Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Aarrrgh! Antivirus disabled - crazy virus - can't remove


Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Post by uprisetv » April 29th, 2009, 5:27 pm

Weird question: is it possible that the file can be unuploadable?

It's a seemingly small file, but I cannot seem to upload it past 61%. I tried attaching it to an email and sending it to VirusTotal, but the email accounts stop uploading it after about 60% as well. Other files seem to attach to email OK. It's a strange mystery. Any suggestions? In the meantime, I will keep trying several methods to upload the file.

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Post by Shaba » April 29th, 2009, 11:56 pm

Infection can block it.

Please try whether you can upload these:

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
c:\windows\system32\dllcache\ndis.sys

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Post by uprisetv » April 30th, 2009, 12:27 pm

Booted up in Linux and sent the file that way. I will also try the other method through Windows in a moment. Thanks:


Virustotal results

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.30 Rkit!IK
AhnLab-V3 5.0.0.2 2009.04.30 Win-Trojan/Agent.213376
AntiVir 7.9.0.160 2009.04.30 RKIT/Protector.BC
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.04.30 -
Avast 4.8.1335.0 2009.04.29 Win32:Rootkit-CC
AVG 8.5.0.327 2009.04.30 Rootkit-Agent.DI
BitDefender 7.2 2009.04.30 Trojan.Kobcka.HN
CAT-QuickHeal 10.00 2009.04.30 -
ClamAV 0.94.1 2009.04.30 Trojan.Rootkit-1539
Comodo 1141 2009.04.29 Unclassified Malware
DrWeb 4.44.0.09170 2009.04.30 Trojan.NtRootKit.2670
eSafe 7.0.17.0 2009.04.30 Win32.RKITProtector
eTrust-Vet 31.6.6484 2009.04.30 -
F-Prot 4.4.4.56 2009.04.29 -
F-Secure 8.0.14470.0 2009.04.30 Virus.Win32.Protector.a
Fortinet 3.117.0.0 2009.04.30 W32/NtRootkit.AD!tr
GData 19 2009.04.30 Trojan.Kobcka.HN
Ikarus T3.1.1.49.0 2009.04.30 Rkit
K7AntiVirus 7.10.720 2009.04.30 -
Kaspersky 7.0.0.125 2009.04.30 Virus.Win32.Protector.a
McAfee 5601 2009.04.30 Generic.dx!r
McAfee+Artemis 5601 2009.04.30 Generic.dx!r
McAfee-GW-Edition 6.7.6 2009.04.30 Rootkit.Protector.BC
Microsoft 1.4602 2009.04.30 Virus:Win32/Cutwail.F
NOD32 4046 2009.04.30 Win32/Rootkit.Agent.ILO
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.04.29 -
Panda 10.0.0.14 2009.04.30 Trj/CI.A
PCTools 4.4.2.0 2009.04.30 -
Prevx1 3.0 2009.04.30 -
Rising 21.27.31.00 2009.04.30 -
Sophos 4.41.0 2009.04.30 Mal/Fakedis-A
Sunbelt 3.2.1858.2 2009.04.29 -
Symantec 1.4.4.12 2009.04.30 Trojan.Neprodoor!inf
TheHacker 6.3.4.1.317 2009.04.29 Trojan/Agent.inf
TrendMicro 8.950.0.1092 2009.04.30 -
VBA32 3.12.10.4 2009.04.30 -
ViRobot 2009.4.30.1716 2009.04.30 Trojan.Win32.RT-Agent.198016
VirusBuster 4.6.5.0 2009.04.30 -
Additional information
File size: 213376 bytes
MD5...: 29cb83d1a129d983b6b5135da6a72ea5
SHA1..: bf20787bc0a859f6e0ac4767876956a85d4ae84d
SHA256: 01244e8f252d7e8705ca972b1e7e0e29dc80c5b4f07727beab0108f261c5054c
SHA512: 74b6623f4e423df17222ae01c766d39081220d2adb82ff07627793b14fb62ada459ee1500be390361c58a54aa1b7af123a134ce28706212019034119d4f1f448
ssdeep: 3072:4cU5PouX7vzzAwkE8T3xLHn4BQIYeBod1LzR0ySQAlbeRE4UrOjoxf:4BPo6vwLHLxzn4BvYeBooHbHjrOjof
PEiD..: -
TrID..: File type identification
Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4d0
timedatestamp.....: 0x49e61666 (Wed Apr 15 17:16:22 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xc9d 0xd00 5.65 564c4f73e2f9ce5dacc2e6eb4cb3b622
.rdata 0x1100 0x74 0x80 4.80 9d66ee836e48e82ba29b5ae293f1e996
.data 0x1180 0xc 0x80 0.00 f09f35a5637839458e462e6350ecbce4
.reloc 0x1200 0x32f2a 0x32f80 7.98 1f15a4f5fdf00dec51f62a10dbe66db5

( 0 imports )

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
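Beyond the detection names, the PEInfo block in the report above carries the evidence an analyst would weigh before trusting a file that calls itself ndis.sys: it has no imports at all, its entry point sits in a 3 KiB .text section, and its .reloc section is about 204 KiB at entropy 7.98. The script below is an added example (not part of the post and not VirusTotal code) that parses that section table as posted and applies those checks. The entropy threshold (7.5 over at least 4 KiB) and the 8x .reloc-to-.text ratio are this example's own heuristics, and the overlay check assumes each section's raw offset equals the virtual address shown, which the table bears out since every address is the previous address plus raw size.

```python
"""
Triage of the VirusTotal PEInfo section table posted above.
Added example; not part of the original post and not VirusTotal code.
"""
import math
from collections import Counter

# Constructed input: the section table copied from the VirusTotal report above.
# Columns: name, virtual address, virtual size, raw size, entropy, md5.
PEINFO_SECTIONS = """\
.text 0x400 0xc9d 0xd00 5.65 564c4f73e2f9ce5dacc2e6eb4cb3b622
.rdata 0x1100 0x74 0x80 4.80 9d66ee836e48e82ba29b5ae293f1e996
.data 0x1180 0xc 0x80 0.00 f09f35a5637839458e462e6350ecbce4
.reloc 0x1200 0x32f2a 0x32f80 7.98 1f15a4f5fdf00dec51f62a10dbe66db5
"""
IMPORT_COUNT = 0          # "( 0 imports )" in the report
FILE_SIZE = 213376        # "File size: 213376 bytes"
ENTRY_POINT = 0x4d0       # "entrypointaddress.: 0x4d0"


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes
    (the same measure as the 'ntrpy' column in the report)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(table):
    """One dict per section row; hex columns become ints."""
    rows = []
    for line in table.splitlines():
        f = line.split()
        if len(f) != 6:
            continue
        rows.append({"name": f[0], "vaddr": int(f[1], 16), "vsize": int(f[2], 16),
                     "rawsize": int(f[3], 16), "entropy": float(f[4]), "md5": f[5]})
    return rows


def overlay_bytes(sections, file_size):
    """Bytes past the end of the last section (assumes raw offset == virtual address)."""
    end = max(s["vaddr"] + s["rawsize"] for s in sections)
    return file_size - end


def section_of(sections, rva):
    """Name of the section containing the given RVA, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def triage(sections, import_count, file_size, entry_point):
    """Human-readable findings; an empty list means nothing looked odd."""
    findings = []
    text = next((s for s in sections if s["name"] == ".text"), None)
    for s in sections:
        # Heuristic: near-random data over a sizeable region is compressed or encrypted.
        if s["entropy"] >= 7.5 and s["rawsize"] >= 4096:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} across {s['rawsize']} bytes "
                            "(compressed or encrypted payload)")
        # Heuristic: a relocation table is normally a small fraction of the code size.
        if s["name"] == ".reloc" and text and s["rawsize"] > 8 * text["rawsize"]:
            findings.append(f".reloc ({s['rawsize']} bytes) dwarfs .text ({text['rawsize']} bytes)")
    if import_count == 0:
        findings.append("0 imports: a kernel driver normally imports from ntoskrnl.exe and hal.dll; "
                        "none at all means the import table was stripped or is resolved by hand")
    ep = section_of(sections, entry_point)
    if ep != ".text":
        findings.append(f"entry point 0x{entry_point:x} lies in {ep}, not .text")
    ov = overlay_bytes(sections, file_size)
    if ov:
        findings.append(f"{ov} bytes of overlay after the last section")
    return findings


if __name__ == "__main__":
    secs = parse_sections(PEINFO_SECTIONS)
    for finding in triage(secs, IMPORT_COUNT, FILE_SIZE, ENTRY_POINT):
        print("-", finding)
    # Sanity check of the entropy measure on constructed buffers.
    print("zeros:", shannon_entropy(bytes(4096)),
          "uniform:", shannon_entropy(bytes(range(256)) * 16))
```

Run against the posted table it reports the high-entropy .reloc, the .reloc/.text size ratio and the missing import table, and finds no overlay and no entry point outside .text; a single finding is a hint, three together on a file named after a core network driver is what turned the detections above into a rootkit verdict.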

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Post by Shaba » April 30th, 2009, 12:44 pm

OK, next we need the Recovery Console.

Please install it as described in combofix link, rerun combofix and post back a fresh combofix log.

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Post by uprisetv » April 30th, 2009, 10:21 pm

COMBOFIX LOG (it appears the computer's date and time are now messed up; interesting):

ComboFix 09-04-30.05 - anand 03/23/2006 0:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2607 [GMT -5:00]
Running from: c:\documents and settings\anand\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\f23567.dat
c:\windows\system32\msblcd32.dll

.
((((((((((((((((((((((((( Files Created from 2006-02-23 to 2006-03-23 )))))))))))))))))))))))))))))))
.

2009-04-21 05:51 . 2009-04-21 06:34 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 05:51 . 2009-04-21 05:52 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-21 04:59 . 2009-04-21 04:59 -------- d-----w c:\program files\Unlocker
2009-04-21 02:02 . 2009-04-21 03:40 -------- d-----w c:\windows\BDOSCAN8
2009-04-20 03:50 . 2006-03-23 05:06 -------- d-----w c:\program files\Lavasoft
2009-04-17 16:10 . 2009-04-17 16:10 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-17 04:42 . 2009-04-17 04:42 2 ---h--w c:\windows\t55ft2832f44.dat
2009-04-17 04:42 . 2009-04-17 04:42 2 ---h--w c:\windows\t55ft2803f44.dat
2009-04-17 02:42 . 2009-04-17 02:42 2 ---h--w c:\windows\t55ft2772f44.dat
2009-04-15 15:27 . 2009-04-15 15:27 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-05 17:35 . 2009-04-05 17:35 -------- d-----w c:\documents and settings\anand\Local Settings\Application Data\Google
2009-04-03 17:30 . 2009-04-03 17:30 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-03 16:27 . 2009-04-03 16:28 -------- dc-h--w c:\windows\ie8
2009-04-03 16:24 . 2009-02-28 04:55 105984 -c--a-w c:\windows\system32\dllcache\iecompat.dll
2009-04-03 15:22 . 2009-04-03 15:29 -------- d-----w c:\documents and settings\anand\Application Data\RegTool
2009-03-23 21:27 . 2009-03-24 17:20 -------- d-----w c:\program files\Jazz_Guitar_Solos_Vol_1-4
2009-03-23 21:27 . 2009-03-23 21:27 -------- d-----w c:\program files\Roland
2009-03-23 21:26 . 2009-03-23 21:26 -------- d-----w c:\program files\PowerTracks DirectX Plugins
2009-03-23 21:02 . 2009-03-28 18:12 -------- d-----w c:\program files\bb
2009-03-22 23:25 . 2009-03-22 23:25 -------- d-----w c:\program files\Common Files\Native Instruments
2009-03-22 23:25 . 2009-03-22 23:25 -------- d-----w c:\program files\Common Files\Digidesign
2009-03-22 18:10 . 2009-03-22 18:10 -------- d-----w c:\program files\7-Zip
2009-03-10 17:08 . 2009-03-10 17:08 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-03-10 00:00 . 2009-03-10 00:00 -------- d-sh--w c:\documents and settings\anand\IECompatCache
2009-03-06 01:26 . 2009-03-06 01:26 -------- d-sh--w c:\documents and settings\anand\PrivacIE
2009-03-06 01:26 . 2009-03-06 01:26 -------- d-sh--w c:\documents and settings\anand\IETldCache
2009-03-05 16:01 . 2009-04-03 15:23 -------- d-----w c:\windows\ie8updates
2009-03-02 00:10 . 2009-03-03 04:35 -------- d-----w c:\documents and settings\anand\Application Data\U3
2009-02-25 16:50 . 2009-03-13 05:45 -------- d-----w c:\documents and settings\anand\Application Data\dvdcss
2009-02-23 20:49 . 2009-02-23 20:49 -------- d-----w c:\documents and settings\anand\Application Data\FLV Extract
2009-02-22 04:50 . 2009-02-22 04:50 -------- d-----w c:\documents and settings\anand\Application Data\Antares
2009-02-22 04:50 . 2009-03-29 05:52 -------- d-----w c:\program files\Antares Audio Technologies
2009-02-22 04:50 . 2003-06-20 18:28 1777664 ----a-w c:\windows\system32\gdiplus.dll
2009-02-15 20:07 . 2009-02-15 22:15 -------- d-----w c:\documents and settings\anand\Application Data\vlc
2009-02-15 20:06 . 2009-02-15 20:06 -------- d-----w c:\program files\VideoLAN
2009-02-03 19:12 . 2009-02-03 19:12 -------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-02-03 19:12 . 2009-02-03 19:12 -------- d-----w c:\program files\NCH Software
2009-02-03 19:12 . 2009-02-03 19:20 -------- d-----w c:\documents and settings\anand\Application Data\NCH Swift Sound
2009-02-03 19:11 . 2009-02-03 19:12 -------- d-----w c:\program files\NCH Swift Sound
2009-01-27 18:30 . 2009-01-27 18:30 -------- d-----w c:\program files\ViewsIncreaser.com
2009-01-20 20:09 . 2009-01-20 20:09 -------- d-----w c:\program files\Windows Resource Kits
2009-01-15 00:44 . 2009-01-15 00:44 -------- d-----w c:\program files\ffdshow
2009-01-07 23:20 . 2009-01-07 23:20 134144 -c--a-w c:\windows\system32\dllcache\sqmapi.dll
2008-11-25 00:45 . 2008-11-25 01:39 -------- d-----w c:\program files\MediaCoder
2008-11-24 23:21 . 2008-11-24 23:21 -------- d-----w c:\documents and settings\anand\Application Data\InterVideo
2008-11-24 22:58 . 2008-11-24 22:58 -------- d-----w c:\documents and settings\anand\Application Data\Ulead Systems
2008-11-24 22:57 . 2008-11-24 22:57 -------- d-----w c:\documents and settings\anand\Application Data\Corel
2008-11-24 22:57 . 2008-11-24 22:57 8 -csh--r c:\windows\system32\4C48B0F6EE.sys
2008-11-24 22:57 . 2009-03-12 16:59 2828 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-11-24 21:45 . 2002-11-22 08:57 204800 -c--a-w c:\windows\system32\IVIresizeW7.dll
2008-11-24 21:45 . 2002-11-22 08:57 188416 -c--a-w c:\windows\system32\IVIresizePX.dll
2008-11-24 21:45 . 2002-11-22 08:57 192512 -c--a-w c:\windows\system32\IVIresizeP6.dll
2008-11-24 21:45 . 2002-11-22 08:57 192512 -c--a-w c:\windows\system32\IVIresizeM6.dll
2008-11-24 21:45 . 2002-11-22 08:57 20480 ----a-w c:\windows\system32\IVIresize.dll
2008-11-24 21:45 . 2002-11-22 08:57 200704 ----a-w c:\windows\system32\IVIresizeA6.dll
2008-11-24 21:44 . 2008-11-24 21:44 -------- d-----w c:\program files\InterVideo
2008-11-24 21:42 . 2008-11-24 21:39 10368 -c--a-w c:\windows\system32\drivers\iviaspi.sys
2008-11-24 21:40 . 2008-11-24 21:40 -------- d-----w c:\program files\Common Files\InterVideo
2008-11-24 21:39 . 2008-11-24 21:39 -------- d-----w c:\program files\Common Files\Protexis
2008-11-24 21:36 . 2008-11-25 01:38 -------- d-----w c:\program files\Corel
2008-11-24 21:36 . 2008-11-24 21:38 -------- d-----w c:\program files\Common Files\Ulead Systems
2008-10-31 21:41 . 2008-10-31 21:48 -------- d-----w c:\program files\iCall
2008-10-13 19:55 . 2009-01-07 23:20 26112 ----a-w c:\windows\system32\idndl.dll
2008-10-13 19:55 . 2009-01-07 23:20 24576 ----a-w c:\windows\system32\nlsdl.dll
2008-10-13 19:55 . 2009-01-07 23:20 23552 ----a-w c:\windows\system32\normaliz.dll
2008-10-13 19:04 . 2009-02-05 17:07 -------- d-----w c:\documents and settings\anand\Local Settings\Application Data\Deployment
2008-10-10 18:42 . 2009-01-07 23:20 265720 ----a-w c:\windows\system32\msdbg2.dll
2008-10-10 16:59 . 2008-10-11 14:27 -------- d-----w c:\program files\ProxyWay
2008-10-02 00:38 . 2008-10-02 00:40 -------- d-----w c:\documents and settings\anand\.unlimitedftp
2008-09-30 21:43 . 2008-09-30 21:43 1286152 ----a-w c:\windows\system32\msxml4.dll
2008-09-07 05:38 . 2008-09-07 05:38 -------- d-----w c:\program files\Trend Micro
2008-09-07 05:06 . 2008-09-07 05:06 -------- d--h--w c:\windows\system32\GroupPolicy
2008-09-07 02:44 . 2006-03-23 05:06 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-09-07 02:22 . 2008-06-02 20:19 29576 -c--a-w c:\windows\system32\drivers\kcom.sys
2008-09-07 02:22 . 2008-08-25 16:36 40840 -c--a-w c:\windows\system32\drivers\ikfilesec.sys
2008-09-07 02:22 . 2008-08-25 16:36 81288 -c--a-w c:\windows\system32\drivers\iksyssec.sys
2008-09-07 02:22 . 2008-08-25 16:36 66952 -c--a-w c:\windows\system32\drivers\iksysflt.sys
2008-09-07 02:22 . 2008-09-07 05:13 -------- d-----w c:\program files\Spyware Doctor
2008-09-07 02:22 . 2008-09-07 02:22 -------- d-----w c:\documents and settings\anand\Application Data\PC Tools
2008-09-07 02:00 . 2008-09-03 04:58 88576 -c--a-w c:\windows\system32\AntiXPVSTFix.exe
2008-09-06 22:55 . 2007-08-14 18:04 9216 ----a-w c:\windows\system32\ffnd.exe
2008-09-06 22:42 . 2008-09-06 22:42 -------- d-----w c:\documents and settings\anand\Local Settings\Application Data\FreeFixer
2008-09-06 22:42 . 2008-09-06 22:42 -------- d-----w c:\program files\FreeFixer
2008-09-06 22:05 . 2006-07-07 18:16 69632 -c--a-w c:\windows\system32\NI_DFD_1_2_9.dll
2008-09-06 22:05 . 2008-09-06 22:05 -------- d-----w c:\program files\Digidesign
2008-09-06 22:04 . 2009-03-22 23:24 -------- d-----w c:\program files\Native Instruments
2008-09-06 21:58 . 2008-09-06 21:58 -------- d-----w c:\program files\uTorrent
2008-08-30 02:46 . 2009-04-24 22:11 -------- d-----w c:\windows\system32\CatRoot_bak
2008-07-20 23:03 . 2008-07-20 23:03 -------- d-----w c:\program files\AC3Filter
2008-07-15 21:31 . 2009-04-22 15:22 -------- d-----w c:\documents and settings\anand\Application Data\BitTorrent
2008-07-15 21:30 . 2008-07-20 05:34 -------- d-----w c:\program files\BitTorrent
2008-07-08 17:44 . 2008-07-08 17:44 -------- d-----w c:\documents and settings\All Users\Application Data\Spiralfrog
2008-06-24 21:29 . 2004-08-04 12:00 221184 -c--a-w c:\windows\system32\wmpns.dll
2008-06-21 14:43 . 2008-06-21 14:43 75 -csh--r c:\windows\CT5PRET.BIN
2008-06-21 14:41 . 2008-06-21 14:41 -------- d-----w c:\documents and settings\anand\Application Data\InstallShield
2008-06-21 03:30 . 2008-06-21 03:30 -------- d-----w c:\program files\Common Files\Reallusion
2008-06-17 04:08 . 2005-04-12 15:21 225280 -c--a-w c:\windows\system32\rewire.dll
2008-06-17 04:07 . 2008-06-17 04:09 -------- d-----w c:\program files\Image-Line
2008-06-17 03:52 . 2008-06-17 03:52 -------- d-----w c:\program files\Turbo Tube
2008-06-10 19:36 . 2008-06-21 15:31 74 -c-ha-w c:\windows\sysdws.dat
2008-06-10 19:34 . 2008-06-10 19:34 -------- d-----w c:\program files\Ulead Systems
2008-06-10 19:34 . 2008-11-24 21:41 -------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2008-06-10 17:54 . 2008-06-10 17:56 -------- d-----w c:\documents and settings\anand\Application Data\PgcEdit
2008-06-10 17:27 . 2008-06-13 13:10 272128 -c--a-w c:\windows\system32\dllcache\bthport.sys
2008-06-10 17:27 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\drivers\bthport.sys
2008-06-05 19:21 . 2004-08-02 21:55 249344 -c--a-w c:\windows\fxssvc.exe
2008-06-05 19:19 . 2004-05-23 05:28 132608 -c--a-w c:\windows\fxsclntR.dll
2008-06-05 19:19 . 2004-05-23 05:28 271360 -c--a-w c:\windows\fxscomex.dll
2008-06-05 19:18 . 2003-12-06 20:37 68096 -c--a-w c:\windows\fxscom.dll
2008-06-05 19:17 . 2004-05-23 05:28 443392 ----a-w c:\windows\fxsapi.dll
2008-06-02 18:01 . 2008-06-02 18:01 -------- d-----w c:\program files\Daniusoft
2008-05-31 03:47 . 2008-05-31 03:47 128 -c--a-w c:\documents and settings\anand\Local Settings\Application Data\fusioncache.dat
2008-05-31 03:44 . 2008-07-08 18:02 -------- d-----w c:\documents and settings\anand\Local Settings\Application Data\SpiralfrogClient
2008-05-31 03:44 . 2008-06-24 21:32 -------- d-----w c:\documents and settings\anand\Local Settings\Application Data\ApplicationHistory
2008-05-31 03:44 . 2008-09-06 22:59 -------- d-----w c:\program files\SpiralFrog
2008-05-31 02:08 . 2008-05-31 02:08 -------- d-----w c:\windows\Downloaded Installations
2008-05-24 16:22 . 2008-05-27 19:16 -------- d-----w c:\program files\RS Email Spider Demo
2008-05-16 21:16 . 2008-05-25 16:24 -------- d-----w c:\program files\Rapid-Emailer
2008-05-16 21:16 . 2008-05-16 21:16 -------- d-----w c:\program files\AF Uninstalls
2008-05-03 21:17 . 2008-05-03 21:17 -------- d-----w c:\documents and settings\anand\Local Settings\Application Data\Turbo_Tube
2008-03-25 02:53 . 2008-02-28 22:09 25600 -c--a-w c:\windows\system32\dzwrapper.dll
2008-03-25 02:53 . 2008-02-28 22:04 9056256 -c--a-w c:\windows\system32\dzcore.dll
2008-03-25 02:53 . 2008-02-28 22:10 65536 -c--a-w c:\windows\system32\dzcarrara.dll
2008-03-25 02:53 . 2008-02-28 22:09 32256 -c--a-w c:\windows\system32\dzbryce6.dll
2008-03-25 02:53 . 2008-02-28 19:04 2076672 -c--a-w c:\windows\system32\dz3delight.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 20:49 . 2004-08-04 12:00 103424 ----a-w c:\windows\system32\szdvcup.dll
2009-04-28 01:02 . 2006-03-28 23:47 -------- d-----w c:\program files\Sound Forge
2009-04-20 03:30 . 2004-08-04 12:00 213376 -c--a-w c:\windows\system32\drivers\ndis.sys
2009-03-08 09:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:00 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2004-08-04 12:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 12:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 12:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:29 . 2004-08-04 12:00 2142720 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2004-08-03 22:59 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-12-20 22:43 . 2004-08-04 12:00 1287680 ----a-w c:\windows\system32\quartz.dll
2008-12-16 12:47 . 2004-08-04 12:00 351232 ----a-w c:\windows\system32\winhttp.dll
2008-12-11 11:57 . 2004-08-04 12:00 333184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-05 07:12 . 2004-08-04 12:00 144896 ----a-w c:\windows\system32\schannel.dll
2008-10-24 11:10 . 2004-08-04 12:00 453632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 . 2006-09-09 05:33 1809944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 . 2006-09-09 05:33 202776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:12 . 2006-09-09 05:33 323608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 . 2006-09-09 05:33 561688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:09 . 2006-09-09 05:33 51224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 . 2004-08-04 12:00 92696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:08 . 2006-09-09 05:33 34328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:15 . 2004-08-04 12:00 247326 ----a-w c:\windows\system32\strmdll.dll
2008-09-04 16:42 . 2004-08-04 12:00 1106944 ----a-w c:\windows\system32\msxml3.dll
2008-08-14 09:51 . 2004-08-04 12:00 138368 ----a-w c:\windows\system32\drivers\afd.sys
2008-07-07 20:32 . 2004-08-04 12:00 253952 ----a-w c:\windows\system32\es.dll
2008-06-24 23:12 . 2006-10-19 03:47 295936 ------w c:\windows\system32\wmpeffects.dll
2008-06-24 16:23 . 2004-08-04 12:00 74240 ----a-w c:\windows\system32\mscms.dll
2008-06-20 17:41 . 2004-08-04 12:00 245248 ----a-w c:\windows\system32\mswsock.dll
2008-06-20 10:45 . 2004-08-04 12:00 360320 -c--a-w c:\windows\system32\drivers\tcpip.sys
2008-06-20 09:52 . 2004-08-04 12:00 225920 -c--a-w c:\windows\system32\drivers\tcpip6.sys
2008-06-18 10:03 . 2004-08-04 12:00 938496 ----a-w c:\windows\system32\WMNetmgr.dll
2008-06-18 06:09 . 2004-08-04 12:00 100864 ----a-w c:\windows\system32\logagent.exe
2008-06-12 14:16 . 2006-09-09 05:31 161792 ----a-w c:\windows\system32\msdtcuiu.dll
2008-06-12 14:16 . 2006-09-09 05:31 956928 ----a-w c:\windows\system32\msdtctm.dll
2008-06-12 14:16 . 2006-09-09 05:31 91648 ----a-w c:\windows\system32\mtxoci.dll
2008-06-12 14:16 . 2006-09-09 05:31 58880 ----a-w c:\windows\system32\msdtclog.dll
2008-06-12 14:16 . 2006-09-09 05:31 428032 ----a-w c:\windows\system32\msdtcprx.dll
2008-06-12 14:16 . 2004-08-04 12:00 66560 ----a-w c:\windows\system32\mtxclu.dll
2008-05-08 12:28 . 2004-08-04 12:00 202752 -c--a-w c:\windows\system32\drivers\rmcast.sys
2008-04-11 18:50 . 2006-09-09 05:33 683520 -c--a-w c:\windows\system32\inetcomm.dll
2008-03-27 08:12 . 2004-08-04 12:00 151583 ----a-w c:\windows\system32\msjint40.dll
2008-02-26 11:59 . 2004-08-04 12:00 294912 ----a-w c:\windows\system32\msctf.dll
2008-02-20 05:32 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\dnsrslvr.dll
2007-12-27 17:45 . 1996-12-09 06:00 71680 -c--a-w c:\windows\ST5UNST.EXE
2007-12-18 09:51 . 2004-08-04 12:00 179584 -c--a-w c:\windows\system32\drivers\mrxdav.sys
2007-12-04 18:38 . 2004-08-04 12:00 550912 ----a-w c:\windows\system32\oleaut32.dll
2007-11-13 10:25 . 2004-08-04 12:00 20480 -c--a-w c:\windows\system32\drivers\secdrv.sys
2007-10-27 23:40 . 2004-08-04 12:00 222720 ----a-w c:\windows\system32\wmasf.dll
2007-07-09 13:09 . 2004-08-04 12:00 584192 ----a-w c:\windows\system32\rpcrt4.dll
2007-07-06 12:46 . 2004-08-04 12:00 95744 -c--a-w c:\windows\system32\mqsec.dll
2007-07-06 12:46 . 2004-08-04 12:00 660992 -c--a-w c:\windows\system32\mqqm.dll
2007-07-06 12:46 . 2004-08-04 12:00 48640 -c--a-w c:\windows\system32\mqupgrd.dll
2007-07-06 12:46 . 2004-08-04 12:00 471552 -c--a-w c:\windows\system32\mqutil.dll
2007-07-06 12:46 . 2004-08-04 12:00 47104 -c--a-w c:\windows\system32\mqdscli.dll
2007-07-06 12:46 . 2004-08-04 12:00 177152 -c--a-w c:\windows\system32\mqrt.dll
2007-07-06 12:46 . 2004-08-04 12:00 16896 -c--a-w c:\windows\system32\mqise.dll
2007-07-06 12:46 . 2004-08-04 12:00 138240 -c--a-w c:\windows\system32\mqad.dll
2007-07-06 10:05 . 2004-08-04 12:00 72960 -c--a-w c:\windows\system32\drivers\mqac.sys
2007-06-13 10:23 . 2004-08-04 12:00 1033216 ----a-w c:\windows\explorer.exe
2007-04-25 08:49 . 2008-11-24 21:39 328 -c----w c:\program files\GuideMenuSetup.iss
2007-04-23 10:32 . 2004-08-04 12:00 364160 -c--a-w c:\windows\system32\drivers\update.sys
2007-04-20 16:01 . 2007-04-20 16:01 2678 -c--a-w c:\windows\java\Packages\Data\28O5JF13.DAT
2007-04-20 16:01 . 2007-04-20 16:01 2678 -c--a-w c:\windows\java\Packages\Data\D7DRBXZ7.DAT
2007-04-20 16:01 . 2007-04-20 16:01 2678 -c--a-w c:\windows\java\Packages\Data\F7ZLV3NH.DAT
2007-04-20 16:01 . 2007-04-20 16:01 2678 -c--a-w c:\windows\java\Packages\Data\C9JH73RV.DAT
2007-04-20 16:01 . 2007-04-20 16:01 2678 -c--a-w c:\windows\java\Packages\Data\17L7NVHV.DAT
2007-04-18 16:12 . 2004-08-04 12:00 2854400 ----a-w c:\windows\system32\msi.dll
2007-04-10 21:18 . 2007-04-10 21:18 2232 -c--a-w c:\windows\java\Packages\Data\BHZJF1NZ.DAT
2007-04-10 21:18 . 2007-04-10 21:18 155995 -c--a-w c:\windows\java\Packages\24D7NVNN.ZIP
2007-04-06 03:28 . 2008-11-24 21:42 1237 -c----w c:\program files\WinDVDSetup.iss
2007-03-17 13:43 . 2004-08-04 12:00 292864 ----a-w c:\windows\system32\winsrv.dll
2007-03-08 15:36 . 2004-08-04 12:00 577536 ----a-w c:\windows\system32\user32.dll
2007-03-08 15:36 . 2004-08-04 12:00 40960 -c--a-w c:\windows\system32\mf3216.dll
2007-02-09 11:10 . 2004-08-04 12:00 574464 -c--a-w c:\windows\system32\drivers\ntfs.sys
2007-02-05 20:17 . 2004-08-04 12:00 185344 ----a-w c:\windows\system32\upnphost.dll
2006-12-04 20:21 . 2004-08-04 12:00 414720 -c--a-w c:\windows\system32\msscp.dll
2006-12-01 01:32 . 2006-09-09 12:53 -------- d-----w c:\program files\MediaFACE II
2006-11-27 23:36 . 2006-11-27 23:36 1143 -c--a-w c:\program files\uninstal.log
2006-11-01 19:17 . 2004-08-04 12:00 927504 -c--a-w c:\windows\system32\mfc40u.dll
2006-10-19 13:56 . 2004-08-04 12:00 713216 ----a-w c:\windows\system32\sxs.dll
2006-10-19 03:58 . 2005-01-28 19:44 8704 -c--a-w c:\windows\system32\wdfmgr.exe
2006-10-19 03:58 . 2005-01-28 19:44 8704 -c--a-w c:\windows\system32\uwdf.exe
2006-10-19 02:00 . 2005-01-28 19:44 38528 -c--a-w c:\windows\system32\drivers\wpdusb.sys
2006-10-16 16:15 . 2004-08-04 12:00 122880 ----a-w c:\windows\system32\oledlg.dll
.

------- Sigcheck -------

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[-] 2009-04-20 03:30 213376 29CB83D1A129D983B6B5135DA6A72EA5 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-20 03:30 213376 29CB83D1A129D983B6B5135DA6A72EA5 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-28_20.54.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-03-23 05:15 . 2006-03-23 05:15 16384 c:\windows\Temp\Perflib_Perfdata_464.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 43520 c:\windows\system32\wbem\proquota.exe
- 2004-08-04 12:00 . 2009-04-28 20:46 72228 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2006-03-23 05:20 72228 c:\windows\system32\perfc009.dat
- 2006-09-09 05:39 . 2009-04-21 05:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-09-09 05:39 . 2009-04-29 22:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-09-09 05:39 . 2009-04-21 05:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-09-09 05:39 . 2009-04-29 22:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-09-09 05:39 . 2009-04-29 22:14 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-09-09 05:39 . 2009-04-21 05:41 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2001-07-14 22:32 . 2001-07-14 22:32 69632 c:\windows\setupupd\temp\wsdueng.dll
- 2009-04-21 00:13 . 2007-11-30 11:18 26488 c:\windows\$hf_mig$\KB958644\update\spcustom.dll
- 2009-04-21 00:13 . 2007-11-30 11:18 17272 c:\windows\$hf_mig$\KB958644\spmsg.dll
- 2004-08-04 12:00 . 2009-04-28 20:46 425628 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2006-03-23 05:20 425628 c:\windows\system32\perfh009.dat
- 2009-04-21 00:13 . 2007-11-30 11:18 382840 c:\windows\$hf_mig$\KB958644\update\updspapi.dll
- 2009-04-21 00:13 . 2007-11-30 11:18 755576 c:\windows\$hf_mig$\KB958644\update\update.exe
- 2009-04-21 00:13 . 2007-11-30 11:18 231288 c:\windows\$hf_mig$\KB958644\spuninst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC53E145-6F19-4F17-902E-798095EAAC4F}]
2004-08-04 12:00 103424 ----a-w c:\windows\system32\ufgfcpw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-15 148888]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-05-01 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-14 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-764903313-1208633371-1849977318-30842\Scripts\Logon\0\0]
"Script"=\\mmreibc.prv\SysVol\mmreibc.prv\scripts\532Agents.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Marcus & Millichap VPN Client Software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Marcus & Millichap VPN Client Software.lnk
backup=c:\windows\pss\Marcus & Millichap VPN Client Software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Sony\\Vegas 7.0\\VegSrv70.exe"=
"c:\\Documents and Settings\\anand\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\anand\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R0 Lbd;Lbd; [x]
R0 ntcdrdrv;ntcdrdrv; [x]
R3 emifilt;Emagic EMI Filter Service;c:\windows\system32\drivers\emifilt.sys [2002-10-31 9984]
R3 emiload;Emagic EMI Device Firmware Loader Service;c:\windows\system32\Drivers\emiload.sys [2002-10-31 599424]
R3 NUVision;NUVision II Video Service;c:\windows\system32\DRIVERS\nuvvid2.sys [2001-10-28 153760]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
S0 hqrsavbr;hqrsavbr;c:\windows\system32\drivers\hqrsavbr.sys [2004-08-04 23424]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-01 101936]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a67b9bef-0559-11de-bef6-0015c51f4eff}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2006-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-436374069-839522115-1003.job
- c:\documents and settings\anand\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-05 17:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: adobe.com\get
Trusted Zone: adobe.com\www
Trusted Zone: livemocha.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2006-03-23 00:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-436374069-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3297DEA-CB89-027D-D41B-308A379B5644}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abhndggbkamanjjcfihakcojmalmnpcmaa"=hex:66,61,62,62,62,6c,67,6e,70,66,69,62,
00,00
"maknehgkbkkhlgckmcdlfohbgc"=hex:67,61,6b,6c,6c,6d,6f,63,69,6a,6e,6c,63,6f,00,
00
.
Completion time: 2006-03-23 0:45
ComboFix-quarantined-files.txt 2006-03-23 05:45
ComboFix2.txt 2009-04-28 20:57

Pre-Run: 8,945,143,808 bytes free
Post-Run: 9,050,906,624 bytes free

374 --- E O F --- 2009-04-22 08:00
uprisetv
Regular Member
 
Posts: 47
Joined: April 20th, 2009, 10:09 pm

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Unread postby Shaba » May 1st, 2009, 2:27 am

That will be corrected later.

Please delete your copy of combofix and download another copy from here

Note: DO NOT let it update itself if it asks to, or the fix will fail!

Please post back a fresh combofix log afterwards.
Last edited by Shaba on May 1st, 2009, 1:08 pm, edited 1 time in total.
Reason: link removed.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Unread postby uprisetv » May 1st, 2009, 1:02 pm

ComboFix 09-04-30.056 - anand 05/01/2009 11:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2572 [GMT -5:00]
Running from: c:\documents and settings\anand\Desktop\KittyFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)

.
((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-04-21 05:51 . 2009-04-21 06:34 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 05:51 . 2009-04-21 05:52 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-21 04:59 . 2009-04-21 04:59 -------- d-----w c:\program files\Unlocker
2009-04-21 02:02 . 2009-04-21 03:40 -------- d-----w c:\windows\BDOSCAN8
2009-04-20 03:50 . 2006-03-23 05:06 -------- d-----w c:\program files\Lavasoft
2009-04-17 16:10 . 2009-04-17 16:10 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-17 04:42 . 2009-04-17 04:42 2 ---h--w c:\windows\t55ft2832f44.dat
2009-04-17 04:42 . 2009-04-17 04:42 2 ---h--w c:\windows\t55ft2803f44.dat
2009-04-17 02:42 . 2009-04-17 02:42 2 ---h--w c:\windows\t55ft2772f44.dat
2009-04-15 15:27 . 2009-04-15 15:27 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-05 17:35 . 2009-04-05 17:35 -------- d-----w c:\documents and settings\anand\Local Settings\Application Data\Google
2009-04-03 17:30 . 2009-04-03 17:30 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-03 16:27 . 2009-04-03 16:28 -------- dc-h--w c:\windows\ie8
2009-04-03 16:24 . 2009-02-28 04:55 105984 -c--a-w c:\windows\system32\dllcache\iecompat.dll
2009-04-03 15:22 . 2009-04-03 15:29 -------- d-----w c:\documents and settings\anand\Application Data\RegTool

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 16:39 . 2004-08-04 12:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-28 20:49 . 2004-08-04 12:00 103424 ----a-w c:\windows\system32\szdvcup.dll
2009-04-28 01:02 . 2006-03-28 23:47 -------- d-----w c:\program files\Sound Forge
2009-04-27 04:47 . 2006-09-09 12:50 36128 -c--a-w c:\documents and settings\anand\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 15:33 . 2007-04-11 18:12 60 ----a-w c:\windows\wpd99.drv
2009-04-15 15:27 . 2007-12-27 19:17 -------- d-----w c:\program files\Java
2009-04-01 16:49 . 2007-01-19 00:06 34552 -c--a-w c:\documents and settings\anand\Application Data\GDIPFONTCACHEV1.DAT
2009-03-29 05:52 . 2009-02-22 04:50 -------- d-----w c:\program files\Antares Audio Technologies
2009-03-28 18:12 . 2009-03-23 21:02 -------- d-----w c:\program files\bb
2009-03-24 17:20 . 2009-03-23 21:27 -------- d-----w c:\program files\Jazz_Guitar_Solos_Vol_1-4
2009-03-23 21:27 . 2009-03-23 21:27 -------- d-----w c:\program files\Roland
2009-03-23 21:27 . 2006-09-09 11:46 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-23 21:26 . 2009-03-23 21:26 -------- d-----w c:\program files\PowerTracks DirectX Plugins
2009-03-22 23:25 . 2009-03-22 23:25 -------- d-----w c:\program files\Common Files\Native Instruments
2009-03-22 23:25 . 2009-03-22 23:25 -------- d-----w c:\program files\Common Files\Digidesign
2009-03-22 23:24 . 2008-09-06 22:04 -------- d-----w c:\program files\Native Instruments
2009-03-22 18:10 . 2009-03-22 18:10 -------- d-----w c:\program files\7-Zip
2009-03-12 16:59 . 2008-11-24 22:57 2828 -csha-w c:\windows\system32\KGyGaAvL.sys
2009-03-08 09:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:00 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2004-08-04 12:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 12:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 12:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:29 . 2004-08-04 12:00 2142720 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2004-08-03 22:59 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2007-04-25 08:49 . 2008-11-24 21:39 328 -c----w c:\program files\GuideMenuSetup.iss
2007-04-06 03:28 . 2008-11-24 21:42 1237 -c----w c:\program files\WinDVDSetup.iss
2006-11-27 23:36 . 2006-11-27 23:36 1143 -c--a-w c:\program files\uninstal.log
1998-02-10 22:34 . 2007-04-05 17:10 128000 -c--a-w c:\program files\UNWISE.EXE
2008-06-21 14:43 . 2008-06-21 14:43 75 -csh--r c:\windows\CT5PRET.BIN
2008-11-24 22:57 . 2008-11-24 22:57 8 -csh--r c:\windows\system32\4C48B0F6EE.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC53E145-6F19-4F17-902E-798095EAAC4F}]
2004-08-04 12:00 103424 ----a-w c:\windows\system32\ufgfcpw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-15 148888]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-05-01 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-14 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-764903313-1208633371-1849977318-30842\Scripts\Logon\0\0]
"Script"=\\mmreibc.prv\SysVol\mmreibc.prv\scripts\532Agents.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Marcus & Millichap VPN Client Software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Marcus & Millichap VPN Client Software.lnk
backup=c:\windows\pss\Marcus & Millichap VPN Client Software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Sony\\Vegas 7.0\\VegSrv70.exe"=
"c:\\Documents and Settings\\anand\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\anand\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R0 Lbd;Lbd; [x]
R0 ntcdrdrv;ntcdrdrv; [x]
R3 emifilt;Emagic EMI Filter Service;c:\windows\system32\drivers\emifilt.sys [2002-10-31 9984]
R3 emiload;Emagic EMI Device Firmware Loader Service;c:\windows\system32\Drivers\emiload.sys [2002-10-31 599424]
R3 NUVision;NUVision II Video Service;c:\windows\system32\DRIVERS\nuvvid2.sys [2001-10-28 153760]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
S0 hqrsavbr;hqrsavbr;c:\windows\system32\drivers\hqrsavbr.sys [2004-08-04 23424]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-01 101936]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a67b9bef-0559-11de-bef6-0015c51f4eff}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-436374069-839522115-1003.job
- c:\documents and settings\anand\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-05 17:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: adobe.com\get
Trusted Zone: adobe.com\www
Trusted Zone: livemocha.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 11:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-436374069-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3297DEA-CB89-027D-D41B-308A379B5644}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abhndggbkamanjjcfihakcojmalmnpcmaa"=hex:66,61,62,62,62,6c,67,6e,70,66,69,62,
00,00
"maknehgkbkkhlgckmcdlfohbgc"=hex:67,61,6b,6c,6c,6d,6f,63,69,6a,6e,6c,63,6f,00,
00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2360)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\BRSS01A.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Marcus & Millichap\VPN Client Software\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\emitray.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Microsoft LifeCam\MSCamSvc.exe
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-05-01 12:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 17:00
ComboFix2.txt 2006-03-23 05:45
ComboFix3.txt 2009-04-28 20:57

Pre-Run: 8,822,489,088 bytes free
Post-Run: 8,919,162,880 bytes free

217 --- E O F --- 2009-04-22 08:00
uprisetv
Regular Member
 
Posts: 47
Joined: April 20th, 2009, 10:09 pm
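The log above carries the settings a responder checks first: on-access scanning disabled in the AV header, Security Center monitoring disabled, the Windows firewall off, a BHO loading a DLL straight out of system32, and a boot-start driver whose only description is its own name. The following triage script is an added example for this thread, not code from ComboFix or the forum: it parses ComboFix-style log lines and flags those items; the rules are my own review heuristics and the sample lines are constructed to mirror the posted log.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Flags weakened security posture and suspicious load points in the text
format ComboFix prints. Rules are review heuristics, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC53E145-6F19-4F17-902E-798095EAAC4F}]
2004-08-04 12:00 103424 ----a-w c:\windows\system32\ufgfcpw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd; [x]
R3 emifilt;Emagic EMI Filter Service;c:\windows\system32\drivers\emifilt.sys [2002-10-31 9984]
S0 hqrsavbr;hqrsavbr;c:\windows\system32\drivers\hqrsavbr.sys [2004-08-04 23424]
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
DLL_PATH_RE = re.compile(r"(?P<path>[a-z]:\\[^\[\]]+?\.dll)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id
    detail: str  # the log fragment that triggered it


def _reg_int(value: str) -> Optional[int]:
    """Parse the value forms ComboFix prints: 'dword:00000001', '0 (0x0)', '"0x00000000"'."""
    value = value.strip().strip('"')
    if value.startswith("dword:"):
        return int(value[6:], 16)
    head = value.split()[0] if value else ""
    try:
        return int(head, 0)
    except ValueError:
        return None


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current [registry section], and collect findings."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # ComboFix header line reports the installed AV's on-access state
        if line.startswith("AV:") and "scanning disabled" in line:
            findings.append(Finding("av_realtime_disabled", line))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, num = m.group("name"), _reg_int(m.group("value"))
            if name == "EnableFirewall" and "firewallpolicy" in section and num == 0:
                findings.append(Finding("firewall_disabled", line))
            elif name == "DisableMonitoring" and "security center" in section and num == 1:
                findings.append(Finding("security_center_monitoring_disabled", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if "[x]" in m.group("rest"):
                # service registered but its binary is gone: orphan or removed component
                findings.append(Finding("service_binary_missing", line))
            elif m.group("start") in ("R0", "S0") and m.group("name") == m.group("desc"):
                # boot-start driver with no descriptive name: worth a look
                findings.append(Finding("boot_driver_without_description", line))
            continue
        if "browser helper objects" in section:
            m = DLL_PATH_RE.search(line)
            if m and "\\system32\\" in m.group("path").lower():
                # legitimate BHOs normally live under Program Files, not system32
                findings.append(Finding("bho_loaded_from_system32", m.group("path")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:36} {f.detail}")
```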

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Unread postby Shaba » May 1st, 2009, 1:13 pm

Good, it worked :)

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=42105
    
    Collect::
    c:\windows\system32\ufgfcpw.dll
    c:\windows\system32\drivers\hqrsavbr.sys
    
    Driver::
    hqrsavbr
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Unread postby uprisetv » May 1st, 2009, 5:30 pm

ComboFix 09-04-30.056 - anand 05/01/2009 16:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2572 [GMT -5:00]
Running from: c:\documents and settings\anand\Desktop\KittyFix.exe
Command switches used :: c:\documents and settings\anand\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

file zipped: c:\windows\system32\drivers\hqrsavbr.sys
file zipped: c:\windows\system32\ufgfcpw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\hqrsavbr.sys
c:\windows\system32\ufgfcpw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HQRSAVBR
-------\Service_hqrsavbr


((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-04-21 05:51 . 2009-04-21 06:34 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 05:51 . 2009-04-21 05:52 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-21 04:59 . 2009-04-21 04:59 -------- d-----w c:\program files\Unlocker
2009-04-21 02:02 . 2009-04-21 03:40 -------- d-----w c:\windows\BDOSCAN8
2009-04-20 03:50 . 2006-03-23 05:06 -------- d-----w c:\program files\Lavasoft
2009-04-17 16:10 . 2009-04-17 16:10 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-17 04:42 . 2009-04-17 04:42 2 ---h--w c:\windows\t55ft2832f44.dat
2009-04-17 04:42 . 2009-04-17 04:42 2 ---h--w c:\windows\t55ft2803f44.dat
2009-04-17 02:42 . 2009-04-17 02:42 2 ---h--w c:\windows\t55ft2772f44.dat
2009-04-15 15:27 . 2009-04-15 15:27 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-05 17:35 . 2009-04-05 17:35 -------- d-----w c:\documents and settings\anand\Local Settings\Application Data\Google
2009-04-03 17:30 . 2009-04-03 17:30 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-03 16:27 . 2009-04-03 16:28 -------- dc-h--w c:\windows\ie8
2009-04-03 16:24 . 2009-02-28 04:55 105984 -c--a-w c:\windows\system32\dllcache\iecompat.dll
2009-04-03 15:22 . 2009-04-03 15:29 -------- d-----w c:\documents and settings\anand\Application Data\RegTool

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 21:16 . 2004-08-04 12:00 23424 ----a-w c:\windows\system32\drivers\vjhbnosj.sys
2009-05-01 21:07 . 2006-03-28 23:47 -------- d-----w c:\program files\Sound Forge
2009-05-01 16:39 . 2004-08-04 12:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-28 20:49 . 2004-08-04 12:00 103424 ----a-w c:\windows\system32\szdvcup.dll
2009-04-27 04:47 . 2006-09-09 12:50 36128 -c--a-w c:\documents and settings\anand\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 15:33 . 2007-04-11 18:12 60 ----a-w c:\windows\wpd99.drv
2009-04-15 15:27 . 2007-12-27 19:17 -------- d-----w c:\program files\Java
2009-04-01 16:49 . 2007-01-19 00:06 34552 -c--a-w c:\documents and settings\anand\Application Data\GDIPFONTCACHEV1.DAT
2009-03-29 05:52 . 2009-02-22 04:50 -------- d-----w c:\program files\Antares Audio Technologies
2009-03-28 18:12 . 2009-03-23 21:02 -------- d-----w c:\program files\bb
2009-03-24 17:20 . 2009-03-23 21:27 -------- d-----w c:\program files\Jazz_Guitar_Solos_Vol_1-4
2009-03-23 21:27 . 2009-03-23 21:27 -------- d-----w c:\program files\Roland
2009-03-23 21:27 . 2006-09-09 11:46 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-23 21:26 . 2009-03-23 21:26 -------- d-----w c:\program files\PowerTracks DirectX Plugins
2009-03-22 23:25 . 2009-03-22 23:25 -------- d-----w c:\program files\Common Files\Native Instruments
2009-03-22 23:25 . 2009-03-22 23:25 -------- d-----w c:\program files\Common Files\Digidesign
2009-03-22 23:24 . 2008-09-06 22:04 -------- d-----w c:\program files\Native Instruments
2009-03-22 18:10 . 2009-03-22 18:10 -------- d-----w c:\program files\7-Zip
2009-03-12 16:59 . 2008-11-24 22:57 2828 -csha-w c:\windows\system32\KGyGaAvL.sys
2009-03-08 09:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:00 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2004-08-04 12:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 12:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 12:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:29 . 2004-08-04 12:00 2142720 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2004-08-03 22:59 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2007-04-25 08:49 . 2008-11-24 21:39 328 -c----w c:\program files\GuideMenuSetup.iss
2007-04-06 03:28 . 2008-11-24 21:42 1237 -c----w c:\program files\WinDVDSetup.iss
2006-11-27 23:36 . 2006-11-27 23:36 1143 -c--a-w c:\program files\uninstal.log
1998-02-10 22:34 . 2007-04-05 17:10 128000 -c--a-w c:\program files\UNWISE.EXE
2008-06-21 14:43 . 2008-06-21 14:43 75 -csh--r c:\windows\CT5PRET.BIN
2008-11-24 22:57 . 2008-11-24 22:57 8 -csh--r c:\windows\system32\4C48B0F6EE.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-01_16.58.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-01 21:24 . 2009-05-01 21:24 16384 c:\windows\Temp\Perflib_Perfdata_498.dat
+ 2004-08-04 12:00 . 2009-05-01 17:01 72228 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-05-01 14:48 72228 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-05-01 17:01 425628 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-01 14:48 425628 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-15 148888]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-05-01 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-14 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-764903313-1208633371-1849977318-30842\Scripts\Logon\0\0]
"Script"=\\mmreibc.prv\SysVol\mmreibc.prv\scripts\532Agents.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Marcus & Millichap VPN Client Software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Marcus & Millichap VPN Client Software.lnk
backup=c:\windows\pss\Marcus & Millichap VPN Client Software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Sony\\Vegas 7.0\\VegSrv70.exe"=
"c:\\Documents and Settings\\anand\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\anand\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R3 emifilt;Emagic EMI Filter Service;c:\windows\system32\drivers\emifilt.sys [2002-10-31 9984]
R3 emiload;Emagic EMI Device Firmware Loader Service;c:\windows\system32\Drivers\emiload.sys [2002-10-31 599424]


--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10910

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a67b9bef-0559-11de-bef6-0015c51f4eff}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-436374069-839522115-1003.job
- c:\documents and settings\anand\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-05 17:35]
.
- - - - ORPHANS REMOVED - - - -

BHO-{CC53E145-6F19-4F17-902E-798095EAAC4F} - c:\windows\system32\ufgfcpw.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: adobe.com\get
Trusted Zone: adobe.com\www
Trusted Zone: livemocha.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 16:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-436374069-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3297DEA-CB89-027D-D41B-308A379B5644}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abhndggbkamanjjcfihakcojmalmnpcmaa"=hex:66,61,62,62,62,6c,67,6e,70,66,69,62,
00,00
"maknehgkbkkhlgckmcdlfohbgc"=hex:67,61,6b,6c,6c,6d,6f,63,69,6a,6e,6c,63,6f,00,
00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3052)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\BRSS01A.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Marcus & Millichap\VPN Client Software\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\emitray.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Microsoft LifeCam\MSCamSvc.exe
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\SavRoam.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-05-01 16:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 21:27
ComboFix2.txt 2009-05-01 17:01
ComboFix3.txt 2006-03-23 05:45
ComboFix4.txt 2009-04-28 20:57

Pre-Run: 8,620,556,288 bytes free
Post-Run: 8,622,133,248 bytes free

229 --- E O F --- 2009-04-22 08:00
uprisetv
Regular Member
 
Posts: 47
Joined: April 20th, 2009, 10:09 pm

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Unread postby Shaba » May 2nd, 2009, 2:05 am

And one round is still needed:

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    c:\windows\system32\drivers\vjhbnosj.sys

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Unread postby uprisetv » May 2nd, 2009, 11:53 am

ComboFix 09-04-30.056 - anand 05/02/2009 10:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2539 [GMT -5:00]
Running from: c:\documents and settings\anand\Desktop\KittyFix.exe
Command switches used :: c:\documents and settings\anand\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

FILE ::
c:\windows\system32\drivers\vjhbnosj.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\vjhbnosj.sys

.
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-04-21 05:51 . 2009-04-21 06:34 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 05:51 . 2009-04-21 05:52 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-21 04:59 . 2009-04-21 04:59 -------- d-----w c:\program files\Unlocker
2009-04-21 02:02 . 2009-04-21 03:40 -------- d-----w c:\windows\BDOSCAN8
2009-04-20 03:50 . 2006-03-23 05:06 -------- d-----w c:\program files\Lavasoft
2009-04-17 16:10 . 2009-04-17 16:10 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-17 04:42 . 2009-04-17 04:42 2 ---h--w c:\windows\t55ft2832f44.dat
2009-04-17 04:42 . 2009-04-17 04:42 2 ---h--w c:\windows\t55ft2803f44.dat
2009-04-17 02:42 . 2009-04-17 02:42 2 ---h--w c:\windows\t55ft2772f44.dat
2009-04-15 15:27 . 2009-04-15 15:27 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-05 17:35 . 2009-04-05 17:35 -------- d-----w c:\documents and settings\anand\Local Settings\Application Data\Google
2009-04-03 17:30 . 2009-04-03 17:30 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-03 16:27 . 2009-04-03 16:28 -------- dc-h--w c:\windows\ie8
2009-04-03 16:24 . 2009-02-28 04:55 105984 -c--a-w c:\windows\system32\dllcache\iecompat.dll
2009-04-03 15:22 . 2009-04-03 15:29 -------- d-----w c:\documents and settings\anand\Application Data\RegTool

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 06:11 . 2006-03-28 23:47 -------- d-----w c:\program files\Sound Forge
2009-05-01 16:39 . 2004-08-04 12:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-28 20:49 . 2004-08-04 12:00 103424 ----a-w c:\windows\system32\szdvcup.dll
2009-04-27 04:47 . 2006-09-09 12:50 36128 -c--a-w c:\documents and settings\anand\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 15:33 . 2007-04-11 18:12 60 ----a-w c:\windows\wpd99.drv
2009-04-15 15:27 . 2007-12-27 19:17 -------- d-----w c:\program files\Java
2009-04-01 16:49 . 2007-01-19 00:06 34552 -c--a-w c:\documents and settings\anand\Application Data\GDIPFONTCACHEV1.DAT
2009-03-29 05:52 . 2009-02-22 04:50 -------- d-----w c:\program files\Antares Audio Technologies
2009-03-28 18:12 . 2009-03-23 21:02 -------- d-----w c:\program files\bb
2009-03-24 17:20 . 2009-03-23 21:27 -------- d-----w c:\program files\Jazz_Guitar_Solos_Vol_1-4
2009-03-23 21:27 . 2009-03-23 21:27 -------- d-----w c:\program files\Roland
2009-03-23 21:27 . 2006-09-09 11:46 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-23 21:26 . 2009-03-23 21:26 -------- d-----w c:\program files\PowerTracks DirectX Plugins
2009-03-22 23:25 . 2009-03-22 23:25 -------- d-----w c:\program files\Common Files\Native Instruments
2009-03-22 23:25 . 2009-03-22 23:25 -------- d-----w c:\program files\Common Files\Digidesign
2009-03-22 23:24 . 2008-09-06 22:04 -------- d-----w c:\program files\Native Instruments
2009-03-22 18:10 . 2009-03-22 18:10 -------- d-----w c:\program files\7-Zip
2009-03-12 16:59 . 2008-11-24 22:57 2828 -csha-w c:\windows\system32\KGyGaAvL.sys
2009-03-08 09:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:00 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2004-08-04 12:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 12:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 12:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:29 . 2004-08-04 12:00 2142720 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2004-08-03 22:59 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2007-04-25 08:49 . 2008-11-24 21:39 328 -c----w c:\program files\GuideMenuSetup.iss
2007-04-06 03:28 . 2008-11-24 21:42 1237 -c----w c:\program files\WinDVDSetup.iss
2006-11-27 23:36 . 2006-11-27 23:36 1143 -c--a-w c:\program files\uninstal.log
1998-02-10 22:34 . 2007-04-05 17:10 128000 -c--a-w c:\program files\UNWISE.EXE
2008-06-21 14:43 . 2008-06-21 14:43 75 -csh--r c:\windows\CT5PRET.BIN
2008-11-24 22:57 . 2008-11-24 22:57 8 -csh--r c:\windows\system32\4C48B0F6EE.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-01_16.58.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-01 21:24 . 2009-05-01 21:24 16384 c:\windows\Temp\Perflib_Perfdata_498.dat
+ 2004-08-04 12:00 . 2009-05-01 21:28 72228 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-05-01 14:48 72228 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-05-01 21:28 425628 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-01 14:48 425628 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-15 148888]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-05-01 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-14 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-764903313-1208633371-1849977318-30842\Scripts\Logon\0\0]
"Script"=\\mmreibc.prv\SysVol\mmreibc.prv\scripts\532Agents.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Marcus & Millichap VPN Client Software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Marcus & Millichap VPN Client Software.lnk
backup=c:\windows\pss\Marcus & Millichap VPN Client Software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Sony\\Vegas 7.0\\VegSrv70.exe"=
"c:\\Documents and Settings\\anand\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\anand\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R3 emifilt;Emagic EMI Filter Service;c:\windows\system32\drivers\emifilt.sys [2002-10-31 9984]
R3 emiload;Emagic EMI Device Firmware Loader Service;c:\windows\system32\Drivers\emiload.sys [2002-10-31 599424]


--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10910

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a67b9bef-0559-11de-bef6-0015c51f4eff}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-436374069-839522115-1003.job
- c:\documents and settings\anand\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-05 17:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: adobe.com\get
Trusted Zone: adobe.com\www
Trusted Zone: livemocha.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 10:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-436374069-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3297DEA-CB89-027D-D41B-308A379B5644}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abhndggbkamanjjcfihakcojmalmnpcmaa"=hex:66,61,62,62,62,6c,67,6e,70,66,69,62,
00,00
"maknehgkbkkhlgckmcdlfohbgc"=hex:67,61,6b,6c,6c,6d,6f,63,69,6a,6e,6c,63,6f,00,
00
.
Completion time: 2009-05-02 10:51
ComboFix-quarantined-files.txt 2009-05-02 15:51
ComboFix2.txt 2009-05-01 21:27
ComboFix3.txt 2009-05-01 17:01
ComboFix4.txt 2006-03-23 05:45
ComboFix5.txt 2009-05-02 15:49

Pre-Run: 8,575,729,664 bytes free
Post-Run: 8,572,989,440 bytes free

188 --- E O F --- 2009-04-22 08:00
uprisetv
Regular Member
 
Posts: 47
Joined: April 20th, 2009, 10:09 pm
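The two ComboFix logs in this thread carry the indicators the helper acts on: an ndis.sys under system32\drivers whose change date stands alone, tiny hidden .dat files in the Windows directory, Security Center monitoring switched off for the installed antivirus, and EnableFirewall set to 0. As an added example (not part of the thread, and not ComboFix's or the forum's code), here is a small Python triage script that parses the log's "Find3M Report" style file entries and "Reg Loading Points" style registry values and flags such patterns. The attribute-field layout and the reading of the first timestamp column as the change time are inferred from the log lines (assumptions), the sample input is constructed from lines on this page, and every hit is a prompt to check the file further (signature, hash, vendor), not a verdict: hidden/system-attribute files under system32 are sometimes legitimate licensing helpers.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of ComboFix's "Find3M Report" and "Reg Loading
# Points" sections; the lines are copied from, or modelled on, the log in the thread.
SAMPLE_LOG = r"""
2009-05-01 16:39 . 2004-08-04 12:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-28 20:49 . 2004-08-04 12:00 103424 ----a-w c:\windows\system32\szdvcup.dll
2009-04-17 04:42 . 2009-04-17 04:42 2 ---h--w c:\windows\t55ft2832f44.dat
2009-04-15 15:27 . 2007-12-27 19:17 -------- d-----w c:\program files\Java
2009-03-08 09:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2008-11-24 22:57 . 2008-11-24 22:57 8 -csh--r c:\windows\system32\4C48B0F6EE.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# File entry: optional +/- (snapshot diff), two timestamps, size (dashes for a
# directory), a 7-letter attribute field, then the path.
FILE_RE = re.compile(r"^(?:[-+] )?(\d{4}-\d\d-\d\d \d\d:\d\d) \. "
                     r"(\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) ([-a-z]{7}) (.+)$")
REG_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Attribute positions inferred from entries like d-sh--w and -csh--r (an assumption,
# not ComboFix documentation): d = directory, s = system, h = hidden.
ATTR_DIR, ATTR_SYSTEM, ATTR_HIDDEN = 0, 2, 3
LONE_CHANGE = "system32 file changed on a day with no other file activity"
HIDDEN_ROOT = "hidden/system-attribute file directly under c:\\windows or system32"
# Security Center values that silence its monitoring when non-zero.
SC_DISABLE = {"antivirusdisablenotify", "firewalldisablenotify",
              "updatesdisablenotify", "disablemonitoring"}


def parse_file_entries(text):
    """First timestamp taken as the change time (Find3M sorts on it); an assumption."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            changed, _original, _size, attrs, path = m.groups()
            entries.append({"changed": datetime.strptime(changed, "%Y-%m-%d %H:%M"),
                            "is_dir": attrs[ATTR_DIR] == "d",
                            "system": attrs[ATTR_SYSTEM] == "s",
                            "hidden": attrs[ATTR_HIDDEN] == "h",
                            "path": path.lower()})
    return entries


def flag_file_entries(entries):
    """Map suspicious paths to reasons (triage hints, not verdicts)."""
    # Updates and installers touch many files in one batch; a lone system32 change on
    # a day with nothing else (ndis.sys above) deserves a second look.
    per_day = Counter(e["changed"].date() for e in entries)
    flagged = {}
    for e in entries:
        p, reasons = e["path"], []
        if e["is_dir"]:
            continue
        if p.startswith("c:\\windows\\system32\\") and per_day[e["changed"].date()] == 1:
            reasons.append(LONE_CHANGE)
        if (e["hidden"] or e["system"]) and p.rsplit("\\", 1)[0] in (
                "c:\\windows", "c:\\windows\\system32"):
            reasons.append(HIDDEN_ROOT)
        if reasons:
            flagged[p] = reasons
    return flagged


def parse_reg_values(text):
    """Return (key, value name, raw rendering) for each value under a [key] header."""
    values, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key is not None and REG_VAL_RE.match(line):
            values.append((key,) + REG_VAL_RE.match(line).groups())
    return values


def reg_int(raw):
    """Decode the renderings seen in the log: dword:00000001, "0x00000000", 0 (0x0)."""
    m = re.search(r"(?:dword:|0x)([0-9a-f]+)", raw, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\s*(\d+)", raw)
    return int(m.group(1)) if m else None


def flag_reg_values(values):
    """Security Center monitoring silenced, or the XP firewall switched off."""
    flagged = []
    for key, name, raw in values:
        v = reg_int(raw)
        if ("security center" in key and name.lower() in SC_DISABLE and v) or (
                "firewallpolicy" in key and name.lower() == "enablefirewall" and v == 0):
            flagged.append(f"{key}\\{name}")
    return flagged


def triage(text):
    return {"files": flag_file_entries(parse_file_entries(text)),
            "registry": flag_reg_values(parse_reg_values(text))}
```

Run `triage(open("ComboFix.txt").read())` on a saved log to get the two lists. The lone-change rule is the one that matters most here: the three-file cluster dated 2009-03-08 in the real log is the shape of a Windows Update batch, while ndis.sys is the only system file touched on 2009-05-01. Vendor-installed files such as Java's deploytk.dll will trip the same rule on their update day, which is why the output is a review list rather than a deletion list.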

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Unread postby Shaba » May 2nd, 2009, 12:13 pm

Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Unread postby uprisetv » May 2nd, 2009, 7:02 pm

too slow - keeps failing to run :(
uprisetv
Regular Member
 
Posts: 47
Joined: April 20th, 2009, 10:09 pm

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Unread postby Shaba » May 3rd, 2009, 1:53 am

The scan can take some time, yes.

If it won't run, you can run this instead:

Please go to ESET Online Scanner to run an online scan.
Note: You - will - need to use Internet Explorer for this scan!
  1. Check the box next to "YES, I accept the Terms of Use."
  2. Click "Start"
  3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  4. Click "Start". Make sure that the options:
    • Remove found threats is UNCHECKED
    • Scan unwanted applications is CHECKED
  5. Click "Scan"
  6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
  7. Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste the contents of log.txt in your next reply.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Aarrrgh! Antivirus disabled - crazy virus - can't remove

Unread postby uprisetv » May 3rd, 2009, 2:43 am

neither seems to load - but I'll keep trying.
uprisetv
Regular Member
 
Posts: 47
Joined: April 20th, 2009, 10:09 pm