
Malwarebytes

Cannot run malwarebytes


11 replies to this topic

#1
tallisall

    Regular Member

  • Honorary Members
  • 52 posts
Hi, I am helping a friend with his Dell Latitude D600 laptop that won't get on the internet. Downloaded and installed AVG free antivirus and did a manual update. After scan, found numerous tracking cookies, but that was all. System specs are xp-pro-sp2, intel 1.6ghz cpu, 512mb ram. Downloaded malwarebytes and manual updates on my machine and copied them to memory stick and put them in a download folder on his laptop. Malwarebytes installed and then I ran the update, but when you try to start it nothing happens. I also tried to install superantispyware and got a windows error. Please look at my hijackthis log. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:38 PM, on 5/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Search\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AE7F45F-7ACF-4901-9FE8-F516D7F33F0D}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FFFD97D-40AE-488E-98E1-21903505AA6A}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4332 bytes
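Added example, not part of the post and not Malwarebytes or HijackThis code: a small Python checker for the O17 lines of a HijackThis log. The security-relevant detail in the log above is that the same two public addresses are set as NameServer on every adapter and in CurrentControlSet, ControlSet001 and ControlSet002, while the antivirus reported only cookies; in the post-ComboFix log later in this thread those O17 lines are gone. The sample log (the O17 lines above plus one constructed benign router line), the "private address is expected" heuristic and the allowlist parameter are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the O17 lines from the HijackThis log above, plus one
# benign line (a router address) that is NOT in the original log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AE7F45F-7ACF-4901-9FE8-F516D7F33F0D}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FFFD97D-40AE-488E-98E1-21903505AA6A}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-CONSTRUCTED-BENIGN}: NameServer = 192.168.1.1
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[0-9.,\s]+)$")
# HijackThis abbreviates CurrentControlSet as CCS and ControlSet00N as CSN.
CONTROL_SET_RE = re.compile(r"HKLM\\System\\(?P<cs>CCS|CS\d+)\\", re.I)


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 NameServer line."""
    entries = []
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append((m.group("key"), servers))
    return entries


def is_expected(server, allowlist):
    """Assumption: a resolver is expected if it is allowlisted (your ISP's DNS) or
    a private address (the usual router/DHCP case). Unparseable values count as unexpected."""
    if server in allowlist:
        return True
    try:
        return ipaddress.ip_address(server).is_private
    except ValueError:
        return False


def assess_nameservers(log_text, allowlist=()):
    """Flag O17 entries carrying unexpected resolvers and summarise how widely they persist."""
    flagged = []
    unexpected = set()
    control_sets = defaultdict(set)  # server -> control sets in which it is set
    for key, servers in parse_o17(log_text):
        bad = [s for s in servers if not is_expected(s, allowlist)]
        if not bad:
            continue
        flagged.append({"key": key, "servers": servers, "unexpected": bad})
        unexpected.update(bad)
        m = CONTROL_SET_RE.search(key)
        if m:
            for s in bad:
                control_sets[s].add(m.group("cs").upper())
    return {
        "flagged": flagged,
        "unexpected_servers": sorted(unexpected),
        # A resolver written into CurrentControlSet AND the numbered control sets
        # survives "Last Known Good Configuration": a strong hijack signal.
        "persisted_across_control_sets": sorted(
            s for s, sets in control_sets.items() if len(sets) > 1
        ),
    }


if __name__ == "__main__":
    report = assess_nameservers(SAMPLE_LOG)
    for f in report["flagged"]:
        print("O17", f["key"], "->", ",".join(f["unexpected"]))
    print("unexpected resolvers:", report["unexpected_servers"])
    print("persisted across control sets:", report["persisted_across_control_sets"])
```

Pass the ISP's real resolver addresses in `allowlist` when running this against a log from a machine with statically configured DNS; anything else that is public, identical on every adapter and mirrored into the numbered control sets is worth checking before the machine goes back online.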

#2
tallisall

    Regular Member

  • Honorary Members
  • 52 posts

tallisall, on May 4 2009, 03:48 PM, said:

(quotes post #1 above in full, including the HijackThis log)
It's been 48 hrs. Will someone please look at my log. I know that you are very busy, but I'm just frustrated. Thanks

#3
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

First, please take a look and see whether any of these posts help you get MBAM running.

Potential Malware infection issues to review to get MBAM running
If none of the above apply in your case, then check whether Malwarebytes works when you rename mbam.exe.
Also try running MBAM from Windows Safe Mode.
Mieke Verburgh
Assistant Director of Research

Posted Image

Follow us: Twitter, Become a fan: Facebook

#4
tallisall

    Regular Member

  • Honorary Members
  • 52 posts
Hi, I visited the links that you provided and downloaded the files from there. RootRepeal either didn't run or it found nothing. I checked files tab, then scan, nothing. Then told it to save report and all I got was this.

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/07 09:39
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

I then ran processexplorer and got this

Process PID CPU Description Company Name
System Idle Process 0 97.03
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 760 Windows NT Session Manager Microsoft Corporation
csrss.exe 832 Client Server Runtime Process Microsoft Corporation
winlogon.exe 856 Windows NT Logon Application Microsoft Corporation
services.exe 900 0.99 Services and Controller app Microsoft Corporation
ati2evxx.exe 1068 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 1080 Generic Host Process for Win32 Services Microsoft Corporation
1XConfig.exe 672 8021XConfig Module Intel Corporation
svchost.exe 1164 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1304 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 2964 Windows Update Automatic Updates Microsoft Corporation
S24EvMon.exe 1344 Event Monitor - Supports driver extensions to NIC Driver for wireless adapters. Intel Corporation
svchost.exe 1404 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1508 Generic Host Process for Win32 Services Microsoft Corporation
WLTRYSVC.EXE 424
BCMWLTRY.EXE 436 Dell Wireless WLAN Card Wireless Network Controller Dell Inc
spoolsv.exe 512 Spooler SubSystem App Microsoft Corporation
scardsvr.exe 576 Smart Card Resource Management Server Microsoft Corporation
svchost.exe 876 Generic Host Process for Win32 Services Microsoft Corporation
avgwdsvc.exe 1488 AVG Watchdog Service AVG Technologies CZ, s.r.o.
avgrsx.exe 2112 AVG Resident Shield Service AVG Technologies CZ, s.r.o.
avgnsx.exe 2128 AVG Network scanner Service AVG Technologies CZ, s.r.o.
RegSrvc.exe 1676 RegSrvc Module Intel Corporation
MsPMSPSv.exe 816 WMDM PMSP Service Microsoft Corporation
avgemc.exe 2076 AVG E-Mail Scanner AVG Technologies CZ, s.r.o.
avgcsrvx.exe 2252 AVG Scanning Core Module - Server Part AVG Technologies CZ, s.r.o.
alg.exe 2996 Application Layer Gateway Service Microsoft Corporation
lsass.exe 912 LSA Shell (Export Version) Microsoft Corporation
ZCfgSvc.exe 1808 ZeroCfgSvc MFC Application Intel Corporation
ati2evxx.exe 1868 ATI External Event Utility EXE Module ATI Technologies Inc.
explorer.exe 1964 0.99 Windows Explorer Microsoft Corporation
WLTRAY.EXE 800 Dell Wireless WLAN Card Wireless Network Tray Applet Dell Inc
atiptaxx.exe 820 ATI Desktop Control Panel ATI Technologies, Inc.
PRONoMgr.exe 980 PRONotifyMgr Module Intel® Corporation
avgtray.exe 1092 AVG Tray Monitor AVG Technologies CZ, s.r.o.
msmsgs.exe 1204 Windows Messenger Microsoft Corporation
procexp.exe 308 0.99 Sysinternals Process Explorer Sysinternals - www.sysinternals.com


I forgot to mention in the first post that I had also attempted to load Spybot Search and Destroy as well as tried to launch Trend Micro's Housecalls. Housecalls locked up trying to download its files to the machine. Hope this will help.
Thanks

#5
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

Did you rename mbam.exe (present in the Program Files\MalwareBytes Antimalware folder) as I mentioned? Because renaming in your case should work.
No need to post logs from Process Explorer since I already see in your HijackThis log what processes are running. :mellow:

Anyway, if renaming won't work either, then please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Assistant Director of Research


#6
tallisall

    Regular Member

  • Honorary Members
  • 52 posts
Hi, and thanks for the help. I did change the mbam.exe name, but it would not run in real or safe mode. Just did Combofix and here is the log.

ComboFix 09-05-07.06 - D600 05/07/2009 13:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.247 [GMT -7:00]
Running from: c:\documents and settings\D600\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\docume~1\D600\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\D600\LOCALS~1\Temp\tmp2.tmp
c:\windows\system32\drivers\gxvxckoenbmxlwvyxtuwylvcxrubuaordqgik.sys
c:\windows\system32\drivers\gxvxcxrsduxrstacxepalqphbimovnmfvpqyx.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcvwvivipmngriqlrxhohbmyojjpfmkddu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.

2009-05-07 17:11 . 2009-05-07 17:11 0 ----a-w c:\windows\nsreg.dat
2009-05-07 17:11 . 2009-05-07 17:11 -------- d-----w c:\documents and settings\D600\Local Settings\Application Data\Mozilla
2009-05-07 15:21 . 2009-05-07 15:21 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-05-04 20:55 . 2009-05-07 17:03 -------- d-----w C:\Downloads
2009-05-04 20:46 . 2001-08-17 20:48 12160 -c--a-w c:\windows\system32\dllcache\mouhid.sys
2009-05-04 20:46 . 2001-08-17 20:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-05-04 20:46 . 2001-08-17 21:02 9600 -c--a-w c:\windows\system32\dllcache\hidusb.sys
2009-05-04 20:46 . 2001-08-17 21:02 9600 ----a-w c:\windows\system32\drivers\hidusb.sys
2009-05-04 20:33 . 2009-05-07 19:14 -------- d--h--w C:\$AVG8.VAULT$
2009-05-04 20:28 . 2009-05-04 21:18 -------- d-----w C:\Search
2009-04-24 19:19 . 2009-04-24 19:19 -------- d-----w c:\program files\InterActual
2009-04-24 02:21 . 2009-04-24 02:21 -------- d-----w c:\documents and settings\D600\Application Data\Titanium Gears
2009-04-24 02:18 . 2009-04-24 02:18 -------- d-----w c:\program files\Music Oasis
2009-04-24 02:16 . 2009-04-24 02:16 -------- d-----w c:\documents and settings\D600\Application Data\Yahoo!
2009-04-24 02:16 . 2009-04-24 02:17 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-24 02:16 . 2009-04-24 02:16 -------- d-----w c:\program files\Yahoo!
2009-04-24 02:03 . 2009-04-24 02:03 -------- d-----w c:\documents and settings\D600\Local Settings\Application Data\Identities
2009-04-24 01:19 . 2009-04-24 01:19 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-20 13:23 . 2009-04-20 13:23 -------- d-----w c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-04-20 13:23 . 2009-04-20 13:23 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
2009-04-20 13:23 . 2009-04-24 01:19 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\P2P_Max
2009-04-20 02:31 . 2009-04-20 02:31 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-20 02:31 . 2009-04-20 02:31 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-20 02:31 . 2009-04-20 02:31 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-20 02:31 . 2009-05-07 19:02 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-20 02:31 . 2009-04-20 02:37 -------- d-----w c:\documents and settings\D600\Application Data\AVGTOOLBAR
2009-04-20 02:30 . 2009-04-20 02:30 -------- d-----w c:\program files\AVG
2009-04-20 02:30 . 2009-04-20 02:30 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-18 01:24 . 2009-04-18 01:24 -------- d-----w c:\documents and settings\D600\Local Settings\Application Data\Ares
2009-04-17 23:57 . 2009-04-17 23:57 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-17 23:56 . 2009-04-17 23:56 -------- d-----w c:\windows\system32\drivers\UMDF
2009-04-17 23:04 . 2009-04-17 23:04 -------- d-s---w c:\documents and settings\D600\UserData
2009-04-17 22:46 . 2009-04-17 22:46 -------- d-----w c:\windows\system32\Adobe
2009-04-17 22:44 . 2009-04-24 11:01 -------- d-----w c:\program files\Google
2009-04-17 22:03 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-17 22:03 . 2008-06-13 13:10 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-17 22:01 . 2009-02-06 17:22 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-17 22:01 . 2009-02-06 17:24 2180480 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-17 22:01 . 2009-02-06 16:49 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-17 22:01 . 2009-02-06 16:49 2057728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-17 22:00 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-17 21:56 . 2007-07-27 16:41 26488 ----a-w c:\windows\system32\spupdsvc.exe
2009-04-17 21:56 . 2009-04-18 01:43 -------- d--h--w c:\windows\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 21:14 . 2003-10-30 04:05 87263 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-30 21:58 . 2003-10-30 04:17 -------- d-----w c:\program files\Modem Helper
2009-03-19 15:08 . 2009-03-19 15:08 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-19 15:08 . 2009-03-19 15:08 348160 ----a-w c:\windows\system32\msvcr71.dll
2009-03-06 14:44 . 2004-08-12 13:26 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:30 . 2004-08-12 13:33 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:30 . 2004-08-12 13:19 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2004-08-12 13:27 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-12 13:21 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-12 13:25 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-12 13:17 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-12 13:33 1846272 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2005-07-05 639040]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-20 1932568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2005-07-05 08:33 188482 ----a-w c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-20 02:31 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/19/2009 7:31 PM 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/19/2009 7:31 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/19/2009 7:30 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/19/2009 7:30 PM 298264]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [10/29/2003 10:08 PM 92550]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{def03fe0-38ed-11de-a4dc-000cf159575c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\m.exe /s
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
FF - ProfilePath - c:\documents and settings\D600\Application Data\Mozilla\Firefox\Profiles\bxdlv1eh.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 13:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LgNotify.dll
.
Completion time: 2009-05-07 13:37
ComboFix-quarantined-files.txt 2009-05-07 20:37

Pre-Run: 36,434,497,536 bytes free
Post-Run: 36,461,101,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

149 --- E O F --- 2009-04-19 02:12
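Added example, not part of the post and not ComboFix code: a Python triage of the ComboFix log above. Three items in it that a defender would want to spot automatically rather than by eye are the deleted C:\Autorun.inf, the three system32 driver/DLL names that share the prefix gxvxc followed by a long random string (with a removed service, GXVXCSERV.SYS, carrying the same prefix), and the per-volume MountPoints2 AutoRun command that launches F:\m.exe through RunDLL32/ShellExec_RunDLL when that drive is opened. The sample text is constructed from lines of the log; the prefix-and-length heuristic and the "executable outside the Windows folder" test are assumptions of this example.

```python
import os
import re
from collections import defaultdict

# Constructed sample: lines taken from the ComboFix log above, trimmed to the
# parts this triage looks at (section banners, deletions, the removed service
# and the MountPoints2 AutoRun key).
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\docume~1\D600\LOCALS~1\Temp\tmp1.tmp
c:\windows\system32\drivers\gxvxckoenbmxlwvyxtuwylvcxrubuaordqgik.sys
c:\windows\system32\drivers\gxvxcxrsduxrstacxepalqphbimovnmfvpqyx.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcvwvivipmngriqlrxhohbmyojjpfmkddu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{def03fe0-38ed-11de-a4dc-000cf159575c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\m.exe /s
"""

BANNER_RE = re.compile(r"^\({3,}\s*(?P<name>.+?)\s*\){3,}$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
SERVICE_RE = re.compile(r"^-+\\Service_(?P<svc>\S+)$")
KEY_RE = re.compile(r"^\[.+mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)
DRIVE_EXE_RE = re.compile(r"\b([A-Z]:\\\S+\.exe)\b", re.I)


def section_lines(text, name):
    """Lines under the '((( name )))' banner, up to the next banner."""
    out, inside = [], False
    for line in text.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            inside = m.group("name") == name
            continue
        if inside:
            out.append(line.strip())
    return out


def deleted_paths(text):
    return [l for l in section_lines(text, "Other Deletions") if PATH_RE.match(l)]


def removed_services(text):
    return [m.group("svc") for l in section_lines(text, "Drivers/Services")
            for m in [SERVICE_RE.match(l)] if m]


def random_named_groups(paths, prefix_len=5, min_stem=20):
    """Group files whose name is one long all-letter string by its first few letters.
    Heuristic (assumption): a dropper family keeps a short fixed prefix and fills
    the rest of the name with random letters, as the three gxvxc* files do."""
    groups = defaultdict(list)
    for p in paths:
        stem = os.path.splitext(os.path.basename(p.replace("\\", "/")))[0].lower()
        if len(stem) >= min_stem and stem.isalpha():
            groups[stem[:prefix_len]].append(p)
    return {k: v for k, v in groups.items() if len(v) >= 2}


def mountpoints_autorun(text):
    """AutoRun commands stored per volume under Explorer\\MountPoints2."""
    findings, guid = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            guid = km.group("guid")
            continue
        cm = CMD_RE.match(line)
        if cm and guid:
            cmd = cm.group("cmd")
            targets = DRIVE_EXE_RE.findall(cmd)
            findings.append({
                "guid": guid,
                "command": cmd,
                # executables outside the Windows folder, e.g. on a removable drive
                "external": [t for t in targets if not t.lower().startswith("c:\\windows")],
                "via_rundll32": "shellexec_rundll" in cmd.lower(),
            })
    return findings


def triage(text):
    paths = deleted_paths(text)
    groups = random_named_groups(paths)
    services = removed_services(text)
    return {
        "autorun_inf_removed": any(p.lower().endswith("\\autorun.inf") for p in paths),
        "random_named_groups": groups,
        # a removed service whose name starts with one of the random-name prefixes
        "services_matching_prefix": [s for s in services
                                     if any(s.lower().startswith(k) for k in groups)],
        "mountpoints_autorun": mountpoints_autorun(text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_COMBOFIX), indent=2))
```

The MountPoints2 finding is the one to act on beyond this laptop: the command points at an executable on drive F:, so the removable media that was plugged into this machine should be scanned before it is used anywhere else.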

#7
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
Mieke Verburgh
Assistant Director of Research


#8
tallisall

    Regular Member

  • Honorary Members
  • 52 posts
Hi,
It seems to be running much better. Should I now try to run Malwarebytes? Also did another hijackthis log and will include it in this post. I would like to ask you, I normally use Malwarebytes, Superantispyware and Spybot search and destroy on my machine with ccleaner for cleanup. I run 1 of the 3 each week. I use AVGfree for the antivirus. Is this good enough?
Thanks for all the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:38 PM, on 5/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\2bc0b3c55e0c166e04844934d1c7c342\update\update.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Search\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4269 bytes

#9
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

This log looks clean again. And yes, your current protection is enough.

Yes, you should now be able to run MalwareBytes. The malware you were dealing with locked/blocked Malwarebytes, so make sure this won't happen anymore. For that, please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :mellow:
Mieke Verburgh
Assistant Director of Research


#10
tallisall

    Regular Member

  • Honorary Members
  • 52 posts
Hi,
Thanks again for all your help. I just successfully ran both Malwarebytes and Superantispyware.

#11
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
You're most welcome :mellow:
Mieke Verburgh
Assistant Director of Research


#12
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Mieke Verburgh
Assistant Director of Research





