need major help

Re: need major help

Post by jayhovah » November 2nd, 2009, 5:29 pm

GooredFix by jpshortstuff (24.09.09.1)
Log created at 16:26 on 02/11/2009 (temp)
Firefox version 3.5.4 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:14 30/01/2008]
{B13721C7-F507-4982-B2E5-502A71474FED} [01:00 05/09/2009]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [02:56 03/02/2008]
{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} [19:15 10/08/2008]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [17:31 18/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [02:22 18/08/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [21:22 30/10/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [20:54 22/07/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [04:35 20/08/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:54 22/07/2009]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord\firefox\ext" [04:52 02/10/2009]

-=E.O.F=-
jayhovah
Regular Member
Posts: 22
Joined: October 24th, 2009, 4:59 pm

Re: need major help

Post by peku006 » November 2nd, 2009, 5:35 pm

Restore HijackThis entries
The HijackThis log backup contains all entries that have been deleted...both good and bad entries.
Let's restore the deleted entries that we need.
  1. Run HijackThis
  2. Press the "View the list of backups"...button from the Main Menu
      If you are not at the Main Menu...
    • Press the "Config"...button, on the bottom right side of the screen
  3. Press the "Backups"...button at the top, under the Configuration section.
  4. Place a check in the box of the entries below..
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-10-24]
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2009-10-24]
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 [2009-10-24]
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl [2009-10-24]
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-10-24]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 [2009-10-24]
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/ [2009-10-24]
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2009-10-24]
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2009-10-24]
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll [2009-10-24]
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll [2009-10-24]
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-24]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 [2009-10-24]
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-24]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 [2009-10-24]
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll [2009-10-24]
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll [2009-10-24]
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [2009-10-24]
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [2009-10-24]
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-10-24]
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-10-24]
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll [2009-10-24]
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [2009-10-24]
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [2009-10-24]
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [2009-10-24]
    O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe [2009-10-24]
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [2009-10-24]
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe [2009-10-24]
    O4 - Startup: Mozilla Firefox (2).lnk = C:\Program Files\Mozilla Firefox\firefox.exe [2009-10-24]
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl [2009-10-24]
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [2009-10-24]
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [2009-10-24]
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [2009-10-24]
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [2009-10-24]
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2009-10-24]
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe [2009-10-24]
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet [2009-10-24]
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-10-24]
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install [2009-10-24]
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE [2009-10-24]
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE [2009-10-24]
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe [2009-10-24]
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2009-10-24]
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2009-10-24]
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2009-10-24]
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2009-10-24]
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-10-24]
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll [2009-10-24]
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll [2009-10-24]
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe [2009-10-24]
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-10-24]
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-10-24]
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe [2009-10-24]
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-10-24]
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL [2009-10-24]
  5. When all entries have been checked...press the "Restore"...button to the right.
  6. When the restore is done...press the "Back"...button.
  7. Press the "Scan"...button.
  8. When the scan is completed, press the "Save log"...button. Save the logfile to your desktop.
  9. A Notepad window will open, with a copy of the "hijackthis.log".
Please copy/paste the contents of the hijackthis.log file in your next reply.

Thanks peku006
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: need major help

Post by jayhovah » November 2nd, 2009, 6:26 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:46 PM, on 11/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\OpenOffice.org 3\program\swriter.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [32015011] C:\DOCUME~1\ALLUSE~1\APPLIC~1\32015011\32015011.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Mozilla Firefox (2).lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6913 bytes
jayhovah
Regular Member
Posts: 22
Joined: October 24th, 2009, 4:59 pm
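The HijackThis log above is plain text with a fixed line shape (section code, dash, body), which makes it easy to triage automatically instead of eyeballing 60-odd lines. The following is an added example, not HijackThis's own code and not part of the helper's instructions: it parses a constructed sample condensed from the log posted above and applies three review heuristics that are this example's own assumptions, not HijackThis's verdicts: an O2/O3 entry whose DLL is "(no file)" (orphaned registration), an O4 Run value whose executable sits in a purely numeric folder under the all-users Application Data directory (the shape of the [32015011] entry), and an O4 Run value with no directory at all (resolved via the search path). A "high" finding means "look at this first", not "this is malware".

```python
import re
from dataclasses import dataclass
from typing import List, Dict

# Constructed sample in HijackThis v2 log format, condensed from the log
# posted above. The line format is HijackThis's own; the heuristics below
# are this example's assumptions, not HijackThis's.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [32015011] C:\DOCUME~1\ALLUSE~1\APPLIC~1\32015011\32015011.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - <body>", "R0 - <body>", ... ; everything else (process list, headers) is skipped.
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+)\s+-\s+(?P<body>.+)$")
# Registry Run values: HKLM\..\Run: [ValueName] <command line>
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
# Executable directly inside a purely numeric folder under the all-users
# Application Data directory, in either long or 8.3 form.
NUMERIC_APPDATA_RE = re.compile(
    r"(?:ALLUSE~1\\APPLIC~1|All Users\\Application Data)\\(?P<dir>\d+)\\(?P<exe>[^\\\s\"]+\.exe)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low": review priority, not a malware verdict
    reason: str
    line: str


def image_path(cmd: str) -> str:
    """Return the executable path of a Run command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the image ends at the first whitespace (adequate for Run values).
    return cmd.split()[0]


def analyse(log_text: str) -> List[Finding]:
    """Apply the review heuristics to every recognised HijackThis entry."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")

        # A BHO/toolbar CLSID still registered although its DLL is gone.
        if section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding(section, "low", "BHO/toolbar registered but DLL missing", line))
            continue

        if section == "O4":
            r = RUN_RE.match(body)
            if not r:
                continue  # Startup-folder .lnk entries have a different shape; not handled here
            img = image_path(r.group("cmd"))
            n = NUMERIC_APPDATA_RE.search(img)
            if n:
                # EXE named after its numeric parent folder is the tighter match.
                same_name = n.group("exe").lower() == n.group("dir") + ".exe"
                findings.append(Finding(
                    section, "high" if same_name else "medium",
                    "Run value launches an EXE from a numeric folder under All Users\\Application Data",
                    line))
            elif "\\" not in img:
                findings.append(Finding(section, "low", "Run value has no directory; image resolved via search path", line))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run it against a saved hijackthis.log by reading the file into `analyse()` in place of `SAMPLE_LOG`. The bare-filename check will also flag legitimate OEM entries such as RTHDCPL.EXE, which is why it is only "low": the point is to order the reading, not to replace it.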

Re: need major help

Post by peku006 » November 3rd, 2009, 4:13 am

Hi jayhovah

We will continue with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks peku006
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: need major help

Post by jayhovah » November 3rd, 2009, 2:39 pm

For some reason it's not giving me the option to turn off AVG. I went into advanced settings and all the options are grayed out. I can't even uninstall it to run ComboFix. I have AVG 8.5, am I missing something?
jayhovah
Regular Member
Posts: 22
Joined: October 24th, 2009, 4:59 pm

Re: need major help

Post by peku006 » November 3rd, 2009, 2:45 pm

Hi

Did you read these instructions?
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: need major help

Post by jayhovah » November 3rd, 2009, 3:43 pm

Yes, I did, for the AVG that I have. Still grayed out.
jayhovah
Regular Member
Posts: 22
Joined: October 24th, 2009, 4:59 pm

Re: need major help

Post by peku006 » November 3rd, 2009, 3:51 pm

Hi

"Grayed out" means that it is not active. Try running ComboFix again.
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: need major help

Post by jayhovah » November 3rd, 2009, 4:14 pm

Even if ComboFix still says it's running?
jayhovah
Regular Member
Posts: 22
Joined: October 24th, 2009, 4:59 pm

Re: need major help

Post by peku006 » November 3rd, 2009, 4:31 pm

Yes
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: need major help

Post by jayhovah » November 3rd, 2009, 5:35 pm

ComboFix 09-11-03.01 - temp 11/03/2009 16:12.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1983.1685 [GMT -5:00]
Running from: c:\documents and settings\temp\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Arick\Application Data\Google\T-Scan
c:\documents and settings\Arick\Application Data\WeatherDPA
c:\documents and settings\Arick\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\windows\system32\config\systemprofile\Desktop\Security Tool.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Security Tool.lnk

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-03 19:37 . 2009-11-03 19:37 -------- d-----w- c:\program files\JRE
2009-10-31 08:11 . 2009-10-31 08:11 -------- d-----w- c:\documents and settings\temp\Application Data\acccore
2009-10-31 08:11 . 2009-10-31 08:11 -------- d-----w- c:\documents and settings\temp\Local Settings\Application Data\AOL
2009-10-31 08:04 . 2009-10-31 08:04 -------- d-----w- c:\documents and settings\temp\Local Settings\Application Data\AOL OCP
2009-10-31 08:04 . 2009-10-31 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-10-31 08:04 . 2009-10-31 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-10-31 08:04 . 2009-10-31 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-10-31 08:04 . 2009-10-31 08:04 -------- d-----w- c:\program files\Common Files\AOL
2009-10-31 08:03 . 2009-10-31 08:11 -------- d-----w- c:\program files\AIM6
2009-10-30 10:53 . 2009-10-30 10:53 -------- d-----w- c:\program files\Utherverse Digital Inc
2009-10-29 23:10 . 2009-10-29 23:10 -------- d-----w- c:\documents and settings\temp\Application Data\AVG8
2009-10-29 22:29 . 2009-10-29 22:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-29 15:06 . 2009-10-29 15:06 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-28 19:12 . 2009-10-28 19:12 -------- d-----w- C:\rsit
2009-10-25 06:24 . 2009-10-25 06:24 -------- d-----w- c:\program files\iPod
2009-10-25 06:24 . 2009-10-25 06:24 -------- d-----w- c:\program files\iTunes
2009-10-25 06:24 . 2009-10-25 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-25 06:21 . 2009-10-25 06:22 -------- d-----w- c:\program files\QuickTime
2009-10-24 23:48 . 2009-10-24 23:48 -------- d-----w- c:\program files\Trend Micro
2009-10-24 21:18 . 2009-10-24 21:18 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes
2009-10-24 19:44 . 2009-10-24 19:44 -------- d-----w- c:\documents and settings\temp\Application Data\Malwarebytes
2009-10-24 19:44 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 19:44 . 2009-10-24 21:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 19:44 . 2009-10-24 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-24 19:44 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 07:45 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2009-10-20 07:45 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2009-10-20 07:45 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-10-20 07:45 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2009-10-20 07:45 . 2009-10-13 18:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-20 07:45 . 2009-10-20 07:45 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-10-19 06:43 . 2009-10-19 06:43 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-10-19 06:09 . 2009-10-19 06:09 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Yahoo!
2009-10-19 00:45 . 2009-08-04 14:20 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-19 00:45 . 2009-08-04 15:13 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-15 20:59 . 2009-10-15 20:59 -------- d-----w- c:\documents and settings\Guest\Application Data\U3
2009-10-12 20:20 . 2009-10-12 20:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-11 03:43 . 2009-10-11 03:43 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-07 07:32 . 2009-10-07 07:32 -------- d-----w- C:\NetZeroInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 20:34 . 2008-05-13 04:20 -------- d-----w- c:\documents and settings\temp\Application Data\uTorrent
2009-11-03 19:37 . 2009-07-22 20:57 -------- d-----w- c:\program files\OpenOffice.org 3
2009-11-01 07:24 . 2008-10-22 02:16 445 ----a-w- c:\windows\EntPack.dat
2009-10-31 10:10 . 2008-04-19 18:11 -------- d-----w- c:\documents and settings\temp\Application Data\Apple Computer
2009-10-31 08:04 . 2008-04-17 05:14 -------- d-----w- c:\program files\Viewpoint
2009-10-31 08:04 . 2008-04-17 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-31 08:01 . 2008-04-17 05:14 -------- d-----w- c:\program files\AIM
2009-10-30 21:22 . 2008-02-03 02:56 -------- d-----w- c:\program files\Java
2009-10-30 21:10 . 2008-02-29 06:40 -------- d-----w- c:\program files\LimeWire
2009-10-30 06:12 . 2008-06-11 03:30 -------- d-----w- c:\documents and settings\Guest\Application Data\Apple Computer
2009-10-29 23:28 . 2009-06-19 13:06 -------- d-----w- c:\program files\AVG
2009-10-29 23:27 . 2009-06-19 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-25 06:24 . 2008-04-13 04:54 -------- d-----w- c:\program files\Common Files\Apple
2009-10-24 21:04 . 2009-04-15 21:44 -------- d-----w- c:\program files\Angle Interactive
2009-10-23 22:19 . 2008-03-16 03:35 -------- d-----w- c:\documents and settings\Kenny\Application Data\LimeWire
2009-10-20 07:45 . 2008-11-23 03:59 -------- d-----w- c:\program files\ffdshow
2009-10-19 03:37 . 2008-01-29 13:05 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-14 14:48 . 2009-09-26 05:52 -------- d-----w- c:\documents and settings\temp\Application Data\FrostWire
2009-10-12 02:12 . 2009-09-20 23:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-11 03:34 . 2009-09-05 01:00 -------- d-----w- c:\documents and settings\temp\Application Data\Skype
2009-10-11 03:34 . 2009-09-05 01:04 -------- d-----w- c:\documents and settings\temp\Application Data\skypePM
2009-10-11 03:33 . 2008-03-23 01:08 -------- d-----w- c:\documents and settings\temp\Application Data\LimeWire
2009-10-08 13:51 . 2009-10-04 16:53 -------- d-sh--w- c:\documents and settings\Guest\Application Data\lowsec
2009-10-04 19:28 . 2008-04-14 20:33 -------- d-----w- c:\documents and settings\Kenny\Application Data\Apple Computer
2009-10-04 05:50 . 2009-10-04 05:34 -------- d-----w- c:\program files\Phantasy Star Online Blue Burst
2009-10-02 04:52 . 2009-10-02 04:51 -------- d-----w- c:\program files\Common Files\Real
2009-10-02 04:51 . 2009-10-02 04:51 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-02 04:51 . 2008-02-01 20:31 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-02 04:51 . 2009-10-02 04:51 -------- d-----w- c:\program files\Real
2009-09-15 03:55 . 2008-06-11 03:30 20528 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2009-09-11 14:18 136192 ----a-w- c:\windows\system32\SET3D9.tmp
2009-09-10 04:49 . 2009-09-10 04:09 -------- d-----w- c:\documents and settings\Kenny\Application Data\Skype
2009-09-10 04:10 . 2009-09-10 04:10 19896 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-09 23:14 . 2008-03-04 23:46 20528 ----a-w- c:\documents and settings\Kenny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-08 15:12 . 2009-07-15 05:02 -------- d-----w- c:\program files\Safari
2009-09-06 03:45 . 2007-11-21 14:05 20528 ----a-w- c:\documents and settings\temp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-05 19:27 . 2008-02-29 06:40 -------- d-----w- c:\documents and settings\Arick\Application Data\LimeWire
2009-09-05 04:21 . 2008-05-28 01:11 20528 ----a-w- c:\documents and settings\Arick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-05 03:21 . 2009-09-05 03:21 -------- d-----w- c:\program files\Microsoft
2009-09-05 03:21 . 2009-09-05 03:20 -------- d-----w- c:\program files\Windows Live
2009-09-05 03:21 . 2009-09-05 03:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-05 03:15 . 2009-09-05 03:15 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-05 01:04 . 2009-09-05 01:04 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-05 01:00 . 2009-09-05 01:00 -------- d-----r- c:\program files\Skype
2009-09-05 01:00 . 2009-09-05 01:00 -------- d-----w- c:\program files\Common Files\Skype
2009-09-05 01:00 . 2009-09-05 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-04 21:03 . 2009-09-04 21:03 58880 ----a-w- c:\windows\system32\SET3ED.tmp
2009-08-29 08:08 . 2009-10-14 07:35 916480 ----a-w- c:\windows\system32\SET3FF.tmp
2009-08-29 08:08 . 2009-10-14 07:35 1208832 ----a-w- c:\windows\system32\SET400.tmp
2009-08-29 08:08 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 08:08 . 2009-10-14 07:35 5940224 ----a-w- c:\windows\system32\SET402.tmp
2009-08-29 08:08 . 2009-10-14 07:35 594432 ----a-w- c:\windows\system32\SET404.tmp
2009-08-29 08:08 . 2009-10-14 07:35 55296 ----a-w- c:\windows\system32\SET403.tmp
2009-08-29 08:08 . 2009-10-14 07:35 1985536 ----a-w- c:\windows\system32\SET407.tmp
2009-08-29 08:08 . 2009-10-14 07:35 11069440 ----a-w- c:\windows\system32\SET409.tmp
2009-08-29 02:42 . 2009-07-15 04:39 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 02:42 . 2008-04-13 04:54 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2007-11-21 12:27 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2007-11-21 12:27 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2007-11-21 12:27 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2007-07-31 03:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2007-11-21 12:27 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2007-11-21 12:27 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-05 16:36 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-09-05 16:36 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2007-11-21 12:27 1929952 ----a-w- c:\windows\system32\wuaueng.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-26 49968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-02 198160]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2004-05-25 393216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-30 2023704]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-31 1622016]

c:\documents and settings\temp\Start Menu\Programs\Startup\
Mozilla Firefox (2).lnk - c:\program files\Mozilla Firefox\firefox.exe [2008-1-30 908280]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-1-29 614400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 13:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^temp^Start Menu^Programs^Startup^ESPN BottomLine.lnk]
path=c:\documents and settings\temp\Start Menu\Programs\Startup\ESPN BottomLine.lnk
backup=c:\windows\pss\ESPN BottomLine.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^temp^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\temp\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^temp^Start Menu^Programs^Startup^Yahoo! Messenger (2).lnk]
path=c:\documents and settings\temp\Start Menu\Programs\Startup\Yahoo! Messenger (2).lnk
backup=c:\windows\pss\Yahoo! Messenger (2).lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/31/2009 3:04 AM 24652]
S3 phil2vid;Philips USB VGA Camera;c:\windows\system32\drivers\philcam2.sys [1/29/2008 11:34 AM 173696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-05-16 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4201706787.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-10 01:56]

2008-05-16 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4201707429.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-10 01:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Search
FF - ProfilePath - c:\documents and settings\temp\Application Data\Mozilla\Firefox\Profiles\np858xja.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-32015011 - c:\docume~1\ALLUSE~1\APPLIC~1\32015011\32015011.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 16:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-03 16:25
ComboFix-quarantined-files.txt 2009-11-03 21:25

Pre-Run: 172,578,263,040 bytes free
Post-Run: 173,938,987,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
jayhovah
Regular Member
 
Posts: 22
Joined: October 24th, 2009, 4:59 pm

Re: need major help

Unread postby peku006 » November 4th, 2009, 3:29 am

Hi jayhovah

1 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code:
File::
c:\windows\system32\tdlwsp.dll

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2 - Run HijackThis
Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

3 - Status Check
Please reply with

1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: need major help

Unread postby jayhovah » November 7th, 2009, 12:13 am

ComboFix 09-11-06.01 - temp 11/06/2009 23:05.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1983.1414 [GMT -5:00]
Running from: c:\documents and settings\temp\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\temp\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kenny\Cookies\hpothb07.dat

.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-04 05:16 . 2009-11-04 05:20 -------- d-----w- C:\OLDGAMES
2009-11-04 05:12 . 2009-11-04 05:38 -------- d-----w- C:\DOSBox-0.73
2009-11-04 05:06 . 2009-11-04 05:06 -------- d-----w- c:\documents and settings\temp\Local Settings\Application Data\DOSBox
2009-11-03 19:37 . 2009-11-03 19:37 -------- d-----w- c:\program files\JRE
2009-10-31 08:11 . 2009-10-31 08:11 -------- d-----w- c:\documents and settings\temp\Application Data\acccore
2009-10-31 08:11 . 2009-10-31 08:11 -------- d-----w- c:\documents and settings\temp\Local Settings\Application Data\AOL
2009-10-31 08:04 . 2009-10-31 08:04 -------- d-----w- c:\documents and settings\temp\Local Settings\Application Data\AOL OCP
2009-10-31 08:04 . 2009-10-31 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-10-31 08:04 . 2009-10-31 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-10-31 08:04 . 2009-10-31 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-10-31 08:04 . 2009-10-31 08:04 -------- d-----w- c:\program files\Common Files\AOL
2009-10-31 08:03 . 2009-10-31 08:11 -------- d-----w- c:\program files\AIM6
2009-10-30 10:53 . 2009-10-30 10:53 -------- d-----w- c:\program files\Utherverse Digital Inc
2009-10-29 23:10 . 2009-10-29 23:10 -------- d-----w- c:\documents and settings\temp\Application Data\AVG8
2009-10-29 22:29 . 2009-10-29 22:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-29 15:06 . 2009-10-29 15:06 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-28 19:12 . 2009-10-28 19:12 -------- d-----w- C:\rsit
2009-10-25 06:24 . 2009-10-25 06:24 -------- d-----w- c:\program files\iPod
2009-10-25 06:24 . 2009-10-25 06:24 -------- d-----w- c:\program files\iTunes
2009-10-25 06:24 . 2009-10-25 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-25 06:21 . 2009-10-25 06:22 -------- d-----w- c:\program files\QuickTime
2009-10-25 06:13 . 2009-10-25 06:13 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-24 23:48 . 2009-10-24 23:48 -------- d-----w- c:\program files\Trend Micro
2009-10-24 21:18 . 2009-10-24 21:18 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes
2009-10-24 19:44 . 2009-10-24 19:44 -------- d-----w- c:\documents and settings\temp\Application Data\Malwarebytes
2009-10-24 19:44 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 19:44 . 2009-10-24 21:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 19:44 . 2009-10-24 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-24 19:44 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 07:45 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2009-10-20 07:45 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2009-10-20 07:45 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-10-20 07:45 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2009-10-20 07:45 . 2009-10-13 18:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-20 07:45 . 2009-10-20 07:45 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-10-19 06:43 . 2009-10-19 06:43 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-10-19 06:09 . 2009-10-19 06:09 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Yahoo!
2009-10-19 00:45 . 2009-08-04 14:20 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-10-19 00:45 . 2009-08-04 15:13 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-10-15 20:59 . 2009-10-15 20:59 -------- d-----w- c:\documents and settings\Guest\Application Data\U3
2009-10-12 20:20 . 2009-10-12 20:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-11 03:43 . 2009-10-11 03:43 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 04:04 . 2008-05-13 04:20 -------- d-----w- c:\documents and settings\temp\Application Data\uTorrent
2009-11-06 20:18 . 2008-06-11 03:30 20528 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 20:49 . 2009-07-22 21:11 1 ----a-w- c:\documents and settings\temp\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-03 19:37 . 2009-07-22 20:57 -------- d-----w- c:\program files\OpenOffice.org 3
2009-11-01 07:24 . 2008-10-22 02:16 445 ----a-w- c:\windows\EntPack.dat
2009-10-31 10:10 . 2008-04-19 18:11 -------- d-----w- c:\documents and settings\temp\Application Data\Apple Computer
2009-10-31 08:04 . 2008-04-17 05:14 -------- d-----w- c:\program files\Viewpoint
2009-10-31 08:04 . 2008-04-17 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-31 08:01 . 2008-04-17 05:14 -------- d-----w- c:\program files\AIM
2009-10-30 21:22 . 2008-02-03 02:56 -------- d-----w- c:\program files\Java
2009-10-30 21:16 . 2009-02-08 05:39 152576 ----a-w- c:\documents and settings\temp\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-10-30 21:10 . 2008-02-29 06:40 -------- d-----w- c:\program files\LimeWire
2009-10-30 06:12 . 2008-06-11 03:30 -------- d-----w- c:\documents and settings\Guest\Application Data\Apple Computer
2009-10-29 23:28 . 2009-06-19 13:06 -------- d-----w- c:\program files\AVG
2009-10-29 23:27 . 2009-06-19 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-25 06:24 . 2008-04-13 04:54 -------- d-----w- c:\program files\Common Files\Apple
2009-10-24 21:04 . 2009-04-15 21:44 -------- d-----w- c:\program files\Angle Interactive
2009-10-23 22:19 . 2008-03-16 03:35 -------- d-----w- c:\documents and settings\Kenny\Application Data\LimeWire
2009-10-20 07:45 . 2008-11-23 03:59 -------- d-----w- c:\program files\ffdshow
2009-10-20 03:38 . 2009-09-26 04:39 1 ----a-w- c:\documents and settings\Guest\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-19 03:37 . 2008-01-29 13:05 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-15 02:00 . 2009-08-16 17:47 1 ----a-w- c:\documents and settings\Kenny\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-14 14:48 . 2009-09-26 05:52 -------- d-----w- c:\documents and settings\temp\Application Data\FrostWire
2009-10-12 02:12 . 2009-09-20 23:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-11 03:34 . 2009-09-05 01:00 -------- d-----w- c:\documents and settings\temp\Application Data\Skype
2009-10-11 03:34 . 2009-09-05 01:04 -------- d-----w- c:\documents and settings\temp\Application Data\skypePM
2009-10-11 03:33 . 2008-03-23 01:08 -------- d-----w- c:\documents and settings\temp\Application Data\LimeWire
2009-10-08 13:51 . 2009-10-04 16:53 -------- d-sh--w- c:\documents and settings\Guest\Application Data\lowsec
2009-10-04 19:28 . 2008-04-14 20:33 -------- d-----w- c:\documents and settings\Kenny\Application Data\Apple Computer
2009-10-04 05:50 . 2009-10-04 05:34 -------- d-----w- c:\program files\Phantasy Star Online Blue Burst
2009-10-02 04:52 . 2009-10-02 04:51 -------- d-----w- c:\program files\Common Files\Real
2009-10-02 04:51 . 2009-10-02 04:51 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-02 04:51 . 2008-02-01 20:31 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-02 04:51 . 2009-10-02 04:51 -------- d-----w- c:\program files\Real
2009-09-26 06:23 . 2009-09-26 06:23 0 ----a-w- c:\documents and settings\temp\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-09-11 14:18 . 2009-09-11 14:18 136192 ----a-w- c:\windows\system32\SET3D9.tmp
2009-09-10 04:49 . 2009-09-10 04:09 -------- d-----w- c:\documents and settings\Kenny\Application Data\Skype
2009-09-10 04:10 . 2009-09-10 04:10 19896 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-09 23:14 . 2008-03-04 23:46 20528 ----a-w- c:\documents and settings\Kenny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-08 15:12 . 2009-07-15 05:02 -------- d-----w- c:\program files\Safari
2009-09-06 03:45 . 2007-11-21 14:05 20528 ----a-w- c:\documents and settings\temp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-05 04:26 . 2009-09-05 04:26 0 ----a-w- c:\documents and settings\Arick\Application Data\LimeWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-09-05 04:21 . 2008-05-28 01:11 20528 ----a-w- c:\documents and settings\Arick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-05 01:04 . 2009-09-05 01:04 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-04 21:03 . 2009-09-04 21:03 58880 ----a-w- c:\windows\system32\SET3ED.tmp
2009-08-29 08:08 . 2009-10-14 07:35 916480 ----a-w- c:\windows\system32\SET3FF.tmp
2009-08-29 08:08 . 2009-10-14 07:35 1208832 ----a-w- c:\windows\system32\SET400.tmp
2009-08-29 08:08 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 08:08 . 2009-10-14 07:35 5940224 ----a-w- c:\windows\system32\SET402.tmp
2009-08-29 08:08 . 2009-10-14 07:35 594432 ----a-w- c:\windows\system32\SET404.tmp
2009-08-29 08:08 . 2009-10-14 07:35 55296 ----a-w- c:\windows\system32\SET403.tmp
2009-08-29 08:08 . 2009-10-14 07:35 1985536 ----a-w- c:\windows\system32\SET407.tmp
2009-08-29 08:08 . 2009-10-14 07:35 11069440 ----a-w- c:\windows\system32\SET409.tmp
2009-08-29 02:42 . 2009-07-15 04:39 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 02:42 . 2008-04-13 04:54 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 04:33 . 2009-08-20 04:33 152576 ----a-w- c:\documents and settings\Arick\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-03_21.24.19 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-26 49968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-02 198160]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2004-05-25 393216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-30 2023704]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-31 1622016]

c:\documents and settings\temp\Start Menu\Programs\Startup\
Mozilla Firefox (2).lnk - c:\program files\Mozilla Firefox\firefox.exe [2008-1-30 908280]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-1-29 614400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 13:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^temp^Start Menu^Programs^Startup^ESPN BottomLine.lnk]
path=c:\documents and settings\temp\Start Menu\Programs\Startup\ESPN BottomLine.lnk
backup=c:\windows\pss\ESPN BottomLine.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^temp^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\temp\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^temp^Start Menu^Programs^Startup^Yahoo! Messenger (2).lnk]
path=c:\documents and settings\temp\Start Menu\Programs\Startup\Yahoo! Messenger (2).lnk
backup=c:\windows\pss\Yahoo! Messenger (2).lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/31/2009 3:04 AM 24652]
S3 phil2vid;Philips USB VGA Camera;c:\windows\system32\drivers\philcam2.sys [1/29/2008 11:34 AM 173696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-05-16 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4201706787.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-10 01:56]

2008-05-16 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4201707429.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-10 01:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Search
FF - ProfilePath - c:\documents and settings\temp\Application Data\Mozilla\Firefox\Profiles\np858xja.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 23:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-07 23:11
ComboFix-quarantined-files.txt 2009-11-07 04:11
ComboFix2.txt 2009-11-03 21:25

Pre-Run: 173,462,208,512 bytes free
Post-Run: 173,427,552,256 bytes free

- - End Of File - - 9E4FECB0769765D03B50CE5B42DF18D5
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:05 PM, on 11/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Mozilla Firefox (2).lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5981 bytes
jayhovah
Regular Member
 
Posts: 22
Joined: October 24th, 2009, 4:59 pm
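As an added example (not code from the thread, from ComboFix or from HijackThis), here is a Python script that parses the REGEDIT4-style Run-key block ComboFix prints under "Reg Loading Points" and diffs it between the two logs posted above: the second run gained the Yahoo! Pager and ctfmon.exe values and still lists tdlwsp.dll under Files Created. The embedded excerpts are trimmed copies of those two logs; the user-writable-path heuristic and the function names are my own assumptions.

```python
"""Diff Run-key autoruns between two ComboFix logs (added example; the
excerpts are trimmed from the two logs in this thread, the function names
and the triage heuristic are my own, not ComboFix's)."""
import re

# [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
# "msnmsgr"="c:\program files\...\msnmsgr.exe" [2009-07-26 3883856]
# "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-31 1622016]
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
    r'(?:\s+-\s+(?P<resolved>.+?))?'
    r'\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
# 2009-10-29 15:06 . 2009-10-29 15:06 22016 ----a-w- c:\windows\system32\tdlwsp.dll
FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}'
    r'\s+\S+\s+\S+\s+(?P<path>.+)$'
)

# Trimmed from the 2009-11-03 ComboFix log posted in this thread.
LOG_A = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-26 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"""

# Trimmed from the 2009-11-06 log (after the CFScript run) in this thread.
LOG_B = r"""
2009-10-29 15:06 . 2009-10-29 15:06 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-28 19:12 . 2009-10-28 19:12 -------- d-----w- C:\rsit

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-26 49968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"""

# Locations where legitimate autostarts are rare but droppers are common (assumption).
USER_WRITABLE = ('\\documents and settings\\', '\\application data\\',
                 '\\docume~1\\', '\\applic~1\\', '\\temp\\')

def parse_autoruns(log_text):
    """Map (key, value name) -> (path, date, size) for every value under a
    key ending in \\Run; startupfolder and firewall keys are skipped."""
    entries, current = {}, None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1) if m.group(1).lower().endswith('\\run') else None
            continue
        m = VALUE_RE.match(line) if current else None
        if m:
            path = (m.group('resolved') or m.group('value')).lower()
            entries[(current, m.group('name'))] = (path, m.group('date'), int(m.group('size')))
    return entries

def diff_autoruns(old, new):
    """(added, removed, changed) sets of (key, name); 'changed' means the
    path, date or size differs between the two runs."""
    added, removed = set(new) - set(old), set(old) - set(new)
    changed = {k for k in set(old) & set(new) if old[k] != new[k]}
    return added, removed, changed

def files_listed(log_text):
    """Lower-cased paths from Files Created / Find3M lines, e.g. to confirm
    whether a path named in a CFScript File:: block is still present."""
    return {m.group('path').lower().rstrip() for m in map(FILE_RE.match, log_text.splitlines()) if m}

def looks_odd(name, path):
    """Triage flag: digit-only names (like the orphan HKLM-Run-32015011 in
    this thread) or a path under a user profile / Application Data dir."""
    return name.isdigit() or any(tok in path.lower() for tok in USER_WRITABLE)

if __name__ == '__main__':
    old, new = parse_autoruns(LOG_A), parse_autoruns(LOG_B)
    added, removed, changed = diff_autoruns(old, new)
    for label, keys, src in (('added', added, new), ('removed', removed, old),
                             ('changed', changed, new)):
        for key, name in sorted(keys):
            path = src[(key, name)][0]
            flag = '  <-- review' if looks_odd(name, path) else ''
            print(f'{label}: {key}\\{name} -> {path}{flag}')
    print('tdlwsp.dll still listed:',
          r'c:\windows\system32\tdlwsp.dll' in files_listed(LOG_B))
```

Point it at two full ComboFix.txt files instead of the embedded excerpts to see which autostarts appeared between a CFScript run and the follow-up scan.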

Re: need major help

Unread postby peku006 » November 7th, 2009, 4:45 am

Hi jayhovah

  • Download RootRepeal from the following location and save it to your desktop.
  • Unzip it to your Desktop
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • Check the box for your main system drive (Usually C:), and Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: need major help

Unread postby jayhovah » November 11th, 2009, 1:20 am

k, that's done.
Sorry it took so long. DSL was acting up.
Now what?
jayhovah
Regular Member
 
Posts: 22
Joined: October 24th, 2009, 4:59 pm