
Malwarebytes

Can't run Hijackthis or Malwarebytes


25 replies to this topic

#1
steve jones

    Advanced Member

  • Honorary Members
  • 120 posts
Like many others here, it seems, I've followed the instructions and can't run any anti-malware stuff. Message is "You may not have the appropriate permissions to access the item". I am at my wits' end - please help.

Steve Jones

#2
sjpritch25

    Forum Deity

  • Experts
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Welcome to Malwarebytes!!!! ;)

Please download Win32kDiag.exe by AD to your Desktop.
Double-click on Win32kDiag.exe.
It will create Win32kDiag.txt on your Desktop.
In your next reply, please include the log. Thanks
Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive)Noctua NH-U12P SE2 HeatsinkAntec P183 Case

#3
my1smthop

    New Member

  • Members
  • 4 posts

sjpritch25, on Sep 30 2009, 12:17 AM, said:

Welcome to Malwarebytes!!!! ;)

Please download Win32kDiag.exe by AD to your Desktop.
Double-click on Win32kDiag.exe.
It will create Win32kDiag.txt on your Desktop.
In your next reply, please include the log. Thanks

What can you do if your downloads disappear? I tried to download this as I'm having the same problem. It will download then it goes bye-bye.

#4
steve jones

    Advanced Member

  • Honorary Members
  • 120 posts
Many thanks for the response - this is one amazing site and you guys are so knowledgeable! Now a confession... while waiting for your reply I read loads of similar posts and your expert responses. I thought I could safely try ComboFix and it might have saved some time if I could produce a reply log quickly, so I did that (after stopping all virus checkers/popup stoppers as instructed). ComboFix found and fixed a couple of problems. I then reloaded Malwarebytes and it ran OK! A quick scan found and fixed a couple more nasties. Then a full scan found some more and removed them. Finally I ran another full scan, found no errors and my PC appears to be back to normal.

I am not at that PC right now so can't give details of any logs. I must admit I'm wary of 'messing' any further if I am essentially virus free. What do you think? I am quite happy to be guided by you brilliant folk.

#5
sjpritch25

    Forum Deity

  • Experts
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
I'll leave it up to you. But I would like to see the logs from MBAM and ComboFix.

#6
steve jones

    Advanced Member

  • Honorary Members
  • 120 posts
Thanks for the warm welcome sjpritch25, and having noticed that the laptop seems to be starting up more slowly than usual I would appreciate it if you could have a look at the logs. Also I tried to run HijackThis today and I still get the 'no permissions' message, so evidently I'm not yet fixed. I've now remembered that ComboFix ran but for some reason didn't find the internet connection and failed to load the Recovery Console. It did however report a problem. I then ran it again (which I think I've since read was wrong to do!) after double checking my internet connection. This time it did load the Recovery Console and I think it found some problems - no doubt the logs will tell you what was found.

After first run;

ComboFix 09-09-28.01 - Steve Jones 29/09/2009 21:07.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3069.2640 [GMT 1:00]
Running from: c:\documents and settings\Steve Jones\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-29 19:17 . 2009-09-29 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-29 19:06 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-09-29 19:06 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Administrator
2009-09-28 18:53 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-28 18:53 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-28 18:53 . 2009-09-29 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-28 17:20 . 2009-09-28 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 13:53 . 2009-09-29 19:16 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-28 12:32 . 2009-09-28 17:10 -------- d-----w- C:\$AVG8.VAULT$
2009-09-28 12:31 . 2009-09-28 12:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-28 12:31 . 2009-09-28 12:31 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-28 12:31 . 2009-09-28 12:31 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-28 12:31 . 2009-09-28 12:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-28 12:30 . 2009-09-28 12:30 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-28 12:30 . 2009-09-28 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-28 12:23 . 2009-09-28 12:23 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\AVG8
2009-09-28 12:22 . 2009-09-28 12:22 848672 ----a-w- c:\program files\avg_free_stb_en_8_32_free.exe
2009-09-27 22:55 . 2009-09-29 19:24 0 ----a-r- c:\windows\win32k.sys
2009-09-27 12:55 . 2009-09-27 13:16 -------- d-----w- C:\THE_GRUDGE3
2009-09-16 21:42 . 2009-09-18 16:19 -------- d-----w- C:\ANDREA_ENCODED
2009-09-11 07:58 . 2004-08-03 22:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2009-09-11 07:58 . 2004-08-03 22:10 15360 ----a-w- c:\windows\system32\drivers\MPE.sys
2009-09-11 07:57 . 2004-08-03 23:56 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2009-09-11 07:57 . 2004-08-03 23:56 363520 ----a-w- c:\windows\system32\PsisDecd.dll
2009-09-11 07:57 . 2004-08-03 22:10 11776 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
2009-09-11 07:57 . 2004-08-03 22:10 11776 ----a-w- c:\windows\system32\drivers\BdaSup.sys
2009-09-11 07:57 . 2007-08-19 03:36 26496 ----a-w- c:\windows\system32\drivers\AVerA310USB.sys
2009-09-11 07:57 . 2007-08-19 03:35 42496 ----a-w- c:\windows\system32\drivers\AVerA310Cap.sys
2009-09-11 07:57 . 2009-09-11 07:57 -------- d-----w- c:\program files\AVerMedia
2009-09-11 07:57 . 2007-08-23 16:09 -------- d-----w- c:\program files\TVTuner_AverMedia_A310_v1.1.0.22_vista_x86(WHQL)
2009-09-10 23:06 . 2009-09-10 23:06 36864 ----a-w- c:\windows\unslive.exe
2009-09-10 23:06 . 2009-09-10 23:06 -------- d-----w- C:\tape-indices
2009-09-10 23:05 . 2009-09-13 15:26 -------- d-----w- c:\program files\ScenalyzerLive.4.0_by_softland.biz_
2009-09-09 20:59 . 2009-09-09 20:59 -------- d-----w- C:\MILO_ENCODED
2009-09-02 11:16 . 2009-09-02 11:16 -------- d-----w- c:\windows\BUVC_AP
2009-08-31 14:25 . 2009-08-31 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-08-31 14:01 . 2009-08-31 14:37 -------- d-----w- c:\program files\DVDFab 6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 19:08 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2009-09-29 19:08 . 2009-09-29 19:08 -------- d-----w- c:\program files\Trend Micro
2009-09-29 19:08 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Malwarebytes
2009-09-28 12:09 . 2009-05-03 18:54 43736 ----a-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-27 19:29 . 2009-05-09 08:56 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\LimeWire
2009-09-02 11:16 . 2009-05-03 15:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 10:25 . 2009-05-09 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-25 22:45 . 2009-08-25 22:45 -------- d-----w- c:\program files\Network Stumbler
2009-08-19 14:41 . 2009-08-19 14:41 -------- d-----w- c:\program files\LG Electronics
2009-08-19 14:41 . 2009-08-19 14:41 -------- d-----w- c:\program files\LGUSBModemDriver_WHQL_ML_Ver_4.9.5_All
2009-08-19 13:56 . 2009-08-19 13:56 -------- d-----w- c:\program files\CCleaner
2009-08-19 12:33 . 2009-08-19 12:33 -------- d-----w- c:\program files\Autoruns
2009-08-16 14:37 . 2009-06-22 07:30 762640 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-16 12:28 . 2009-08-16 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2009-08-16 12:27 . 2009-08-16 12:27 -------- d-----w- c:\program files\EPSON
2009-08-13 21:05 . 2009-08-13 21:05 -------- d-----w- c:\program files\Bethesda Softworks
2009-08-13 20:25 . 2009-08-13 20:25 -------- d-----w- c:\program files\DVD Decrypter
2009-08-13 20:14 . 2009-08-13 20:13 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\RipIt4Me
2009-08-13 20:11 . 2009-08-13 20:11 202071 ----a-w- c:\program files\RipIt4Me.zip
2009-08-11 12:18 . 2009-08-11 10:10 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\DAEMON Tools Lite
2009-08-04 12:27 . 2009-08-04 12:27 -------- d--h--r- c:\documents and settings\Steve Jones\Application Data\SecuROM
2009-08-04 12:27 . 2009-08-04 12:27 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-04 11:13 . 2009-08-04 11:13 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Apple Computer
2009-08-04 10:08 . 2009-08-04 10:08 -------- d-----w- c:\program files\vso
2009-08-04 10:07 . 2009-08-04 10:06 2496707 ----a-w- c:\program files\vsoDivxToDVD_setup_v0.5.2b.exe
2009-08-01 10:48 . 2009-08-01 10:48 0 ----a-w- c:\windows\nsreg.dat
2009-07-15 06:24 . 2009-08-19 14:41 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2009-07-15 06:23 . 2009-08-19 14:41 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2009-06-21 17:42 . 2009-06-21 17:42 608578 ----a-w- c:\program files\700_DDI_CB.exe
2009-05-15 08:46 . 2009-05-15 08:46 4669067 ----a-w- c:\program files\ICS_Dx32.exe
2009-05-13 09:54 . 2009-05-13 09:54 7303913 ----a-w- c:\program files\12.2.0.0_X_Drivers.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13594624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-28 2007832]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-08 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-28 12:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [28/09/2009 13:31 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [28/09/2009 13:31 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [28/09/2009 13:30 297752]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [03/05/2009 20:40 10240]
R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [11/09/2009 08:57 26496]
R3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [11/09/2009 08:57 42496]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [03/05/2009 16:59 54784]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [03/05/2009 13:55 36864]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [24/09/2008 16:09 41376]
S4 gupdate1c9fdad1e7e45f2;Google Update Service (gupdate1c9fdad1e7e45f2);c:\program files\Google\Update\GoogleUpdate.exe [05/07/2009 21:13 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Steve Jones\Application Data\Mozilla\Firefox\Profiles\crhzgivt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-AVerMedia A310 (MiniCard - c:\program files\AVerMedia\AVerMedia A310 (MiniCard



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 21:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-09-29 21:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-29 20:13

Pre-Run: 190,704,914,432 bytes free
Post-Run: 191,328,882,688 bytes free

186

After second run;

ComboFix 09-09-28.01 - Steve Jones 29/09/2009 21:28.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3069.2491 [GMT 1:00]
Running from: c:\documents and settings\Steve Jones\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-29 19:17 . 2009-09-29 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-29 19:06 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-09-29 19:06 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Administrator
2009-09-28 18:53 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-28 18:53 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-28 18:53 . 2009-09-29 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-28 17:20 . 2009-09-28 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 13:53 . 2009-09-29 19:16 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-28 12:32 . 2009-09-28 17:10 -------- d-----w- C:\$AVG8.VAULT$
2009-09-28 12:31 . 2009-09-28 12:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-28 12:31 . 2009-09-28 12:31 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-28 12:31 . 2009-09-28 12:31 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-28 12:31 . 2009-09-28 12:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-28 12:30 . 2009-09-28 12:30 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-28 12:30 . 2009-09-28 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-28 12:23 . 2009-09-28 12:23 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\AVG8
2009-09-28 12:22 . 2009-09-28 12:22 848672 ----a-w- c:\program files\avg_free_stb_en_8_32_free.exe
2009-09-27 22:55 . 2009-09-29 19:24 0 ----a-r- c:\windows\win32k.sys
2009-09-27 12:55 . 2009-09-27 13:16 -------- d-----w- C:\THE_GRUDGE3
2009-09-16 21:42 . 2009-09-18 16:19 -------- d-----w- C:\ANDREA_ENCODED
2009-09-11 07:58 . 2004-08-03 22:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2009-09-11 07:58 . 2004-08-03 22:10 15360 ----a-w- c:\windows\system32\drivers\MPE.sys
2009-09-11 07:57 . 2004-08-03 23:56 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2009-09-11 07:57 . 2004-08-03 23:56 363520 ----a-w- c:\windows\system32\PsisDecd.dll
2009-09-11 07:57 . 2004-08-03 22:10 11776 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
2009-09-11 07:57 . 2004-08-03 22:10 11776 ----a-w- c:\windows\system32\drivers\BdaSup.sys
2009-09-11 07:57 . 2007-08-19 03:36 26496 ----a-w- c:\windows\system32\drivers\AVerA310USB.sys
2009-09-11 07:57 . 2007-08-19 03:35 42496 ----a-w- c:\windows\system32\drivers\AVerA310Cap.sys
2009-09-11 07:57 . 2009-09-11 07:57 -------- d-----w- c:\program files\AVerMedia
2009-09-11 07:57 . 2007-08-23 16:09 -------- d-----w- c:\program files\TVTuner_AverMedia_A310_v1.1.0.22_vista_x86(WHQL)
2009-09-10 23:06 . 2009-09-10 23:06 36864 ----a-w- c:\windows\unslive.exe
2009-09-10 23:06 . 2009-09-10 23:06 -------- d-----w- C:\tape-indices
2009-09-10 23:05 . 2009-09-13 15:26 -------- d-----w- c:\program files\ScenalyzerLive.4.0_by_softland.biz_
2009-09-09 20:59 . 2009-09-09 20:59 -------- d-----w- C:\MILO_ENCODED
2009-09-02 11:16 . 2009-09-02 11:16 -------- d-----w- c:\windows\BUVC_AP
2009-08-31 14:25 . 2009-08-31 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-08-31 14:01 . 2009-08-31 14:37 -------- d-----w- c:\program files\DVDFab 6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 19:08 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2009-09-29 19:08 . 2009-09-29 19:08 -------- d-----w- c:\program files\Trend Micro
2009-09-29 19:08 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Malwarebytes
2009-09-28 12:09 . 2009-05-03 18:54 43736 ----a-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-27 19:29 . 2009-05-09 08:56 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\LimeWire
2009-09-02 11:16 . 2009-05-03 15:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 10:25 . 2009-05-09 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-25 22:45 . 2009-08-25 22:45 -------- d-----w- c:\program files\Network Stumbler
2009-08-19 14:41 . 2009-08-19 14:41 -------- d-----w- c:\program files\LG Electronics
2009-08-19 14:41 . 2009-08-19 14:41 -------- d-----w- c:\program files\LGUSBModemDriver_WHQL_ML_Ver_4.9.5_All
2009-08-19 13:56 . 2009-08-19 13:56 -------- d-----w- c:\program files\CCleaner
2009-08-19 12:33 . 2009-08-19 12:33 -------- d-----w- c:\program files\Autoruns
2009-08-16 14:37 . 2009-06-22 07:30 762640 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-16 12:28 . 2009-08-16 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2009-08-16 12:27 . 2009-08-16 12:27 -------- d-----w- c:\program files\EPSON
2009-08-13 21:05 . 2009-08-13 21:05 -------- d-----w- c:\program files\Bethesda Softworks
2009-08-13 20:25 . 2009-08-13 20:25 -------- d-----w- c:\program files\DVD Decrypter
2009-08-13 20:14 . 2009-08-13 20:13 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\RipIt4Me
2009-08-13 20:11 . 2009-08-13 20:11 202071 ----a-w- c:\program files\RipIt4Me.zip
2009-08-11 12:18 . 2009-08-11 10:10 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\DAEMON Tools Lite
2009-08-04 12:27 . 2009-08-04 12:27 -------- d--h--r- c:\documents and settings\Steve Jones\Application Data\SecuROM
2009-08-04 12:27 . 2009-08-04 12:27 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-04 11:13 . 2009-08-04 11:13 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Apple Computer
2009-08-04 10:08 . 2009-08-04 10:08 -------- d-----w- c:\program files\vso
2009-08-04 10:07 . 2009-08-04 10:06 2496707 ----a-w- c:\program files\vsoDivxToDVD_setup_v0.5.2b.exe
2009-08-01 10:48 . 2009-08-01 10:48 0 ----a-w- c:\windows\nsreg.dat
2009-07-15 06:24 . 2009-08-19 14:41 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2009-07-15 06:23 . 2009-08-19 14:41 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2009-06-21 17:42 . 2009-06-21 17:42 608578 ----a-w- c:\program files\700_DDI_CB.exe
2009-05-15 08:46 . 2009-05-15 08:46 4669067 ----a-w- c:\program files\ICS_Dx32.exe
2009-05-13 09:54 . 2009-05-13 09:54 7303913 ----a-w- c:\program files\12.2.0.0_X_Drivers.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13594624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-28 2007832]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-08 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-28 12:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [28/09/2009 13:31 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [28/09/2009 13:31 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [28/09/2009 13:30 297752]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [03/05/2009 20:40 10240]
R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [11/09/2009 08:57 26496]
R3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [11/09/2009 08:57 42496]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [03/05/2009 16:59 54784]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [03/05/2009 13:55 36864]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [24/09/2008 16:09 41376]
S4 gupdate1c9fdad1e7e45f2;Google Update Service (gupdate1c9fdad1e7e45f2);c:\program files\Google\Update\GoogleUpdate.exe [05/07/2009 21:13 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Steve Jones\Application Data\Mozilla\Firefox\Profiles\crhzgivt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-AVerMedia A310 (MiniCard - c:\program files\AVerMedia\AVerMedia A310 (MiniCard



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 21:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-09-29 21:31
ComboFix-quarantined-files.txt 2009-09-29 20:31
ComboFix2.txt 2009-09-29 20:13

Pre-Run: 191,328,825,344 bytes free
Post-Run: 191,310,147,584 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

168

MBAM Quick scan log;

Malwarebytes' Anti-Malware 1.41
Database version: 2873
Windows 5.1.2600 Service Pack 2

29/09/2009 21:35:40
mbam-log-2009-09-29 (21-35-36).txt

Scan type: Quick Scan
Objects scanned: 96683
Time elapsed: 1 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Steve Jones\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

MBAM Full Scan log;

Malwarebytes' Anti-Malware 1.41
Database version: 2873
Windows 5.1.2600 Service Pack 2

29/09/2009 22:05:30
full scan mbam-log-2009-09-29 (22-05-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 167887
Time elapsed: 24 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> No action taken.
C:\System Volume Information\_restore{955106F3-E2AF-4D07-9A85-13D1C4FD7D76}\RP113\A0042405.dll (Trojan.Sirefef) -> No action taken.


I hope this is all as you needed. Many thanks again for your assistance.

Steve Jones
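The first ComboFix run above reports an infected copy of eventlog.dll in system32, restores it from system32\dllcache, and also lists a 0-byte win32k.sys sitting in c:\windows rather than in system32. What follows is an added example, not ComboFix's or Malwarebytes' code and not from this thread, of the check behind that repair: hash each named file in the live directory and compare it with the Windows File Protection copy in dllcache, flagging zero-length files and missing copies as well. The fixture it runs on is constructed in a temporary directory; the paths and bytes are not the poster's machine. Treating the dllcache copy as the trusted reference is an assumption (one the log itself relies on); a rootkit that can write system32 can usually write dllcache too, so a mismatch is a lead and a match is not proof of a clean file.

```python
r"""Compare protected system files against their Windows File Protection
copies in system32\dllcache by SHA-256.

Added example for this thread; not ComboFix's or Malwarebytes' code.
Assumption: the dllcache copy is the reference (it is what ComboFix
restored eventlog.dll from in the log above). A match is not proof of
a clean file.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_file(directory: Path, name: str) -> Path | None:
    """Case-insensitive lookup: NTFS is, and dllcache names are usually lower-case."""
    for p in directory.iterdir():
        if p.is_file() and p.name.lower() == name.lower():
            return p
    return None


def compare_against_cache(live_dir: Path, cache_dir: Path, names) -> dict[str, str]:
    """For each name return one of: match, mismatch, zero-length,
    missing-live, missing-cache. Zero-length is checked before hashing:
    a 0-byte file carrying a kernel component's name is a decoy or a
    failed drop, never the real thing."""
    result: dict[str, str] = {}
    for name in names:
        live = find_file(live_dir, name)
        if live is None:
            result[name] = "missing-live"
            continue
        if live.stat().st_size == 0:
            result[name] = "zero-length"
            continue
        cache = find_file(cache_dir, name)
        if cache is None:
            result[name] = "missing-cache"
        elif sha256_of(live) == sha256_of(cache):
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


def demo() -> dict[str, str]:
    """Constructed fixture mirroring the log: eventlog.dll patched in the
    live directory but intact in dllcache, an untouched driver whose two
    copies differ only in name case, and a 0-byte win32k.sys decoy."""
    root = Path(tempfile.mkdtemp(prefix="wfp-demo-"))
    try:
        system32 = root / "system32"
        dllcache = system32 / "dllcache"
        dllcache.mkdir(parents=True)
        clean = b"MZ" + b"\x00" * 62 + b"eventlog-clean"
        (dllcache / "eventlog.dll").write_bytes(clean)
        (system32 / "eventlog.dll").write_bytes(clean[:-5] + b"patch")  # same size, hooked
        (dllcache / "bdasup.sys").write_bytes(b"MZ-driver")
        (system32 / "BdaSup.sys").write_bytes(b"MZ-driver")
        (system32 / "win32k.sys").write_bytes(b"")  # 0-byte decoy, as in the log
        return compare_against_cache(
            system32, dllcache, ["eventlog.dll", "BdaSup.sys", "win32k.sys", "psisdecd.dll"]
        )
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

On a real XP box the two directories would be c:\windows\system32 and c:\windows\system32\dllcache, and the names to check would come from the ComboFix "Other Deletions" section or from the list of files whose timestamps look wrong in the "Files Created" section.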

#7
sjpritch25

    Forum Deity

  • Experts
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Please make sure you remove all of those items MBAM detected.

Also, combofix removed a rootkit that was still present on your system.


Please download Win32kDiag.exe by AD to your Desktop.
  • Click on Start->Run, copy-paste the following command into the "Open" box, and click OK:
    "%userprofile%\desktop\win32kdiag.exe" -f -r
  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  • Please open it with notepad and post the contents here.



Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply


#8
steve jones

    Advanced Member

  • Honorary Members
  • PipPipPip
  • 120 posts
Thanks for that. I didn't realise that MBAM didn't automatically remove the infected files. Did I not Can you advise how I best do that now? I will do the other bits asap and report back.
Cheers again. :D

Steve

#9
steve jones

    Advanced Member

  • Honorary Members
  • PipPipPip
  • 120 posts
Oops - ignore the 'did I not' bit above. Sorry!

#10
sjpritch25

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
I just wanted to make sure you clicked on the Remove Selected button after the scan finished. According to the log, that was not the case.

Please continue with the rest of my instructions.
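The point sjpritch25 makes above, that the full-scan log posted earlier lists both Trojan.Sirefef hits as "No action taken", is easy to miss by eye. As an added example (not part of this thread and not Malwarebytes' own code), here is a small Python parser for MBAM 1.x logs that reads the header, the per-section counts and the detection lines, and reports any item that was never remediated. The sample input is the full-scan log from this thread, trimmed to its non-empty sections. The parser also pulls the Windows version line, which in that log reads "Service Pack 2", and classifies where each flagged file lives (ComboFix's Qoobox quarantine folder, a System Restore point, or a live path); that classification is this example's own heuristic, not something MBAM reports.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the full-scan log posted earlier in this thread, trimmed to the
# sections that carry information (empty "(No malicious items detected)"
# sections omitted).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2873
Windows 5.1.2600 Service Pack 2

29/09/2009 22:05:30
full scan mbam-log-2009-09-29 (22-05-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 167887
Time elapsed: 24 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> No action taken.
C:\System Volume Information\_restore{955106F3-E2AF-4D07-9A85-13D1C4FD7D76}\RP113\A0042405.dll (Trojan.Sirefef) -> No action taken.
"""


@dataclass
class Detection:
    section: str   # e.g. "Files Infected"
    path: str      # file path or registry key as printed by MBAM
    threat: str    # MBAM threat name, e.g. "Trojan.Sirefef"
    action: str    # "No action taken", "Quarantined and deleted successfully", ...

    @property
    def remediated(self) -> bool:
        return not self.action.lower().startswith("no action taken")

    @property
    def location(self) -> str:
        """Where the flagged object lives (this example's own heuristic)."""
        p = self.path.lower()
        if p.startswith("c:\\qoobox\\quarantine\\"):      # ComboFix quarantine
            return "combofix-quarantine"
        if "\\system volume information\\_restore" in p:  # System Restore point
            return "system-restore-point"
        return "live"


@dataclass
class MbamReport:
    header: Dict[str, str] = field(default_factory=dict)
    counts: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

    def unremediated(self) -> List[Detection]:
        return [d for d in self.detections if not d.remediated]

    def count_mismatches(self) -> Dict[str, tuple]:
        """Sections whose summary count disagrees with the items listed."""
        listed: Dict[str, int] = {}
        for d in self.detections:
            listed[d.section] = listed.get(d.section, 0) + 1
        return {s: (n, listed.get(s, 0)) for s, n in self.counts.items()
                if n != listed.get(s, 0)}


SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> MbamReport:
    report = MbamReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                       # "Files Infected:" opens a detail section
            section = m.group("name")
            continue
        m = COUNT_RE.match(line)
        if m:                       # "Files Infected: 2" is a summary count
            report.counts[m.group("name")] = int(m.group("n"))
            continue
        if section is None:         # header block before the first section
            if line.startswith("Database version:"):
                report.header["database"] = line.split(":", 1)[1].strip()
            elif line.startswith("Windows "):
                report.header["windows"] = line[len("Windows "):]
            elif line.startswith("Malwarebytes"):
                report.header["product"] = line
            continue
        if line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            report.detections.append(Detection(section, m.group("path"),
                                               m.group("threat"), m.group("action")))
    return report


def service_pack(report: MbamReport) -> Optional[str]:
    m = re.search(r"Service Pack \d+", report.header.get("windows", ""))
    return m.group(0) if m else None


def review(report: MbamReport) -> List[str]:
    """Findings a helper would want to see before saying a machine is clean."""
    findings = [f"NOT REMOVED [{d.location}] {d.threat}: {d.path}"
                for d in report.unremediated()]
    for s, (declared, listed) in report.count_mismatches().items():
        findings.append(f"COUNT MISMATCH {s}: header says {declared}, {listed} listed")
    return findings


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.header, service_pack(rep))
    for line in review(rep):
        print(line)
```

Run against the thread's log, `review()` returns two "NOT REMOVED" lines, one in the ComboFix quarantine folder and one inside a restore point, which is exactly the situation the reply above describes: neither file is active, but neither has been deleted either.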

#11
steve jones

    Advanced Member

  • Honorary Members
  • PipPipPip
  • 120 posts
To be honest I can't remember being given that Remove Selected option, but given I can't find the files it would seem I must have been? Doh!

I am at work now and have left the Kaspersky check running at home. Will post later this eve UK time. I'm a little worried because I ran the Win32kDiag.exe and the log file seemed like only a few lines long. Others I've seen posted here have loads of entries? Anyhow, will post it up later.

Steve

#12
steve jones

    Advanced Member

  • Honorary Members
  • PipPipPip
  • 120 posts
Update on the 2 items I need to remove:

1) C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef)
This file isn't found by a search. Could it have already been deleted or is it somehow invisible to me?

2) C:\System Volume Information\_restore{955106F3-E2AF-4D07-9A85-13D1C4FD7D76}\RP113\A0042405.dll (Trojan.Sirefef)
This file isn't found by a search, and I can't access the System Volume Information folder ("Access is denied").

The log from Win32kDiag follows:

Running from: C:\Documents and Settings\Steve Jones\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Steve Jones\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Kaspersky reported nothing! Is that good?

Steve

#13
sjpritch25

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Are you getting any permission errors on any applications?

#14
steve jones

    Advanced Member

  • Honorary Members
  • PipPipPip
  • 120 posts
MBAM running a fast scan again no problem. HijackThis still gives permissions error - poss because it's been sitting on the desktop from the start of the problem? Does it need deleting and reloading perhaps? Other than that the laptop appears to be running OK.

#15
steve jones

    Advanced Member

  • Honorary Members
  • PipPipPip
  • 120 posts
If I am now clear (although my desktop icons do take longer to 'fill in' on starting up XP than they used to?) could you pls advise how best to remove the various bits that are now on my desktop:
Win32kDiag
HijackThis
ComboFix

Is it safest to delete MBAM and reload an updated version every time I do a scan of my system?

Many thanks

Steve Jones

#16
sjpritch25

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
You can just uninstall and re-install Hijackthis if you like.

Go to Start ---> Run ---> Type ComboFix /u and press Enter.


You can delete win32diag from your desktop.


How much memory is installed on the pc?

#17
steve jones

    Advanced Member

  • Honorary Members
  • PipPipPip
  • 120 posts
Will do as you advise - thanks. The laptop has 4 gig installed but running 32 bit XP I think it only uses 3 gig?

Steve

#18
sjpritch25

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
See if this speeds things up. You will probably need to reboot for it to start.

Go to Start ---> Run --> Type chkdsk C: /f and press Enter.


Let me know how things are running

#19
steve jones

    Advanced Member

  • Honorary Members
  • PipPipPip
  • 120 posts
Will try to do that when I get home from work tonight, thanks. As a matter of interest, when I switched the laptop on yesterday it said I needed to accept Microsoft updates, then it started to load SP3. I panicked cos I thought I was already running SP3, so stopped the download. Can you tell from my logs posted earlier which I already have please?

Steve

#20
sjpritch25

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Right-click on your My Computer icon and choose Properties. Click on the General Tab. That will tell you what service pack is installed. Let me know