;D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;Moved.;
A0173614.exe;D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Trojan.PWS.Ageloc.15;Deleted.;
auctionbits.exe;E:\Documents and Settings\Absurd\Favorites\Desktop\Auction-Ebooks\Auction-Ebooks;Trojan.DownLoad.6523;Deleted.;
ultimateauctionebooks.exe;E:\Documents and Settings\Absurd\Favorites\Desktop\Auction-Ebooks\Auction-Ebooks\ultimateauctionebooks;Trojan.DownLoad.6523;Deleted.;
Process.exe;E:\Documents and Settings\Absurd\Favorites\Desktop\SmitfraudFix\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;E:\Documents and Settings\Absurd\Favorites\Desktop\SmitfraudFix\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
setup.exe;E:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\3869.9.20;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;E:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\3899.1.16;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;E:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\3991.4.16;Probably BACKDOOR.Trojan;Incurable.Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;E:\Documents and Settings\All Users\Application Data\AOL Downloads\aolcom_setupSTUS\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;E:\Documents and Settings\All Users\Application Data\AOL Downloads\aolcom_setupSTUS\comps\coach;Archive contains infected objects;Moved.;
inst.exe;E:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_102.100.1.1_av;Probably BACKDOOR.Trojan;Incurable.Moved.;
avinst.exe\data004;E:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_102.100.1.1_av\comps\avinst.exe;Probably BACKDOOR.Trojan;;
avinst.exe;E:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_102.100.1.1_av\comps;Archive contains infected objects;Moved.;
inst.exe;E:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_2.5.3.1_suite;Probably BACKDOOR.Trojan;Incurable.Moved.;
avinst.exe\data004;E:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_2.5.3.1_suite\comps\avinst.exe;Probably BACKDOOR.Trojan;;
avinst.exe;E:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_2.5.3.1_suite\comps;Archive contains infected objects;Moved.;
fwinst.exe/data004\data007;E:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_2.5.3.1_suite\comps\fwinst.exe/data004;Probably BACKDOOR.Trojan;;
data004;E:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_2.5.3.1_suite\comps;Archive contains infected objects;;
fwinst.exe;E:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_2.5.3.1_suite\comps;Archive contains infected objects;Moved.;
setup.exe;E:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.7.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
CR-PIS12.exe.bac_a03912;E:\Documents and Settings\online\.housecall\Quarantine;Trojan.PWS.Banker.23491;Deleted.;
R-PI~1.BAC;E:\Documents and Settings\online\.housecall\Quarantine;Trojan.PWS.Banker.23491;Deleted.;
A0173615.exe;E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Trojan.DownLoad.6523;Deleted.;
A0173616.exe;E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Trojan.DownLoad.6523;Deleted.;
A0173617.exe\core.cab\GTDOWNAO_106.ocx;E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173617.exe;Adware.Gdown;;
A0173617.exe;E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;Moved.;
A0173618.exe\data004;E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173618.exe;Probably BACKDOOR.Trojan;;
A0173618.exe;E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;Moved.;
A0173619.exe\data004;E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173619.exe;Probably BACKDOOR.Trojan;;
A0173619.exe;E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;Moved.;
A0173620.exe/data004\data007;E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173620.exe/data004;Probably BACKDOOR.Trojan;;
data004;E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;;
A0173620.exe;E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;Moved.;
A0194134.exe;E:\System Volume Information\_restore{DA4898E6-9BE4-4F61-9480-8D5DB9011338}\RP200;Probably BACKDOOR.Trojan;Incurable.Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;F:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;F:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\coach;Archive contains infected objects;Moved.;
tssetup.exe\data002;F:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\tpspd\tssetup.exe;Probably DLOADER.Trojan;;
tssetup.exe;F:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\tpspd;Archive contains infected objects;Moved.;
inst.exe;F:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
ocpinst.exe\data529;F:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.1\ocpinst.exe;Probably BACKDOOR.Trojan;;
ocpinst.exe;F:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.1;Archive contains infected objects;Moved.;
inst.exe;F:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;
ocpinst.exe\data529;F:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe;Probably BACKDOOR.Trojan;;
ocpinst.exe;F:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Archive contains infected objects;Moved.;
VBAOL10.CHM\html/olobjAddressEntries.htm;F:\Documents and Settings\Michael\Shared\Microsoft.Office.Professional.2003.full.version --ENGLISH--.iso.KC6X2TV3OK7ZYZAOKVFU66;Modification of VBS.Generic.205;;
FILES\PFILES\MSOFFICE\OFFICE11\1033\VBAOL10.CHM;F:\Documents and Settings\Michael\Shared\Microsoft.Office.Professional.2003.full.version --ENGLISH--.iso.KC6X2TV3OK7ZYZAOKVFU66;Container contains infected objects;;
Microsoft.Office.Professional.2003.full.version --ENGLISH--.iso.KC6X2TV3OK7ZYZAOKVFU66YSSZEOTL5H2ZS3PKQ.dctmp;F:\Documents and Settings\Michael\Shared;Archive contains infected objects;Moved.;
aspupdate\data017;F:\Program Files\Common Files\AOL\AOL Spyware Protection\Update\aspupdate;Probably BACKDOOR.Trojan;;
aspupdate;F:\Program Files\Common Files\AOL\AOL Spyware Protection\Update;Archive contains infected objects;Moved.;
GTDownAO_106.ocx;F:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
ASAPUTIL.EXE\data003;F:\Program Files\DC++\Incomplete\Office2003.iso.SGLKEQK23H6J2YAGB4RNZQ4GQ2HEKG3VHIXQ2YI.dctmp/EXTRAS\ASAPUTIL.EXE;W97M.Iseng;;
EXTRAS\ASAPUTIL.EXE;F:\Program Files\DC++\Incomplete\Office2003.iso.SGLKEQK23H6J2YAGB4RNZQ4GQ2HEKG3VHIXQ2YI.dctmp/EXTRAS;Archive contains infected objects;;
Office2003.iso.SGLKEQK23H6J2YAGB4RNZQ4GQ2HEKG3VHIXQ2YI.dctmp;F:\Program Files\DC++\Incomplete;Archive contains infected objects;Moved.;
mirc.exe;F:\Program Files\mIRC;Program.mIRC.621;Incurable.Moved.;
A0169493.exe;F:\System Volume Information\_restore{79365AE3-106D-4C48-96EE-2F5058AB9011}\RP246;Program.mIRC.621;Incurable.Moved.;
A0171101.exe;F:\System Volume Information\_restore{79365AE3-106D-4C48-96EE-2F5058AB9011}\RP252;Program.mIRC.621;Incurable.Moved.;
A0172092.exe;F:\System Volume Information\_restore{79365AE3-106D-4C48-96EE-2F5058AB9011}\RP252;Program.mIRC.621;Incurable.Moved.;
A0173084.exe;F:\System Volume Information\_restore{79365AE3-106D-4C48-96EE-2F5058AB9011}\RP254;Program.mIRC.621;Incurable.Moved.;
A0174204.exe;F:\System Volume Information\_restore{79365AE3-106D-4C48-96EE-2F5058AB9011}\RP257;Program.mIRC.621;Incurable.Moved.;
A0175422.exe;F:\System Volume Information\_restore{79365AE3-106D-4C48-96EE-2F5058AB9011}\RP258;Program.mIRC.621;Incurable.Moved.;
A0175560.exe;F:\System Volume Information\_restore{79365AE3-106D-4C48-96EE-2F5058AB9011}\RP258;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0177599.exe;F:\System Volume Information\_restore{79365AE3-106D-4C48-96EE-2F5058AB9011}\RP260;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0180680.exe;F:\System Volume Information\_restore{79365AE3-106D-4C48-96EE-2F5058AB9011}\RP261;Program.mIRC.621;Incurable.Moved.;
A0189344.exe;F:\System Volume Information\_restore{79365AE3-106D-4C48-96EE-2F5058AB9011}\RP270;Program.mIRC.621;Incurable.Moved.;
A0173496.exe;F:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360;Trojan.Spambot;Deleted.;
A0173504.exe;F:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360;Win32.Virut.5;Incurable.Moved.;
A0173621.exe\core.cab\GTDOWNAO_106.ocx;F:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173621.exe;Adware.Gdown;;
A0173621.exe;F:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;Moved.;
A0173622.exe\data002;F:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173622.exe;Probably DLOADER.Trojan;;
A0173622.exe;F:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;Moved.;
A0173634.exe\data529;F:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173634.exe;Probably BACKDOOR.Trojan;;
A0173634.exe;F:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;Moved.;
A0173635.exe\data529;F:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361\A0173635.exe;Probably BACKDOOR.Trojan;;
A0173635.exe;F:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP361;Archive contains infected objects;Moved.;
  • 0

Advertisements


#26
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Ok, it says it has removed Virut, lets run MBAM and kaspersky on line scanner again and see what, if anything, is left.

You have used Malwarebytes before. If you still have it on your machine please update and run. Post the scan report back here.

If you no-longer have Malwarebytes please download from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Next

Kaspersky on line scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3.

Go to Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

So when you return please post
  • MBAM report
  • Kaspersky scan results

  • 0

#27
Absurdny

Absurdny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Malwarebytes' Anti-Malware 1.34
Database version: 1802
Windows 5.1.2600 Service Pack 3

2/25/2009 2:47:13 PM
mbam-log-2009-02-25 (14-47-13).txt

Scan type: Quick Scan
Objects scanned: 76852
Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, February 26, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, February 25, 2009 19:34:54
Records in database: 1844209
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
J:\
K:\

Scan statistics:
Files scanned: 508766
Threat name: 3
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 09:08:59


File name / Threat name / Threats count
D:\Documents and Settings\Absurd\DoctorWeb\Quarantine\A0169493.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Documents and Settings\Absurd\DoctorWeb\Quarantine\A0171101.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Documents and Settings\Absurd\DoctorWeb\Quarantine\A0172092.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Documents and Settings\Absurd\DoctorWeb\Quarantine\A0173084.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Documents and Settings\Absurd\DoctorWeb\Quarantine\A0173504.exe Infected: Virus.Win32.Virut.q 1
D:\Documents and Settings\Absurd\DoctorWeb\Quarantine\A0174204.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Documents and Settings\Absurd\DoctorWeb\Quarantine\A0175422.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Documents and Settings\Absurd\DoctorWeb\Quarantine\A0180680.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Documents and Settings\Absurd\DoctorWeb\Quarantine\A0189344.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Documents and Settings\Absurd\DoctorWeb\Quarantine\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Qoobox\Quarantine\D\Program Files\ZModeler\zmuninst.exe.vir Infected: Trojan.Win32.DelAll.ac 1
D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360\A0173492.exe Infected: Trojan.Win32.DelAll.ac 1
E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360\A0173493.exe Infected: Virus.Win32.Virut.q 1
E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360\A0173494.exe Infected: Virus.Win32.Virut.q 1

The selected area was scanned.
  • 0

#28
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello Absurdny,

Lets see if we can get those bad ones this way.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360\A0173492.exe
E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360\A0173493.exe
E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360\A0173494.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .
  • 0

#29
Absurdny

Absurdny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Computer seems much faster. Even the restarts are very fast now. Here are the logs:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "D:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360\A0173492.exe" deleted successfully.
File "E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360\A0173493.exe" deleted successfully.
File "E:\System Volume Information\_restore{85607E0E-6EDE-4DC4-B8C8-A34CB984A99E}\RP360\A0173494.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

-----------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:43 AM, on 2/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\COMODO\Firewall\cmdagent.exe
G:\digidesign\Digidesign\Drivers\MMERefresh.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
D:\WINDOWS\system32\IoctlSvc.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\COMODO\Firewall\cfp.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\AIM6\aim6.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
D:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Downloads\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DigidesignMMERefresh] G:\digidesign\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] D:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "D:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [IDMan] D:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\11b60ed9-558f-4a2f-bedc-e58aa3a9e0f8.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] D:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] D:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BA77C4F-C5DA-4A32-BD8D-C0D21D48050B}: NameServer = 167.206.254.2,167.206.254.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - D:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - G:\digidesign\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - G:\digidesign\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - D:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: M-Audio USB Installer (MAudioUSBService) - M-Audio - D:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - D:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8309 bytes
  • 0

#30
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
That looks encouraging although I am hesitant to be too joyful about it because I thought we had got everything a little while back. :)

Lets run that Kaspersky on line scan again and see how we are doing. :)

Post the results back here.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP