I recently contracted the Antivirus malware and it has locked up my antivirus/spyware programs from opening.
I downloaded and installed Malwarebytes' Anti-Malware and HijackThis but they won't open. The error message received when trying to open them is the following: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
Also, AVG will not open now as well. I rebooted in safe mode and ran the programs but nothing gets picked up.
PLEASE HELP!!!!
Marcus
Full Version: Antivirus 2010 (Malwarebytes & HJT Inoperable)
Hi and welcome to Malwarebytes.
Please visit this webpage for instructions for running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
-screen317
Please visit this webpage for instructions for running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
-screen317
QUOTE (screen317 @ Sep 26 2009, 07:57 PM) 
Hi and welcome to Malwarebytes.
Please visit this webpage for instructions for running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
-screen317
Please visit this webpage for instructions for running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
-screen317
Thanks for the quick response!
Here is the Combofix text file:
ComboFix 09-09-25.01 - Marcus 09/26/2009 20:47.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1573 [GMT -4:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-4117253376-465198573-4017034940-1000
c:\documents and settings\All Users\Application Data\mocemijoci.pif
c:\documents and settings\All Users\Documents\pygupiho.vbs
c:\documents and settings\All Users\Documents\rity.reg
c:\documents and settings\All Users\Documents\ymevimos.sys
c:\documents and settings\Marcus\Application Data\eradiqywe.sys
c:\documents and settings\Marcus\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Marcus\Cookies\givy.com
c:\documents and settings\Marcus\Cookies\kofazekusa.dll
c:\documents and settings\Marcus\Cookies\ujagapulik.dll
c:\documents and settings\Marcus\Cookies\waxozaz.lib
c:\documents and settings\Marcus\Local Settings\Application Data\avuhysam._dl
c:\documents and settings\Marcus\Local Settings\Application Data\ijat.dll
c:\documents and settings\Marcus\Local Settings\Application Data\vejypakyg.bat
c:\documents and settings\Marcus\Local Settings\Application Data\yqobupez._dl
c:\documents and settings\Marcus\Local Settings\Application Data\yzikite._dl
c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\ecilaxo.ban
c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\ojerepogu.reg
c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\yrak.com
c:\documents and settings\Marcus\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Marcus\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Marcus\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\recycler\S-1-5-21-993081466-2568998575-392820215-1005
c:\recycler\S-1-5-21-993081466-2568998575-392820215-500
c:\windows\Downloaded Program Files\IDropPTB.dll
c:\windows\Installer\100072f5.msi
c:\windows\Installer\100072f6.msi
c:\windows\Installer\10007308.msi
c:\windows\Installer\10007310.msi
c:\windows\Installer\10007311.msi
c:\windows\Installer\105310b.msi
c:\windows\Installer\1196d5.msi
c:\windows\Installer\11ec90.msi
c:\windows\Installer\123a4a.msi
c:\windows\Installer\123a59.msi
c:\windows\Installer\123c97.msi
c:\windows\Installer\123cb0.msi
c:\windows\Installer\123cc4.msi
c:\windows\Installer\123d03.msi
c:\windows\Installer\123d15.msi
c:\windows\Installer\123d7a.msi
c:\windows\Installer\123d8b.msi
c:\windows\Installer\123e88.msi
c:\windows\Installer\129a18f3.msp
c:\windows\Installer\13a6c3ba.msp
c:\windows\Installer\13a6c3da.msp
c:\windows\Installer\13a6c3e2.msi
c:\windows\Installer\13a6c446.msi
c:\windows\Installer\13a6c44e.msi
c:\windows\Installer\13a6c456.msi
c:\windows\Installer\13a6c45e.msi
c:\windows\Installer\13a6c46e.msi
c:\windows\Installer\15119a2b.msp
c:\windows\Installer\153ee5.msi
c:\windows\Installer\153eed.msi
c:\windows\Installer\153efb.msi
c:\windows\Installer\153f09.msi
c:\windows\Installer\156c4d6.msi
c:\windows\Installer\166c9ff1.msp
c:\windows\Installer\1730b7.msi
c:\windows\Installer\1730be.msi
c:\windows\Installer\17f717e6.msi
c:\windows\Installer\187b25e.msi
c:\windows\Installer\187b269.msi
c:\windows\Installer\1ab69ec.msi
c:\windows\Installer\1ab69f3.msi
c:\windows\Installer\1b7bb9.msi
c:\windows\Installer\1b9498b.msi
c:\windows\Installer\1c5eb42.msi
c:\windows\Installer\1c5eb50.msi
c:\windows\Installer\1c5eb57.msi
c:\windows\Installer\1d7df0c2.msp
c:\windows\Installer\1da0f85.msi
c:\windows\Installer\1da127c.msi
c:\windows\Installer\1da1283.msi
c:\windows\Installer\1da128a.msi
c:\windows\Installer\1da1291.msi
c:\windows\Installer\1da1298.msi
c:\windows\Installer\1da12c0.msi
c:\windows\Installer\1da12c7.msi
c:\windows\Installer\1da12d0.msi
c:\windows\Installer\1f12d.msi
c:\windows\Installer\23a8659.msi
c:\windows\Installer\242fab9.msi
c:\windows\Installer\2586cc98.msi
c:\windows\Installer\2586cf49.msi
c:\windows\Installer\2586d0de.msi
c:\windows\Installer\27c3e82.msp
c:\windows\Installer\2cf5127.msi
c:\windows\Installer\2f69b6d.msi
c:\windows\Installer\33880205.msp
c:\windows\Installer\352782a.msi
c:\windows\Installer\363c2e.msi
c:\windows\Installer\363c46.msi
c:\windows\Installer\383d755a.msi
c:\windows\Installer\383d7564.msi
c:\windows\Installer\45911d.msi
c:\windows\Installer\4ae8eb.msi
c:\windows\Installer\5351692.msi
c:\windows\Installer\54cd12.msi
c:\windows\Installer\54cd19.msi
c:\windows\Installer\54cd20.msi
c:\windows\Installer\54cd28.msi
c:\windows\Installer\54cd2f.msi
c:\windows\Installer\54cd3a.msi
c:\windows\Installer\54cd41.msi
c:\windows\Installer\54cd48.msi
c:\windows\Installer\54cd4f.msi
c:\windows\Installer\54cd56.msi
c:\windows\Installer\54cd5e.msi
c:\windows\Installer\54cd67.msi
c:\windows\Installer\54cd6e.msi
c:\windows\Installer\54cd75.msi
c:\windows\Installer\54cd7c.msi
c:\windows\Installer\54cd83.msi
c:\windows\Installer\54cd8a.msi
c:\windows\Installer\54cd91.msi
c:\windows\Installer\54da0c.msi
c:\windows\Installer\55b48.msp
c:\windows\Installer\5af58e.msi
c:\windows\Installer\5b612e3.msi
c:\windows\Installer\5d204b0.msp
c:\windows\Installer\5d204c9.msp
c:\windows\Installer\5d205a7.msp
c:\windows\Installer\5d205b1.msp
c:\windows\Installer\5d2060f.msp
c:\windows\Installer\5d20623.msp
c:\windows\Installer\5d2063b.msp
c:\windows\Installer\5d20644.msp
c:\windows\Installer\601c1.msp
c:\windows\Installer\601c9.msp
c:\windows\Installer\69405a5.msi
c:\windows\Installer\69405b4.msi
c:\windows\Installer\69405bc.msi
c:\windows\Installer\69405c9.msi
c:\windows\Installer\694a9f4.msi
c:\windows\Installer\694aa05.msi
c:\windows\Installer\694aa0f.msi
c:\windows\Installer\694aa2c.msi
c:\windows\Installer\694aa3d.msi
c:\windows\Installer\694aa45.msi
c:\windows\Installer\694aa4d.msi
c:\windows\Installer\694aa55.msi
c:\windows\Installer\7389778.msi
c:\windows\Installer\78a05.msp
c:\windows\Installer\78a10.msi
c:\windows\Installer\78a19.msi
c:\windows\Installer\78a37.msp
c:\windows\Installer\7dae2.msi
c:\windows\Installer\80924.msi
c:\windows\Installer\80927.msi
c:\windows\Installer\80937.msi
c:\windows\Installer\80941.msi
c:\windows\Installer\80949.msi
c:\windows\Installer\80968.msi
c:\windows\Installer\8097a.msi
c:\windows\Installer\809a5.msi
c:\windows\Installer\809ae.msi
c:\windows\Installer\809ba.msi
c:\windows\Installer\809c7.msi
c:\windows\Installer\809da.msi
c:\windows\Installer\809ed.msi
c:\windows\Installer\8808ba.msi
c:\windows\Installer\8808f8.msi
c:\windows\Installer\880932.msi
c:\windows\Installer\88093b.msi
c:\windows\Installer\8c3e0c.msi
c:\windows\Installer\8c7e8e.msi
c:\windows\Installer\8c7e96.msi
c:\windows\Installer\8c7e9e.msi
c:\windows\Installer\8c7ea6.msi
c:\windows\Installer\a1e2db9.msp
c:\windows\Installer\a47c15.msi
c:\windows\Installer\a86ef8.msi
c:\windows\Installer\aa14fa.msi
c:\windows\Installer\b69a2d.msi
c:\windows\Installer\c2d2785.msi
c:\windows\Installer\c2d28e9.msi
c:\windows\Installer\c86ccd.msi
c:\windows\Installer\c86cd4.msi
c:\windows\Installer\cc230cd.msi
c:\windows\Installer\cc230d5.msi
c:\windows\Installer\cc230dd.msi
c:\windows\Installer\cc230e5.msi
c:\windows\Installer\cc230ed.msi
c:\windows\Installer\cc230f5.msi
c:\windows\Installer\cc230fd.msi
c:\windows\Installer\cc23113.msi
c:\windows\Installer\cc2311b.msi
c:\windows\Installer\cc2312c.msi
c:\windows\Installer\cc23134.msi
c:\windows\Installer\cc2313c.msi
c:\windows\Installer\cc23144.msi
c:\windows\Installer\cc2314d.msi
c:\windows\Installer\cc23163.msi
c:\windows\Installer\cc2316b.msi
c:\windows\Installer\cc23185.msi
c:\windows\Installer\cc2318d.msi
c:\windows\Installer\cc23195.msi
c:\windows\Installer\cc2319d.msi
c:\windows\Installer\de513c.msp
c:\windows\Installer\de5155.msp
c:\windows\Installer\de516e.msp
c:\windows\Installer\de5188.msp
c:\windows\Installer\de51d2.msp
c:\windows\Installer\de51ed.msp
c:\windows\Installer\de5205.msp
c:\windows\Installer\de521f.msp
c:\windows\Installer\de5238.msp
c:\windows\Installer\de5241.msi
c:\windows\Installer\de5259.msp
c:\windows\Installer\de5278.msp
c:\windows\Installer\e1152b.msi
c:\windows\Installer\e28383.msi
c:\windows\Installer\ea21a7.msi
c:\windows\Installer\ea76a.msi
c:\windows\Nt_File_Temp
c:\windows\Nt_File_Temp\__write_ok__
c:\windows\ph401.dll
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\lylop.vbs
c:\windows\system32\udom.bat
c:\windows\system32\wonikubes.inf
F:\Autorun.inf
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.
2009-09-27 00:29 . 2009-09-27 00:29 -------- d-----w- c:\documents and settings\Marcus\Application Data\HP
2009-09-26 20:52 . 2009-09-26 20:52 -------- d-----w- c:\program files\Trend Micro
2009-09-26 20:03 . 2009-09-26 20:05 0 ----a-r- c:\windows\win32k.sys
2009-09-26 17:10 . 2009-09-26 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-26 17:09 . 2009-09-26 17:09 -------- d-----w- c:\program files\STOPzilla!
2009-09-26 17:09 . 2009-09-26 17:09 -------- d-----w- c:\program files\Common Files\iS3
2009-09-26 17:09 . 2009-09-26 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-26 16:58 . 2009-09-26 16:58 -------- d-----w- C:\_OTM
2009-09-26 04:30 . 2009-09-26 04:30 -------- d-----w- c:\documents and settings\Marcus\Application Data\Malwarebytes
2009-09-26 04:30 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-26 04:30 . 2009-09-26 17:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-26 04:30 . 2009-09-26 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-26 04:30 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-15 02:06 . 2009-09-15 02:06 -------- d-----w- c:\documents and settings\Marcus\Local Settings\Application Data\AVG Security Toolbar
2009-09-09 22:01 . 1995-03-08 13:58 97792 ----a-w- c:\windows\system\WINSYS.DLL
2009-09-09 22:01 . 1995-02-28 15:14 164928 ----a-w- c:\windows\system\BWCC.DLL
2009-09-09 22:01 . 2009-09-09 22:01 -------- d-----w- C:\IT
2009-09-09 22:01 . 1998-10-29 20:45 307004 ----a-w- c:\windows\ISUN16.EXE
2009-09-09 22:01 . 1995-07-13 22:43 26768 ----a-w- c:\windows\system\CTL3D.DLL
2009-09-09 22:01 . 2009-09-09 22:01 -------- d-----w- c:\documents and settings\Marcus\WINDOWS
2009-09-05 06:51 . 2009-09-05 15:28 -------- d-----w- c:\documents and settings\Marcus\Application Data\Audacity
2009-09-05 06:36 . 2009-09-05 06:36 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2009-09-05 06:32 . 2009-09-05 06:32 -------- d-----w- c:\documents and settings\Marcus\Application Data\Sony
2009-09-05 05:53 . 2009-09-05 05:54 -------- d-----w- c:\program files\HI-TECH Software
2009-09-05 05:32 . 2009-09-05 05:46 -------- d-----w- C:\VXIPNP
2009-09-05 05:31 . 2009-09-05 05:31 -------- d-----w- c:\program files\IVI
2009-09-05 05:12 . 2009-09-18 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\National Instruments
2009-09-05 05:10 . 2009-09-05 05:10 -------- d-----w- c:\windows\system32\cvirte
2009-09-05 05:08 . 2009-09-05 05:51 -------- d-----w- c:\program files\National Instruments
2009-09-04 01:03 . 2009-09-10 19:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-28 19:28 . 2009-08-28 19:28 -------- d-----w- c:\program files\Microsoft WSE
2009-08-28 19:27 . 2009-09-10 18:16 -------- d-----w- c:\documents and settings\Marcus\Application Data\Autodesk
2009-08-28 19:25 . 2009-09-11 00:42 -------- d-----w- c:\documents and settings\Marcus\Local Settings\Application Data\Autodesk
2009-08-28 19:25 . 2009-08-28 19:27 -------- d-----w- c:\program files\DWG TrueView 2010
2009-08-28 19:21 . 2009-08-28 19:45 -------- d-----w- c:\program files\Autodesk
2009-08-28 15:12 . 2009-08-28 15:12 -------- d-----w- C:\Autodesk
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 01:05 . 2009-01-05 17:21 -------- d-----w- c:\program files\DNA
2009-09-27 01:05 . 2009-01-05 17:21 -------- d-----w- c:\documents and settings\Marcus\Application Data\DNA
2009-09-27 00:30 . 2006-04-19 15:36 156856 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 20:20 . 2007-01-26 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-26 20:09 . 2009-09-26 04:09 230000 ----a-w- c:\documents and settings\Marcus\Application Data\lizkavd.exe
2009-09-26 04:10 . 2009-09-26 04:10 18597 ----a-w- c:\documents and settings\All Users\Application Data\noluxufyto.dat
2009-09-26 04:10 . 2009-09-26 04:10 19250 ----a-w- c:\documents and settings\Marcus\Application Data\sinafi.dat
2009-09-26 04:03 . 2009-09-26 04:03 329216 ----a-w- c:\documents and settings\Marcus\Application Data\svcst.exe
2009-09-26 04:03 . 2009-09-26 04:03 329216 ----a-w- c:\documents and settings\Marcus\Application Data\seres.exe
2009-09-24 06:11 . 2008-11-10 03:09 -------- d-----w- c:\documents and settings\Marcus\Application Data\U3
2009-09-18 03:16 . 2008-09-05 00:57 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-18 03:14 . 2009-03-05 17:04 1281264 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-15 02:05 . 2008-09-13 20:06 -------- d-----w- c:\documents and settings\Marcus\Application Data\Move Networks
2009-09-05 05:44 . 2006-10-16 17:03 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-08-28 21:34 . 2007-04-25 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-28 19:43 . 2006-09-19 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-08-28 19:42 . 2006-09-19 02:24 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-08-28 05:36 . 2009-02-28 23:36 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2009-08-18 21:43 . 2008-07-31 04:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 21:43 . 2008-07-31 04:09 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-18 21:43 . 2008-07-31 04:09 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-17 02:59 . 2009-08-17 02:59 -------- d-----w- c:\program files\Western Digital
2009-07-20 18:57 . 2009-07-20 18:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 18:56 . 2009-07-20 18:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 18:56 . 2009-07-20 18:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-09 19:52 . 2009-07-09 19:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 19:52 . 2009-07-09 19:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 19:51 . 2009-07-09 19:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 19:51 . 2009-07-09 19:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 19:51 . 2009-07-09 19:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 19:50 . 2009-07-09 19:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 19:50 . 2009-07-09 19:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 19:50 . 2009-07-09 19:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 19:47 . 2009-07-09 19:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2006-11-29 01:17 . 2006-11-29 01:17 604 -c-ha-w- c:\program files\STLL Notifier
2004-03-15 21:51 . 2004-03-15 21:51 114688 ----a-w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 14:32 . 2006-01-23 14:32 131072 ----a-w- c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 14:48 . 2007-02-08 14:48 133920 ----a-w- c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-24 23:03 . 2007-07-24 23:03 118784 ----a-w- c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
2009-09-17 01:56 . 2007-12-27 04:14 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-09-17 01:56 . 2007-12-27 04:14 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-09-17 01:56 . 2007-12-27 04:14 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-09-17 01:56 . 2007-12-27 04:14 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-09-17 01:56 . 2007-12-27 04:14 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2006-07-09 13:37 . 2006-07-09 10:37 22 -csha-w- c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 20:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-05 342848]
"mserv"="c:\documents and settings\Marcus\Application Data\svcst.exe" [2009-09-26 329216]
"svchost"="c:\documents and settings\Marcus\Application Data\svcst.exe" [2009-09-26 329216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-18 2007832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" [2009-09-27 230000]
c:\documents and settings\Marcus\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-9-13 6144]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 21:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=
R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [7/10/2007 8:08 PM 15448]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [5/12/2009 2:13 PM 61328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/31/2008 12:09 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/31/2008 12:09 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 8:58 PM 297752]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [7/19/2007 11:56 AM 11360]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/29/2009 8:58 PM 908056]
S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [7/12/2007 6:18 PM 11360]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [7/18/2007 9:11 PM 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [7/18/2007 9:12 PM 11896]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [7/19/2007 11:48 AM 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [7/19/2007 11:56 AM 11360]
.
Contents of the 'Scheduled Tasks' folder
2009-09-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\jffeotct.default\
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 21:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\pymiwy.pif 11350 bytes
c:\windows\system32\_scui.cpl 167424 bytes executable
c:\windows\system32\cygiv.exe 12639 bytes
scan completed successfully
hidden files: 3
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,a0,86,6b,0e,c0,
fb,20,8c,2e,e8,e1,00,eb,16,2b,de,4b,c4,88,ec,8a,82,79,8e,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,ba,0d,0b,90,da,
7c,b0,52,46,47,15,b0,92,4b,c7,ef,79,84,5e,01,16,7b,de,0a,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,3c,f0,84,a3,82,
b2,b0,14,7a,45,05,fd,91,e8,6f,31,b5,93,a0,51,74,07,5c,eb,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,30,46,bf,8a,d4,
87,d1,1f,6b,65,49,6a,7e,99,74,f7,3d,aa,4d,00,f6,fc,36,a3,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,1a,7d,84,05,f2,
86,38,de,e9,02,6c,fa,fb,1d,47,57,41,7e,ad,d1,fb,ec,a8,69,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,f1,98,84,c3,f1,
35,ee,0e,50,93,e5,ab,ec,6a,4e,ab,81,02,97,db,83,8b,5a,36,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,e4,43,27,6b,3a,
d1,6e,f6,97,20,4e,9a,c7,f1,35,ee,8b,cd,d7,25,b3,4b,51,82,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,05,03,39,9e,ac,
47,3d,23,aa,52,c6,00,84,3c,26,64,b1,7a,28,1b,60,18,f4,55,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,76,49,c1,7f,63,
92,06,16,b2,46,9a,e2,1b,fe,1b,94,c5,f5,e5,26,98,75,cf,5f,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,4e,84,1e,fe,5f,
fc,ba,32,37,a4,aa,c3,a6,15,56,0a,91,00,c6,7a,af,49,97,1b,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,85,28,1a,8c,29,
f0,ac,42,f8,31,0f,a9,5f,a0,ec,fb,8a,71,35,93,e9,af,b2,17,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,c8,64,00,69,8f,
19,5b,94,05,73,21,dd,54,d8,4a,c5,e7,df,fe,34,ba,89,52,68,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1300)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(984)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\lktsrv.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\National Instruments\MAX\nimxs.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\National Instruments\Shared\Tagger\tagsrv.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\documents and settings\Marcus\Application Data\seres.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\system32\rundll32.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-09-27 21:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 01:14
Pre-Run: 17,025,937,408 bytes free
Post-Run: 20,903,510,016 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
569 --- E O F --- 2009-05-11 04:06
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:04 PM, on 9/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\lktsrv.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\Marcus\Application Data\svcst.exe
C:\Documents and Settings\Marcus\Application Data\seres.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\YouThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [mserv] C:\Documents and Settings\Marcus\Application Data\svcst.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Cisco Systems, Inc. (ITC) VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
--
End of file - 10689 bytes
-Marcus
Hi Marcus,
Before we continue, please go to VirusTotal, and upload the following files for analysis:
c:\windows\system\WINSYS.DLL
c:\windows\system\BWCC.DLL
c:\windows\ISUN16.EXE
c:\windows\system\CTL3D.DLL
c:\windows\system32\drivers\SZKG.sys
c:\documents and settings\Marcus\Application Data\svcst.exe
Post the results in your reply.
-screen317
Before we continue, please go to VirusTotal, and upload the following files for analysis:
c:\windows\system\WINSYS.DLL
c:\windows\system\BWCC.DLL
c:\windows\ISUN16.EXE
c:\windows\system\CTL3D.DLL
c:\windows\system32\drivers\SZKG.sys
c:\documents and settings\Marcus\Application Data\svcst.exe
Post the results in your reply.
-screen317
QUOTE (screen317 @ Sep 26 2009, 09:40 PM)
Hi Marcus,
Before we continue, please go to VirusTotal, and upload the following files for analysis:
c:\windows\system\WINSYS.DLL
c:\windows\system\BWCC.DLL
c:\windows\ISUN16.EXE
c:\windows\system\CTL3D.DLL
c:\windows\system32\drivers\SZKG.sys
c:\documents and settings\Marcus\Application Data\svcst.exe
Post the results in your reply.
-screen317
Before we continue, please go to VirusTotal, and upload the following files for analysis:
c:\windows\system\WINSYS.DLL
c:\windows\system\BWCC.DLL
c:\windows\ISUN16.EXE
c:\windows\system\CTL3D.DLL
c:\windows\system32\drivers\SZKG.sys
c:\documents and settings\Marcus\Application Data\svcst.exe
Post the results in your reply.
-screen317
screen317,
After using ComboFix I was able to reload Malwarebytes' Anti-Malware and perform a full scan. 25 items came up as infected on the scan and these items were quaratined and deleted. I ran the files above through VirusTotal just to make sure. Please analyze these and make sure everything is clean.
NOTE: After performing a scan using Malwarebytes' Anti-Malware, the following exe file is no longer on the system.
c:\documents and settings\Marcus\Application Data\svcst.exe
File WINSYS.DLL received on 2009.09.27 03:26:00 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/41 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.26 -
AhnLab-V3 5.0.0.2 2009.09.26 -
AntiVir 7.9.1.25 2009.09.25 -
Antiy-AVL 2.0.3.7 2009.09.25 -
Authentium 5.1.2.4 2009.09.26 -
Avast 4.8.1351.0 2009.09.26 -
AVG 8.5.0.412 2009.09.26 -
BitDefender 7.2 2009.09.27 -
CAT-QuickHeal 10.00 2009.09.26 -
ClamAV 0.94.1 2009.09.27 -
Comodo 2449 2009.09.27 -
DrWeb 5.0.0.12182 2009.09.27 -
eSafe 7.0.17.0 2009.09.24 -
eTrust-Vet 31.6.6761 2009.09.25 -
F-Prot 4.5.1.85 2009.09.26 -
F-Secure 8.0.14470.0 2009.09.26 -
Fortinet 3.120.0.0 2009.09.26 -
GData 19 2009.09.27 -
Ikarus T3.1.1.72.0 2009.09.26 -
Jiangmin 11.0.800 2009.09.26 -
K7AntiVirus 7.10.855 2009.09.26 -
Kaspersky 7.0.0.125 2009.09.27 -
McAfee 5753 2009.09.26 -
McAfee+Artemis 5753 2009.09.26 -
McAfee-GW-Edition 6.8.5 2009.09.27 -
Microsoft 1.5005 2009.09.23 -
NOD32 4460 2009.09.26 -
Norman 6.01.09 2009.09.26 -
nProtect 2009.1.8.0 2009.09.27 -
Panda 10.0.2.2 2009.09.26 -
PCTools 4.4.2.0 2009.09.25 -
Prevx 3.0 2009.09.27 -
Rising 21.48.60.00 2009.09.27 -
Sophos 4.45.0 2009.09.27 -
Sunbelt 3.2.1858.2 2009.09.26 -
Symantec 1.4.4.12 2009.09.27 -
TheHacker 6.5.0.2.019 2009.09.26 -
TrendMicro 8.950.0.1094 2009.09.25 -
VBA32 3.12.10.11 2009.09.25 -
ViRobot 2009.9.26.1958 2009.09.26 -
VirusBuster 4.6.5.0 2009.09.26 -
Additional information
File size: 97792 bytes
MD5...: 98553d7ce73228bbfdd2e8e1f33b1170
SHA1..: 2c13c30f26fd25c67971937cfaba89b8745f3821
SHA256: 9a39dddbac0c7379f69c758e93c8780ee816b734d59183346ad7fb7a5038d22b
ssdeep: 1536:suXDASB7S1ZMtfL1Dd/YEI1TvigkmJN6uQd8Neob/0gyjCpnjl7lUcMtSJz
+2:suzASB7S1ZUUEMzigksRQloYHjCpnxln
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: DOS Executable Borland Pascal 7.0x (33.7%)
Generic Win/DOS Executable (33.1%)
DOS Executable Generic (33.1%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
File BWCC.DLL received on 2009.09.27 03:30:19 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/41 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.26 -
AhnLab-V3 5.0.0.2 2009.09.26 -
AntiVir 7.9.1.25 2009.09.25 -
Antiy-AVL 2.0.3.7 2009.09.25 -
Authentium 5.1.2.4 2009.09.26 -
Avast 4.8.1351.0 2009.09.26 -
AVG 8.5.0.412 2009.09.26 -
BitDefender 7.2 2009.09.27 -
CAT-QuickHeal 10.00 2009.09.26 -
ClamAV 0.94.1 2009.09.27 -
Comodo 2449 2009.09.27 -
DrWeb 5.0.0.12182 2009.09.27 -
eSafe 7.0.17.0 2009.09.24 -
eTrust-Vet 31.6.6761 2009.09.25 -
F-Prot 4.5.1.85 2009.09.26 -
F-Secure 8.0.14470.0 2009.09.26 -
Fortinet 3.120.0.0 2009.09.26 -
GData 19 2009.09.27 -
Ikarus T3.1.1.72.0 2009.09.26 -
Jiangmin 11.0.800 2009.09.26 -
K7AntiVirus 7.10.855 2009.09.26 -
Kaspersky 7.0.0.125 2009.09.27 -
McAfee 5753 2009.09.26 -
McAfee+Artemis 5753 2009.09.26 -
McAfee-GW-Edition 6.8.5 2009.09.27 -
Microsoft 1.5005 2009.09.23 -
NOD32 4460 2009.09.26 -
Norman 6.01.09 2009.09.26 -
nProtect 2009.1.8.0 2009.09.27 -
Panda 10.0.2.2 2009.09.26 -
PCTools 4.4.2.0 2009.09.25 -
Prevx 3.0 2009.09.27 -
Rising 21.48.60.00 2009.09.27 -
Sophos 4.45.0 2009.09.27 -
Sunbelt 3.2.1858.2 2009.09.26 -
Symantec 1.4.4.12 2009.09.27 -
TheHacker 6.5.0.2.019 2009.09.26 -
TrendMicro 8.950.0.1094 2009.09.25 -
VBA32 3.12.10.11 2009.09.25 -
ViRobot 2009.9.26.1958 2009.09.26 -
VirusBuster 4.6.5.0 2009.09.26 -
Additional information
File size: 164928 bytes
MD5...: f2bb8cb392cc9032b805db7b293a6776
SHA1..: f7ed7abe2bce88a1d0d61a91cdeac383ed0bbade
SHA256: f1cab59ff0daff8713be2348d7abb5eccdbe21777a2b297e617bc6edc11ac39b
ssdeep: 1536:k+ywvL4CTC3WNZvMT7RksKG6DuoC6s2BEufkZINDxQuc:k+3UCTC3W3MfSs
B6DpkZINDxQuc
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: DOS Executable Borland C++ (68.3%)
Clipper DOS Executable (10.6%)
Generic Win/DOS Executable (10.5%)
DOS Executable Generic (10.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Borland International
copyright....: Copyright © Borland Int_l. 1991-1993
product......: n/a
description..: Borland Windows Custom Control Library
original name: BWCC.DLL
internal name: BWCC
file version.: 2.04
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
File ISUN16.EXE received on 2009.09.27 03:32:41 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/41 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.26 -
AhnLab-V3 5.0.0.2 2009.09.26 -
AntiVir 7.9.1.25 2009.09.25 -
Antiy-AVL 2.0.3.7 2009.09.25 -
Authentium 5.1.2.4 2009.09.26 -
Avast 4.8.1351.0 2009.09.26 -
AVG 8.5.0.412 2009.09.26 -
BitDefender 7.2 2009.09.27 -
CAT-QuickHeal 10.00 2009.09.26 -
ClamAV 0.94.1 2009.09.27 -
Comodo 2449 2009.09.27 -
DrWeb 5.0.0.12182 2009.09.27 -
eSafe 7.0.17.0 2009.09.24 -
eTrust-Vet 31.6.6761 2009.09.25 -
F-Prot 4.5.1.85 2009.09.26 -
F-Secure 8.0.14470.0 2009.09.26 -
Fortinet 3.120.0.0 2009.09.26 -
GData 19 2009.09.27 -
Ikarus T3.1.1.72.0 2009.09.26 -
Jiangmin 11.0.800 2009.09.26 -
K7AntiVirus 7.10.855 2009.09.26 -
Kaspersky 7.0.0.125 2009.09.27 -
McAfee 5753 2009.09.26 -
McAfee+Artemis 5753 2009.09.26 -
McAfee-GW-Edition 6.8.5 2009.09.27 -
Microsoft 1.5005 2009.09.23 -
NOD32 4460 2009.09.26 -
Norman 6.01.09 2009.09.26 -
nProtect 2009.1.8.0 2009.09.27 -
Panda 10.0.2.2 2009.09.26 -
PCTools 4.4.2.0 2009.09.25 -
Prevx 3.0 2009.09.27 -
Rising 21.48.60.00 2009.09.27 -
Sophos 4.45.0 2009.09.27 -
Sunbelt 3.2.1858.2 2009.09.26 -
Symantec 1.4.4.12 2009.09.27 -
TheHacker 6.5.0.2.019 2009.09.26 -
TrendMicro 8.950.0.1094 2009.09.25 -
VBA32 3.12.10.11 2009.09.25 -
ViRobot 2009.9.26.1958 2009.09.26 -
VirusBuster 4.6.5.0 2009.09.26 -
Additional information
File size: 307004 bytes
MD5...: de62a45dfd0c593cda013a48c71ea9db
SHA1..: 594509ad23fbd428ce9671ec61496f0e19c42656
SHA256: a1df12dea48b65e9f92db5ef75954a4b3012c1e94f3b49f4dfa37020d92df75a
ssdeep: 6144:JrpL7rmO6n1S+u0kJQMItbsdVew7CFbr9cptPqE:Jl6nk0kSrxsdE2CkL
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win16 NE executable (generic) (89.4%)
Generic Win/DOS Executable (5.2%)
DOS Executable Generic (5.2%)
sigcheck:
publisher....: InstallShield Software Corporation
copyright....: Copyright InstallShield Corporation, Inc. 1990-1997
product......: InstallShield_ unInstaller
description..: InstallShield_ unInstaller
original name: n/a
internal name: n/a
file version.: 5, 51, 138, 0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
File CTL3D.DLL received on 2009.09.27 03:34:19 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/40 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.26 -
AhnLab-V3 5.0.0.2 2009.09.26 -
AntiVir 7.9.1.25 2009.09.25 -
Antiy-AVL 2.0.3.7 2009.09.25 -
Authentium 5.1.2.4 2009.09.26 -
Avast 4.8.1351.0 2009.09.26 -
AVG 8.5.0.412 2009.09.26 -
BitDefender 7.2 2009.09.27 -
CAT-QuickHeal 10.00 2009.09.26 -
ClamAV 0.94.1 2009.09.27 -
Comodo 2449 2009.09.27 -
DrWeb 5.0.0.12182 2009.09.27 -
eSafe 7.0.17.0 2009.09.24 -
eTrust-Vet 31.6.6761 2009.09.25 -
F-Prot 4.5.1.85 2009.09.26 -
F-Secure 8.0.14470.0 2009.09.26 -
Fortinet 3.120.0.0 2009.09.26 -
GData 19 2009.09.27 -
Ikarus T3.1.1.72.0 2009.09.26 -
Jiangmin 11.0.800 2009.09.26 -
K7AntiVirus 7.10.855 2009.09.26 -
Kaspersky 7.0.0.125 2009.09.27 -
McAfee+Artemis 5753 2009.09.26 -
McAfee-GW-Edition 6.8.5 2009.09.27 -
Microsoft 1.5005 2009.09.23 -
NOD32 4460 2009.09.26 -
Norman 6.01.09 2009.09.26 -
nProtect 2009.1.8.0 2009.09.27 -
Panda 10.0.2.2 2009.09.26 -
PCTools 4.4.2.0 2009.09.25 -
Prevx 3.0 2009.09.27 -
Rising 21.48.60.00 2009.09.27 -
Sophos 4.45.0 2009.09.27 -
Sunbelt 3.2.1858.2 2009.09.26 -
Symantec 1.4.4.12 2009.09.27 -
TheHacker 6.5.0.2.019 2009.09.26 -
TrendMicro 8.950.0.1094 2009.09.25 -
VBA32 3.12.10.11 2009.09.25 -
ViRobot 2009.9.26.1958 2009.09.26 -
VirusBuster 4.6.5.0 2009.09.26 -
Additional information
File size: 26768 bytes
MD5...: 14b7d9a6c0deb0eaa0227c769fbe0a62
SHA1..: c3514ea342e6b74ce0efac06783f208a7a7f4e32
SHA256: b8e49ee96df4c5c88a76425ac38def02d65cdc4dfdc6f76ce1bfb30c034e32f7
ssdeep: 384:zkbezWYx+F6gu1hEy69lLKchfOVQ22SBHu5QXQZQ0DVPYOZ0hU+rk7Jg:zRi
Yx+F6GySYOmV7QZNJYOChU+GJg
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Dynamic Link Library (generic) (87.9%)
Generic Win/DOS Executable (6.0%)
DOS Executable Generic (6.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: Copyright © Microsoft Corp. 1992-1995
product......: 3D Windows Controls
description..: Ctl3D 3D Windows Controls
original name: n/a
internal name: CTL3D
file version.: 2.31.000
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
File SZKG.sys received on 2009.09.27 03:38:15 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 4/41 (9.76%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.26 -
AhnLab-V3 5.0.0.2 2009.09.26 Win-Trojan/Agent.54656.C
AntiVir 7.9.1.25 2009.09.25 -
Antiy-AVL 2.0.3.7 2009.09.25 Trojan/Win32.Agent.gen
Authentium 5.1.2.4 2009.09.26 -
Avast 4.8.1351.0 2009.09.26 -
AVG 8.5.0.412 2009.09.26 -
BitDefender 7.2 2009.09.27 -
CAT-QuickHeal 10.00 2009.09.26 -
ClamAV 0.94.1 2009.09.27 -
Comodo 2449 2009.09.27 -
DrWeb 5.0.0.12182 2009.09.27 -
eSafe 7.0.17.0 2009.09.24 Win32.RkitAgent.Jay
eTrust-Vet None 2009.09.25 -
F-Prot 4.5.1.85 2009.09.26 -
F-Secure 8.0.14470.0 2009.09.26 -
Fortinet 3.120.0.0 2009.09.26 PossibleThreat
GData 19 2009.09.27 -
Ikarus T3.1.1.72.0 2009.09.26 -
Jiangmin 11.0.800 2009.09.26 -
K7AntiVirus 7.10.855 2009.09.26 -
Kaspersky 7.0.0.125 2009.09.27 -
McAfee 5753 2009.09.26 -
McAfee+Artemis 5753 2009.09.26 -
McAfee-GW-Edition 6.8.5 2009.09.27 -
Microsoft 1.5005 2009.09.23 -
NOD32 4460 2009.09.26 -
Norman 6.01.09 2009.09.26 -
nProtect 2009.1.8.0 2009.09.27 -
Panda 10.0.2.2 2009.09.26 -
PCTools 4.4.2.0 2009.09.25 -
Prevx 3.0 2009.09.27 -
Rising 21.48.60.00 2009.09.27 -
Sophos 4.45.0 2009.09.27 -
Sunbelt 3.2.1858.2 2009.09.26 -
Symantec 1.4.4.12 2009.09.27 -
TheHacker 6.5.0.2.019 2009.09.26 -
TrendMicro 8.950.0.1094 2009.09.25 -
VBA32 3.12.10.11 2009.09.25 -
ViRobot 2009.9.26.1958 2009.09.26 -
VirusBuster 4.6.5.0 2009.09.26 -
Additional information
File size: 61328 bytes
MD5...: 2bb7c951bf74183a67efaaf614823076
SHA1..: 428f29db82ed6bb490f3d3f5e0e7d2ea9659393f
SHA256: eeb5aea0adca6108d7eeed7d5398f4229dcd915288e7c045aa4e022fd3adef33
ssdeep: 768:8jY9NWVngNuTIQmUg68Ad4gk19mHCD9gLa1tz/nUYJXyP5kLVbMmS:8jY9Ns
NF0+C19oCDKLazsiXMyJDS
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0xbd72
timedatestamp.....: 0x49b9355a (Thu Mar 12 16:16:26 2009)
machinetype.......: 0x14c (I386)
( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x500 0x8a4a 0x8a80 6.59 b0b6c8d15fad22deb51e4c181674edc6
.rdata 0x8f80 0x1904 0x1980 7.35 4e1d4219dbf2ff8c0966d7cc2dd4aca7
.data 0xa900 0x424 0x480 2.29 be63029635f9cdd332dd038ef5302910
.CRT 0xad80 0x1c 0x80 0.80 d30872640923fa0ced64d0bd0a11b9cb
.STL 0xae00 0x10 0x80 0.00 f09f35a5637839458e462e6350ecbce4
PAGE 0xae80 0xbc4 0xc00 6.03 32c0a1bf5dc19684a2fc5df216074ad9
INIT 0xba80 0xbc2 0xc00 6.02 e5a2806f42798b6828a38b6af7223963
.rsrc 0xc680 0x390 0x400 3.00 62c0718fa1734b12b399d7eac069e75f
.reloc 0xca80 0xaaa 0xb00 5.20 627266c0d613b2701003ff69b407a945
( 2 imports )
> ntoskrnl.exe: ObfDereferenceObject, ObQueryNameString, ObReferenceObjectByHandle, MmGetSystemRoutineAddress, memcpy, RtlDeleteRegistryValue, PsGetVersion, KeInitializeEvent, MmMapLockedPages, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, IoFreeMdl, MmUnmapLockedPages, KeWaitForSingleObject, PsTerminateSystemThread, KeQuerySystemTime, wcsncmp, ZwReadFile, ZwOpenFile, MmIsNonPagedSystemAddressValid, memset, ProbeForWrite, DbgPrint, ZwQueryDirectoryFile, ZwEnumerateKey, ZwOpenKey, IoGetCurrentProcess, KeSetEvent, ZwOpenSymbolicLinkObject, PsSetLoadImageNotifyRoutine, KeServiceDescriptorTable, ZwSetValueKey, ZwCreateFile, RtlCopyUnicodeString, ExAllocatePoolWithTag, ZwOpenProcess, RtlUpcaseUnicodeChar, swprintf, tolower, ZwSetInformationFile, KeGetCurrentThread, IoGetBaseFileSystemDeviceObject, IoFreeIrp, IofCallDriver, IoReuseIrp, IoAllocateIrp, IoGetRelatedDeviceObject, MmBuildMdlForNonPagedPool, IoAllocateMdl, KeTickCount, KeBugCheckEx, ZwQuerySymbolicLinkObject, ZwDeleteKey, ZwClose, RtlAppendUnicodeStringToString, RtlInitUnicodeString, ExFreePoolWithTag, PsSetCreateProcessNotifyRoutine, IoDeleteDevice, IoCreateSymbolicLink, IoDeleteSymbolicLink, IoRegisterShutdownNotification, IoUnregisterShutdownNotification, IoCreateDevice, ZwWriteFile, ZwQueryInformationFile, memmove, ZwCreateKey, ZwEnumerateValueKey, PsCreateSystemThread, RtlUnwind, ExAllocatePool
> HAL.dll: KfRaiseIrql, KfLowerIrql, ExReleaseFastMutex, ExAcquireFastMutex, KfReleaseSpinLock, KfAcquireSpinLock
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (58.4%)
Clipper DOS Executable (13.8%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.7%)
VXD Driver (0.2%)
sigcheck:
publisher....: iS3 Inc.
copyright....: Copyright ©2005-2009 iS3 Inc . All rights reserved.
product......: Stopzilla
description..: szkg Device Driver
original name: szkg.sys
internal name: Avenger V
file version.: 2.40.0
comments.....: n/a
signers......: iS3, Inc.
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 8:12 PM 5/12/2009
verified.....: -
Hi,
Post the last log from MBAM please; I would like to see what else it removed.
Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:
Save this as CFScript.txt
Refering to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you. Post that log in your next reply.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
-screen317
Post the last log from MBAM please; I would like to see what else it removed.
Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:
CODE
http://www.malwarebytes.org/forums/index.php?showtopic=25982
Collect::
c:\windows\system32\drivers\SZKG.sys
Driver::
szkg5
Collect::
c:\windows\system32\drivers\SZKG.sys
Driver::
szkg5
Save this as CFScript.txt
Refering to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you. Post that log in your next reply.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
- Ensure you are connected to the internet and click OK on the message box.
-screen317
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
Other members who need assistance please start your own topic in a new thread. Thanks!
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.