MalwareRemoval.com

My PC is ill


Re: My PC is ill

Post by Airscape » March 21st, 2010, 6:32 pm

Hi beckanoodle123,


Download/Run ComboFix

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Also, please give me an update on your problems.

Thanks.
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: My PC is ill

Post by beckanoodle123 » March 22nd, 2010, 10:25 am

ComboFix 10-03-21.04 - Becky 22/03/2010 14:06:09.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.826 [GMT 0:00]
Running from: c:\documents and settings\Becky\My Documents\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\1.bat
c:\windows\system32\IEBHO.dll
c:\windows\system32\iebho00.dll
c:\windows\system32\iebho01.dll
c:\windows\system32\iebho02.dll
c:\windows\system32\iebho03.dll
c:\windows\system32\iebho04.dll
c:\windows\system32\iebho05.dll
c:\windows\system32\iebho06.dll
c:\windows\system32\iebho07.dll
c:\windows\system32\iebho08.dll
c:\windows\system32\iebho09.dll
c:\windows\system32\iebho0A.dll
c:\windows\system32\iebho0B.dll
c:\windows\system32\iebho0C.dll
c:\windows\system32\iebho0D.dll
c:\windows\system32\iebho0E.dll
c:\windows\system32\iebho0F.dll
c:\windows\system32\iebho10.dll
c:\windows\system32\iebho11.dll
c:\windows\system32\iebho12.dll
c:\windows\system32\iebho13.dll
c:\windows\system32\iebho14.dll
c:\windows\system32\iebho15.dll
c:\windows\system32\iebho16.dll
c:\windows\system32\iebho17.dll
c:\windows\system32\iebho18.dll
c:\windows\system32\iebho19.dll
c:\windows\system32\iebho1A.dll
c:\windows\system32\iebho1B.dll
c:\windows\system32\iebho1C.dll
c:\windows\system32\iebho1D.dll
c:\windows\system32\iebho1E.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.

2010-03-20 18:38 . 2010-03-20 18:38 -------- d-----w- C:\rsit
2010-03-17 16:13 . 2010-03-17 16:13 -------- d-----w- c:\program files\Common Files\Java
2010-03-17 16:11 . 2010-03-17 16:11 503808 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2ccb05be-n\msvcp71.dll
2010-03-17 16:11 . 2010-03-17 16:11 348160 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2ccb05be-n\msvcr71.dll
2010-03-17 16:11 . 2010-03-17 16:11 499712 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2ccb05be-n\jmc.dll
2010-03-17 16:11 . 2010-03-17 16:11 61440 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-30b97b46-n\decora-sse.dll
2010-03-17 16:11 . 2010-03-17 16:11 12800 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-30b97b46-n\decora-d3d.dll
2010-03-17 16:10 . 2010-03-17 16:10 79488 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_18\gtapi.dll
2010-03-17 16:10 . 2010-03-17 16:10 152576 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_18\lzma.dll
2010-03-17 16:02 . 2010-03-17 16:02 -------- d-----w- c:\program files\Trend Micro
2010-03-15 09:54 . 2010-03-15 09:54 -------- d-----w- C:\wi.dows
2010-03-14 10:58 . 2010-03-15 09:55 523264 ----a-w- c:\windows\system32\my.dll
2010-03-14 09:12 . 2010-03-14 09:12 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-14 09:12 . 2010-03-14 09:12 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-14 09:12 . 2010-03-14 09:12 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-14 09:12 . 2010-03-14 09:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-14 09:10 . 2010-03-01 20:42 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-14 09:10 . 2010-03-01 20:42 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-03-14 09:10 . 2010-03-01 20:42 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-03-14 09:10 . 2010-03-01 20:42 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-03-12 20:12 . 2010-03-12 20:12 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-11 19:24 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-08 18:26 . 2010-03-08 18:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-05 18:27 . 2010-03-20 03:31 0 ----a-w- c:\documents and settings\Becky\Local Settings\Application Data\prvlcl.dat
2010-03-04 14:55 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2010-03-04 07:37 . 2010-03-04 07:37 -------- d-----w- c:\documents and settings\Becky\Application Data\AVG8
2010-03-03 15:21 . 2009-11-25 13:01 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-03-02 09:34 . 2010-03-01 20:42 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-03-02 09:34 . 2010-03-01 20:42 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-03-01 20:55 . 2010-03-01 20:55 -------- d-----w- c:\documents and settings\Becky\Local Settings\Application Data\AVG Security Toolbar
2010-03-01 20:43 . 2010-03-14 10:57 -------- d-----w- C:\$AVG
2010-03-01 20:42 . 2010-03-03 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-03-01 20:42 . 2010-03-04 07:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-25 19:10 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-18 07:03 . 2009-03-08 08:49 -------- d-----w- c:\documents and settings\Becky\Application Data\Spotify
2010-03-17 21:29 . 2010-01-02 09:59 -------- d-----w- c:\documents and settings\Becky\Application Data\vlc
2010-03-17 16:11 . 2008-12-14 18:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-14 09:12 . 2008-12-14 11:42 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 09:12 . 2008-12-14 11:42 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-14 09:11 . 2008-12-14 11:42 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 20:12 . 2009-12-27 14:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-12 20:05 . 2008-12-14 11:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-12 20:03 . 2008-12-14 11:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-12 08:39 . 2010-01-02 10:00 -------- d-----w- c:\documents and settings\Becky\Application Data\dvdcss
2010-03-11 22:34 . 2008-12-14 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-11 19:13 . 2009-11-11 16:50 79488 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-03 15:35 . 2009-02-14 15:26 -------- d-----w- c:\program files\Mindjet
2010-03-01 20:42 . 2008-12-14 11:42 -------- d-----w- c:\program files\AVG
2010-02-27 18:33 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-18 12:17 . 2010-02-18 12:16 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-18 12:14 . 2010-02-18 12:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-02 07:26 . 2009-09-24 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-01 20:22 . 2010-02-01 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-01 20:15 . 2009-12-28 08:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-01 20:14 . 2010-02-01 20:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-25 10:02 . 2010-02-01 20:12 31936 ----a-w- c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\x93oa6ye.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-01-25 10:02 . 2010-02-01 20:12 29344 ----a-w- c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\x93oa6ye.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-01-07 16:07 . 2009-12-27 14:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-12-27 14:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-23 20:33 . 2009-12-23 20:33 388096 ----a-r- c:\documents and settings\Becky\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"MMReminderService"="c:\program files\Mindjet\MindManager 8\MMReminderService.exe" [2008-12-11 37656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-29 198160]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 09:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [14/12/2008 11:42 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/12/2008 11:42 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14/03/2010 09:12 308064]
R3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\drivers\inidvd.sys [02/12/2009 12:17 7936]
S2 gupdate1c9e07682d48ba0;Google Update Service (gupdate1c9e07682d48ba0);c:\program files\Google\Update\GoogleUpdate.exe [29/05/2009 15:59 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.3\DriverRobot.exe [2009-09-24 11:06]

2010-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-29 15:59]

2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-29 15:59]

2010-03-22 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\x93oa6ye.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/sear ... -web_uk&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\x93oa6ye.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
AddRemove-V3945s Digital Camera Driver - c:\progra~1\V3945S~1\UNWISE.EXE
AddRemove-V3945s User's Manual - c:\progra~1\V3945S~2\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 14:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-22 14:19:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-22 14:19

Pre-Run: 3,132,497,920 bytes free
Post-Run: 3,289,821,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D3F7A1AB90BCC9AF47101F94FF7B7DB6

---------------------------------------------------------------------

Hi, the main visible symptom is still unwanted internet pages coming up instead of the ones I request. Many thanks, beckanoodle123
beckanoodle123
Regular Member
 
Posts: 18
Joined: December 23rd, 2009, 4:53 pm

Re: My PC is ill

Post by Airscape » March 24th, 2010, 4:13 pm

Hi

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Go to Microsoft's website => http://support.microsoft.com/kb/310994
  • Scroll down to Step 1 (where it says: Step 1: Download the Setup disk program), & select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.
    Note: If you have SP3, use the SP2 package.
  • Save the file to the desktop of your computer
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Drag the setup package onto ComboFix.exe and drop it
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console
  • At the next prompt, click No to exit

-----------------------

TDSSKiller

  • Please Download TDSSKiller.zip and save it on your desktop.
  • Extract (unzip) its contents to your Desktop.
  • Double-click the TDSSKiller Folder on your desktop.
  • Right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below. Do not include the word Code:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -v
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • A log file should be created on your C: drive named something like TDSSKiller 2.1.1 Mar 24 2010 02:40:02
  • To find the log click Start > Computer > C:.
  • Please post the contents of that log in your next reply.

------------------

Run Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware and click the Update tab >>> then Check for Updates.
  • If an update is found, it will download and install the latest version.
    Please make sure you have the latest database version before continuing.
  • Back at the Scanner tab, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to restart to finish cleaning; see Extra Note below.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

-------------------

Please post back with the following:
1. TDSSKiller log
2. MBAM log
3. New HijackThis log

How is the pc running?
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: My PC is ill

Post by beckanoodle123 » March 25th, 2010, 5:50 am

Sorry, I am confused. I got as far as getting TDSSKiller.exe on my desktop but do not understand the instructions after. What do I click Start on? Many thanks, beckanoodle
beckanoodle123
Regular Member
 
Posts: 18
Joined: December 23rd, 2009, 4:53 pm

Re: My PC is ill

Post by Airscape » March 25th, 2010, 12:21 pm

The Start button, sorry.
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: My PC is ill

Post by beckanoodle123 » March 25th, 2010, 1:37 pm

Sorry, that was me being dumb! Thanks again for your continued help. Good news on this one: everything came up with no infections:

Malwarebytes' Anti-Malware 1.44
Database version: 3913
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

25/03/2010 17:34:03
mbam-log-2010-03-25 (17-34-03).txt

Scan type: Quick Scan
Objects scanned: 117134
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----------------------------------------------

17:13:37:453 3892 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
17:13:37:453 3892 ================================================================================
17:13:37:453 3892 SystemInfo:

17:13:37:453 3892 OS Version: 5.1.2600 ServicePack: 3.0
17:13:37:453 3892 Product type: Workstation
17:13:37:453 3892 ComputerName: STARS-FBA1F2893
17:13:37:453 3892 UserName: Becky
17:13:37:453 3892 Windows directory: C:\WINDOWS
17:13:37:453 3892 Processor architecture: Intel x86
17:13:37:453 3892 Number of processors: 1
17:13:37:453 3892 Page size: 0x1000
17:13:37:453 3892 Boot type: Normal boot
17:13:37:453 3892 ================================================================================
17:13:37:453 3892 UnloadDriverW: NtUnloadDriver error 2
17:13:37:453 3892 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:13:37:500 3892 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:13:37:500 3892 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:13:37:500 3892 wfopen_ex: Trying to KLMD file open
17:13:37:500 3892 wfopen_ex: File opened ok (Flags 2)
17:13:37:500 3892 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:13:37:500 3892 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:13:37:500 3892 wfopen_ex: Trying to KLMD file open
17:13:37:500 3892 wfopen_ex: File opened ok (Flags 2)
17:13:37:500 3892 Initialize success
17:13:37:500 3892
17:13:37:500 3892 Scanning Services ...
17:13:37:937 3892 Raw services enum returned 328 services
17:13:37:937 3892
17:13:37:937 3892 Scanning Kernel memory ...
17:13:37:937 3892 Devices to scan: 2
17:13:37:937 3892
17:13:37:937 3892 Driver Name: Disk
17:13:37:937 3892 IRP_MJ_CREATE : F763DBB0
17:13:37:937 3892 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:13:37:937 3892 IRP_MJ_CLOSE : F763DBB0
17:13:37:937 3892 IRP_MJ_READ : F7637D1F
17:13:37:937 3892 IRP_MJ_WRITE : F7637D1F
17:13:37:937 3892 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:13:37:937 3892 IRP_MJ_SET_INFORMATION : 804FA88E
17:13:37:937 3892 IRP_MJ_QUERY_EA : 804FA88E
17:13:37:937 3892 IRP_MJ_SET_EA : 804FA88E
17:13:37:937 3892 IRP_MJ_FLUSH_BUFFERS : F76382E2
17:13:37:937 3892 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:13:37:937 3892 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:13:37:937 3892 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
17:13:37:937 3892 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
17:13:37:937 3892 IRP_MJ_DEVICE_CONTROL : F76383BB
17:13:37:937 3892 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
17:13:37:937 3892 IRP_MJ_SHUTDOWN : F76382E2
17:13:37:937 3892 IRP_MJ_LOCK_CONTROL : 804FA88E
17:13:37:937 3892 IRP_MJ_CLEANUP : 804FA88E
17:13:37:937 3892 IRP_MJ_CREATE_MAILSLOT : 804FA88E
17:13:37:937 3892 IRP_MJ_QUERY_SECURITY : 804FA88E
17:13:37:937 3892 IRP_MJ_SET_SECURITY : 804FA88E
17:13:37:937 3892 IRP_MJ_POWER : F7639C82
17:13:37:937 3892 IRP_MJ_SYSTEM_CONTROL : F763E99E
17:13:37:937 3892 IRP_MJ_DEVICE_CHANGE : 804FA88E
17:13:37:937 3892 IRP_MJ_QUERY_QUOTA : 804FA88E
17:13:37:937 3892 IRP_MJ_SET_QUOTA : 804FA88E
17:13:37:968 3892 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:13:37:968 3892
17:13:37:968 3892 Driver Name: atapi
17:13:37:968 3892 IRP_MJ_CREATE : F74A46F2
17:13:37:968 3892 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:13:37:968 3892 IRP_MJ_CLOSE : F74A46F2
17:13:37:968 3892 IRP_MJ_READ : 804FA88E
17:13:37:968 3892 IRP_MJ_WRITE : 804FA88E
17:13:37:968 3892 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:13:37:968 3892 IRP_MJ_SET_INFORMATION : 804FA88E
17:13:37:968 3892 IRP_MJ_QUERY_EA : 804FA88E
17:13:37:968 3892 IRP_MJ_SET_EA : 804FA88E
17:13:37:968 3892 IRP_MJ_FLUSH_BUFFERS : 804FA88E
17:13:37:968 3892 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:13:37:968 3892 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:13:37:968 3892 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
17:13:37:968 3892 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
17:13:37:968 3892 IRP_MJ_DEVICE_CONTROL : F74A4712
17:13:37:968 3892 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74A0852
17:13:37:968 3892 IRP_MJ_SHUTDOWN : 804FA88E
17:13:37:968 3892 IRP_MJ_LOCK_CONTROL : 804FA88E
17:13:37:968 3892 IRP_MJ_CLEANUP : 804FA88E
17:13:37:968 3892 IRP_MJ_CREATE_MAILSLOT : 804FA88E
17:13:37:968 3892 IRP_MJ_QUERY_SECURITY : 804FA88E
17:13:37:968 3892 IRP_MJ_SET_SECURITY : 804FA88E
17:13:37:968 3892 IRP_MJ_POWER : F74A473C
17:13:37:968 3892 IRP_MJ_SYSTEM_CONTROL : F74AB336
17:13:37:968 3892 IRP_MJ_DEVICE_CHANGE : 804FA88E
17:13:37:968 3892 IRP_MJ_QUERY_QUOTA : 804FA88E
17:13:37:968 3892 IRP_MJ_SET_QUOTA : 804FA88E
17:13:37:968 3892 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
17:13:37:968 3892
17:13:37:968 3892 Completed
17:13:37:968 3892
17:13:37:968 3892 Results:
17:13:37:968 3892 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
17:13:37:968 3892 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:13:37:968 3892 File objects infected / cured / cured on reboot: 0 / 0 / 0
17:13:37:968 3892
17:13:37:968 3892 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:13:37:968 3892 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:13:37:968 3892 KLMD(ARK) unloaded successfully
beckanoodle123
Regular Member
 
Posts: 18
Joined: December 23rd, 2009, 4:53 pm

Re: My PC is ill

Post by Airscape » March 26th, 2010, 10:33 am

Hi,

How is the pc running now?


Upload a file

Please go to Jotti or VirusTotal to upload a suspicious file.
Click on the Browse button next to the white box.
Navigate to the file below and click on it.

c:\windows\system32\my.dll

Click the Open button.
Click the Submit/Sendfile button.
The file will be scanned by several anti-virus programs; please be patient while it finishes.
Once complete, copy/paste all results from each AV in your next reply.

-----------------------------

Run HijackThis and click Do a system scan and save a logfile
It will scan and the log should open in notepad.
Please post this log along with the Jotti or Virustotal results.
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: My PC is ill

Post by beckanoodle123 » March 28th, 2010, 2:14 pm

I am away for the weekend and won't be back till Monday/Tuesday. Will post a reply then. Many thanks, beckanoodle123
beckanoodle123
Regular Member
 
Posts: 18
Joined: December 23rd, 2009, 4:53 pm

Re: My PC is ill

Post by Elrond » March 29th, 2010, 12:44 am

Please do not close this topic until March 31 at the earliest.
Added to protect the topic.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: My PC is ill

Post by beckanoodle123 » March 29th, 2010, 2:20 pm

Hope this is readable! If not, let me know. The computer seems to be running much better, though I've started getting advertising emails (but I assume that could be from previous problems).

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.29 -
AhnLab-V3 5.0.0.2 2010.03.29 -
AntiVir 7.10.5.247 2010.03.29 -
Antiy-AVL 2.0.3.7 2010.03.29 -
Authentium 5.2.0.5 2010.03.29 -
Avast 4.8.1351.0 2010.03.29 -
Avast5 5.0.332.0 2010.03.29 -
AVG 9.0.0.787 2010.03.29 -
BitDefender 7.2 2010.03.29 -
CAT-QuickHeal 10.00 2010.03.29 -
ClamAV 0.96.0.0-git 2010.03.29 -
Comodo 4427 2010.03.29 -
DrWeb 5.0.2.03220 2010.03.29 -
eSafe 7.0.17.0 2010.03.28 -
eTrust-Vet 35.2.7394 2010.03.29 -
F-Prot 4.5.1.85 2010.03.29 -
F-Secure 9.0.15370.0 2010.03.29 -
Fortinet 4.0.14.0 2010.03.29 -
GData 19 2010.03.29 -
Ikarus T3.1.1.80.0 2010.03.29 -
Jiangmin 13.0.900 2010.03.29 -
K7AntiVirus 7.10.1004 2010.03.22 -
Kaspersky 7.0.0.125 2010.03.29 -
McAfee 5934 2010.03.28 -
McAfee+Artemis 5934 2010.03.28 -
McAfee-GW-Edition 6.8.5 2010.03.29 -
Microsoft 1.5605 2010.03.29 -
NOD32 4982 2010.03.29 -
Norman 6.04.10 2010.03.29 -
nProtect 2009.1.8.0 2010.03.29 -
Panda 10.0.2.2 2010.03.28 -
PCTools 7.0.3.5 2010.03.29 -
Prevx 3.0 2010.03.29 -
Rising 22.41.00.04 2010.03.29 -
Sophos 4.52.0 2010.03.29 Mal/FakeAV-CN
Sunbelt 6112 2010.03.29 -
Symantec 20091.2.0.41 2010.03.29 Suspicious.Insight
TheHacker 6.5.2.0.247 2010.03.29 -
TrendMicro 9.120.0.1004 2010.03.29 -
VBA32 3.12.12.2 2010.03.29 -
ViRobot 2010.3.29.2250 2010.03.29 -
VirusBuster 5.0.27.0 2010.03.29 -
Additional information
File size: 523264 bytes
MD5...: 57719f6adb355a03806583e59967495b
SHA1..: 606193b3a33acf2d9d356bc5c4526fb08a06b4ec
SHA256: 74d7a700963a2b191f0c4baaeee27283e0e144bfe9331a2b4d51c7e751472cdd
ssdeep: 3072:3d8rOEIuHtX2kBFxeXl7n4YlQkwD0D9eYqB7ea4tf2X3ws49ckg6xwTV:t4OE5B2Cxy7VQBD0D9y4Q3wswcIxC
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6af8
timedatestamp.....: 0x45854379 (Sun Dec 17 13:17:45 2006)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.DATA 0x1000 0xe99f 0xea00 1.53 e6ebd84533e0e405aa3eb9f207452370
.idata 0x10000 0x821 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.bss 0x11000 0x6fc82 0x6fe00 3.90 c639d3271edcff1900969b9811863fa1
.tadt 0x81000 0x7dc 0x800 1.35 2db87ee3903d7840cdea8c1dd5f3f240
.data 0x82000 0x7ba 0x600 0.00 53e979547d8c2ea86560ac45de08ae25

( 0 imports )

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win16/32 Executable Delphi generic (25.5%)
Clipper DOS Executable (24.9%)
Generic Win/DOS Executable (24.7%)
DOS Executable Generic (24.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:17:41, on 29/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Mindjet\MindManager 8\MMReminderService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 8\MMReminderService.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Send to Mindjet MindManager - {2F72393D-2472-4F82-B600-ED77F354B7FF} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9e07682d48ba0) (gupdate1c9e07682d48ba0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 6617 bytes
beckanoodle123
Regular Member
 
Posts: 18
Joined: December 23rd, 2009, 4:53 pm
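When a helper reads a multi-engine report like the one above, the first things checked are the detection ratio, the labels used by the engines that did fire, and the static properties in the "Additional information" block (signature status, import/export counts, section names and entropy). The Python script below is added here as an illustration; it is not part of this thread and not code from VirusTotal, Jotti or any of the tools named in it. It parses that plain-text layout and produces a triage summary. The sample input is a trimmed copy of the report above (some engine rows omitted); the "fewer than five detections" threshold and the list of common section names are choices made for this example, not a published standard.

```python
"""Triage a multi-engine scan report pasted as plain text.

Added example (not from the forum thread or its tools). Parses the
engine/version/date/result table and the static-analysis block in the
layout used by the report above and summarises what a helper checks
first: detection ratio, detection labels, and static red flags.
"""
import re
from dataclasses import dataclass, field

# Sample input: a trimmed copy of the report posted in the thread.
# Hashes and section data are the ones shown there; engine rows omitted for brevity.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AntiVir 7.10.5.247 2010.03.29 -
AVG 9.0.0.787 2010.03.29 -
CAT-QuickHeal 10.00 2010.03.29 -
Kaspersky 7.0.0.125 2010.03.29 -
McAfee+Artemis 5934 2010.03.28 -
Microsoft 1.5605 2010.03.29 -
Sophos 4.52.0 2010.03.29 Mal/FakeAV-CN
Symantec 20091.2.0.41 2010.03.29 Suspicious.Insight
Additional information
File size: 523264 bytes
MD5...: 57719f6adb355a03806583e59967495b
SHA256: 74d7a700963a2b191f0c4baaeee27283e0e144bfe9331a2b4d51c7e751472cdd
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.DATA 0x1000 0xe99f 0xea00 1.53 e6ebd84533e0e405aa3eb9f207452370
.idata 0x10000 0x821 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.bss 0x11000 0x6fc82 0x6fe00 3.90 c639d3271edcff1900969b9811863fa1
.tadt 0x81000 0x7dc 0x800 1.35 2db87ee3903d7840cdea8c1dd5f3f240
.data 0x82000 0x7ba 0x600 0.00 53e979547d8c2ea86560ac45de08ae25
( 0 imports )
( 0 exports )
verified.....: Unsigned
"""

# One engine row: name, version, YYYY.MM.DD update date, result ("-" means clean).
ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")
# One PE section row: name, virtual addr, virtual size, raw size, entropy, md5.
SECTION_RE = re.compile(
    r"^(\S+)\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(0x[0-9a-f]+)\s+(\d+\.\d+)\s+[0-9a-f]{32}$", re.I)
COUNT_RE = re.compile(r"^\(\s*(\d+)\s+(imports|exports)\s*\)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-f]+)$", re.I)
VERIFIED_RE = re.compile(r"^verified\.*:\s*(.+)$", re.I)

# Section names commonly emitted by mainstream compilers and linkers.
# Anything else deserves a second look; it is not proof of anything by itself.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc",
                   ".bss", ".tls", ".crt", ".pdata", ".xdata", "code", "data", "bss"}
LOW_DETECTION_LIMIT = 5  # chosen for this example

@dataclass
class Triage:
    engines: int = 0
    detections: list = field(default_factory=list)   # (engine, label)
    hashes: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)

    @property
    def ratio(self) -> str:
        return f"{len(self.detections)}/{self.engines}"

def triage_report(text: str) -> Triage:
    """Parse a pasted report and collect detections, hashes and static red flags."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENGINE_RE.match(line):
            t.engines += 1
            engine, _version, _date, result = m.groups()
            if result != "-":
                t.detections.append((engine, result))
        elif m := SECTION_RE.match(line):
            name, rawsize, entropy = m.group(1), int(m.group(2), 16), float(m.group(3))
            if name.lower() not in COMMON_SECTIONS:
                t.flags.append(f"unusual section name {name}")
            if rawsize > 0 and entropy == 0.0:   # bytes on disk, all the same value
                t.flags.append(f"zero-entropy section {name} ({rawsize} bytes on disk)")
        elif m := COUNT_RE.match(line):
            if int(m.group(1)) == 0:
                t.flags.append(f"no {m.group(2)} declared")
        elif m := HASH_RE.match(line):
            t.hashes[m.group(1).upper()] = m.group(2).lower()
        elif m := VERIFIED_RE.match(line):
            if m.group(1).strip().lower() != "signed":
                t.flags.append(f"authenticode: {m.group(1).strip()}")
    if 0 < len(t.detections) < LOW_DETECTION_LIMIT:
        t.flags.append("low detection count: treat as unknown, not as clean")
    return t

if __name__ == "__main__":
    t = triage_report(SAMPLE_REPORT)
    print(f"detections: {t.ratio}")
    for engine, label in t.detections:
        print(f"  {engine}: {label}")
    for algo, digest in t.hashes.items():
        print(f"{algo}: {digest}")
    print("flags:", *t.flags, sep="\n  ")
```

The point of the static flags is that a 2/42 ratio on its own says little; combined with an unsigned binary that declares no imports and carries an odd section name, the low count reads as "not yet recognised" rather than "clean", which is why the helper in this thread went on to remove the file rather than wait for more engines.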

Re: My PC is ill

Unread postby Airscape » March 30th, 2010, 4:05 pm

Hi, how is the pc running now?


Uninstall AVG toolbar via Start > Control Panel > Add/Remove Programs > click Remove
Don't worry if it's not present.

-------------------------------------

Backup the registry
  1. Download ERUNT to your desktop from HERE
  2. Double-click on the file to install the program
  3. Uncheck the NTREGOPT desktop shortcut option
  4. Click No when you get the option to run ERUNT at Windows startup.
  5. During the installation, check Launch ERUNT
  6. Accept the defaults for running a backup
  7. ERUNT will then back up your registry
Note: If it's necessary to restore the registry, open the backup folder and start ERDNT.exe

-----------------------------------

Run CFScript
  • Click > Start > Run > type Notepad > click OK
  • Copy/Paste the following text inside the code box into Notepad:

    Code:
    KillAll::
    
    dirlook::
    C:\wi.dows
    
    Files::
    c:\windows\system32\my.dll
    
    Folder::
    c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    c:\documents and settings\Becky\Local Settings\Application Data\AVG Security Toolbar
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
    [-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    

  • Go to File > Save as... and save it as CFScript.txt
  • Now drag the CFScript.txt file into ComboFix.exe as shown in the animation below... This will start ComboFix again.
    Image
  • The tool may require a reboot - this is normal.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

-----------------------------------

TFC (Temp File Cleaner)
  • Double-click TFC.exe to run the program.
  • Click the Start button in bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted.
It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

-----------------------------------

ESET Online Scanner
Note: Use Internet Explorer for this scan.
  • Go to this link and click on the ESET Online scanner button.
  • At the EULA screen click on YES, I accept the Terms of Use and click Start
  • Click to allow the Active X control and then click on Install
  • Under Computer scan settings UNcheck Remove found threats
  • Under Advanced settings Check Scan for potentially unsafe applications then click Start
  • The scanner will then download the virus signature database and run a scan, please be patient.
  • When the scan is complete, save the log produced then select Uninstall application on close
  • The log can also be found at "C:\Program Files\ESET\EsetOnlineScanner\log.txt"
  • Please Copy/Paste that log into your next reply.

-------------------------------------------------

Please post back with the following:
C:\ComboFix.txt
C:\Program Files\ESET\EsetOnlineScanner\log.txt
How is the pc running?
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: My PC is ill

Unread postby beckanoodle123 » March 31st, 2010, 1:18 pm

Do I reinstall AVG?

Computer is running OK, no apparent problems. How does it look from your perspective?

ComboFix 10-03-29.04 - Becky 31/03/2010 16:03:25.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.816 [GMT 1:00]
Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Becky\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
.

2010-03-31 14:58 . 2010-03-31 14:58 -------- d-----w- c:\program files\ERUNT
2010-03-29 13:43 . 2010-03-29 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-03-29 13:43 . 2010-03-29 13:43 -------- d-----w- c:\documents and settings\Becky\Application Data\Office Genuine Advantage
2010-03-25 07:48 . 2010-03-25 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-25 07:48 . 2010-03-25 07:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-25 07:48 . 2010-03-25 07:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-03-24 19:34 . 2010-03-24 19:33 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-03-24 19:34 . 2010-03-24 19:33 986904 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-03-24 19:34 . 2010-03-24 19:34 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-03-24 19:34 . 2010-03-24 19:34 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-03-24 19:34 . 2010-03-24 19:34 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-03-24 19:34 . 2010-03-24 19:34 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-03-24 19:34 . 2010-03-24 19:34 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-03-24 19:34 . 2010-03-24 19:34 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-03-24 19:33 . 2010-03-24 19:34 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-24 19:33 . 2010-03-24 19:34 -------- d-----w- c:\program files\DivX
2010-03-24 19:33 . 2010-03-24 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-03-22 17:53 . 2010-03-22 17:53 439816 ----a-w- c:\documents and settings\Becky\Application Data\Real\Update\setup3.10\setup.exe
2010-03-20 18:38 . 2010-03-20 18:38 -------- d-----w- C:\rsit
2010-03-17 16:13 . 2010-03-17 16:13 -------- d-----w- c:\program files\Common Files\Java
2010-03-17 16:11 . 2010-03-17 16:11 503808 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2ccb05be-n\msvcp71.dll
2010-03-17 16:11 . 2010-03-17 16:11 348160 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2ccb05be-n\msvcr71.dll
2010-03-17 16:11 . 2010-03-17 16:11 499712 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2ccb05be-n\jmc.dll
2010-03-17 16:11 . 2010-03-17 16:11 61440 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-30b97b46-n\decora-sse.dll
2010-03-17 16:11 . 2010-03-17 16:11 12800 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-30b97b46-n\decora-d3d.dll
2010-03-17 16:10 . 2010-03-17 16:10 79488 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_18\gtapi.dll
2010-03-17 16:10 . 2010-03-17 16:10 152576 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_18\lzma.dll
2010-03-17 16:02 . 2010-03-17 16:02 -------- d-----w- c:\program files\Trend Micro
2010-03-15 09:54 . 2010-03-15 09:54 -------- d-----w- C:\wi.dows
2010-03-14 10:58 . 2010-03-15 09:55 523264 ----a-w- c:\windows\system32\my.dll
2010-03-14 09:12 . 2010-03-14 09:12 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-14 09:12 . 2010-03-14 09:12 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-14 09:12 . 2010-03-14 09:12 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-14 09:10 . 2010-03-01 20:42 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-14 09:10 . 2010-03-01 20:42 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-03-14 09:10 . 2010-03-01 20:42 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-03-14 09:10 . 2010-03-01 20:42 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-03-12 20:12 . 2010-03-12 20:12 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-11 19:24 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-08 18:26 . 2010-03-08 18:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-05 18:27 . 2010-03-31 13:31 0 ----a-w- c:\documents and settings\Becky\Local Settings\Application Data\prvlcl.dat
2010-03-04 14:55 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2010-03-02 09:34 . 2010-03-01 20:42 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-03-02 09:34 . 2010-03-01 20:42 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-03-01 20:43 . 2010-03-14 10:57 -------- d-----w- C:\$AVG
2010-03-01 20:42 . 2010-03-31 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 13:36 . 2009-03-08 08:49 -------- d-----w- c:\documents and settings\Becky\Application Data\Spotify
2010-03-25 16:51 . 2010-01-02 09:59 -------- d-----w- c:\documents and settings\Becky\Application Data\vlc
2010-03-25 07:44 . 2008-12-14 12:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-24 16:54 . 2010-01-02 10:00 -------- d-----w- c:\documents and settings\Becky\Application Data\dvdcss
2010-03-17 16:11 . 2008-12-14 18:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-12 20:12 . 2009-12-27 14:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-12 20:05 . 2008-12-14 11:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-12 20:03 . 2008-12-14 11:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-11 22:34 . 2008-12-14 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-11 19:13 . 2009-11-11 16:50 79488 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-03 15:35 . 2009-02-14 15:26 -------- d-----w- c:\program files\Mindjet
2010-03-01 20:42 . 2008-12-14 11:42 -------- d-----w- c:\program files\AVG
2010-02-27 18:33 . 2004-08-04 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-18 12:17 . 2010-02-18 12:16 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-18 12:14 . 2010-02-18 12:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-12 10:03 . 2010-02-25 19:10 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-02 07:26 . 2009-09-24 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-01 20:22 . 2010-02-01 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-01 20:15 . 2009-12-28 08:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-01 20:14 . 2010-02-01 20:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-25 10:02 . 2010-02-01 20:12 31936 ----a-w- c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\x93oa6ye.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-01-25 10:02 . 2010-02-01 20:12 29344 ----a-w- c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\x93oa6ye.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-01-07 16:07 . 2009-12-27 14:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-12-27 14:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\wi.dows ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"MMReminderService"="c:\program files\Mindjet\MindManager 8\MMReminderService.exe" [2008-12-11 37656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-29 198160]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Becky\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

S2 gupdate1c9e07682d48ba0;Google Update Service (gupdate1c9e07682d48ba0);c:\program files\Google\Update\GoogleUpdate.exe [29/05/2009 16:59 133104]
S3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\drivers\inidvd.sys [02/12/2009 13:17 7936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.3\DriverRobot.exe [2009-09-24 11:06]

2010-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-29 15:59]

2010-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-29 15:59]

2010-03-31 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\x93oa6ye.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/sear ... -web_uk&p=
FF - plugin: c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\x93oa6ye.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-31 16:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(320)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-31 16:15:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-31 15:15
ComboFix2.txt 2010-03-25 09:37
ComboFix3.txt 2010-03-22 14:19

Pre-Run: 2,823,704,576 bytes free
Post-Run: 2,764,247,040 bytes free

- - End Of File - - B5C4CB2056716D477FDB5536C2765ABD
---------------------------------------

ESET Online Scanner scan results: 71 infected files


C:\Program Files\Driver Robot\1.1.0.3\DriverRobot.exe Win32/Adware.DriverRobot application
C:\Program Files\TrendMicro\HiJackThis\backups\backup-20091223-203741-917.dll Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho00.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho01.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho02.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho03.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho04.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho05.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho06.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho07.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho08.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho09.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho0A.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho0B.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho0C.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho0D.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho0E.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho0F.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho10.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho11.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho12.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho13.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho14.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho15.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho16.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho17.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho18.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho19.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho1A.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho1B.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho1C.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho1D.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho1E.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Win32/TrojanDownloader.FakeAlert.AAA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.UI trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP368\A0060326.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP373\A0064605.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067069.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067070.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067071.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067072.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067073.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067074.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067075.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067076.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067077.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067078.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067079.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067080.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067081.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067082.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067083.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067084.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067085.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067086.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067087.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067088.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067089.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067090.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067091.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067092.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067093.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067094.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067095.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067096.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067097.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067098.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067099.dll a variant of Win32/Kryptik.CLY trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067100.dll a variant of Win32/Kryptik.CLY trojan
C:\WINDOWS\system32\my.dll a variant of Win32/Kryptik.CLY trojan
beckanoodle123
Regular Member
 
Posts: 18
Joined: December 23rd, 2009, 4:53 pm
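Reading an ESET scan log like the one above is a triage job rather than a delete-everything job: most of the hits are copies ComboFix already moved into its Qoobox quarantine (the drive tree is mirrored under C:\Qoobox\Quarantine and a .vir suffix appended), others are System Restore snapshot copies, and only the entries still at their original location need an action. The script below is an added example, written for this page; it is not code from the forum, from ESET or from ComboFix. It assumes an ESET detection name is written "Platform/Family..." optionally prefixed by "a variant of" or "probably a variant of", and its sample input is constructed from lines in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the ESET scan log posted above. The forum
# collapsed the tab between path and detection name to a space, so the parser
# has to find the boundary by recognising where a detection name starts.
SAMPLE_ESET_LOG = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\iebho1E.dll.vir a variant of Win32/Kryptik.CLY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Win32/TrojanDownloader.FakeAlert.AAA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.UI trojan
C:\System Volume Information\_restore{591FEBF4-3494-44D7-BD54-9755CAB99621}\RP379\A0067100.dll a variant of Win32/Kryptik.CLY trojan
C:\WINDOWS\system32\my.dll a variant of Win32/Kryptik.CLY trojan
"""

# Assumption: an ESET detection name is "<Platform>/<Family>..." optionally
# prefixed by "a variant of" or "probably a variant of". Paths may contain
# spaces (System Volume Information), so the split is driven by that shape.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S.*)$"
)
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"
RESTORE_MARKER = "\\system volume information\\_restore{"


def parse_eset_log(text: str) -> List[Tuple[str, str]]:
    """Return (path, detection) pairs for every line that looks like a hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("detection")))
    return hits


def classify(path: str) -> Tuple[str, str]:
    """Map a flagged path to (category, effective_path).

    quarantined   - a ComboFix backup under the Qoobox quarantine folder. Qoobox
                    mirrors the drive tree and appends .vir, so the original
                    location is recovered and returned.
    restore_point - a System Restore snapshot copy; cleared by flushing restore
                    points at the end of the cleanup, not by deleting files by hand.
    live          - still sitting in its original location; the only kind that
                    needs a CFScript entry.
    """
    low = path.lower()
    if low.startswith(QUARANTINE_PREFIX):
        rest = path[len(QUARANTINE_PREFIX):]            # e.g. C\WINDOWS\system32\my.dll.vir
        drive, _, tail = rest.partition("\\")
        if tail.lower().endswith(".vir"):
            tail = tail[:-4]
        return "quarantined", f"{drive}:\\{tail}"
    if RESTORE_MARKER in low:
        return "restore_point", path
    return "live", path


def triage(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Bucket every hit by category; quarantined entries carry their original path."""
    buckets: Dict[str, List[Tuple[str, str]]] = {"live": [], "quarantined": [], "restore_point": []}
    for path, detection in parse_eset_log(text):
        category, effective = classify(path)
        buckets[category].append((effective, detection))
    return buckets


def build_cfscript(files, folders=()) -> str:
    """Emit a CFScript in the KillAll:: / File:: / Folder:: layout used in this thread."""
    lines = ["KillAll::", "File::", *files]
    if folders:
        lines += ["", "Folder::", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_ESET_LOG)
    for category in ("live", "quarantined", "restore_point"):
        for path, detection in result[category]:
            print(f"{category:14} {path}  <-  {detection}")
    print(build_cfscript([p for p, _ in result["live"]]))
```

On the sample, the only "live" hit is C:\WINDOWS\system32\my.dll, which is exactly the file the next CFScript in this thread targets; the quarantined bucket shows that userinit.exe and atapi.sys had been replaced by infected copies and are now in Qoobox, which goes away when ComboFix is uninstalled at the end of the cleanup.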

Re: My PC is ill

Unread postby Airscape » March 31st, 2010, 4:55 pm

Only remove the AVG toolbar (if present), not the anti-virus, sorry.
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: My PC is ill

Unread postby Airscape » April 2nd, 2010, 12:06 pm

How does it look from your perspective?

There is still a little more to do yet.

Have you recently installed a Symantec program? (Norton Anti-Virus, etc.)

Uninstall all versions of Driver Robot through Control Panel > Add/Remove Programs.

---------------------------------------

Please delete your current copy of ComboFix and download a new version. Make sure it's on the Desktop.

http://www.bleepingcomputer.com/combofi ... e-combofix

Please disable all security programs before running ComboFix, as they will likely interfere; this is usually done via a right-click on the system tray icon.
To disable the Resident Shield, please:
Open AVG User Interface.
Double-click on the Resident Shield.
Un-tick the option Resident Shield active.
Save the changes.


Run CFScript
  • Click > Start > Run > type Notepad > click OK
  • Copy/Paste the following text inside the code box into Notepad:

    Code:
    KillAll::
    File::
    c:\windows\system32\my.dll
    C:\windows\Tasks\Driver Robot.job
    
    Folder::
    C:\Program Files\Driver Robot

  • Go to File > Save as... and save it as CFScript.txt
  • Now drag the CFScript.txt file onto ComboFix.exe as shown in the animation below. This will start ComboFix again.
    (animation: dragging CFScript.txt onto ComboFix.exe)
  • The tool may require a reboot - this is normal.
  • When finished, it will produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window while it is running; that may cause it to stall.

Please do not forget to activate the AVG Resident Shield again.

--------------------------------------

Please post back with the following:
C:\ComboFix.txt
How is the pc running?

Thanks.
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: My PC is ill

Unread postby beckanoodle123 » April 4th, 2010, 4:38 am

ComboFix 10-04-03.02 - Becky 04/04/2010 9:24.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.582 [GMT 1:00]
Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Becky\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\my.dll"
"c:\windows\Tasks\Driver Robot.job"
.
/wow section - STAGE 7


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\AcAdProc.dll
c:\windows\system32\my.dll
c:\windows\Tasks\Driver Robot.job

.
((((((((((((((((((((((((( Files Created from 2010-03-04 to 2010-04-04 )))))))))))))))))))))))))))))))
.

2010-04-01 13:28 . 2010-04-01 13:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-01 13:28 . 2010-04-01 13:28 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-01 13:28 . 2010-04-01 13:28 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-01 13:28 . 2010-04-01 13:28 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-01 13:27 . 2010-04-04 07:23 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-31 15:26 . 2010-03-31 15:26 -------- d-----w- c:\program files\ESET
2010-03-31 14:58 . 2010-03-31 14:58 -------- d-----w- c:\program files\ERUNT
2010-03-29 13:43 . 2010-03-29 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-03-29 13:43 . 2010-03-29 13:43 -------- d-----w- c:\documents and settings\Becky\Application Data\Office Genuine Advantage
2010-03-25 07:48 . 2010-03-25 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-25 07:48 . 2010-03-25 07:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-25 07:48 . 2010-03-25 07:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-03-24 19:34 . 2010-03-24 19:33 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-03-24 19:34 . 2010-03-24 19:33 986904 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-03-24 19:34 . 2010-03-24 19:34 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-03-24 19:34 . 2010-03-24 19:34 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-03-24 19:34 . 2010-03-24 19:34 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-03-24 19:34 . 2010-03-24 19:34 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-03-24 19:34 . 2010-03-24 19:34 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-03-24 19:34 . 2010-03-24 19:34 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-03-24 19:33 . 2010-03-24 19:34 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-24 19:33 . 2010-03-24 19:34 -------- d-----w- c:\program files\DivX
2010-03-24 19:33 . 2010-03-24 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-03-22 17:53 . 2010-03-22 17:53 439816 ----a-w- c:\documents and settings\Becky\Application Data\Real\Update\setup3.10\setup.exe
2010-03-20 18:38 . 2010-03-20 18:38 -------- d-----w- C:\rsit
2010-03-17 16:13 . 2010-03-17 16:13 -------- d-----w- c:\program files\Common Files\Java
2010-03-17 16:11 . 2010-03-17 16:11 503808 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2ccb05be-n\msvcp71.dll
2010-03-17 16:11 . 2010-03-17 16:11 348160 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2ccb05be-n\msvcr71.dll
2010-03-17 16:11 . 2010-03-17 16:11 499712 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2ccb05be-n\jmc.dll
2010-03-17 16:11 . 2010-03-17 16:11 61440 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-30b97b46-n\decora-sse.dll
2010-03-17 16:11 . 2010-03-17 16:11 12800 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-30b97b46-n\decora-d3d.dll
2010-03-17 16:10 . 2010-03-17 16:10 79488 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_18\gtapi.dll
2010-03-17 16:10 . 2010-03-17 16:10 152576 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_18\lzma.dll
2010-03-17 16:02 . 2010-03-17 16:02 -------- d-----w- c:\program files\Trend Micro
2010-03-15 09:54 . 2010-03-15 09:54 -------- d-----w- C:\wi.dows
2010-03-14 09:12 . 2010-03-14 09:12 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-14 09:12 . 2010-03-14 09:12 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-14 09:12 . 2010-03-14 09:12 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-12 20:12 . 2010-03-12 20:12 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-11 19:24 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-08 18:26 . 2010-03-08 18:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-05 18:27 . 2010-04-04 07:59 394128 ----a-w- c:\documents and settings\Becky\Local Settings\Application Data\prvlcl.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 07:53 . 2009-03-08 08:49 -------- d-----w- c:\documents and settings\Becky\Application Data\Spotify
2010-04-03 20:08 . 2010-01-02 09:59 -------- d-----w- c:\documents and settings\Becky\Application Data\vlc
2010-04-03 19:20 . 2010-01-02 10:00 -------- d-----w- c:\documents and settings\Becky\Application Data\dvdcss
2010-04-01 13:23 . 2010-03-01 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-25 07:44 . 2008-12-14 12:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-17 16:11 . 2008-12-14 18:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-12 20:12 . 2009-12-27 14:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-12 20:05 . 2008-12-14 11:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-12 20:03 . 2008-12-14 11:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-11 22:34 . 2008-12-14 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-11 19:13 . 2009-11-11 16:50 79488 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-03 15:35 . 2009-02-14 15:26 -------- d-----w- c:\program files\Mindjet
2010-03-01 20:42 . 2008-12-14 11:42 -------- d-----w- c:\program files\AVG
2010-02-27 18:33 . 2004-08-04 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-18 12:17 . 2010-02-18 12:16 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-18 12:14 . 2010-02-18 12:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-12 10:03 . 2010-02-25 19:10 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-01 20:14 . 2010-02-01 20:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-25 10:02 . 2010-02-01 20:12 31936 ----a-w- c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\x93oa6ye.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-01-25 10:02 . 2010-02-01 20:12 29344 ----a-w- c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\x93oa6ye.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-01-07 16:07 . 2009-12-27 14:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-12-27 14:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"MMReminderService"="c:\program files\Mindjet\MindManager 8\MMReminderService.exe" [2008-12-11 37656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-29 198160]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Becky\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-01 13:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/04/2010 14:28 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/04/2010 14:28 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [01/04/2010 14:26 308064]
R3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\drivers\inidvd.sys [02/12/2009 13:17 7936]
S2 gupdate1c9e07682d48ba0;Google Update Service (gupdate1c9e07682d48ba0);c:\program files\Google\Update\GoogleUpdate.exe [29/05/2009 16:59 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-29 15:59]

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-29 15:59]

2010-04-04 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\x93oa6ye.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/sear ... -web_uk&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\x93oa6ye.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 09:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2548)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-04 09:36:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-04 08:36
ComboFix2.txt 2010-03-31 15:15
ComboFix3.txt 2010-03-25 09:37
ComboFix4.txt 2010-03-22 14:19

Pre-Run: 2,749,497,344 bytes free
Post-Run: 2,945,761,280 bytes free

- - End Of File - - CB5C09DEE5183FF49F1593195400A88F

PC APPEARS TO BE RUNNING FINE
beckanoodle123
Regular Member
 
Posts: 18
Joined: December 23rd, 2009, 4:53 pm
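The log above is what a helper reads to confirm the CFScript did its job: the "FILE ::" block echoes the script's targets, "Other Deletions" lists what ComboFix actually removed, and the Run keys and scheduled-task listing show what autoruns are left to review. The script below is an added example written for this page, not code from the forum or from ComboFix; it assumes the log layout shown in this thread (the "FILE ::" echo, the "(((( Name ))))" section banners, and the "Contents of the 'Scheduled Tasks' folder" listing) and runs against a constructed excerpt of the posted log.

```python
import re
from typing import Dict, List

# Constructed excerpt in the layout of the ComboFix log posted above, trimmed to
# the parts these checks read: the 'FILE ::' echo of the CFScript, the
# '(((( Name ))))' section banners, the Run keys and the scheduled-task listing.
SAMPLE_COMBOFIX_LOG = r"""
FILE ::
"c:\windows\system32\my.dll"
"c:\windows\Tasks\Driver Robot.job"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\AppPatch\AcAdProc.dll
c:\windows\system32\my.dll
c:\windows\Tasks\Driver Robot.job
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
.
Contents of the 'Scheduled Tasks' folder

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-29 15:59]

2010-04-04 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]
.
"""

BANNER_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>[A-Za-z]:\\.+\.job)$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]+)"\s*\[[^\]]*\]$')


def split_sections(log: str) -> Dict[str, List[str]]:
    """Split the log on its banner lines; 'header' holds everything before the first one."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for line in log.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            current = m.group("name")
            sections[current] = []
        else:
            sections[current].append(line.rstrip())
    return sections


def script_targets(log: str) -> List[str]:
    """Paths ComboFix echoes back under 'FILE ::' when it was started with a CFScript."""
    targets, in_block = [], False
    for line in log.splitlines():
        s = line.strip()
        if s == "FILE ::":
            in_block = True
        elif in_block and s.startswith('"') and s.endswith('"'):
            targets.append(s.strip('"'))
        elif in_block:
            break                      # first non-quoted line ends the echo block
    return targets


def deleted_paths(log: str) -> List[str]:
    """Everything listed under 'Other Deletions', minus the '.' spacer lines."""
    return [s for s in (l.strip() for l in split_sections(log).get("Other Deletions", []))
            if s and s != "."]


def scheduled_tasks(log: str) -> List[str]:
    """The .job files ComboFix enumerated from the Scheduled Tasks folder."""
    return [m.group("job") for m in (TASK_RE.match(l.strip()) for l in log.splitlines()) if m]


def run_key_values(log: str) -> List[Dict[str, str]]:
    """Run-key values under 'Reg Loading Points', tagged with the key they live in."""
    values, key = [], ""
    for line in split_sections(log).get("Reg Loading Points", []):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1]
        elif (m := RUN_VALUE_RE.match(s)):
            values.append({"key": key, "name": m.group("name"), "image": m.group("image")})
    return values


def verify_script(log: str) -> Dict[str, bool]:
    """Per CFScript target: True if it is under 'Other Deletions' and, for a .job, no longer scheduled."""
    deleted = {p.lower() for p in deleted_paths(log)}
    jobs = {j.lower() for j in scheduled_tasks(log)}
    result = {}
    for t in script_targets(log):
        ok = t.lower() in deleted
        if t.lower().endswith(".job"):
            ok = ok and t.lower() not in jobs
        result[t] = ok
    return result


if __name__ == "__main__":
    for target, ok in verify_script(SAMPLE_COMBOFIX_LOG).items():
        print(("removed  " if ok else "MISSING  ") + target)
```

Against the posted log both CFScript targets come back as removed, and the remaining Run-key values and .job files are the short list a helper eyeballs for anything that should not be there; a target reported as MISSING means ComboFix could not delete it and the file needs another look.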