|
|
digitaldave007
regular
Reg'd: Sat
Posts: 37
|
|
I just posted this in the XP forum but feel it is better suited here instead.
From searching the web it seems that lots of people have been infected with this particularly nasty piece of malware and I am beginning to reach the end of my tether!
I was online 2 nights ago, went to a website I visit quite often and had a pop-up appear stating your system is infected etc. I've seen these types of things before. It seemed to be eating up all my CPU so I restarted XP, and when I got to the desktop my background picture had gone blue and I had lost all of the desktop icons. Tried opening Task Manager; a message appeared saying it was infected. The same thing happened when I tried to launch Malwarebytes and AVG.
Did some online research, located the random numerical .exe files in the Application Data folder, deleted them and restarted again. Made some modifications to the registry, restarted a few times in Safe Mode and tried to run Malwarebytes again. Sometimes it loads, other times I get an error message saying it can't find the path name or something along those lines. I'm just not able to launch Malwarebytes and run the scan; like I said, sometimes it loads and sometimes the scan starts for a few seconds and then closes down. I have been able to run an AVG scan but when it is complete it informs me that it couldn't remove some of the infected files. I tried running HijackThis to post a log here but am getting the same message as with Malwarebytes; there is obviously some process preventing me from doing this.
I would really appreciate your suggestions. Thanks.
|
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31982
Loc: belfast
|
|
Hit CTRL + ALT + DEL to bring up Task Manager. Click on Processes at the top, scroll down and look for a file called 25143562.exe (or a similar number), click on it to highlight it and click on END PROCESS.
Do not reboot; try running Malwarebytes Anti-Malware again.
-------------------- IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.
When the only tool you own is a hammer, every problem begins to look like a nail.
|
digitaldave007
regular
Reg'd: Sat
Posts: 37
|
|
Tried that; it's not appearing in the Task Manager list and the .exe isn't in the Application Data folder either. It's obviously lurking in the background somewhere.
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31982
Loc: belfast
|
|
Have you tried running MBAM in SAFE MODE?
|
digitaldave007
regular
Reg'd: Sat
Posts: 37
|
|
Tried that as well with no luck; it keeps getting blocked. How do I identify which process is blocking it? I guess they have used the same file name as a legitimate file.
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31982
Loc: belfast
|
|
Remove as many of these as you can find:
How to manually remove Security Tool
Stop and remove SecurityTool processes:
Security Tool.exe
uninstall.exe
Locate and delete SecurityTool registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SecurityTool"
HKEY_CURRENT_USER\Software\Vista Antivirus 2010
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecurityTool
HKEY_LOCAL_MACHINE\SOFTWARE\SecurityTool
Detect and delete other SecurityTool files:
%System Root%\Samples
%User Profile%\Local Settings\Temp
%Program Files%\SecurityTool
%Documents and Settings%\All Users\Start Menu\Programs\SecurityTool
%Documents and Settings%\All Users\Application Data\SecurityTool
Security Tool.exe
uninstall.exe
Then:
Please download and install SUPERAntiSpyware Home Edition (free).
- Once installed, update the program definitions when prompted.
- Click the "Preferences" button and then the "Scanning Control" tab.
- Under "Scanner Options" make sure the following are checked/selected:
  1>> Close browsers before scanning.
  2>> Scan for tracking cookies.
  3>> Terminate memory threats before quarantining.
  4>> Ignore System Restore/Volume Information on ME and XP.
- Deselect all other scanning options.
- Close SUPERAntiSpyware for use later.
Then boot up in SAFE MODE.
- Open SUPERAntiSpyware and click the "Scan your computer" button.
- On the left, select "C:\Fixed Drive".
- On the right, under "Complete Scan", choose "Perform Complete Scan".
- Click "Next" to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click "OK".
- Make sure everything in the white box has a check next to it, then click "Next".
- After quarantining anything found, you may be prompted to reboot; click "Yes".
- Paste the scan log in your next reply (Preferences > Statistics/Logs tab > double-click SUPERAntiSpyware Scan Log).
|
digitaldave007
regular
Reg'd: Sat
Posts: 37
|
|
OK, tried to find those files and couldn't find any to delete. Tried searching for 'Security Tool' and got no results.
Installed SUPERAntiSpyware as instructed, changed the preferences, restarted in Safe Mode, tried to launch the program and get the following error message:
"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
|
digitaldave007
regular
Reg'd: Sat
Posts: 37
|
|
Since my above post in which I was unable to run the scan, I restarted normally and ran the online scan, which has produced the following:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/25/2009 at 01:35 PM
Application Version : 4.29.1002
Core Rules Database Version : 4189
Trace Rules Database Version: 2103
Scan type : Quick Scan
Total Scan Time : 00:58:02
Memory items scanned : 510
Memory threats detected : 0
Registry items scanned : 554
Registry threats detected : 13
File items scanned : 9785
File threats detected : 22
Unclassified.Unknown Origin
HKU\S-1-5-21-2667485867-234716120-416538077-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{598F4775-6FB6-477B-9842-E0426824E077}
Adware.Tracking Cookie
C:\Documents and Settings\David\Cookies\david@media.mtvnservices[1].txt
C:\Documents and Settings\David\Cookies\david@invitemedia[2].txt
C:\Documents and Settings\David\Cookies\david@imrworldwide[2].txt
C:\Documents and Settings\David\Cookies\david@admarketplace[1].txt
C:\Documents and Settings\David\Cookies\david@doubleclick[2].txt
C:\Documents and Settings\David\Cookies\david@lucidmedia[1].txt
C:\Documents and Settings\David\Cookies\david@media6degrees[2].txt
C:\Documents and Settings\David\Cookies\david@www.icityfind[1].txt
C:\Documents and Settings\David\Cookies\david@bridge1.admarketplace[1].txt
C:\Documents and Settings\David\Cookies\david@clicksor[2].txt
C:\Documents and Settings\David\Cookies\david@icityfind[1].txt
C:\Documents and Settings\Lara\Cookies\lara@adserver.aol[1].txt
C:\Documents and Settings\Lara\Cookies\lara@ww57.smartadserver[2].txt
C:\Documents and Settings\Lara\Cookies\lara@advertstream[1].txt
C:\Documents and Settings\Lara\Cookies\lara@www.smartadserver[2].txt
C:\Documents and Settings\Lara\Cookies\lara@ads.pointroll[1].txt
C:\Documents and Settings\Lara\Cookies\lara@content.yieldmanager[1].txt
C:\Documents and Settings\Lara\Cookies\lara@uk.at.atwola[1].txt
C:\Documents and Settings\Lara\Cookies\lara@www3.smartadserver[1].txt
Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#EPROCESS_LEOffset
HKLM\SOFTWARE\UAC#EPROCESS_NameOffset
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#a2674c18
HKLM\SOFTWARE\UAC\versions
Trojan.Agent/Gen
HKU\S-1-5-21-2667485867-234716120-416538077-1006\Software\PopRock
Trojan.Dropper/Win-NV
C:\WINDOWS\MSD.EXE
C:\WINDOWS\Prefetch\MSD.EXE-25EB529B.pf
|
bobnemesis
regular
Reg'd: Fri
Posts: 389
Loc: North Wales
|
|
You could try the following: if MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\), then rename mbam.exe to newtool.exe and double-click newtool.exe to proceed with running a full scan. What website were you visiting when this started? Was it by chance Facebook?
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31982
Loc: belfast
|
|
Did you tell SAS to remove all of those files?
If so, how is it running now?
|
digitaldave007
regular
Reg'd: Sat
Posts: 37
|
|
Yes I did; I still can't run scans like Malwarebytes or AVG. I assume there is still some process preventing me from doing this but don't know how to identify it. I don't know what to do next... :(
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31982
Loc: belfast
|
|
If ComboFix won't run:
right-click on it and choose Rename, and change its name to COMBO-FIX.EXE.
Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename ComboFix unless instructed.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
- If there is no Internet connection after running ComboFix, restart your computer to restore your connection.
Double-click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Post the ComboFix log in a new thread in the HijackThis forum.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**
|
digitaldave007
regular
Reg'd: Sat
Posts: 37
|
|
Thanks, I have used that before, but on a different computer! Will try tomorrow and then report back with the results.
|
digitaldave007
regular
Reg'd: Sat
Posts: 37
|
|
Hello,
Apologies for not replying yesterday; I was so stressed out over the weekend I had to take a break from it. Also, I wanted to back up some files in case ComboFix crashed the system. Anyway, here is the report. I have tried running a HJT report but it is still being blocked.
ComboFix 09-10-26.06 - David 27/10/2009 21:25.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.620 [GMT 0:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
c:\documents and settings\David\Application Data\inst.exe
c:\recycler\S-1-5-21-1021367686-3952511500-732925582-1003
c:\windows\run.log
c:\windows\system32\images
c:\windows\system32\images\3models.gif
c:\windows\system32\images\but3_off.gif
c:\windows\system32\images\but3_on.gif
c:\windows\system32\images\main_bot.gif
c:\windows\system32\images\main_mid.gif
c:\windows\system32\images\main_top.gif
c:\windows\system32\images\model1.gif
c:\windows\system32\images\panel_bot.gif
c:\windows\system32\images\panel_top.gif
c:\windows\system32\images\pc.gif
c:\windows\system32\images\pcw_award_cover.gif
c:\windows\system32\images\pcwcover.gif
c:\windows\system32\images\Thumbs.db
c:\windows\system32\images\topoff.gif
c:\windows\system32\images\topon.gif
c:\windows\system32\images\webscreen.gif
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
. ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) .
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 ))))))))))))))))))))))))))))))) .
2009-10-26 23:19 . 2009-10-26 23:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-26 20:52 . 2009-10-26 20:52 -------- d-----w- c:\program files\Trend Micro
2009-10-25 10:35 . 2009-10-25 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-25 10:34 . 2009-10-27 21:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-25 10:34 . 2009-10-25 10:34 -------- d-----w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com
2009-10-23 21:44 . 2009-10-23 21:44 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Threat Expert
2009-10-23 20:57 . 2009-10-23 20:57 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-22 21:17 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 21:17 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 21:33 . 2009-10-27 21:13 0 ----a-r- c:\windows\win32k.sys
2009-10-21 21:29 . 2009-10-21 21:29 0 ----a-w- c:\windows\Xzihagijobake.bin
2009-10-21 21:29 . 2009-10-21 21:29 120 ----a-w- c:\windows\Rmidakidalo.dat
2009-10-21 21:29 . 2009-10-21 21:29 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\{E6264B27-973A-4737-A202-28679E0A65C2}
2009-10-03 16:22 . 2009-10-01 10:29 195440 ------w- c:\windows\system32\MpSigStub.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 21:08 . 2008-03-12 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-26 23:19 . 2006-03-15 21:47 -------- d-----w- c:\program files\Java
2009-10-26 23:15 . 2006-04-22 14:38 -------- d-----w- c:\program files\Common Files\Ahead
2009-10-26 22:41 . 2009-02-11 23:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 10:33 . 2006-03-31 16:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-23 22:08 . 2006-09-28 22:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-23 22:08 . 2006-09-28 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-23 17:16 . 2007-07-20 17:05 -------- d-----w- c:\program files\Yahoo!
2009-10-21 21:00 . 2009-04-21 16:53 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-19 21:42 . 2006-03-15 21:49 -------- d-----w- c:\documents and settings\David\Application Data\Azureus
2009-10-19 21:12 . 2006-03-28 17:03 -------- d-----w- c:\program files\Soulseek
2009-10-16 21:40 . 2008-01-19 19:06 -------- d-----w- c:\documents and settings\David\Application Data\U3
2009-10-15 21:04 . 2006-03-15 21:35 -------- d-----w- c:\program files\Azureus
2009-09-11 14:18 . 2005-09-09 22:03 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 21:53 . 2009-09-01 20:38 -------- d-----w- c:\documents and settings\David\Application Data\gtk-2.0
2009-09-04 21:03 . 2005-09-09 22:03 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 19:21 . 2009-09-01 19:21 -------- d-----w- c:\program files\GIMP-2.0
2009-08-29 08:08 . 2005-09-09 22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2005-09-09 22:03 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-24 18:13 . 2007-05-17 17:48 53384 -c--a-w- c:\documents and settings\Lara\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 12:49 . 2006-03-16 21:46 53384 -c--a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 12:30 . 2009-01-08 22:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-22 12:30 . 2009-01-08 22:53 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-22 12:30 . 2009-01-08 22:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-12 17:58 . 2009-08-12 17:58 70656 ----a-w- c:\windows\system32\drivers\etuwfjixrevpetsd.sys
2009-08-05 09:01 . 2005-09-09 22:03 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 18:52 . 2009-08-04 18:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 2004-08-03 23:18 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-09-18 17:35 . 2006-09-18 17:35 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-09-02 10:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 68856]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-03-23 1630303]
"MsnMsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-12 2000112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-05 7323648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-26 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-3-24 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-7-28 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-22 12:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/01/2009 22:53 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [21/04/2009 16:56 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/01/2009 22:53 297752]
S2 gupdate1c98bbffcf5952;Google Update Service (gupdate1c98bbffcf5952);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2009 20:35 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [25/11/2005 16:44 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [25/11/2005 16:44 51840]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
2009-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 20:34]
2009-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 20:34]
2009-10-21 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.co.uk/
mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\8bmhanjo.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {E6264B27-973A-4737-A202-28679E0A65C2} - c:\documents and settings\David\Local Settings\Application Data\{E6264B27-973A-4737-A202-28679E0A65C2}\
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
HKCU-Run-kdx - c:\program files\Kontiki\KHost.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-27 21:32 Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(780)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3392)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\combofix\CF16181.exe
c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-27 21:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-27 21:35
Pre-Run: 36,170,604,544 bytes free Post-Run: 37,012,197,376 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 32E739738D74BC735C66DBB1A286C543
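A way to triage a log like the one above mechanically, added here as an example and not part of the original thread or of ComboFix itself. Each "Files Created" and Find3M entry carries two stamps: the on-disk creation time, then the file's own last-write time. A binary unpacked by an installer keeps an older last-write stamp (mbamswissarmy.sys, msv1_0.dll above), while a file the malware wrote fresh has the two stamps identical (Xzihagijobake.bin, Rmidakidalo.dat, etuwfjixrevpetsd.sys). Combined with location (a loose .sys/.bin/.dat directly in the %SystemRoot% root, a zero-byte "driver" squatting on the name of a real kernel module, Security Center override values set to 1) this picks out exactly the entries a helper would query. The sample lines are copied from the log; the rules, thresholds and the `triage` function are my own assumptions and produce candidates for review, not verdicts.

```python
import re
from typing import Dict, List

# Constructed sample: entries copied from the ComboFix log posted above, one per
# line (the page runs them together). Format:
# "<created> . <last-written> <size, or -------- for a directory> <attrs> <path>"
SAMPLE_LOG = """\
2009-10-26 23:19 . 2009-10-26 23:19 411368 ----a-w- c:\\windows\\system32\\deploytk.dll
2009-10-22 21:17 . 2009-09-10 14:54 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2009-10-21 21:33 . 2009-10-27 21:13 0 ----a-r- c:\\windows\\win32k.sys
2009-10-21 21:29 . 2009-10-21 21:29 0 ----a-w- c:\\windows\\Xzihagijobake.bin
2009-10-21 21:29 . 2009-10-21 21:29 120 ----a-w- c:\\windows\\Rmidakidalo.dat
2009-10-21 21:29 . 2009-10-21 21:29 -------- d-----w- c:\\documents and settings\\David\\Local Settings\\Application Data\\{E6264B27-973A-4737-A202-28679E0A65C2}
2009-08-12 17:58 . 2009-08-12 17:58 70656 ----a-w- c:\\windows\\system32\\drivers\\etuwfjixrevpetsd.sys
2009-09-11 14:18 . 2005-09-09 22:03 136192 ----a-w- c:\\windows\\system32\\msv1_0.dll
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<written>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)
# Security Center "I monitor my own AV / firewall" switches. A value of 1 silences the
# missing-antivirus warning; a user can set it legitimately, but rogue AV commonly sets
# it so that the real product being disabled goes unnoticed.
OVERRIDE_RE = re.compile(r'^"(?P<name>AntiVirusOverride|FirewallOverride)"=dword:0*1$')

WINDOWS_ROOT_RE = re.compile(r"c:\\windows\\[^\\]+", re.IGNORECASE)           # no subdirectory
DRIVERS_DIR_RE = re.compile(r"c:\\windows\\system32\\drivers\\[^\\]+", re.IGNORECASE)
CODE_OR_DATA_EXT = {"sys", "bin", "dat", "exe", "dll"}


def _ext(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious path or registry value name to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}

    def flag(key: str, reason: str) -> None:
        findings.setdefault(key, []).append(reason)

    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            if m["attrs"].startswith("d"):          # directory entry: nothing to judge here
                continue
            path, ext = m["path"], _ext(m["path"])
            # Written in one go by whatever created it, rather than unpacked from a package
            dropped = m["created"] == m["written"]
            if ext == "sys" and m["size"] == "0":
                flag(path, "zero-byte .sys: no driver image is empty; the name squats on a real kernel module")
            if WINDOWS_ROOT_RE.fullmatch(path) and ext in CODE_OR_DATA_EXT:
                flag(path, "loose code/data file directly in the %SystemRoot% root")
            elif DRIVERS_DIR_RE.fullmatch(path) and ext == "sys" and dropped:
                flag(path, "driver whose created time equals its last-write time (dropped, not installed)")
            continue
        o = OVERRIDE_RE.match(line)
        if o:
            flag(o["name"], "Security Center warning suppressed (override = 1)")
    return findings


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LOG).items():
        print(key)
        for reason in reasons:
            print("   -", reason)
```

Run against the full log, the same rules are silent on every AVG, SUPERAntiSpyware and Microsoft entry and return exactly the four files and two registry values a reviewer would ask about; the heuristic is deliberately narrow (root of %SystemRoot% and the drivers directory only) so that freshly written but legitimate files such as the Java `deploytk.dll` in system32 are not reported.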
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31982
Loc: belfast
|
|
Quote:
post the combofix log in a new thread in the Hijackthis forum
Can you open a new thread in the HJT forum and post the ComboFix log there? Thank you.
|