Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

INfected PC

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

INfected PC

Unread postby pokhim » March 14th, 2009, 10:37 am

Hello my Pc is infected and I keep getting a pop up 'you have a security problem do you want to scan for viruses?' a window called 'desktoprepairtool' then pops up which launches one of 3 scanners and pretend to scan the pc after which is asking me to download something. I've used AVG and Spybot SD and Malware remover but it will not go away please can you help me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:36:50, on 14/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\userinit.exe
H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\PROGRA~1\AVG\AVG8\avgrsx.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Microsoft IntelliType Pro\itype.exe
H:\Program Files\Microsoft IntelliPoint\ipoint.exe
H:\Program Files\COMODO\SafeSurf\cssurf.exe
H:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
H:\Program Files\Java\jre6\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\PROGRA~1\AVG\AVG8\avgtray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
H:\Documents and Settings\Tariq Benson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
H:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - H:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [itype] "H:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "H:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "H:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] H:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Center Agent] H:\Program Files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
O4 - HKCU\..\Run: [Google Update] "H:\Documents and Settings\Tariq Benson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Remote Control.lnk = H:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: H:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - H:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - H:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - H:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - H:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8056 bytes
pokhim
Regular Member
 
Posts: 32
Joined: October 30th, 2006, 2:01 pm
Advertisement
Register to Remove

Re: INfected PC

Unread postby jmw3 » March 18th, 2009, 9:05 am

Hello & Welcome to Malware Removal
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click ensure Notify me when a reply is posted is ticked on the Post A Reply page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • Continue to respond to this thread until I give you the All Clean!
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Thanks

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
http://www.techsupportforum.com/sectools/sUBs/dds
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after a log will appear
  • Click Yes at the next prompt, another log named attach.txt will appear
  • A window will open instructing you to post both logs. Copy the contents of both logs & post in your next reply
Gmer
Download gmer.zip from Gmer here & save it to your desktop.
  • Extract the contents of the zipped file to desktop
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file.
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


To post in next reply:
DDS log
Contents of Attach.txt
Gmer log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: INfected PC

Unread postby pokhim » March 18th, 2009, 2:40 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by Tariq Benson at 18:34:31.76 on 18/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1446 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: COMODO Firewall Pro *enabled*

============== Running Processes ===============

H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\userinit.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Microsoft IntelliType Pro\itype.exe
H:\Program Files\Microsoft IntelliPoint\ipoint.exe
H:\Program Files\COMODO\SafeSurf\cssurf.exe
H:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
H:\Program Files\Java\jre6\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\PROGRA~1\AVG\AVG8\avgtray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
H:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
H:\Documents and Settings\Tariq Benson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe -k imgsvc
H:\PROGRA~1\AVG\AVG8\avgrsx.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Documents and Settings\Tariq Benson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - h:\program files\avg\avg8\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - h:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] h:\windows\system32\ctfmon.exe
uRun: [Center Agent] h:\program files\kworld multimedia\hypermediacenter\dtvr\Scheduled.exe
uRun: [Google Update] "h:\documents and settings\tariq benson\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "h:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] h:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE h:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE h:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [itype] "h:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "h:\program files\microsoft intellipoint\ipoint.exe"
mRun: [COMODO SafeSurf] "h:\program files\comodo\safesurf\cssurf.exe" -s
mRun: [Adobe Photo Downloader] "h:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "h:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "h:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "h:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] h:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] h:\windows\system32\CTFMON.EXE
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\remote~1.lnk - h:\program files\kworld multimedia\tv tuner card utilities\HMCP3XCtl.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - h:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - h:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - h:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: h:\windows\system32\cssdll32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\tariqb~1\applic~1\mozilla\firefox\profiles\vke9wa5d.default\
FF - component: h:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: h:\documents and settings\tariq benson\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: h:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;h:\windows\system32\drivers\pavboot.sys [2009-3-17 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [2009-1-1 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;h:\windows\system32\drivers\avgmfx86.sys [2009-1-1 27656]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;h:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-10 124832]
R2 avg8wd;AVG Free8 WatchDog;h:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-1 298264]
R3 3xHybrid;3xHybrid service;h:\windows\system32\drivers\3xHybrid.sys [2008-6-3 674048]
S3 getPlus(R) Helper;getPlus(R) Helper;h:\program files\nos\bin\getPlus_HelperSvc.exe [2008-10-21 33752]

=============== Created Last 30 ================

2009-03-17 22:14 28,544 a------- h:\windows\system32\drivers\pavboot.sys
2009-03-17 22:14 <DIR> --d----- h:\program files\Panda Security
2009-03-14 14:12 <DIR> --d----- h:\program files\Trend Micro
2009-03-14 13:12 102,664 a------- h:\windows\system32\drivers\tmcomm.sys
2009-03-14 13:11 <DIR> --d----- h:\documents and settings\tariq benson\.housecall6.6
2009-03-14 01:39 <DIR> --d----- h:\docume~1\tariqb~1\applic~1\Malwarebytes
2009-03-14 01:39 15,504 a------- h:\windows\system32\drivers\mbam.sys
2009-03-14 01:39 38,496 a------- h:\windows\system32\drivers\mbamswissarmy.sys
2009-03-14 01:39 <DIR> --d----- h:\program files\Malwarebytes' Anti-Malware
2009-03-14 01:39 <DIR> --d----- h:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-14 00:47 <DIR> --d----- h:\windows\pss
2009-03-14 00:17 <DIR> --d----- h:\program files\Spybot - Search & Destroy
2009-03-14 00:17 <DIR> --d----- h:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-11 22:31 221,184 a------- h:\windows\system32\wmpns.dll
2009-03-08 21:42 <DIR> --d----- h:\program files\MSXML 4.0
2009-03-06 21:11 15,104 ac------ h:\windows\system32\dllcache\usbscan.sys
2009-03-06 21:11 15,104 a------- h:\windows\system32\drivers\usbscan.sys
2009-03-06 21:11 5,632 a------- h:\windows\system32\ptpusb.dll
2009-03-06 21:11 159,232 a------- h:\windows\system32\ptpusd.dll
2009-03-05 21:13 <DIR> --d----- h:\docume~1\tariqb~1\applic~1\Samsung
2009-03-05 21:12 174,592 a------- h:\windows\system32\framedyn.dll
2009-03-05 21:12 5,632 a------- h:\windows\system32\drivers\StarOpen.sys

==================== Find3M ====================

2009-03-14 00:00 33,280 a------- h:\windows\system32\userinit.exe
2009-02-09 11:13 1,846,784 a------- h:\windows\system32\win32k.sys
2009-02-03 18:49 325,128 a------- h:\windows\system32\drivers\avgldx86.sys
2009-02-03 18:49 10,520 a------- h:\windows\system32\avgrsstx.dll
2008-12-20 23:15 826,368 a------- h:\windows\system32\wininet.dll
2008-10-31 11:20 32,768 a--sh--- h:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008103120081101\index.dat

============= FINISH: 18:34:53.00 ===============


NLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 03/06/2008 21:43:16
System Uptime: 18/03/2009 18:24:46 (0 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO.,LTD | | MS-7392
Processor: Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz | CPU 1 | 2399/200mhz

==== Disk Partitions =========================

D: is Removable
E: is Removable
F: is Removable
G: is CDROM ()
H: is FIXED (NTFS) - 466 GiB total, 377.571 GiB free.
I: is Removable
J: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: nVidia WDM Video Capture (universal)
Device ID: DISPLAY\NVCAP\5&176A3AAB&0&CA000002&01&00
Manufacturer: nVidia
Name: nVidia WDM Video Capture (universal)
PNP Device ID: DISPLAY\NVCAP\5&176A3AAB&0&CA000002&01&00
Service: nvcap

Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Description: HID Non-User Input Data Filter
Device ID: HID\VID_045E&PID_00F9&MI_01&COL01\7&33472782&0&0000
Manufacturer: Microsoft
Name: HID Non-User Input Data Filter
PNP Device ID: HID\VID_045E&PID_00F9&MI_01&COL01\7&33472782&0&0000
Service: NuidFltr

Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Description: HID Non-User Input Data Filter
Device ID: HID\VID_045E&PID_00F9&MI_01&COL03\7&33472782&0&0002
Manufacturer: Microsoft
Name: HID Non-User Input Data Filter
PNP Device ID: HID\VID_045E&PID_00F9&MI_01&COL03\7&33472782&0&0002
Service: NuidFltr

==== System Restore Points ===================

RP144: 18/12/2008 23:43:24 - Software Distribution Service 3.0
RP145: 20/12/2008 11:25:35 - System Checkpoint
RP146: 21/12/2008 13:50:53 - System Checkpoint
RP147: 22/12/2008 16:54:47 - System Checkpoint
RP148: 22/12/2008 16:57:40 - Installed Java(TM) 6 Update 11
RP149: 23/12/2008 17:43:15 - System Checkpoint
RP150: 26/12/2008 16:07:18 - System Checkpoint
RP151: 29/12/2008 18:54:08 - System Checkpoint
RP152: 31/12/2008 15:40:18 - System Checkpoint
RP153: 01/01/2009 15:12:39 - Installed AVG Free 8.0
RP154: 01/01/2009 15:43:05 - Avg8 Update
RP155: 02/01/2009 23:12:08 - System Checkpoint
RP156: 04/01/2009 14:01:24 - System Checkpoint
RP157: 06/01/2009 20:46:28 - System Checkpoint
RP158: 07/01/2009 22:09:43 - System Checkpoint
RP159: 10/01/2009 16:54:30 - System Checkpoint
RP160: 11/01/2009 17:27:04 - System Checkpoint
RP161: 14/01/2009 19:49:50 - System Checkpoint
RP162: 14/01/2009 22:56:08 - Software Distribution Service 3.0
RP163: 16/01/2009 18:57:30 - System Checkpoint
RP164: 18/01/2009 11:53:08 - System Checkpoint
RP165: 19/01/2009 21:58:05 - System Checkpoint
RP166: 21/01/2009 19:35:21 - System Checkpoint
RP167: 22/01/2009 20:15:37 - System Checkpoint
RP168: 24/01/2009 16:03:49 - System Checkpoint
RP169: 25/01/2009 18:10:40 - System Checkpoint
RP170: 27/01/2009 20:39:21 - System Checkpoint
RP171: 28/01/2009 23:45:47 - System Checkpoint
RP172: 01/02/2009 21:52:30 - System Checkpoint
RP173: 03/02/2009 18:48:23 - Avg8 Update
RP174: 03/02/2009 18:49:41 - Avg8 Update
RP175: 04/02/2009 20:16:18 - System Checkpoint
RP176: 05/02/2009 20:20:27 - System Checkpoint
RP177: 06/02/2009 20:56:31 - System Checkpoint
RP178: 07/02/2009 21:12:52 - System Checkpoint
RP179: 09/02/2009 19:02:15 - System Checkpoint
RP180: 10/02/2009 18:24:15 - Avg8 Update
RP181: 10/02/2009 22:14:14 - Software Distribution Service 3.0
RP182: 13/02/2009 20:38:52 - Avg8 Update
RP183: 15/02/2009 13:48:12 - System Checkpoint
RP184: 15/02/2009 20:50:12 - Installed Samsung PC Studio 3 USB Driver Installer
RP185: 17/02/2009 20:59:06 - System Checkpoint
RP186: 19/02/2009 19:39:15 - System Checkpoint
RP187: 20/02/2009 21:19:52 - System Checkpoint
RP188: 04/03/2009 17:42:43 - Software Distribution Service 3.0
RP189: 05/03/2009 19:30:25 - System Checkpoint
RP190: 05/03/2009 21:11:48 - Installed Samsung PC Studio 3
RP191: 07/03/2009 10:48:33 - System Checkpoint
RP192: 08/03/2009 16:47:13 - Avg8 Update
RP193: 08/03/2009 21:42:14 - Software Distribution Service 3.0
RP194: 10/03/2009 21:29:27 - System Checkpoint
RP195: 11/03/2009 22:31:17 - Software Distribution Service 3.0
RP196: 12/03/2009 23:21:51 - Software Distribution Service 3.0
RP197: 14/03/2009 11:18:53 - System Checkpoint
RP198: 15/03/2009 11:22:48 - System Checkpoint
RP199: 17/03/2009 19:44:02 - Avg8 Update

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player Plugin
Adobe Photoshop Elements 6.0
Adobe Reader 9
Apple Mobile Device Support
Apple Software Update
µTorrent
AVG Free 8.0
Bonjour
CCleaner (remove only)
COMODO SafeSurf
Critical Update for Windows Media Player 11 (KB959772)
FXCM Trading Station II
Google Chrome
Google Earth
Google Updater
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HyperMediaCenter
iTunes
Java(TM) 6 Update 11
KWorld TV Tuner Card Utilities
KWorld TV713X BDA Driver
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.2
Microsoft IntelliType Pro 6.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
NVIDIA WDM Drivers
Panda ActiveScan 2.0
PowerISO
QuickTime
Realtek High Definition Audio Driver
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.6f
WebFldrs XP
William Hill Poker
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
XpertVision 5.7

==== Event Viewer Messages From Past Week ========

11/03/2009 20:34:11, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
14/03/2009 00:58:14, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
14/03/2009 01:01:19, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
14/03/2009 01:02:22, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
14/03/2009 01:45:14, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

==== End Of File ===========================


GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-18 18:39:35
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spnv.sys ZwCreateKey [0xF74DA0E0]
SSDT spnv.sys ZwEnumerateKey [0xF74F7CA2]
SSDT spnv.sys ZwEnumerateValueKey [0xF74F8030]
SSDT spnv.sys ZwOpenKey [0xF74DA0C0]
SSDT spnv.sys ZwQueryKey [0xF74F8108]
SSDT spnv.sys ZwQueryValueKey [0xF74F7F88]
SSDT spnv.sys ZwSetValueKey [0xF74F819A]

INT 0x62 ? 8A791BF8
INT 0x63 ? 8A791BF8
INT 0x63 ? 8A791BF8
INT 0x63 ? 8A56EBF8
INT 0x63 ? 8A791BF8
INT 0x73 ? 8A56EBF8
INT 0x82 ? 8A791BF8
INT 0x83 ? 8A56EBF8
INT 0xB4 ? 8A56EBF8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7901F8
Device \Driver\usbuhci \Device\USBPDO-0 8A56D1F8
Device \Driver\usbuhci \Device\USBPDO-1 8A56D1F8
Device \Driver\usbuhci \Device\USBPDO-2 8A56D1F8
Device \Driver\usbuhci \Device\USBPDO-3 8A56D1F8
Device \Driver\usbehci \Device\USBPDO-4 8A5401F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7231F8
Device \Driver\Cdrom \Device\CdRom0 8A52E1F8
Device \Driver\Cdrom \Device\CdRom1 8A52E1F8
Device \Driver\usbstor \Device\00000069 8A452500
Device \Driver\PCI_PNP6800 \Device\0000003d spnv.sys
Device \Driver\PCI_PNP6800 \Device\0000003d spnv.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A59A500
Device \Driver\NetBT \Device\NetbiosSmb 8A59A500
Device \Driver\NetBT \Device\NetBT_Tcpip_{75316CB9-E6C4-4F73-876F-CF4C96F2EE61} 8A59A500
Device \Driver\usbuhci \Device\USBFDO-0 8A56D1F8
Device \Driver\usbstor \Device\0000006c 8A452500
Device \Driver\usbstor \Device\0000006d 8A452500
Device \Driver\usbuhci \Device\USBFDO-1 8A56D1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A4AA500
Device \Driver\usbstor \Device\0000006e 8A452500
Device \Driver\usbuhci \Device\USBFDO-2 8A56D1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A4AA500
Device \Driver\usbstor \Device\0000006f 8A452500
Device \Driver\usbuhci \Device\USBFDO-3 8A56D1F8
Device \Driver\usbehci \Device\USBFDO-4 8A5401F8
Device \Driver\Ftdisk \Device\FtControl 8A7231F8
Device \Driver\sptd \Device\3526624300 spnv.sys
Device \Driver\akii2nj1 \Device\Scsi\akii2nj11Port4Path0Target0Lun0 8A5221F8
Device \Driver\akii2nj1 \Device\Scsi\akii2nj11 8A5221F8
Device \FileSystem\Cdfs \Cdfs 8A3A2500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5D 0x29 0xDB 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB8 0x02 0x96 0x2F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDB 0x60 0x28 0x6E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5D 0x29 0xDB 0xCA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB8 0x02 0x96 0x2F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDB 0x60 0x28 0x6E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5D 0x29 0xDB 0xCA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB8 0x02 0x96 0x2F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDB 0x60 0x28 0x6E ...

---- EOF - GMER 1.0.15 ----
pokhim
Regular Member
 
Posts: 32
Joined: October 30th, 2006, 2:01 pm

Re: INfected PC

Unread postby jmw3 » March 18th, 2009, 11:38 pm

Hi

MRU P2P Policy
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent

I'd like you to read the MRU policy for P2P Programs.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) & any other P2P programs.

Note about poker games:
You appear to be a fan of games. but I think it's important to note that often these kind of programs are installed with other unwanted software, namely spyware or adware. If you did not install these programs yourself, or you do not use them any more, I would definitely recommend that you uninstall them from your computer, even if it is simply a precautionary measure. The amount of different poker software which arises on the internet means it is impossible to keep track of which ones are infected and which ones are not. If you do use the software, and wish to continue doing so, please ignore this. If you do decide to go ahead and remove the poker software, you should be able uninstall them via add/remove which can be found in the control panel. Let me know if you have any problems whilst doing so.
Here are links to some poker sites regarded as safe for your reference.
http://www.pokerstars.net/ - This is a free to use/play site.
http://www.pokerstars.com - This is the paid for version.

Combofix
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
Combofix log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: INfected PC

Unread postby pokhim » March 19th, 2009, 6:58 pm

HI thanks for your help, I have removed the P2P software and some other junk i no longer use. I had lots of touble disabling my firewall COMODO Firewall Pro as I can't find it anywhere. Its not in my system try or add/remove programs or in my program files and i've searched for it with the windows search function. Windows does however say it is active and when i go to security centre and disable to windows firewall itn just says 'on' and 'COMODO Firewall Pro is still running'. I am away until Monday but will be back. I did however do the ComboFix and here is the log:

ComboFix 09-03-18.01 - Tariq Benson 2009-03-19 22:47:51.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1599 [GMT 0:00]
Running from: h:\documents and settings\Tariq Benson\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall Pro *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.

2009-03-19 22:30 . 2009-03-19 22:30 1,917 --a------ h:\windows\imsins.BAK
2009-03-14 14:12 . 2009-03-14 14:12 <DIR> d-------- h:\program files\Trend Micro
2009-03-14 13:12 . 2009-03-14 13:12 102,664 --a------ h:\windows\system32\drivers\tmcomm.sys
2009-03-14 13:11 . 2009-03-14 13:14 <DIR> d-------- h:\documents and settings\Tariq Benson\.housecall6.6
2009-03-14 01:39 . 2009-03-14 01:39 <DIR> d-------- h:\program files\Malwarebytes' Anti-Malware
2009-03-14 01:39 . 2009-03-14 01:39 <DIR> d-------- h:\documents and settings\Tariq Benson\Application Data\Malwarebytes
2009-03-14 01:39 . 2009-03-14 01:39 <DIR> d-------- h:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-14 01:39 . 2009-02-11 10:19 38,496 --a------ h:\windows\system32\drivers\mbamswissarmy.sys
2009-03-14 01:39 . 2009-02-11 10:19 15,504 --a------ h:\windows\system32\drivers\mbam.sys
2009-03-14 01:10 . 2009-03-14 19:50 <DIR> d-a------ h:\documents and settings\All Users\Application Data\TEMP
2009-03-14 00:17 . 2009-03-14 00:18 <DIR> d-------- h:\program files\Spybot - Search & Destroy
2009-03-14 00:17 . 2009-03-19 22:34 <DIR> d-------- h:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-11 22:31 . 2004-08-04 12:00 221,184 --a------ h:\windows\system32\wmpns.dll
2009-03-08 21:42 . 2009-03-08 21:42 <DIR> d-------- h:\program files\MSXML 4.0
2009-03-06 21:11 . 2008-04-14 00:12 159,232 --a------ h:\windows\system32\ptpusd.dll
2009-03-06 21:11 . 2008-04-13 18:45 15,104 --a------ h:\windows\system32\drivers\usbscan.sys
2009-03-06 21:11 . 2008-04-13 18:45 15,104 --a--c--- h:\windows\system32\dllcache\usbscan.sys
2009-03-06 21:11 . 2001-08-17 22:36 5,632 --a------ h:\windows\system32\ptpusb.dll
2009-03-05 21:13 . 2009-03-05 21:13 <DIR> d-------- h:\documents and settings\Tariq Benson\Application Data\Samsung
2009-03-05 21:12 . 2009-03-05 21:12 <DIR> d-------- h:\program files\DIFX
2009-03-05 21:12 . 2006-05-03 22:53 174,592 --a------ h:\windows\system32\framedyn.dll
2009-03-05 21:12 . 2006-07-24 16:05 5,632 --a------ h:\windows\system32\drivers\StarOpen.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-19 22:02 --------- d-----w h:\program files\Bonjour
2009-03-19 21:30 253,688 ----a-w h:\windows\system32\cssdll32.dll
2009-03-19 21:20 --------- d-----w h:\documents and settings\All Users\Application Data\Google Updater
2009-03-14 00:00 33,280 ----a-w h:\windows\system32\userinit.exe
2009-03-05 21:11 --------- d--h--w h:\program files\InstallShield Installation Information
2009-02-15 20:50 --------- d-----w h:\program files\Samsung
2009-02-09 11:13 1,846,784 ----a-w h:\windows\system32\win32k.sys
2009-02-06 22:42 --------- d-----w h:\program files\CCleaner
2009-02-03 18:49 325,128 ----a-w h:\windows\system32\drivers\avgldx86.sys
2009-02-03 18:49 10,520 ----a-w h:\windows\system32\avgrsstx.dll
2009-02-03 18:49 --------- d-----w h:\documents and settings\All Users\Application Data\Avg8
2009-01-25 12:25 --------- d-----w h:\program files\William Hill Poker
2008-12-20 23:15 826,368 ----a-w h:\windows\system32\wininet.dll
2008-10-31 11:20 32,768 --sha-w h:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008103120081101\index.dat
.

------- Sigcheck -------

2004-08-04 12:00 24576 39b1ffb03c2296323832acbae50d2aff h:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 00:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 h:\windows\ServicePackFiles\i386\userinit.exe
2009-03-14 00:00 33280 3183d1d03b649775ccf7590d96ca0af4 h:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-19_21.25.00.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-19 22:39:35 16,384 ----atw h:\windows\Temp\Perflib_Perfdata_9c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Center Agent"="h:\program files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe" [2007-08-22 1518592]
"Google Update"="h:\documents and settings\Tariq Benson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-23 133104]
"SpybotSD TeaTimer"="h:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2007-09-16 8491008]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2007-09-16 81920]
"itype"="h:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="h:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Adobe Photo Downloader"="h:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-10 67488]
"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="h:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"QuickTime Task"="h:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="h:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-03 1601304]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 h:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-09-16 h:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
Remote Control.lnk - h:\program files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe [2008-06-03 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-03 18:49 10520 h:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="h:\program files\Messenger\msmsgs.exe" /background

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\William Hill Poker\\UA.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"35438:TCP"= 35438:TCP:P2P sharing

R1 AvgLdx86;AVG Free AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [2009-01-01 325128]
R2 avg8wd;AVG Free8 WatchDog;h:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-01 298264]
R3 3xHybrid;3xHybrid service;h:\windows\system32\drivers\3xHybrid.sys [2008-06-03 674048]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;h:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]
S3 getPlus(R) Helper;getPlus(R) Helper;h:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-21 33752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ec6fe52-37e5-11dd-9be5-001d923bd7a7}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-19 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-329068152-839522115-1004.job
- h:\documents and settings\Tariq Benson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-23 18:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - h:\documents and settings\Tariq Benson\Application Data\Mozilla\Firefox\Profiles\vke9wa5d.default\
FF - component: h:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: h:\documents and settings\Tariq Benson\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: h:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-19 22:48:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-19 22:49:26
ComboFix-quarantined-files.txt 2009-03-19 22:49:24
ComboFix2.txt 2009-03-19 22:20:27
ComboFix3.txt 2009-03-19 22:04:25
ComboFix4.txt 2009-03-19 21:44:42
ComboFix5.txt 2009-03-19 22:47:44

Pre-Run: 405,468,909,568 bytes free
Post-Run: 405,461,753,856 bytes free

145 --- E O F --- 2009-03-12 23:22:49
pokhim
Regular Member
 
Posts: 32
Joined: October 30th, 2006, 2:01 pm

Re: INfected PC

Unread postby jmw3 » March 19th, 2009, 11:17 pm

Hi
I am away until Monday but will be back.
OK... thanks for letting me know.

Is there some reason you ran Combofix 5 times? Combofix should not be used without the guidance of an Authorised Helper trained in it's use. The program can cause irreparable damage if not used correctly. Please DO NOT run it again unless I ask you to.

Before we continue I'd like to see the logs from the previous Combofix runs so please do this:
Navigate to:
H:\Qoobox
In that folder you will find the logs for the previous runs of Combofix & a Quarantined Files log.
Highlight the following logs & zip them up:
ComboFix-quarantined-files.txt
ComboFix2.txt
ComboFix3.txt
ComboFix4.txt
ComboFix5.txt

Name the zip file something like Combologs.zip & save it somewhere convenient such as your desktop, then attach it in your next reply. To attach the zip file:
In the Post A Reply page click the Upload Attachment tab, click Browse & navigate to the Combologs.zip file, then click Add the file.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: INfected PC

Unread postby pokhim » March 22nd, 2009, 5:23 pm

HI thanks for helping me. The problem is still here.

I ran comobix more than once because I didn't know that i had the firewall on and I thought I should take it off before I did it again. Sorry but I didn't know about that it was a bad thing to do.

I hope the logs help. I have a pop up which tells me that malware defender 2009 shall scan my PC for infections and then the java script runs which pretends to scan. This is happening quite regularly.

thanks for helping me.
You do not have the required permissions to view the files attached to this post.
pokhim
Regular Member
 
Posts: 32
Joined: October 30th, 2006, 2:01 pm

Re: INfected PC

Unread postby jmw3 » March 23rd, 2009, 1:36 am

I ran comobix more than once because I didn't know that i had the firewall on and I thought I should take it off before I did it again. Sorry but I didn't know about that it was a bad thing to do.
OK... no worries. It wasn't a bad thing. It just that Combofix can render a computer useless if used incorrectly.

View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK

Upload Files for Scanning
Go to VirSCAN & upload the following Files & Path.
  • Copy & paste the following File & Path in the text box next to the Browse button
    Code: Select all
    h:\windows\system32\userinit.exe
  • Click Upload
  • Wait for scans to finish then copy & paste the results into your next reply
Do the same for the following (one at a time):
Code: Select all
h:\windows\$NtServicePackUninstall$\userinit.exe
h:\windows\ServicePackFiles\i386\userinit.exe
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: INfected PC

Unread postby pokhim » March 23rd, 2009, 6:16 pm

h:\windows\system32\userinit.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/03/23 22:03:47 (GMT)
Scanner results: 73% Scanner(27/37) found malware!
File Name : userinit.exe
File Size : 33280 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 3183d1d03b649775ccf7590d96ca0af4
SHA1 : 28d31930f3b57701633fed59cbef533577430ec2
Online report : http://virscan.org/report/a85a0a0b754b5 ... 6d7ce.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090318163345 2009-03-18 2.56 Trojan-Dropper.Agent!IK
AhnLab V3 2009.03.24.00 2009.03.24 2009-03-24 1.08 -
AntiVir 7.9.0.120 7.1.2.205 2009-03-23 1.94 TR/Dldr.Agent.bkyp
Antiy 2.0.18 20090323.2224254 2009-03-23 0.12 Trojan/Win32.Agent.bkyp[Downloader]
Authentium 5.1.1 200903232136 2009-03-23 1.47 -
AVAST! 3.0.1 090322-0 2009-03-22 0.91 Win32:Trojan-gen {Other}
AVG 7.5.52.442 270.11.15/2004 2009-03-16 2.00 -
BitDefender 7.81008.2815284 7.24376 2009-03-24 2.61 Trojan.Agent.AMIT
CA (VET) 9.0.0.143 31.6.6413 2009-03-24 4.00 Win32/FakeAlert.ADU trojan.
ClamAV 0.94.2 9155 2009-03-24 0.01 -
Comodo 3.8 1082 2009-03-23 0.54 TrojWare.Win32.Trojan.Agent.Gen
CP Secure 1.1.0.715 2009.03.24 2009-03-24 7.60 Troj.Downloader.W32.Agent.bkyp
Dr.Web 4.44.0.9170 2009.03.23 2009-03-23 4.26 -
F-Prot 4.4.4.56 20090323 2009-03-23 1.41 -
F-Secure 5.51.6100 2009.03.23.06 2009-03-23 5.14 Trojan-Downloader.Win32.Agent.bkyp [AVP]
Fortinet 2.81-3.117 10.194 2009-03-23 0.17 W32/Agent.BKYP!tr.dldr
GData 19.4183/19.272 20090323 2009-03-23 3.44 Trojan-Downloader.Win32.Agent.bkyp [Engine:A]
ViRobot 20090320 2009.03.20 2009-03-20 0.40 -
Ikarus T3.1.01.48 2009.03.23.72466 2009-03-23 2.83 Trojan-Dropper.Agent
JiangMin 11.0.706 2009.03.23 2009-03-23 1.59 TrojanDownloader.Agent.bcao
Kaspersky 5.5.10 2009.03.23 2009-03-23 0.17 Trojan-Downloader.Win32.Agent.bkyp
KingSoft 2009.2.5.15 2009.3.23.20 2009-03-23 0.57 Win32.TrojDownloader.Agent.33280
McAfee 5.3.00 5562 2009-03-23 2.69 Generic Downloader.x
Microsoft 1.4502 2009.03.23 2009-03-23 4.18 TrojanDownloader:Win32/Renos.HT
mks_vir 2.01 2009.03.23 2009-03-23 2.79 -
Norman 6.00.06 6.00.00 2009-03-23 8.01 W32/Agent.MDKQ
Panda 9.05.01 2009.03.22 2009-03-22 1.75 Trj/Downloader.MDW
Trend Micro 8.700-1004 5.912.16 2009-03-23 0.02 TROJ_AGENT.AMQW
Quick Heal 10.00 2009.03.23 2009-03-23 0.98 -
Rising 20.0 21.22.02.00 2009-03-23 0.90 Trojan.Win32.Nodef.fzd
Sophos 2.84.1 4.39 2009-03-24 2.21 Mal/EncPk-HJ
Sunbelt 5055 5055 2009-03-23 0.57 Trojan-Downloader.Win32.Agent.bkyp
Symantec 1.3.0.24 20090323.003 2009-03-23 0.05 Trojan.Initbar
nProtect 20090323.02 3375326 2009-03-23 4.04 Trojan-Downloader/W32.Agent.33280.AX
The Hacker 6.3.3.4 v00288 2009-03-23 0.78 Trojan/Downloader.Agent.bkyp
VBA32 3.12.10.1 20090322.1902 2009-03-22 2.73 Win32.TrojanDownloader.Zlob.CZG
VirusBuster 4.5.11.10 10.102.19/989383 2009-03-23 1.25 -


h:\windows\$NtServicePackUninstall$\userinit.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/03/23 22:08:20 (GMT)
Scanner results: 3% Scanner(1/37) found malware!
File Name : userinit.exe
File Size : 24576 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 39b1ffb03c2296323832acbae50d2aff
SHA1 : e5aedcbe25a97c89101f1f3860ff846e94d70445
Online report : http://virscan.org/report/62673f4534c08 ... 86a86.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090318163345 2009-03-18 2.44 -
AhnLab V3 2009.03.24.00 2009.03.24 2009-03-24 1.07 -
AntiVir 7.9.0.120 7.1.2.205 2009-03-23 1.94 -
Antiy 2.0.18 20090323.2224254 2009-03-23 0.12 -
Authentium 5.1.1 200903232136 2009-03-23 1.14 -
AVAST! 3.0.1 090322-0 2009-03-22 0.01 -
AVG 7.5.52.442 270.11.15/2004 2009-03-16 1.97 -
BitDefender 7.81008.2815284 7.24376 2009-03-24 2.62 -
CA (VET) 9.0.0.143 31.6.6413 2009-03-24 2.91 -
ClamAV 0.94.2 9155 2009-03-24 0.01 -
Comodo 3.8 1082 2009-03-23 0.53 -
CP Secure 1.1.0.715 2009.03.24 2009-03-24 7.62 -
Dr.Web 4.44.0.9170 2009.03.23 2009-03-23 4.28 -
F-Prot 4.4.4.56 20090323 2009-03-23 1.16 -
F-Secure 5.51.6100 2009.03.23.06 2009-03-23 3.60 -
Fortinet 2.81-3.117 10.194 2009-03-23 0.21 -
GData 19.4183/19.272 20090323 2009-03-23 4.16 -
ViRobot 20090320 2009.03.20 2009-03-20 0.40 -
Ikarus T3.1.01.48 2009.03.23.72466 2009-03-23 2.81 -
JiangMin 11.0.706 2009.03.23 2009-03-23 1.64 -
Kaspersky 5.5.10 2009.03.23 2009-03-23 0.07 -
KingSoft 2009.2.5.15 2009.3.23.20 2009-03-23 0.59 -
McAfee 5.3.00 5562 2009-03-23 2.70 -
Microsoft 1.4502 2009.03.23 2009-03-23 4.57 -
mks_vir 2.01 2009.03.23 2009-03-23 2.68 Trojan.Exploit.Iis.Printeroverflow.C
Norman 6.00.06 6.00.00 2009-03-23 8.01 -
Panda 9.05.01 2009.03.22 2009-03-22 1.58 -
Trend Micro 8.700-1004 5.912.16 2009-03-23 0.03 -
Quick Heal 10.00 2009.03.23 2009-03-23 1.02 -
Rising 20.0 21.22.02.00 2009-03-23 0.83 -
Sophos 2.84.1 4.39 2009-03-24 2.16 -
Sunbelt 5055 5055 2009-03-23 0.56 -
Symantec 1.3.0.24 20090323.003 2009-03-23 0.05 -
nProtect 20090323.02 3375326 2009-03-23 4.22 -
The Hacker 6.3.3.4 v00288 2009-03-23 1.11 -
VBA32 3.12.10.1 20090322.1902 2009-03-22 1.86 -
VirusBuster 4.5.11.10 10.102.19/989383 2009-03-23 1.22 -

h:\windows\ServicePackFiles\i386\userinit.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/03/23 22:12:10 (GMT)
Scanner results: All Scanners reported not find malware!
File Name : userinit.exe
File Size : 26112 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
Online report : http://virscan.org/report/17a2413e03ffc ... 3c5bf.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090318163345 2009-03-18 2.43 -
AhnLab V3 2009.03.24.00 2009.03.24 2009-03-24 1.07 -
AntiVir 7.9.0.120 7.1.2.205 2009-03-23 1.96 -
Antiy 2.0.18 20090323.2224254 2009-03-23 0.12 -
Authentium 5.1.1 200903232136 2009-03-23 1.10 -
AVAST! 3.0.1 090322-0 2009-03-22 0.01 -
AVG 7.5.52.442 270.11.15/2004 2009-03-16 1.96 -
BitDefender 7.81008.2815284 7.24376 2009-03-24 2.61 -
CA (VET) 9.0.0.143 31.6.6413 2009-03-24 9.85 -
ClamAV 0.94.2 9155 2009-03-24 0.01 -
Comodo 3.8 1082 2009-03-23 0.52 -
CP Secure 1.1.0.715 2009.03.24 2009-03-24 7.71 -
Dr.Web 4.44.0.9170 2009.03.23 2009-03-23 4.27 -
F-Prot 4.4.4.56 20090323 2009-03-23 1.09 -
F-Secure 5.51.6100 2009.03.23.06 2009-03-23 5.00 -
Fortinet 2.81-3.117 10.194 2009-03-23 0.20 -
GData 19.4183/19.272 20090323 2009-03-23 3.37 -
ViRobot 20090320 2009.03.20 2009-03-20 0.40 -
Ikarus T3.1.01.48 2009.03.23.72466 2009-03-23 2.88 -
JiangMin 11.0.706 2009.03.23 2009-03-23 1.59 -
Kaspersky 5.5.10 2009.03.23 2009-03-23 0.07 -
KingSoft 2009.2.5.15 2009.3.23.20 2009-03-23 0.57 -
McAfee 5.3.00 5562 2009-03-23 2.70 -
Microsoft 1.4502 2009.03.24 2009-03-24 4.18 -
mks_vir 2.01 2009.03.23 2009-03-23 2.71 -
Norman 6.00.06 6.00.00 2009-03-23 8.01 -
Panda 9.05.01 2009.03.22 2009-03-22 1.57 -
Trend Micro 8.700-1004 5.912.16 2009-03-23 0.03 -
Quick Heal 10.00 2009.03.23 2009-03-23 1.01 -
Rising 20.0 21.22.02.00 2009-03-23 0.83 -
Sophos 2.84.1 4.39 2009-03-24 2.15 -
Sunbelt 5055 5055 2009-03-23 0.61 -
Symantec 1.3.0.24 20090323.003 2009-03-23 0.07 -
nProtect 20090323.02 3375326 2009-03-23 4.10 -
The Hacker 6.3.3.4 v00288 2009-03-23 0.57 -
VBA32 3.12.10.1 20090322.1902 2009-03-22 1.87 -
VirusBuster 4.5.11.10 10.102.19/989383 2009-03-23 1.22 -

As requested.

Your help is much appreciated.
pokhim
Regular Member
 
Posts: 32
Joined: October 30th, 2006, 2:01 pm

Re: INfected PC

Unread postby jmw3 » March 23rd, 2009, 6:44 pm

Disable Spybot's TeaTimer 1.5 & 1.6
  • If you have version 1.5, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol)
  • Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless
  • Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy
  • Click on Mode > Advanced Mode. When it prompts you, click Yes
  • On the left hand side, click on Tools
  • Check this box if it is not yet ticked: Resident
  • You will notice that Resident is now added under Tools. Click on Resident
  • Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active
  • Exit Spybot Search & Destroy
  • Restart your computer for the changes to take effect
CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all
FCopy::
h:\windows\ServicePackFiles\i386\userinit.exe | h:\windows\system32\userinit.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"35438:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ec6fe52-37e5-11dd-9be5-001d923bd7a7}]

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Malwarebytes' Anti-Malware
  • Open Malwarebytes' Anti-Malware, click the Update tab then Check for Updates
  • If an update is found, it will download and install the latest version. Version 1.34 & Definition 1889 at the time of this post
  • Once the program has loaded, select Perform full scan, then click Scan
  • When the scan is complete, click OK, then Show Results to view the results
  • Be sure that everything is checked, and click Remove Selected
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.
If you receive an (Error Loading) error on reboot please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.


To post in next reply:
Combofix log
Malwarebytes log
New HijackThis log
Let me know how the computer is running / problems
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: INfected PC

Unread postby pokhim » March 25th, 2009, 7:07 pm

Hi, as requested

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:02:21, on 25/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\PROGRA~1\AVG\AVG8\avgrsx.exe
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Microsoft IntelliType Pro\itype.exe
H:\Program Files\Microsoft IntelliPoint\ipoint.exe
H:\Program Files\Java\jre6\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\PROGRA~1\AVG\AVG8\avgtray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
H:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
H:\Documents and Settings\Tariq Benson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
H:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\explorer.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - H:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [itype] "H:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "H:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] H:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Center Agent] H:\Program Files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
O4 - HKCU\..\Run: [Google Update] "H:\Documents and Settings\Tariq Benson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Remote Control.lnk = H:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - H:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - H:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6823 bytes



Malwarebytes' Anti-Malware 1.34
Database version: 1898
Windows 5.1.2600 Service Pack 3

25/03/2009 22:34:28
mbam-log-2009-03-25 (22-34-28).txt

Scan type: Full Scan (D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 125026
Time elapsed: 16 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix 09-03-23.01 - Tariq Benson 2009-03-25 22:11:57.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1595 [GMT 0:00]
Running from: h:\documents and settings\Tariq Benson\Desktop\ComboFix.exe
Command switches used :: h:\documents and settings\Tariq Benson\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall Pro *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

h:\windows\ServicePackFiles\i386\userinit.exe --> h:\windows\system32\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-19 22:30 . 2009-03-19 22:30 1,917 --a------ h:\windows\imsins.BAK
2009-03-14 14:12 . 2009-03-14 14:12 <DIR> d-------- h:\program files\Trend Micro
2009-03-14 13:12 . 2009-03-14 13:12 102,664 --a------ h:\windows\system32\drivers\tmcomm.sys
2009-03-14 13:11 . 2009-03-14 13:14 <DIR> d-------- h:\documents and settings\Tariq Benson\.housecall6.6
2009-03-14 01:39 . 2009-03-14 01:39 <DIR> d-------- h:\program files\Malwarebytes' Anti-Malware
2009-03-14 01:39 . 2009-03-14 01:39 <DIR> d-------- h:\documents and settings\Tariq Benson\Application Data\Malwarebytes
2009-03-14 01:39 . 2009-03-14 01:39 <DIR> d-------- h:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-14 01:39 . 2009-02-11 10:19 38,496 --a------ h:\windows\system32\drivers\mbamswissarmy.sys
2009-03-14 01:39 . 2009-02-11 10:19 15,504 --a------ h:\windows\system32\drivers\mbam.sys
2009-03-14 01:10 . 2009-03-14 19:50 <DIR> d-a------ h:\documents and settings\All Users\Application Data\TEMP
2009-03-14 00:17 . 2009-03-14 00:18 <DIR> d-------- h:\program files\Spybot - Search & Destroy
2009-03-14 00:17 . 2009-03-19 22:34 <DIR> d-------- h:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-11 22:31 . 2004-08-04 12:00 221,184 --a------ h:\windows\system32\wmpns.dll
2009-03-08 21:42 . 2009-03-08 21:42 <DIR> d-------- h:\program files\MSXML 4.0
2009-03-06 21:11 . 2008-04-14 00:12 159,232 --a------ h:\windows\system32\ptpusd.dll
2009-03-06 21:11 . 2008-04-13 18:45 15,104 --a------ h:\windows\system32\drivers\usbscan.sys
2009-03-06 21:11 . 2008-04-13 18:45 15,104 --a--c--- h:\windows\system32\dllcache\usbscan.sys
2009-03-06 21:11 . 2001-08-17 22:36 5,632 --a------ h:\windows\system32\ptpusb.dll
2009-03-05 21:13 . 2009-03-05 21:13 <DIR> d-------- h:\documents and settings\Tariq Benson\Application Data\Samsung
2009-03-05 21:12 . 2009-03-05 21:12 <DIR> d-------- h:\program files\DIFX
2009-03-05 21:12 . 2006-05-03 22:53 174,592 --a------ h:\windows\system32\framedyn.dll
2009-03-05 21:12 . 2006-07-24 16:05 5,632 --a------ h:\windows\system32\drivers\StarOpen.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 21:00 --------- d-----w h:\documents and settings\All Users\Application Data\Google Updater
2009-03-19 22:02 --------- d-----w h:\program files\Bonjour
2009-03-19 21:30 253,688 ----a-w h:\windows\system32\cssdll32.dll
2009-03-05 21:11 --------- d--h--w h:\program files\InstallShield Installation Information
2009-02-15 20:50 --------- d-----w h:\program files\Samsung
2009-02-09 11:13 1,846,784 ----a-w h:\windows\system32\win32k.sys
2009-02-06 22:42 --------- d-----w h:\program files\CCleaner
2009-02-03 18:49 325,128 ----a-w h:\windows\system32\drivers\avgldx86.sys
2009-02-03 18:49 10,520 ----a-w h:\windows\system32\avgrsstx.dll
2009-02-03 18:49 --------- d-----w h:\documents and settings\All Users\Application Data\Avg8
2009-01-25 12:25 --------- d-----w h:\program files\William Hill Poker
2008-10-31 11:20 32,768 --sha-w h:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008103120081101\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-19_21.25.00.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:12:38 26,112 -c--a-w h:\windows\system32\dllcache\userinit.exe
+ 2009-03-25 22:05:56 16,384 ----atw h:\windows\Temp\Perflib_Perfdata_154.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Center Agent"="h:\program files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe" [2007-08-22 1518592]
"Google Update"="h:\documents and settings\Tariq Benson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-23 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2007-09-16 8491008]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2007-09-16 81920]
"itype"="h:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="h:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Adobe Photo Downloader"="h:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-10 67488]
"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="h:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"QuickTime Task"="h:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="h:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-03 1601304]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 h:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-09-16 h:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
Remote Control.lnk - h:\program files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe [2008-06-03 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-03 18:49 10520 h:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="h:\program files\Messenger\msmsgs.exe" /background

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\William Hill Poker\\UA.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [2009-01-01 325128]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;h:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]
R2 avg8wd;AVG Free8 WatchDog;h:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-01 298264]
R3 3xHybrid;3xHybrid service;h:\windows\system32\drivers\3xHybrid.sys [2008-06-03 674048]
S3 getPlus(R) Helper;getPlus(R) Helper;h:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-21 33752]
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-25 h:\windows\Tasks\Google Software Updater.job
- h:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 22:23]

2009-03-25 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-329068152-839522115-1004.job
- h:\documents and settings\Tariq Benson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-23 18:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - h:\documents and settings\Tariq Benson\Application Data\Mozilla\Firefox\Profiles\vke9wa5d.default\
FF - component: h:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: h:\documents and settings\Tariq Benson\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: h:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 22:13:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-25 22:14:10
ComboFix-quarantined-files.txt 2009-03-25 22:14:08
ComboFix2.txt 2009-03-19 22:49:27
ComboFix3.txt 2009-03-19 22:20:27
ComboFix4.txt 2009-03-19 22:04:25
ComboFix5.txt 2009-03-25 22:11:28

Pre-Run: 405,424,787,456 bytes free
Post-Run: 405,417,459,712 bytes free

144 --- E O F --- 2009-03-12 23:22:49


The computer seeems to be running fine now. There are no pop ups and there is no bubble in the bottom right hand corner.

What shall I do now? Shall i put back on tea timer? can you give me some advice please. Also a quick techy question, explorer.exe doesn't run on startup anymore, I have to manually start task manager then run > explorer. I think it might be something to do with regedit, can you guide me on that quickly please.

thanks very much sir, you are a true genius.
pokhim
Regular Member
 
Posts: 32
Joined: October 30th, 2006, 2:01 pm

Re: INfected PC

Unread postby jmw3 » March 25th, 2009, 9:30 pm

Hi

Leave TeaTimer off until we are finished. It can interfere with the cleaning process. Feel free to keep your AV enabled though.

ATF Cleaner
Download ATF Cleaner here by Atribune.
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 13.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel
Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
To post in next reply:
Kaspersky scan log

We'll have look at the Explorer issue once we know the machine is clean.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: INfected PC

Unread postby jmw3 » March 28th, 2009, 12:02 am

How you going with this? Still need help?
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: INfected PC

Unread postby pokhim » March 28th, 2009, 10:49 am

really sorry,

my comp is running fine. it is just taking forever for kapersky to run the scan and I have not had the time to let it run. I am letting it do it rught now and will post the log later today. thanks for helping.
pokhim
Regular Member
 
Posts: 32
Joined: October 30th, 2006, 2:01 pm

Re: INfected PC

Unread postby jmw3 » March 28th, 2009, 11:10 am

OK... no worries
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 89 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware