Malwarebytes' Anti-Malware 1.38
Database version: 2378
Windows 5.1.2600 Service Pack 2
7/6/2009 11:36:17 AM
mbam-log-2009-07-06 (11-36-17).txt
Scan type: Quick Scan
Objects scanned: 93249
Time elapsed: 11 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
-----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:44 AM, on 7/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O1 - Hosts: 209.44.111.62 www.antiaware-pro.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120864279749
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EDFC43E-BE23-4C9C-9166-CBCD477E76A3}: NameServer = 192.168.2.1
O20 - AppInit_DLLs: smvteh.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) (Q) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6433 bytes
Full Version: rootkit help
Please download the following tool>>>
http://rootrepeal.googlepages.com/
Extract from zip/rar and run Rootrepeal.exe
At the bottom of the software is a list of buttons, goto Report button and click on it.
Next select scan and make sure all box's are checked(Tick) except SSDT.
Press OK and next select drive to be scanned(Should be C),
Copy and paste the output log generated into your next reply.
Thanks in advance
http://rootrepeal.googlepages.com/
Extract from zip/rar and run Rootrepeal.exe
At the bottom of the software is a list of buttons, goto Report button and click on it.
Next select scan and make sure all box's are checked(Tick) except SSDT.
Press OK and next select drive to be scanned(Should be C),
Copy and paste the output log generated into your next reply.
Thanks in advance
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/06 15:54
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: 00000982
Image Path: 00000982
Address: 0x81C08000 Size: 41221 File Visible: No Signed: -
Status: -
Name: 00000982
Image Path: 00000982
Address: 0xEBEA3000 Size: 70656 File Visible: No Signed: -
Status: Hidden from Windows API!
Name: dump_nvatabus.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvatabus.sys
Address: 0xEBE2B000 Size: 81920 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A4A000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC1D4000 Size: 49152 File Visible: No Signed: -
Status: -
Name: schmvhnv.sys
Image Path: schmvhnv.sys
Address: 0xF8536000 Size: 61440 File Visible: No Signed: -
Status: -
Name: ubutuf.sys
Image Path: ubutuf.sys
Address: 0xF8546000 Size: 61440 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!
Path: c:\documents and settings\alison\local settings\temp\etilqs_poxqqwfc0qpypdkydcxg
Status: Allocation size mismatch (API: 32768, Raw: 0)
Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x81f09250, TID: 424]
Process: svchost.exe (PID: 888) Address: 0x00771f3c Size: -
Hidden Services
-------------------
Service Name: ijyjccj
Image Path: C:\WINDOWS\system32\drivers\yazghhuj.sys
==EOF==
==================================================
Scan Time: 2009/07/06 15:54
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: 00000982
Image Path: 00000982
Address: 0x81C08000 Size: 41221 File Visible: No Signed: -
Status: -
Name: 00000982
Image Path: 00000982
Address: 0xEBEA3000 Size: 70656 File Visible: No Signed: -
Status: Hidden from Windows API!
Name: dump_nvatabus.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvatabus.sys
Address: 0xEBE2B000 Size: 81920 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A4A000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC1D4000 Size: 49152 File Visible: No Signed: -
Status: -
Name: schmvhnv.sys
Image Path: schmvhnv.sys
Address: 0xF8536000 Size: 61440 File Visible: No Signed: -
Status: -
Name: ubutuf.sys
Image Path: ubutuf.sys
Address: 0xF8546000 Size: 61440 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!
Path: c:\documents and settings\alison\local settings\temp\etilqs_poxqqwfc0qpypdkydcxg
Status: Allocation size mismatch (API: 32768, Raw: 0)
Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x81f09250, TID: 424]
Process: svchost.exe (PID: 888) Address: 0x00771f3c Size: -
Hidden Services
-------------------
Service Name: ijyjccj
Image Path: C:\WINDOWS\system32\drivers\yazghhuj.sys
==EOF==
Hi ya,
Please update and run MBAM quickscan.Allow it to remove what it finds then reboot!
Run MBAM QS again to find out if the previous detected objects are still surviving ?
Please update and run MBAM quickscan.Allow it to remove what it finds then reboot!
Run MBAM QS again to find out if the previous detected objects are still surviving ?
Rescan looks clean this time, thank you very much for your help
Hi ya,
If possible i would like to see a couple more reports before we sound the all clear
STEP 01
If possible i would like to see a couple more reports before we sound the all clear
STEP 01
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
sure thing
ComboFix 09-07-06.A0 - Alison 07/07/2009 13:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.289 [GMT -4:00]
Running from: c:\documents and settings\Alison\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\bdqbexul.ini
c:\windows\Tasks\tongdead.job
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.
2009-07-07 17:39 . 2004-08-04 07:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-07 17:39 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-06 15:38 . 2009-07-06 15:38 -------- d-----w- c:\program files\Trend Micro
2009-07-06 14:35 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-06 14:35 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-06 14:35 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-06 14:35 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-06 14:35 . 2009-07-06 14:35 -------- d-----w- c:\program files\Avira
2009-07-06 14:35 . 2009-07-06 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-03 14:30 . 2009-07-03 14:30 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-12 02:36 . 2009-06-12 02:36 152576 ----a-w- c:\documents and settings\Alison\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 01:45 . 2008-05-29 18:59 -------- d-----w- c:\program files\Steam
2009-07-06 15:39 . 2005-09-22 23:12 -------- d-----w- c:\documents and settings\Alison\Application Data\uTorrent
2009-07-03 14:30 . 2009-02-13 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 15:27 . 2009-02-13 04:24 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-02-13 04:24 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 02:37 . 2005-07-18 02:43 -------- d-----w- c:\program files\Java
2009-05-21 15:33 . 2008-12-02 04:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-08 15:46 . 2009-05-08 15:46 55 ----a-w- c:\documents and settings\Alison\Application Data\RenPy\persistent\act1.katawa-shoujo.com
2009-04-16 13:02 . 2009-04-16 13:02 152576 ----a-w- c:\documents and settings\Alison\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-07-31 4617720]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Steam"="c:\program files\Steam\Steam.exe" [2009-07-03 1217784]
"Google Update"="c:\documents and settings\Alison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-12 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-06-17 414992]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-10-29 921600]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-7-11 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Alison\\My Documents\\utorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/6/2009 10:35 AM 108289]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/13/2009 12:24 AM 195856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/13/2009 12:24 AM 19096]
S2 ijyjccj;ijyjccj;\??\c:\windows\system32\drivers\yazghhuj.sys --> c:\windows\system32\drivers\yazghhuj.sys [?]
S3 XDva277;XDva277;\??\c:\windows\system32\XDva277.sys --> c:\windows\system32\XDva277.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1078145449-839522115-1003Core.job
- c:\documents and settings\Alison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-12 03:55]
2009-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1078145449-839522115-1003UA.job
- c:\documents and settings\Alison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-12 03:55]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {8EDFC43E-BE23-4C9C-9166-CBCD477E76A3} = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Alison\Application Data\Mozilla\Firefox\Profiles\mwhwomav.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Alison\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 13:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2009-07-07 13:43
ComboFix-quarantined-files.txt 2009-07-07 17:42
Pre-Run: 6,949,666,816 bytes free
Post-Run: 7,772,901,376 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
134 --- E O F --- 2009-01-14 08:00
---------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:08 PM, on 7/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O1 - Hosts: 209.44.111.62 www.antiaware-pro.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120864279749
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EDFC43E-BE23-4C9C-9166-CBCD477E76A3}: NameServer = 192.168.2.1
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) (Q) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6311 bytes
ComboFix 09-07-06.A0 - Alison 07/07/2009 13:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.289 [GMT -4:00]
Running from: c:\documents and settings\Alison\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\bdqbexul.ini
c:\windows\Tasks\tongdead.job
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.
2009-07-07 17:39 . 2004-08-04 07:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-07 17:39 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-06 15:38 . 2009-07-06 15:38 -------- d-----w- c:\program files\Trend Micro
2009-07-06 14:35 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-06 14:35 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-06 14:35 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-06 14:35 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-06 14:35 . 2009-07-06 14:35 -------- d-----w- c:\program files\Avira
2009-07-06 14:35 . 2009-07-06 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-03 14:30 . 2009-07-03 14:30 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-12 02:36 . 2009-06-12 02:36 152576 ----a-w- c:\documents and settings\Alison\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 01:45 . 2008-05-29 18:59 -------- d-----w- c:\program files\Steam
2009-07-06 15:39 . 2005-09-22 23:12 -------- d-----w- c:\documents and settings\Alison\Application Data\uTorrent
2009-07-03 14:30 . 2009-02-13 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 15:27 . 2009-02-13 04:24 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-02-13 04:24 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 02:37 . 2005-07-18 02:43 -------- d-----w- c:\program files\Java
2009-05-21 15:33 . 2008-12-02 04:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-08 15:46 . 2009-05-08 15:46 55 ----a-w- c:\documents and settings\Alison\Application Data\RenPy\persistent\act1.katawa-shoujo.com
2009-04-16 13:02 . 2009-04-16 13:02 152576 ----a-w- c:\documents and settings\Alison\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-07-31 4617720]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Steam"="c:\program files\Steam\Steam.exe" [2009-07-03 1217784]
"Google Update"="c:\documents and settings\Alison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-12 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-06-17 414992]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-10-29 921600]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-7-11 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Alison\\My Documents\\utorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/6/2009 10:35 AM 108289]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/13/2009 12:24 AM 195856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/13/2009 12:24 AM 19096]
S2 ijyjccj;ijyjccj;\??\c:\windows\system32\drivers\yazghhuj.sys --> c:\windows\system32\drivers\yazghhuj.sys [?]
S3 XDva277;XDva277;\??\c:\windows\system32\XDva277.sys --> c:\windows\system32\XDva277.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1078145449-839522115-1003Core.job
- c:\documents and settings\Alison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-12 03:55]
2009-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1078145449-839522115-1003UA.job
- c:\documents and settings\Alison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-12 03:55]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {8EDFC43E-BE23-4C9C-9166-CBCD477E76A3} = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Alison\Application Data\Mozilla\Firefox\Profiles\mwhwomav.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Alison\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 13:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2009-07-07 13:43
ComboFix-quarantined-files.txt 2009-07-07 17:42
Pre-Run: 6,949,666,816 bytes free
Post-Run: 7,772,901,376 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
134 --- E O F --- 2009-01-14 08:00
---------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:08 PM, on 7/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O1 - Hosts: 209.44.111.62 www.antiaware-pro.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120864279749
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EDFC43E-BE23-4C9C-9166-CBCD477E76A3}: NameServer = 192.168.2.1
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) (Q) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6311 bytes
Hi ya,
Please open HijackThis and Fixcheck the following entries only
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O1 - Hosts: 209.44.111.62 www.antiaware-pro.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Combofix report and HJT looking good to go so how is the pc now ?
Please open HijackThis and Fixcheck the following entries only
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O1 - Hosts: 209.44.111.62 www.antiaware-pro.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Combofix report and HJT looking good to go so how is the pc now ?
Everything seems okay to me.
Ok well i can see no more malware issue's in the logs so will give ya the all clear
Here's some handy reading tho Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
We hope our application has helped you eradicate this malicious Malware.
If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.
Safe surfing
Here's some handy reading tho Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
We hope our application has helped you eradicate this malicious Malware.
If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.
Safe surfing
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.