Branding_print



Go Back   Web User Forums > Security > HijackThis logs help and analysis
Reload this Page Nasty Virus - HJT won't install
Register FAQ / Help Calendar Search Today's Posts Mark Forums Read

Reply
Page 1 of 2 1 2
 
Thread Tools Search this Thread Display Modes
  #1  
Old 05-09-09, 18:33
piana_tuna piana_tuna is offline
256Kbps
  
Join Date: Jul 2005
Location: Chicago, USA
Posts: 35
Default Nasty Virus - HJT won't install
Hi. My son's desktop, running Windows XP 5.1, SP3, has contracted a virus. I downloaded the HJT installer (tried all 3 recommended mirrors) but the virus won't let me install HJT! What do I do now?
The virus has (I think) installed something it calls "Antivirus Pro 2010" which it tries to run often. Also a companion "Advanced Virus Remover" program, with a clever icon that mimicks the Windows 4-color logo in the shape of a shield.
Virus has also changed the desktop background, removing the image that was there and replacing it with a large black warning box: "YOUR SYSTEM IS INFECTED" and "It is recommended to use spyware removal tool to prevent data loss." Lots of pop-ups warning of infections.
Anyway, I need your help with getting HJT to install and run. I have it installed on another computer here at home -- can I just copy & paste it?
Thanks in advance,
Piana Tuna
Reply With Quote
  #2  
Old 05-09-09, 20:24
bricat's Avatar
bricat bricat is online now
Global Moderator
256Tbps
  
Join Date: Jun 2003
Location: belfast
Posts: 32,385
Default Re: Nasty Virus - HJT won't install
After you have downloaded COMBOFIX to your DESKTOP you may have to right click on it and choose RENAME and change it's name to COMBO-FIX.EXE

Please download ComboFix from Here or Here to your Desktop.

<font color="Blue">**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**</font>
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    <ul type="square">
  4. <font color="red">Very Important!</font> Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  5. <font color="green">Click on</font> this link <font color="green">to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.</font>
<ul type="square">[*]Close any open browsers.[*]<font color="Red">WARNING:</font> Combofix will disconnect your machine from the Internet as soon as it starts[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.[/list][*]Double click on combofix.exe &amp; follow the prompts.[*]When finished, it will produce a report for you. [*]Please post the "C:\ComboFix.txt" along with a new HijackThis log (If you can get HJT to run) for further review.[/list]<font color="blue">**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**</font>
__________________
IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Those are my principles. If you don't like them I have others
Reply With Quote
  #3  
Old 06-09-09, 04:18
piana_tuna piana_tuna is offline
256Kbps
  
Join Date: Jul 2005
Location: Chicago, USA
Posts: 35
Default Re: Nasty Virus - HJT won't install
Hello BriCat! Thanks for your help.

Here is the ComboFix report:

ComboFix 09-09-05.02 - ab 09/05/2009 21:48.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.661 [GMT -5:00]
Running from: c:\documents and settings\ab\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ab\Application Data\figewici.lib
c:\documents and settings\ab\Application Data\ifiqameka.bat
c:\documents and settings\ab\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\ab\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\ab\Cookies\cetenep.exe
c:\documents and settings\ab\Local Settings\Application Data\emyhewolu.dl
c:\documents and settings\ab\Local Settings\Application Data\pakekul.pif
c:\documents and settings\ab\Local Settings\Application Data\tequhe.ban
c:\documents and settings\ab\Local Settings\Application Data\zesu.pif
c:\documents and settings\ab\Start Menu\Advanced Virus Remover.lnk
c:\documents and settings\All Users\Application Data\iqikowux.reg
c:\documents and settings\All Users\Application Data\taha.exe
c:\documents and settings\All Users\Application Data\uvuhos.inf
c:\documents and settings\All Users\Documents\isefeg.com
c:\documents and settings\All Users\Documents\vepegu.com
C:\fyblb.exe
C:\install.exe
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\program files\Common Files\agyb.reg
c:\program files\Common Files\dexynucero.dll
c:\program files\Common Files\lyhy.com
c:\program files\Common Files\uceqan.inf
c:\recycler\S-1-5-21-299502267-2147122587-1417001333-1001
c:\windows\bamudyc.inf
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\41.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\braviax.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\cru629.dat
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\doxu.inf
c:\windows\system32\drivers\728e3cc3.sys
c:\windows\system32\drivers\UACmovmpfmitl.sys
c:\windows\system32\E95THK16.EXE
c:\windows\system32\encapi32.dll
c:\windows\system32\ijocovise.scr
c:\windows\system32\ivol.bin
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\omibeqibyr.pif
c:\windows\system32\UACbwprdtnqlr.dll
c:\windows\system32\UACdqosysivbl.dll
c:\windows\system32\UACdxkpicmejc.dat
c:\windows\system32\UACewbevxvkdi.dll
c:\windows\system32\UACgnnsrasrwd.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wisdstr.exe
c:\windows\xemore.vbs

c:\windows\system32\drivers\beep.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Service_728e3cc3


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-06 01:28 . 2009-09-06 01:28 -------- d-----w- C:\spoolerlogs
2009-09-04 11:16 . 2009-09-04 12:04 31232 ----a-w- c:\windows\system32\wingenocx.dll
2009-09-04 11:14 . 2009-09-04 16:01 -------- d-----w- c:\program files\Protection System
2009-09-04 10:48 . 2009-09-04 13:48 -------- d-----w- c:\program files\AntivirusPro_2010
2009-09-04 10:40 . 2009-09-04 10:40 24491 ----a-w- C:\hpbyv.exe
2009-09-03 14:31 . 2009-09-04 10:23 -------- d-----w- c:\documents and settings\ab\Application Data\BitTorrent
2009-09-03 14:31 . 2009-09-03 14:31 -------- d-----w- c:\program files\BitTorrent
2009-08-14 05:00 . 2009-08-14 05:00 -------- d-----w- c:\program files\NVIDIA Corporation
2009-08-14 05:00 . 2009-08-14 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-08-14 04:08 . 2009-08-27 00:55 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-08-12 19:58 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-09-04 16:02 . 2009-04-23 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-04 10:48 . 2009-09-04 10:48 10888 ----a-w- c:\program files\Common Files\ybimacid.lib
2009-09-04 10:48 . 2009-09-04 10:48 10660 ----a-w- c:\program files\Common Files\ifiz.lib
2009-09-04 07:50 . 2008-04-25 16:48 -------- d-----w- c:\program files\Steam
2009-08-28 13:01 . 2009-04-23 07:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:01 . 2009-04-23 07:06 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 13:01 . 2009-04-23 07:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-15 20:39 . 2008-07-15 21:21 -------- d-----w- c:\program files\LucasArts
2009-08-15 20:39 . 2008-02-26 01:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:02 . 2008-03-23 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-08-03 05:27 . 2002-01-01 13:01 -------- d-----w- c:\program files\WorldOfGoo
2009-07-27 01:31 . 2009-07-17 20:40 -------- d-----w- c:\documents and settings\ab\Application Data\Apple Computer
2009-07-27 01:16 . 2009-07-27 01:16 -------- d-----w- c:\program files\Ubi Soft
2009-07-25 21:34 . 2009-07-25 21:33 -------- d-----w- c:\program files\iTunes
2009-07-25 21:33 . 2009-07-25 21:33 -------- d-----w- c:\program files\iPod
2009-07-25 21:33 . 2009-07-17 20:35 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 20:39 . 2009-07-17 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-17 20:39 . 2008-09-29 18:30 -------- d-----w- c:\program files\Bonjour
2009-07-17 20:38 . 2008-11-03 01:06 -------- d-----w- c:\program files\QuickTime
2009-07-17 20:37 . 2009-07-17 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-17 20:36 . 2009-07-17 20:36 -------- d-----w- c:\program files\Apple Software Update
2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 18:54 . 2009-05-01 03:02 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-07-14 18:54 . 2009-05-01 03:02 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-07-14 18:54 . 2009-05-01 03:02 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-07-14 18:54 . 2009-05-01 03:02 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-07-14 18:54 . 2008-04-25 18:31 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-14 18:54 . 2008-04-25 18:30 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-07-14 18:54 . 2008-04-25 18:30 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-07-14 18:54 . 2008-04-25 18:30 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-07-14 18:54 . 2008-04-25 18:30 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-07-14 18:54 . 2008-04-25 18:30 7741664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-07-14 18:54 . 2008-04-25 18:30 5842816 ----a-w- c:\windows\system32\nv4_disp.dll
2009-07-14 18:35 . 2009-07-14 18:35 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-07-14 18:35 . 2009-07-14 18:35 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-07-14 18:35 . 2009-07-14 18:35 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-07-14 18:35 . 2009-07-14 18:35 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-07-14 18:34 . 2009-07-14 18:34 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-07-14 18:34 . 2009-07-14 18:34 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-07-14 18:34 . 2009-07-14 18:34 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-07-14 18:34 . 2009-07-14 18:34 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-07-14 18:34 . 2009-07-14 18:34 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-07-14 18:34 . 2009-07-14 18:34 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-07-14 18:34 . 2009-07-14 18:34 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-07-14 18:34 . 2009-07-14 18:34 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-07-14 18:34 . 2009-07-14 18:34 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-07-14 04:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 22:30 . 2009-07-10 22:28 -------- d-----w- c:\program files\Ableton
2009-07-10 12:01 . 2009-05-26 01:38 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-29 16:12 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2006-02-28 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-02-28 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-02-28 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-02-28 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2006-02-28 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2006-02-28 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2006-02-28 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-02-25 23:53 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2006-02-28 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2006-02-28 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries &amp; legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2009-07-14 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1 \DW\dwtrig20.exe" [2007-03-14 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi3"=xgusb.cpl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\silent hunter 3\\sh3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Steam\\steamapps\\orcthatisdrunk\\garrysmod \\hl2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\orcthatisdrunk\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\orcthatisdrunk\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\steamapps\\orcthatisdrunk\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\spolvid\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\spolvid\\garrysmod\\hl2.e xe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Saga\\Game\\battlegrounds_x1.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/23/2009 2:06 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/23/2009 2:06 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/23/2009 2:06 AM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/2/2008 12:41 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 10:19 PM 13592]
S3 efipsk;efipsk;\??\c:\docume~1\ab\LOCALS~1\Temp\efi psk.sys --&gt; c:\docume~1\ab\LOCALS~1\Temp\efipsk.sys [?]
S3 Kinetic Books License Service;Kinetic Books License Service;c:\program files\Common Files\Kinetic Books Shared\Service\KineticBooksLicenseService.exe [10/3/2008 3:27 PM 79360]
.
Contents of the 'Scheduled Tasks' folder

2009-09-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={sear...f8&amp;oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&amp;xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/Driver...reqlab_nvd.cab
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 21:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-854245398-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:d6,4e,ce,22,ad,ce,86,f7,9c,1f,64,39 ,cf,fb,f5,9c,3c,55,8e,0b,d5,
8d,d0,64,0b,ac,0b,40,fe,57,1b,4a,2c,96,77,5c,51,94 ,d1,86,34,af,3b,24,87,ba,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82 ,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - &gt; 'explorer.exe'(808)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
************************************************** ************************
.
Completion time: 2009-09-06 22:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 03:04

Pre-Run: 81,997,443,072 bytes free
Post-Run: 82,171,461,632 bytes free

302 --- E O F --- 2009-08-31 03:42


Here is HJT log (yes, it works now!)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:04 PM, on 9/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &amp;Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &amp;Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" -"http://a.kongregate.com/games/tmb_steve/merlins-revenge-2/frame/1243568782343?gameplays_count=3&amp;user_id=208840 &amp;username=DrunkenOrc"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search &amp; Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/Driver...reqlab_nvd.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kinetic Books License Service - Kinetic Books - C:\Program Files\Common Files\Kinetic Books Shared\Service\KineticBooksLicenseService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7471 bytes


What's next?
Piana Tuna
Reply With Quote
  #4  
Old 06-09-09, 11:35
bricat's Avatar
bricat bricat is online now
Global Moderator
256Tbps
  
Join Date: Jun 2003
Location: belfast
Posts: 32,385
Default Re: Nasty Virus - HJT won't install
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. <font color="red"><u>Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.</u></font>


Open *notepad* and copy/paste the text in the quotebox below into it:

[ QUOTE ]


Killall::

File::
c:\windows\system32\wingenocx.dll
C:\hpbyv.exe


Folder::
c:\program files\Protection System
c:\program files\AntivirusPro_2010


Rootkit::
c:\docume~1\ab\LOCALS~1\Temp\efipsk.sys

Driver::
efipsk



[/ QUOTE ]

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe.

This will start ComboFix again.(it may ask you to reboot your computer)

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please and
let me know how it is running.


*Note:
<font color="red">Do not mouseclick combofix's window whilst it's running. That may cause it to stall*</font>
__________________
IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Those are my principles. If you don't like them I have others
Reply With Quote
  #5  
Old 06-09-09, 18:48
piana_tuna piana_tuna is offline
256Kbps
  
Join Date: Jul 2005
Location: Chicago, USA
Posts: 35
Default Re: Nasty Virus - HJT won't install
Hello again. When I ran ComboFix this time there was a message saying that a newer version was available, but I did not download it. Didn't want to rock the boat.

The computer is running much better -- Thank you! No more pop-ups and the Nasty Notice on the desktop is gone.

I am concerned that when I click on Start --&gt; All Programs, I still see a floder labeled 'Antivirus Pro 2010' and 2 options in that folder: 'Antivirus Pro 2010' and 'Uninstall' but when I go to Control Panel --&gt; Add/Remove Programs, Antivirus Pro does not show up on the list. How can I get rid of it safely? This is not a program I installed -- I assume the virus did.

Below are the 2 report logs you asked for, both were run today (Sunday)

Thanks again,
Piana Tuna


ComboFix log:

ComboFix 09-09-05.02 - ab 09/06/2009 11:43.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.611 [GMT -5:00]
Running from: c:\documents and settings\ab\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\ab\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"C:\hpbyv.exe"
"c:\windows\system32\wingenocx.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microso ft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80 .dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80 .dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80 .dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\Protection System
c:\program files\Protection System\blacklist.cga
c:\program files\Protection System\core.cga
c:\program files\Protection System\help.ico

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EFIPSK
-------\Service_efipsk


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-06 03:08 . 2009-09-06 03:08 -------- d-----w- c:\program files\Trend Micro
2009-09-06 01:28 . 2009-09-06 01:28 -------- d-----w- C:\spoolerlogs
2009-09-03 14:31 . 2009-09-04 10:23 -------- d-----w- c:\documents and settings\ab\Application Data\BitTorrent
2009-09-03 14:31 . 2009-09-03 14:31 -------- d-----w- c:\program files\BitTorrent
2009-08-14 05:00 . 2009-08-14 05:00 -------- d-----w- c:\program files\NVIDIA Corporation
2009-08-14 05:00 . 2009-08-14 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-08-14 04:08 . 2009-08-27 00:55 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-08-12 19:58 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-09-04 16:02 . 2009-04-23 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-04 10:48 . 2009-09-04 10:48 10888 ----a-w- c:\program files\Common Files\ybimacid.lib
2009-09-04 10:48 . 2009-09-04 10:48 10660 ----a-w- c:\program files\Common Files\ifiz.lib
2009-09-04 07:50 . 2008-04-25 16:48 -------- d-----w- c:\program files\Steam
2009-08-28 13:01 . 2009-04-23 07:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:01 . 2009-04-23 07:06 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 13:01 . 2009-04-23 07:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-15 20:39 . 2008-07-15 21:21 -------- d-----w- c:\program files\LucasArts
2009-08-15 20:39 . 2008-02-26 01:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:02 . 2008-03-23 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-08-03 05:27 . 2002-01-01 13:01 -------- d-----w- c:\program files\WorldOfGoo
2009-07-27 01:31 . 2009-07-17 20:40 -------- d-----w- c:\documents and settings\ab\Application Data\Apple Computer
2009-07-27 01:16 . 2009-07-27 01:16 -------- d-----w- c:\program files\Ubi Soft
2009-07-25 21:34 . 2009-07-25 21:33 -------- d-----w- c:\program files\iTunes
2009-07-25 21:33 . 2009-07-25 21:33 -------- d-----w- c:\program files\iPod
2009-07-25 21:33 . 2009-07-17 20:35 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 20:39 . 2009-07-17 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-17 20:39 . 2008-09-29 18:30 -------- d-----w- c:\program files\Bonjour
2009-07-17 20:38 . 2008-11-03 01:06 -------- d-----w- c:\program files\QuickTime
2009-07-17 20:37 . 2009-07-17 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-17 20:36 . 2009-07-17 20:36 -------- d-----w- c:\program files\Apple Software Update
2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 18:54 . 2009-05-01 03:02 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-07-14 18:54 . 2009-05-01 03:02 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-07-14 18:54 . 2009-05-01 03:02 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-07-14 18:54 . 2009-05-01 03:02 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-07-14 18:54 . 2008-04-25 18:31 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-14 18:54 . 2008-04-25 18:30 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-07-14 18:54 . 2008-04-25 18:30 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-07-14 18:54 . 2008-04-25 18:30 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-07-14 18:54 . 2008-04-25 18:30 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-07-14 18:54 . 2008-04-25 18:30 7741664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-07-14 18:54 . 2008-04-25 18:30 5842816 ----a-w- c:\windows\system32\nv4_disp.dll
2009-07-14 18:35 . 2009-07-14 18:35 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-07-14 18:35 . 2009-07-14 18:35 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-07-14 18:35 . 2009-07-14 18:35 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-07-14 18:35 . 2009-07-14 18:35 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-07-14 18:34 . 2009-07-14 18:34 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-07-14 18:34 . 2009-07-14 18:34 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-07-14 18:34 . 2009-07-14 18:34 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-07-14 18:34 . 2009-07-14 18:34 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-07-14 18:34 . 2009-07-14 18:34 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-07-14 18:34 . 2009-07-14 18:34 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-07-14 18:34 . 2009-07-14 18:34 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-07-14 18:34 . 2009-07-14 18:34 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-07-14 18:34 . 2009-07-14 18:34 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-07-14 04:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 22:30 . 2009-07-10 22:28 -------- d-----w- c:\program files\Ableton
2009-07-10 12:01 . 2009-05-26 01:38 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-29 16:12 . 2006-02-28 12:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2006-02-28 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-02-28 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-02-28 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-02-28 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2006-02-28 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2006-02-28 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2006-02-28 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-02-25 23:53 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2006-02-28 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2006-02-28 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-06_02.59.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-06 16:53 . 2009-09-06 16:53 16384 c:\windows\temp\Perflib_Perfdata_738.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries &amp; legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2009-07-14 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1 \DW\dwtrig20.exe" [2007-03-14 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi3"=xgusb.cpl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\silent hunter 3\\sh3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Steam\\steamapps\\orcthatisdrunk\\garrysmod \\hl2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\orcthatisdrunk\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\orcthatisdrunk\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\steamapps\\orcthatisdrunk\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\spolvid\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\spolvid\\garrysmod\\hl2.e xe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Saga\\Game\\battlegrounds_x1.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/23/2009 2:06 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/23/2009 2:06 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/23/2009 2:06 AM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/2/2008 12:41 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 10:19 PM 13592]
S3 Kinetic Books License Service;Kinetic Books License Service;c:\program files\Common Files\Kinetic Books Shared\Service\KineticBooksLicenseService.exe [10/3/2008 3:27 PM 79360]
.
Contents of the 'Scheduled Tasks' folder

2009-09-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={sear...f8&amp;oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&amp;xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/Driver...reqlab_nvd.cab
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 11:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-854245398-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:d6,4e,ce,22,ad,ce,86,f7,9c,1f,64,39 ,cf,fb,f5,9c,3c,55,8e,0b,d5,
8d,d0,64,0b,ac,0b,40,fe,57,1b,4a,2c,96,77,5c,51,94 ,d1,86,34,af,3b,24,87,ba,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82 ,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - &gt; 'explorer.exe'(3344)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
************************************************** ************************
.
Completion time: 2009-09-06 12:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 17:00

Pre-Run: 82,137,018,368 bytes free
Post-Run: 82,101,059,584 bytes free

244 --- E O F --- 2009-08-31 03:42




<u>Hijack This Log</u> :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:24 PM, on 9/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &amp;Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &amp;Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" -"http://a.kongregate.com/games/tmb_steve/merlins-revenge-2/frame/1243568782343?gameplays_count=3&amp;user_id=208840 &amp;username=DrunkenOrc"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search &amp; Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/Driver...reqlab_nvd.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kinetic Books License Service - Kinetic Books - C:\Program Files\Common Files\Kinetic Books Shared\Service\KineticBooksLicenseService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7271 bytes
Reply With Quote
  #6  
Old 06-09-09, 19:50
bricat's Avatar
bricat bricat is online now
Global Moderator
256Tbps
  
Join Date: Jun 2003
Location: belfast
Posts: 32,385
Default Re: Nasty Virus - HJT won't install
navigate to :-

C:\Documents and Settings\All Users\Start Menu\Programs

you can delete the orphaned entry for Antivirus Pro 2010 there.


that looks clean now, just some tidying up to do.

combofix cleanup.

<u>Time for some housekeeping</u><ul type="square">
[*] Click START then RUN[*] Now type Combofix /u in the runbox and click OK


[*] When shown the disclaimer, Select "<font color="red">2</font>"[/list]
<u>The above procedure will</u>:<ul type="square">
[*] Delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:_OtMoveIt folder, if present
[*] Reset the clock settings.[*] Hide file extensions, if required.[*] Hide System/Hidden files, if required.[*] Reset System Restore.[/list]
Then :-

<font color="blue">Download and scan with</font> CCleaner
  1. <font color="red">CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.</font>
    IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
  2. Before first use, select Options &gt; Advanced and UNCHECK <font color="blue">"Only delete files in Windows Temp folder older than 48 hours" </font>
    Then select "Cookies"
    Move any cookies you wish to retain, e.g. login cookies, in the left-hand window to the right-hand window by highlighting them and clicking the right arrow in the centre.
  3. Then select the items you wish to clean up.
    In the Windows Tab:

    <font color="green">• Clean all entries in the "Internet Explorer" section.
    • Clean all the entries in the "Windows Explorer" section.
    • Clean all entries in the "System" section.
    • Clean all entries in the "Advanced" section.
    • Clean any others that you choose.    </font>


    In the Applications Tab:

    <font color="green">• Clean all entries in the Mozilla Firefox Section.
    • Clean all in the Opera section if you use it.
    • Clean Sun Java in the Internet Section.
    • Clean any others that you choose.
    </font>
  4. Click the "Run Cleaner" button.
  5. A pop up box will appear advising this process will permanently delete files from your system.
  6. Click "OK" and it will scan and clean your system.
  7. Click "exit" when done.

then DEFRAG your C:\ drive.

to help speed up your system.

then let us know how the computer is running.


HOW DID I GET INFECTED
__________________
IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Those are my principles. If you don't like them I have others
Reply With Quote
  #7  
Old 08-09-09, 01:15
piana_tuna piana_tuna is offline
256Kbps
  
Join Date: Jul 2005
Location: Chicago, USA
Posts: 35
Default Re: Nasty Virus - HJT won't install
Sorry to report that when I go to:
C:\Documents and Settings\All Users\Start Menu\Programs
"Antivirus Pro 2010" is not there. But it still shows up when I click on
Start --&gt; All Programs. Hmmm... Could the folder be "hidden"?

I had better luck with deleting ComboFix. That seems to be gone.

We use C Cleaner regularly.

I defragged twice. It "looks" much better now.

The computer works much better, EXCEPT that my son reports that when he tries to play any 'graphics intensive' game or program, the machine locks or freezes up. Examples: Civilization IV, Cave Story, Steam (a program that runs other games, like Half Life, Gary's Mod, Counter Strike Source, etc.) About 30 seconds to a minute into the game or program, there is no response from mouse or keyboard.

But I have not had any problems when connecting to the internet or just running simple spreadsheet programs here locally.

Thanks again for all your help. Any further thoughts?
Piana Tuna
Reply With Quote
  #8  
Old 08-09-09, 07:01
piana_tuna piana_tuna is offline
256Kbps
  
Join Date: Jul 2005
Location: Chicago, USA
Posts: 35
Default Re: Nasty Virus - HJT won't install
p.s. Now the computer is hanging up even when trying to print or save a Word document. But still having no trouble on-line, here at this site or elsewhere!

Piana Tuna
Reply With Quote
  #9  
Old 08-09-09, 09:02
bricat's Avatar
bricat bricat is online now
Global Moderator
256Tbps
  
Join Date: Jun 2003
Location: belfast
Posts: 32,385
Default Re: Nasty Virus - HJT won't install
Please download Malwarebytes' Anti-Malware from <font color="#2E8B57">Here</font>.

Double Click mbam-setup.exe to install the application.
<ul type="square">[*]Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.[*]If an update is found, it will download and install the latest version.[*]Once the program has loaded, select "Perform Quick Scan", then click Scan.[*]The scan may take some time to finish,so please be patient.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Make sure that everything is checked, and click Remove Selected.[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.[*]Copy&amp;Paste the entire report in your next reply.[/list]Extra Note:

<font color="red">If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.</font>
__________________
IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Those are my principles. If you don't like them I have others
Reply With Quote
  #10  
Old 08-09-09, 19:19
piana_tuna piana_tuna is offline
256Kbps
  
Join Date: Jul 2005
Location: Chicago, USA
Posts: 35
Default Re: Nasty Virus - HJT won't install
Better now, I think. At least, Antivirus Pro 2010 does not appear in the Start menu!

However, the mouse and keyboard just froze when I tried to save a small document in Word just now.

Have not had a chance to test "intense games" yet -- that is my son's department!


Here is the log from MBAM:

Malwarebytes' Anti-Malware 1.40
Database version: 2758
Windows 5.1.2600 Service Pack 3

9/8/2009 1:01:08 PM
mbam-log-2009-09-08 (13-01-08).txt

Scan type: Quick Scan
Objects scanned: 88821
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -&gt; Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -&gt; Bad: (1) Good: (0) -&gt; Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -&gt; Bad: (1) Good: (0) -&gt; Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -&gt; Bad: (1) Good: (0) -&gt; Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -&gt; Bad: (1) Good: (0) -&gt; Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -&gt; Quarantined and deleted successfully.
C:\Documents and Settings\ab\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -&gt; Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
Reply With Quote
Reply
Page 1 of 2 1 2

Bookmarks

« Previous Thread | Next Thread »
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Webuser.co.uk

Web User Alerts

Web User Network

Site Policies

Magazine Subscription

Contacts


Search

Search

© Copyright IPC Media Limited 2009, All rights reserved





All times are GMT. The time now is 23:21.

Contact Us - Web User - Archive - Privacy Statement - Terms of Service - Top

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
© Copyright IPC Media Limited 2010, All rights reserved