Malwarebytes

Can't get MBAM or HijackThis


9 replies to this topic

#1
NorthernJames

    New Member

  • Members
  • 6 posts
Hi, I originally posted here http://www.malwareby...showtopic=28631 about my problem.

I have tried installing MBAM, but when I click the desktop icon, Start Menu link or the exe directly, nothing happens.

Following the advice in the 'I'm infected - What do I do now?' thread, I downloaded HijackThis and installed it, but it has the same problem. I attempt to start the program and nothing happens.

If I have Task Manager open I can see that each time I try to open HijackThis a HijackThis.exe appears in Processes, but no window opens and I cannot access the program.

#2
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

Once you've gotten one of them to run then try to immediately run the following.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.
This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...
Ron Lewis
Manager, Online Support

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3
NorthernJames

    New Member

  • Members
  • 6 posts
I have followed your advice; here is the ComboFix log:


ComboFix 09-10-25.02 - Owner 26/10/2009 19:25.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3583.3122 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\MSIVXmppxiqjejdjxytdwrspyoojtumgilixm.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXncodoicmlkjalupsvrohtuvwpjcxelxx.dll
c:\windows\system32\MSIVXylkmvrgmfnusnqohddoxxtpbsnkspheo.dll
c:\windows\system32\sdra64.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys
-------\Legacy_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-26 00:11 . 2009-10-26 00:11 -------- d-----w- c:\documents and settings\Owner\Application Data\AgeOfBooty
2009-10-25 23:30 . 2009-10-26 00:26 -------- d-----w- c:\documents and settings\Owner\Application Data\The Path
2009-10-25 22:29 . 2009-10-25 22:33 -------- d-----w- C:\$AVG
2009-10-25 22:29 . 2009-10-25 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-25 22:29 . 2009-10-25 22:29 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-25 12:27 . 2009-10-26 19:12 -------- d-----w- c:\program files\Steam
2009-10-18 13:10 . 2009-10-22 18:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 18:58 . 2009-10-01 18:58 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-09-30 17:01 . 2009-09-30 17:01 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-30 17:00 . 2009-09-30 17:00 -------- d-----w- C:\488132914c351078a9
2009-09-30 17:00 . 2009-09-30 17:00 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-09-30 17:00 . 2009-09-30 17:00 -------- d-----w- C:\ac2e2281932c0294316848a4af
2009-09-29 17:34 . 2009-09-29 17:34 -------- d-----w- c:\windows\ie8updates
2009-09-29 16:07 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-29 16:07 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-29 16:07 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-29 16:07 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-29 16:07 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-28 21:05 . 2009-09-28 21:05 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-09-28 21:03 . 2009-09-28 21:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-28 21:03 . 2009-09-28 21:03 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-09-28 20:16 . 2009-09-28 20:16 -------- dc-h--w- c:\windows\ie8
2009-09-27 21:01 . 2009-09-27 21:01 -------- d-----w- c:\program files\Belkin
2009-09-27 13:13 . 2009-09-27 13:13 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-09-27 02:04 . 2009-09-27 02:05 -------- d-----w- C:\246a30d5d3d7396955c716383a
2009-09-27 02:04 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-27 02:04 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-27 02:04 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-27 02:04 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-26 19:50 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-09-26 19:50 . 2009-08-04 19:44 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-26 19:50 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-26 19:50 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-26 19:50 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-09-26 19:50 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 19:24 . 2009-08-15 14:40 -------- d-----w- c:\program files\Common Files\Akamai
2009-10-26 17:34 . 2009-07-01 15:31 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-26 00:56 . 2009-07-20 14:38 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-10-25 22:29 . 2009-07-01 15:31 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-25 22:29 . 2009-07-01 15:31 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-25 22:29 . 2009-07-01 15:31 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-25 22:29 . 2009-07-01 15:31 -------- d-----w- c:\program files\AVG
2009-10-25 21:36 . 2009-07-01 21:41 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-10-18 23:00 . 2009-07-02 23:23 -------- d-----w- c:\documents and settings\Owner\Application Data\FrostWire
2009-10-02 18:48 . 2009-08-01 16:58 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-09-30 21:42 . 2009-07-23 20:56 -------- d-----w- c:\program files\FrostWire
2009-09-27 02:11 . 2009-06-30 09:51 12328 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 14:40 . 2009-06-29 17:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-26 12:40 . 2009-09-26 12:40 -------- d-----w- c:\program files\Network Stumbler
2009-09-23 19:14 . 2009-07-15 19:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-09-23 16:46 . 2009-09-23 16:46 -------- d-----w- c:\program files\iTunes
2009-09-23 16:46 . 2009-09-23 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-23 16:46 . 2009-09-23 16:46 -------- d-----w- c:\program files\iPod
2009-09-23 16:46 . 2009-07-15 19:47 -------- d-----w- c:\program files\Common Files\Apple
2009-09-23 16:44 . 2009-09-23 16:44 -------- d-----w- c:\program files\QuickTime
2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 23:49 . 2009-08-28 23:49 -------- d-----w- c:\program files\Perfect World Entertainment
2009-08-28 18:42 . 2009-07-15 19:47 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 18:42 . 2009-07-15 19:47 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2008-04-14 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2008-04-14 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-29 04:37 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-08 19:48 . 2009-09-05 15:10 103173 ----a-w- c:\program files\makeDesktopIcon.exe
2005-11-30 16:28 . 2009-09-05 15:12 0 ----a-w- c:\program files\DIRECT PLAY By blaze69.crc
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2009-10-25 1217808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="=" [X]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-17 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-12-09 18063872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G Desktop Card Client Utility.lnk - c:\program files\Belkin\F5D7000v7032\Belkinwcui.exe [2009-9-27 1560576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-25 22:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Electronic Arts\\Burnout™ Paradise The Ultimate Box\\BurnoutLauncher.exe"=
"c:\\Program Files\\Electronic Arts\\Burnout™ Paradise The Ultimate Box\\BurnoutConfigTool.exe"=
"c:\\Program Files\\Electronic Arts\\Burnout™ Paradise The Ultimate Box\\BurnoutParadise.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\AeriaGames\\MegaTen\\ImagineUpdate.exe"=
"c:\\AeriaGames\\MegaTen\\ImagineClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\machinarium demo\\machinarium.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/07/2009 15:31 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/07/2009 15:31 360584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 12:00 14336]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [25/10/2009 22:29 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [25/10/2009 22:29 285392]
R3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [01/07/2009 15:10 303616]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [30/07/2009 18:57 120472]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\uw0r3wgj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-MixVibes.exe - c:\program files\MixVibesDVS\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 19:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1957994488-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8e,1a,72,61,c7,3b,b8,f2,e2,08,16,0a,78,70,91,1c,39,b3,b0,e7,5a,e5,6b,
c1,75,8b,9e,74,58,6c,11,d9,ee,57,57,09,93,b5,76,d8,03,16,3e,ea,98,71,0d,2b,\
"??"=hex:6f,49,1e,e1,7d,eb,0e,d0,be,48,da,ff,af,36,13,95

[HKEY_USERS\S-1-5-21-1757981266-1957994488-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:62,11,09,a4,d8,73,79,f7,c3,e9,08,ea,14,9d,23,5c,d1,bd,d3,1d,d6,
93,c0,9a,4c,1c,3a,4c,84,cd,08,be,60,bd,83,85,ce,38,b3,7c,94,aa,f6,54,34,6a,\
"rkeysecu"=hex:9c,8f,32,06,c4,8a,25,c0,18,47,03,29,18,d6,eb,ee
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-26 19:29
ComboFix-quarantined-files.txt 2009-10-26 19:29

Pre-Run: 363,503,685,632 bytes free
Post-Run: 363,999,092,736 bytes free

Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - AE0BB43C3B07F39EAC35F2C85541B813





And following that HijackThis would now run, here is the HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:33:13, on 26/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Belkin\F5D7000v7032\Belkinwcui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Belkin Wireless G Desktop Card Client Utility.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4895 bytes

#4
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log




Please temporarily disable your current Anti-Virus in order to run this Online Scanner.
Using Internet Explorer:
  • Vista and Windows 7 users need to right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • Click here to run the Eset Online Scanner using Internet Explorer.
  • Click on the ESET Online Scanner button.
  • Click on the checkbox Yes, I accept the Terms of Use and click on the Start button.
  • By default the ActiveX installer will be blocked by Internet Explorer. You should see a yellow banner at the top of the Window.
  • Click the top of the Window and select "Run ActiveX Control" and then click the Run button on the next dialog box.
  • Click the Retry button if prompted to resend the request to load and run the ActiveX control from ESET
  • Make sure you Uncheck the Remove found threats checkbox in case we need you to submit a copy of any files found.
  • Click on the Advanced settings selection in the middle and place a checkmark on the following items
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
    • Under Current scan targets: click the Change... item and make sure it's set to Local drives and the Operating memory
  • Then click on the Start button and it will start downloading signature database files to update the program
  • Once the database files are downloaded it should automatically start scanning your system for threats.
  • When the scanner is done please click on the List of found threats and click on Export to text file...
  • Save the file as NOD32_SCAN.TXT to your Desktop
  • Click the << Back button. For now do not uninstall the program or delete the quarantine files, just click the Finish button.
  • The next screen is advertisement to purchase the product. You can just close that window for now.
  • If we need to run the program later on it can be run from here: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
  • Open the file you saved to your Desktop as NOD32_SCAN.TXT and select all and copy/paste it back on your next reply

Using Another Browser:
  • Please click here to launch the application which installs and launches ESET Online Scanner in a separate window.
  • You will first need to save the file to your Desktop and double-click on it to run it. Vista and Windows 7 users need to right-click and choose "Run as Administrator"
  • You should be prompted with "Do you want to run this file?", click on the Run button.
  • Click on the checkbox Yes, I accept the Terms of Use and click on the Start button.
  • The program will download further files to use with the scanner and allow you to change options.
  • Make sure you Uncheck the Remove found threats checkbox in case we need you to submit a copy of any files found.
  • Click on the Advanced settings selection in the middle and place a checkmark on the following items
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
    • Under Current scan targets: click the Change... item and make sure it's set to Local drives and the Operating memory
  • Then click on the Start button and it will start downloading signature database files to update the program
  • Once the database files are downloaded it should automatically start scanning your system for threats.
  • When the scanner is done please click on the List of found threats and click on Export to text file...
  • Save the file as NOD32_SCAN.TXT to your Desktop
  • Click the << Back button. For now do not uninstall the program or delete the quarantine files, just click the Finish button.
  • The next screen is advertisement to purchase the product. You can just close that window for now.
  • If we need to run the program later on it can be run from here: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
  • Open the file you saved to your Desktop as NOD32_SCAN.TXT and select all and copy/paste it back on your next reply

#5
NorthernJames

    New Member

  • Members
  • 6 posts
MBAM LOG

Malwarebytes' Anti-Malware 1.41
Database version: 3042
Windows 5.1.2600 Service Pack 3

27/10/2009 17:45:48
mbam-log-2009-10-27 (17-45-48).txt

Scan type: Quick Scan
Objects scanned: 90837
Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{48ec1b4c-6e2f-452c-acde-a425b9672ef6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






NOD32_SCAN


C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXncodoicmlkjalupsvrohtuvwpjcxelxx.dll.vir Win32/Olmarik.JI trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXylkmvrgmfnusnqohddoxxtpbsnkspheo.dll.vir Win32/TrojanClicker.Agent.NHI trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\MSIVXmppxiqjejdjxytdwrspyoojtumgilixm.sys.vir Win32/TrojanClicker.Agent.NHJ trojan
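As an added example (not part of the thread and not Malwarebytes' own tooling), here is a small Python triage script for MBAM 1.x logs like the one above: it parses the "Registry Data Items Infected" section, pulls the resolver addresses reported under Tcpip\Parameters\Interfaces, and flags any public resolver that is not on an allowlist you supply. The embedded sample reuses the DhcpNameServer line from this post; the second interface line, the Security Center line and the allowlist are constructed.

```python
r"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example).

Pulls the "Registry Data Items Infected" section apart, recognises the
Tcpip\Parameters\Interfaces\{GUID}\DhcpNameServer / NameServer entries a
Trojan.DNSChanger detection reports, and classifies each resolver address.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample log. The first DNS line is the one from the MBAM log in this
# thread; the second interface ({1111...}) and the Security Center item are made
# up to exercise the parser (a mixed router/rogue value, and a non-resolver item).
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.41
Registry Data Items Infected: 3

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{48ec1b4c-6e2f-452c-acde-a425b9672ef6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}\NameServer (Trojan.DNSChanger) -> Data: 192.168.1.1,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One "-> Data:" entry: <key> (<threat>) -> Data: <v1,v2,...> -> <action>.
_DATA_ITEM_RE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<threat>[^)]+)\) -> Data: (?P<data>\S+) -> (?P<action>.+?)\.?$"
)
# Interface GUID and value name of a per-adapter resolver setting.
_DNS_KEY_RE = re.compile(
    r"\\Tcpip\\Parameters\\Interfaces\\\{(?P<guid>[0-9a-fA-F-]+)\}\\(?P<value>DhcpNameServer|NameServer)$",
    re.IGNORECASE,
)


class DnsFinding(NamedTuple):
    interface_guid: str
    value_name: str      # DhcpNameServer (leased) or NameServer (static)
    threat: str          # e.g. Trojan.DNSChanger
    servers: List[str]   # resolver addresses as MBAM reported them
    action: str          # e.g. "Quarantined and deleted successfully"


def registry_data_items(log_text: str) -> List[str]:
    """Entry lines of the 'Registry Data Items Infected:' section (ends at a blank line).
    The summary block's look-alike line carries a count, so only the exact header opens it."""
    items: List[str] = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == "Registry Data Items Infected:":
            in_section = True
        elif in_section:
            if not stripped:
                break
            if stripped != "(No malicious items detected)":
                items.append(stripped)
    return items


def parse_dns_findings(log_text: str) -> List[DnsFinding]:
    """Extract resolver-tampering entries; other registry data items are skipped."""
    findings: List[DnsFinding] = []
    for item in registry_data_items(log_text):
        m = _DATA_ITEM_RE.match(item)
        dns = _DNS_KEY_RE.search(m.group("key")) if m else None
        if not dns:
            continue
        servers = [s for s in m.group("data").split(",") if s]
        findings.append(DnsFinding(dns.group("guid"), dns.group("value"),
                                   m.group("threat"), servers, m.group("action")))
    return findings


def classify_resolver(server: str, expected: Iterable[str]) -> str:
    """'expected' if allowlisted, 'private' for RFC 1918 / link-local (normally the
    home router), 'unexpected-public' for anything else that deserves a closer look."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if server in set(expected):
        return "expected"
    if addr.is_private or addr.is_link_local:
        return "private"
    return "unexpected-public"


def audit_log(log_text: str, expected_resolvers: Iterable[str]) -> Dict[str, List[str]]:
    """Map each tampered interface GUID to its resolvers that are neither expected nor private."""
    expected = set(expected_resolvers)
    suspicious: Dict[str, List[str]] = {}
    for f in parse_dns_findings(log_text):
        bad = [s for s in f.servers if classify_resolver(s, expected) == "unexpected-public"]
        if bad:
            suspicious[f.interface_guid] = bad
    return suspicious
```

Running `audit_log(SAMPLE_MBAM_LOG, ["8.8.8.8"])` reports both rogue addresses for the first interface and only the rogue one for the second, since the router address is classed as private.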

#6
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.
    VArestorepolicies.INF
  • Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
  • Unzip or open the file VArestorepolicies.zip
  • Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install
    FixPolicies.exe
  • Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that will open
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close
  • These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.


Please download and run the following too. When it asks you to restart the computer please do.
http://oldtimer.geekstogo.com/OTC.exe


Let me know how the computer is running now and if there are still any signs of an infection.

#7
NorthernJames

    New Member

  • Members
  • 6 posts
First of all, let me just thank you for all your help :)

I've downloaded and run the above programs.

Computer does seem to be running fine now.

AVG hasn't located any more Trojans in its past 2 scheduled scans, and I ran MBAM again and it found no infections.

The fake Microsoft pop-ups I was getting when surfing the internet, trying to convince me to download a piece of security software, seem to have ceased.

And the obviously 'hijacked' web adverts on certain sites (e.g. every advert on MySpace and IMDb being for some sort of penis growth pills) have also gone.


So the infection does seem to have been dealt with.



James

#8
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Great, all looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?


[indent]At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
You can find a tutorial on how to use SpyWare Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,
tracking and malicious websites. This prevents your computer from connecting to these untrusted sites
by redirecting them to 127.0.0.1 which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you fully understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
[/indent]
Ron Lewis
Manager, Online Support
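The post above explains the mechanism behind hpHosts: a hosts file maps ad, tracking and malicious hostnames to 127.0.0.1, so the operating system resolves them to the local machine before DNS is ever consulted. The following is an added example, not code from the thread or from the hpHosts project, showing how such a file is parsed and what it does and does not cover. The sample entries are constructed for the example; the hostnames and the helper names (parse_hosts, sinkholed_names, resolves_to) are assumptions, not anything from the original page.

```python
import ipaddress

# Addresses that send a hostname back to the local machine. 0.0.0.0 is an
# alternative some lists use: 127.0.0.1 makes the browser connect to any web
# server listening locally, whereas 0.0.0.0 fails immediately.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Constructed sample in hosts-file format; not the real hpHosts list.
SAMPLE_HOSTS = """\
# hosts file excerpt, constructed for this example
127.0.0.1   localhost
::1         localhost
127.0.0.1   ads.example.net  tracker.example.net   # several names on one line
0.0.0.0     malware.example.org
192.168.1.10   fileserver.lan       # an ordinary mapping, not a sinkhole
"""


def parse_hosts(text):
    """Return {hostname: address} for every valid entry in hosts-file text.

    Comments (#) and blank lines are ignored; a line may carry several
    hostnames after the address. The first mapping for a name wins, which is
    how the resolver reads the file, so later duplicates do not override it.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: skip the line rather than trust it
        for name in parts[1:]:
            mapping.setdefault(name.lower().rstrip("."), str(addr))
    return mapping


def sinkholed_names(mapping):
    """Hostnames the file redirects to the local machine (excluding localhost)."""
    return {
        name
        for name, addr in mapping.items()
        if addr in SINKHOLE_ADDRESSES and name != "localhost"
    }


def resolves_to(mapping, hostname):
    """Address the hosts file supplies for hostname, or None if it is not listed.

    An unlisted name falls through to DNS. Matching is exact: an entry for
    'ads.example.net' does not cover 'cdn.ads.example.net', so a hosts-based
    blocklist only stops the exact hostnames it enumerates.
    """
    return mapping.get(hostname.lower().rstrip("."))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("sinkholed:", sorted(sinkholed_names(hosts)))
    for name in ("ads.example.net", "cdn.ads.example.net", "fileserver.lan"):
        print(name, "->", resolves_to(hosts, name) or "(not listed, goes to DNS)")
```

The practical caveat this makes visible is the exact-match rule: a hosts file is a flat list of names, so a new subdomain used by an ad or malware network is not blocked until the list is updated, which is why such lists need regular refreshing just like signature databases.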

#9
NorthernJames

    New Member

  • Members
  • 6 posts
Thanks again for all your help.

I'll certainly have a look at those other security programs now.

#10
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,578 posts
  • Gender:Male
  • Location:US
Thank you. Take care and stay safe out there, and tell your friends and family about Malwarebytes.
Ron Lewis
Manager, Online Support