Malware Doctor


Malware Doctor

Post by TrevoJ on Tue Jun 23, 2009 9:33 pm

Malware Doctor showed up on my computer about 1 month ago. It stole most of my functions such as regedit and Task Manager, and it would not allow me to run any antivirus or anti-spyware programs. It also, I assume, caused Symantec "email sent" windows to pop up like crazy. I spent days figuring out how to get rid of it via random posts on the internet, not the best idea I know. Nonetheless, after receiving much information and doing a lot of trial and error, I now have little trouble from the malware; in fact I never see Malware Doctor anymore, nor do I have trouble with regedit or Task Manager. But one thing that concerns me is that the Symantec "email sent" windows still jump up like crazy whenever I restart the computer. I have run Malwarebytes and AVG over 20 times in the past month but I can't thwart these little buggers. Also I am concerned because I can't run System Restore even though I have restore points dating 3 months back. Can you take a look at my HijackThis file and advise me on the best course of action to get my computer back to normal? Thank you kindly.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:43 AM, on 6/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Employee\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Employee\Desktop\Hijack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080209
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080209
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 10365 bytes


Last edited by TrevoJ on Tue Jun 23, 2009 9:42 pm; edited 1 time in total (Reason for editing: sp)


Re: Malware Doctor

Post by Belahzur on Tue Jun 23, 2009 10:08 pm

Hello.
Before we can do any removal, a few things need to go.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Malware Doctor

Post by TrevoJ on Tue Jun 23, 2009 10:12 pm

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.4
ALPS Touch Pad Driver
AppCore
Apple Software Update
AV
AVG Free 8.5
Bonjour
Broadcom Management Programs
Browser Address Error Redirector
ccCommon
Conexant HDA D110 MDC V.92 Modem
Costco Photo Organizer
Critical Update for Windows Media Player 11 (KB959772)
Digital Line Detect
DivX Web Player
e-Sword
FastStone Photo Resizer 2.8
Glary Utilities 2.4
Google Talk Plugin
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
HP Deskjet 460
HP Deskjet 460 Series
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
Internet Worm Protection
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 13
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LingvoSoft Suite 2006 (English<->Romanian) for Windows
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 1.0
mIWA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (3.0.11)
Mozilla Thunderbird (2.0.0.19)
mPfMgr
mPfWiz
mProSafe
mSCfg
MSN
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
MYOB Plus 2004
mZConfig
NetWaiting
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
PowerDVD
QuickSet
QuickTime
SearchAssist
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SigmaTel Audio
Skype™ 3.8
SPBBC 32bit
Spelling Dictionaries Support For Adobe Reader 8
Symantec
TweakNow RegCleaner Standard
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Outlook 2007 Junk Email Filter (kb968503)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Imaging Component
Windows Live installer
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
Zune
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)


Re: Malware Doctor

Post by TrevoJ on Fri Jun 26, 2009 9:14 am

Bump.


Re: Malware Doctor

Post by Belahzur on Sat Jun 27, 2009 1:41 am

Hello.

You are running two antivirus programs. I see from the uninstall list you have Norton/Symantec installed, along with AVG. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove Symantec to avoid conflict and other future problems.

Completely Uninstall Norton software using:

Instructions

  1. Please download and save SymNRT.exe to your desktop.
  2. Close all programs and double click on the tool.
  3. Follow the on-screen instructions.
  4. Restart the computer if asked.
  5. Then delete the SymNRT.exe tool from your desktop.
  6. Open the Program Files folder on your local disk (normally C:)
  7. Find and delete the following folders (if present):

    • Norton AntiVirus
    • Norton Internet Security
    • Norton SystemWorks
    • Norton Personal Firewall


Next, go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 8.1.4
    Internet Worm Protection
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 13
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7

Now submit a new Hijack This log.



Re: Malware Doctor

Post by TrevoJ on Sat Jun 27, 2009 9:35 am

I removed all the files you asked me to remove except for Internet Worm Protection because it did not show up on the Add/Remove Programs list. I tried to look it up through search but it did not find any files under that name. Nonetheless, here is my HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:30 PM, on 6/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Employee\My Documents\Trevor\Security\Anti-virus\Hijack This\Hijack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080209
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080209
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Employee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7638 bytes


Re: Malware Doctor

Post by Belahzur on Sat Jun 27, 2009 5:33 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


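The two HijackThis logs in this thread show what an analyst actually does with them: pick out entries whose target file no longer exists (the "(no file)" BHO and the "(file missing)" avast! service Belahzur marks for "Fix Checked"), and compare the earlier and later logs to confirm what the Norton uninstall removed. The script below is an added example for this thread, not code from the forum, from HijackThis or from either poster. Its two sample logs are constructed from a subset of the lines in the thread's 6/24 and 6/27 logs; the "[example-loader]" O4 line is made up to exercise the Temp-directory check and does not appear in the thread.

```python
"""HijackThis v2.0.2 log triage: parse entries, flag orphaned ones, diff two logs.

Added example for this thread; not code from the forum, from HijackThis or
from the posters. Sample logs are a constructed subset of the thread's logs
plus one clearly labelled made-up O4 line.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (section id such as "O23", rest of the entry line)

# Entry lines look like "O2 - BHO: ..."; header lines and the paths under
# "Running processes:" do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")

# What HijackThis prints when the file an entry refers to is absent.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Subset of the 6/24 log (before the Norton uninstall). The "[example-loader]"
# O4 line is constructed for this example and is not from the thread.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:43 AM, on 6/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [example-loader] C:\WINDOWS\Temp\example.tmp
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Subset of the 6/27 log (after the uninstall).
LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:30 PM, on 6/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def parse_entries(log_text: str) -> List[Entry]:
    """Return every (section, body) entry in a HijackThis log, in file order."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def flag_entries(entries: List[Entry]) -> List[Dict[str, object]]:
    """Pick out the entries an analyst reads first, each with its reasons.

    Orphaned entries are the low-risk first candidates for "Fix Checked":
    nothing runs from them, but they record an install or removal that did
    not finish. An autorun whose target sits in a Temp directory is worth a
    look because legitimate software is rarely started from there.
    """
    flagged: List[Dict[str, object]] = []
    for section, body in entries:
        reasons: List[str] = []
        if any(marker in body for marker in ORPHAN_MARKERS):
            reasons.append("references a file that no longer exists")
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("browser helper object with no name")
        if section == "O4" and "\\Temp\\" in body:
            reasons.append("autorun target lives in a Temp directory")
        if reasons:
            flagged.append({"section": section, "body": body, "reasons": reasons})
    return flagged


def removed_between(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Entries present in the earlier log that are gone from the later one."""
    later = set(after)
    return [entry for entry in before if entry not in later]


def added_between(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Entries that appear only in the later log (new autoruns, services, BHOs)."""
    earlier = set(before)
    return [entry for entry in after if entry not in earlier]


if __name__ == "__main__":
    before, after = parse_entries(LOG_BEFORE), parse_entries(LOG_AFTER)
    for item in flag_entries(after):
        print(f"{item['section']}: {item['body']}\n    -> {', '.join(item['reasons'])}")
    for section, body in removed_between(before, after):
        print(f"gone since previous log: {section} - {body}")
    for section, body in added_between(before, after):
        print(f"new since previous log:  {section} - {body}")
```

Run against the two sample logs, the flagged list for the later log contains exactly the two lines Belahzur asked to fix, and the diff lists the Symantec ccApp autorun and ccEvtMgr service that SymNRT removed. The checks are deliberately narrow: "Unknown owner" on its own is not used as a signal, because the BITS and Automatic Updates services in the thread's logs show it too.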

Re: Malware Doctor

Post by TrevoJ on Sat Jun 27, 2009 6:03 pm

Malwarebytes' Anti-Malware 1.37
Database version: 2265
Windows 5.1.2600 Service Pack 3

6/27/2009 9:02:39 PM
mbam-log-2009-06-27 (21-02-30).txt

Scan type: Quick Scan
Objects scanned: 86394
Time elapsed: 9 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\BN9.tmp (Trojan.Agent) -> No action taken.


Re: Malware Doctor

Post by Belahzur on Sat Jun 27, 2009 6:20 pm

Hello.
You have a very old version of MBAM, please update it in the update tab.
Run a new scan and remove everything found.





Re: Malware Doctor

Post by TrevoJ on Sat Jun 27, 2009 7:03 pm

Ok, the updated mbam just finished scanning.
It only found one file, which I removed:
C:\WINDOWS\system32\3361 (Trojan.Downloader) -> Quarantined and deleted successfully.


Re: Malware Doctor

Post by Belahzur on Sat Jun 27, 2009 7:10 pm

Hello.
I want to use Combofix, I think there may be a patched system file.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.





Re: Malware Doctor

Post by TrevoJ on Sat Jun 27, 2009 7:45 pm

ComboFix 09-06-26.02 - Employee 06/27/2009 22:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.164 [GMT 3:00]
Running from: c:\documents and settings\Employee\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\Drivers\phuniau.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_avast!antivirus
-------\Legacy_msncache
-------\Legacy_ntalme
-------\Legacy_sopidkc
-------\Service_fyckbdy


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-27 18:47 . 2009-06-27 18:47 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-27 08:17 . 2009-06-22 18:07 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-22 18:30 . 2009-06-27 08:42 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-22 18:24 . 2009-06-22 18:24 -------- d-----w- c:\documents and settings\Employee\Local Settings\Application Data\AVG Security Toolbar
2009-06-22 18:07 . 2009-06-22 18:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-22 18:07 . 2009-06-22 18:07 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-22 18:07 . 2009-06-22 18:07 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-22 18:07 . 2009-06-22 18:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-22 18:07 . 2009-06-27 08:18 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-22 18:07 . 2009-06-22 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-22 18:06 . 2009-06-22 18:06 -------- d-----w- c:\program files\AVG
2009-06-22 18:06 . 2009-06-22 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-18 12:24 . 2009-06-18 12:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-18 12:16 . 2009-06-18 12:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-16 08:53 . 2009-06-16 08:53 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-14 09:07 . 2008-02-09 10:34 12328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 12:35 . 2009-06-13 12:03 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-13 12:03 . 2009-06-13 12:03 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-13 12:03 . 2009-06-13 12:03 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-13 12:03 . 2009-06-13 12:03 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-13 12:03 . 2009-06-13 12:03 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-13 12:03 . 2009-06-13 12:03 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-13 12:03 . 2009-06-13 12:03 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-13 11:56 . 2009-06-14 09:15 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-13 11:56 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-13 11:55 . 2009-06-13 11:55 -------- d-----w- c:\program files\Lavasoft
2009-06-13 07:43 . 2009-06-13 07:43 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-06-12 11:07 . 2009-06-17 08:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 11:07 . 2009-06-17 08:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 09:22 . 2009-06-27 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 10:57 . 2009-06-11 10:57 -------- d-----w- c:\documents and settings\Employee\Local Settings\Application Data\Help
2009-05-31 22:32 . 2009-05-31 22:32 -------- d-----w- c:\documents and settings\Employee\Application Data\Malwarebytes
2009-05-31 22:32 . 2009-05-31 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-31 21:19 . 2004-06-08 19:41 45056 ----a-w- c:\windows\system32\IngDirectXDetect.dll
2009-05-31 21:19 . 2009-05-31 21:19 -------- d-----w- c:\program files\Ingenuware
2009-05-31 18:57 . 2009-05-31 18:57 -------- d--h--w- c:\windows\system32\WLANProfiles
2009-05-31 11:49 . 2009-06-27 19:23 182656 ----a-w- c:\windows\system32\dllcache\ndis.sys
2009-05-31 11:49 . 2009-05-31 18:14 -------- d-----w- c:\windows\dhcp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 19:29 . 2004-08-10 18:51 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-27 19:14 . 2008-12-15 05:37 -------- d-----w- c:\documents and settings\Employee\Application Data\Skype
2009-06-27 13:06 . 2008-12-15 05:41 -------- d-----w- c:\documents and settings\Employee\Application Data\skypePM
2009-06-27 08:53 . 2008-02-09 10:26 -------- d-----w- c:\program files\Java
2009-06-27 08:40 . 2008-02-22 17:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-27 08:32 . 2008-02-22 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-24 09:40 . 2008-02-22 15:15 -------- d-----w- c:\documents and settings\Employee\Application Data\U3
2009-06-18 19:54 . 2008-11-17 18:19 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-16 04:42 . 2009-06-16 08:23 58880 ----a-w- c:\windows\system32\38.tmp
2009-06-16 04:42 . 2009-06-16 08:23 58880 ----a-w- c:\windows\system32\39.tmp
2009-06-15 06:55 . 2009-02-14 07:04 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-15 05:38 . 2009-02-13 14:24 -------- d-----w- c:\program files\DivX
2009-06-14 09:15 . 2009-06-14 09:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-06-13 11:55 . 2008-02-22 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-13 11:09 . 2009-03-21 17:36 -------- d-----w- c:\program files\Common Files\Apple
2009-06-12 13:23 . 2008-12-01 03:56 -------- d-----w- c:\program files\TikGames
2009-05-31 21:19 . 2008-02-09 10:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-31 21:13 . 2009-04-29 19:28 -------- d-----w- c:\program files\DatawareGames
2009-05-31 19:02 . 2009-05-31 19:02 -------- d-----w- c:\documents and settings\Guest\Application Data\Dell
2009-05-14 08:05 . 2008-02-22 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
.


Re: Malware Doctor

Post by TrevoJ on Sat Jun 27, 2009 7:45 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\Employee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-21 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-27 518488]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-22 1948440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-9 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-22 18:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"HPWRTOOLBOX"=c:\program files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe "-i"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe"
"VX1000"=c:\windows\vVX1000.exe
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"IgfxTray"=c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Documents and Settings\\Employee\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Employee\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"\\"= c:\\WINDOWS\\system\\svchost.exe
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/13/2009 3:03 PM 64160]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [6/13/2009 10:43 AM 22024]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/22/2009 9:07 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/22/2009 9:07 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/22/2009 9:07 PM 298776]
R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 10:06 PM 1003344]
S0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys --> c:\windows\system32\drivers\pxsec.sys [?]
S1 40dcf7ea;40dcf7ea;c:\windows\system32\drivers\40dcf7ea.sys --> c:\windows\system32\drivers\40dcf7ea.sys [?]
S1 47bd0e53;47bd0e53;c:\windows\system32\drivers\47bd0e53.sys --> c:\windows\system32\drivers\47bd0e53.sys [?]
S1 52de3afe;52de3afe;c:\windows\system32\drivers\52de3afe.sys --> c:\windows\system32\drivers\52de3afe.sys [?]
S1 60dc35e3;60dc35e3;c:\windows\system32\drivers\60dc35e3.sys --> c:\windows\system32\drivers\60dc35e3.sys [?]
S1 e47046e6;e47046e6;c:\windows\system32\drivers\e47046e6.sys --> c:\windows\system32\drivers\e47046e6.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Wmipsx
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 11:04]

2009-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-835786232-2019414516-3820583977-1006Core.job
- c:\documents and settings\Employee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-21 21:46]

2009-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-835786232-2019414516-3820583977-1006UA.job
- c:\documents and settings\Employee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-21 21:46]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Employee\Application Data\Mozilla\Firefox\Profiles\hzbbw4ek.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Employee\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Employee\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-27 22:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(4012)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-06-27 22:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-27 19:40

Pre-Run: 40,910,655,488 bytes free
Post-Run: 40,859,865,088 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

240 --- E O F --- 2009-05-14 08:05

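The ComboFix log above shows two patterns a responder looks for when reading such a log: stopped services with eight-hex-digit names whose binaries are gone (`--> path [?]`), and a Windows Firewall exception for an svchost.exe sitting under \WINDOWS\system instead of System32, keyed on an empty name. The Python below is an added example, not ComboFix's or the forum's code; it parses those two sections and flags those patterns, and the sample lines are copied from this thread's log as constructed input.

```python
import ntpath
import re

# Constructed sample input: lines in the shape ComboFix prints them in this
# thread's "Drivers/Services" section. R = running, S = stopped; the
# "--> path [?]" suffix means the service's binary could not be found on disk.
SERVICE_LINES = [
    r"R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/13/2009 3:03 PM 64160]",
    r"R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/22/2009 9:07 PM 327688]",
    r"S0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys --> c:\windows\system32\drivers\pxsec.sys [?]",
    r"S1 40dcf7ea;40dcf7ea;c:\windows\system32\drivers\40dcf7ea.sys --> c:\windows\system32\drivers\40dcf7ea.sys [?]",
    r"S1 e47046e6;e47046e6;c:\windows\system32\drivers\e47046e6.sys --> c:\windows\system32\drivers\e47046e6.sys [?]",
]

# Constructed sample input: the firewall policy lines from the same log
# (regedit-style export, so backslashes are doubled).
FW_LINES = [
    r'"EnableFirewall"= 0 (0x0)',
    r'"%windir%\\system32\\sessmgr.exe"=',
    r'"c:\\Program Files\\Skype\\Phone\\Skype.exe"=',
    r'"\\"= c:\\WINDOWS\\system\\svchost.exe',
    r'"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=',
]

SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
FW_LINE_RE = re.compile(r'^"(.*)"=\s*(.*)$')


def parse_service_line(line):
    """Split one R?/S? line into its fields; None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, group, name, display, rest = m.groups()
    file_missing = rest.rstrip().endswith("[?]")
    path = rest.split(" --> ")[0].strip()
    path = re.sub(r"\s+\[[^\]]*\]$", "", path)  # drop the trailing "[date size]" stamp
    return {"state": state, "group": int(group), "name": name,
            "display": display, "path": path, "file_missing": file_missing}


def suspicious_services(lines):
    """Return (name, reasons) for services matching the thread's two patterns."""
    findings = []
    for line in lines:
        svc = parse_service_line(line)
        if svc is None:
            continue
        reasons = []
        if svc["file_missing"]:
            reasons.append("binary missing on disk")
        if RANDOM_HEX_NAME.match(svc["name"]):
            reasons.append("random hex service name")
        if reasons:
            findings.append((svc["name"], reasons))
    return findings


def parse_firewall_exception(line):
    """Parse one firewall policy value; the right-hand side, if any, is the path."""
    m = FW_LINE_RE.match(line.strip())
    if not m:
        return None
    key = m.group(1).replace("\\\\", "\\")
    value = m.group(2).strip().replace("\\\\", "\\")
    return {"key": key, "path": value or key}


def suspicious_firewall_exceptions(lines):
    """Flag exceptions that let a misplaced svchost.exe, or an unnamed entry, through."""
    findings = []
    for line in lines:
        entry = parse_firewall_exception(line)
        if entry is None:
            continue
        lowered = entry["path"].lower()
        reasons = []
        if ntpath.basename(lowered) == "svchost.exe" and not ntpath.dirname(lowered).endswith("\\system32"):
            reasons.append("svchost.exe outside System32")
        if entry["key"] in ("", "\\"):
            reasons.append("exception keyed on an empty name instead of its path")
        if reasons:
            findings.append((entry["path"], reasons))
    return findings


def firewall_disabled(lines):
    """True when the profile's EnableFirewall value is 0."""
    for line in lines:
        entry = parse_firewall_exception(line)
        if entry and entry["key"].lower() == "enablefirewall":
            return entry["path"].split()[0] == "0"
    return False


if __name__ == "__main__":
    for name, reasons in suspicious_services(SERVICE_LINES):
        print(f"service {name}: {', '.join(reasons)}")
    for path, reasons in suspicious_firewall_exceptions(FW_LINES):
        print(f"firewall exception {path}: {', '.join(reasons)}")
    print("firewall disabled:", firewall_disabled(FW_LINES))
```

Run against a full log, the same two checks would also pick up the rogue entries only ComboFix's later CFScript removed, so they are a useful first pass before reading the whole file by hand.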

Re: Malware Doctor

Post by Belahzur on Sat Jun 27, 2009 7:49 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

DirLook::
c:\windows\dhcp
c:\program files\Ingenuware

File::
c:\windows\system32\38.tmp
c:\windows\system32\39.tmp

Driver::
pxsec
40dcf7ea
47bd0e53
52de3afe
60dc35e3
e47046e6

NetSvc::
Wmipsx

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.





Re: Malware Doctor

Post by TrevoJ on Sat Jun 27, 2009 8:08 pm

ComboFix 09-06-26.02 - Employee 06/27/2009 22:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.158 [GMT 3:00]
Running from: c:\documents and settings\Employee\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Employee\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\38.tmp"
"c:\windows\system32\39.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\38.tmp
c:\windows\system32\39.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_pxsec
-------\Service_40dcf7ea
-------\Service_47bd0e53
-------\Service_52de3afe
-------\Service_60dc35e3
-------\Service_e47046e6
-------\Service_pxsec


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-27 19:38 . 2009-06-27 19:38 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-27 18:47 . 2009-06-27 18:47 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-27 08:17 . 2009-06-22 18:07 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-22 18:30 . 2009-06-27 08:42 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-22 18:24 . 2009-06-22 18:24 -------- d-----w- c:\documents and settings\Employee\Local Settings\Application Data\AVG Security Toolbar
2009-06-22 18:07 . 2009-06-22 18:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-22 18:07 . 2009-06-22 18:07 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-22 18:07 . 2009-06-22 18:07 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-22 18:07 . 2009-06-22 18:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-22 18:07 . 2009-06-27 08:18 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-22 18:07 . 2009-06-22 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-22 18:06 . 2009-06-22 18:06 -------- d-----w- c:\program files\AVG
2009-06-22 18:06 . 2009-06-22 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-18 12:24 . 2009-06-18 12:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-18 12:16 . 2009-06-18 12:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-16 08:53 . 2009-06-16 08:53 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-14 09:07 . 2008-02-09 10:34 12328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 12:35 . 2009-06-13 12:03 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-13 12:03 . 2009-06-13 12:03 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-13 12:03 . 2009-06-13 12:03 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-13 12:03 . 2009-06-13 12:03 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-13 12:03 . 2009-06-13 12:03 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-13 12:03 . 2009-06-13 12:03 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-13 12:03 . 2009-06-13 12:03 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-13 11:56 . 2009-06-14 09:15 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-13 11:56 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-13 11:55 . 2009-06-13 11:55 -------- d-----w- c:\program files\Lavasoft
2009-06-13 07:43 . 2009-06-13 07:43 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-06-12 11:07 . 2009-06-17 08:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 11:07 . 2009-06-17 08:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 09:22 . 2009-06-27 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 10:57 . 2009-06-11 10:57 -------- d-----w- c:\documents and settings\Employee\Local Settings\Application Data\Help
2009-05-31 22:32 . 2009-05-31 22:32 -------- d-----w- c:\documents and settings\Employee\Application Data\Malwarebytes
2009-05-31 22:32 . 2009-05-31 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-31 21:19 . 2004-06-08 19:41 45056 ----a-w- c:\windows\system32\IngDirectXDetect.dll
2009-05-31 21:19 . 2009-05-31 21:19 -------- d-----w- c:\program files\Ingenuware
2009-05-31 19:03 . 2009-05-31 19:03 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
2009-05-31 19:03 . 2009-05-31 19:03 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple Computer
2009-05-31 19:02 . 2009-05-31 19:02 -------- d-----w- c:\documents and settings\Guest\Application Data\Dell
2009-05-31 18:57 . 2009-05-31 18:57 -------- d--h--w- c:\windows\system32\WLANProfiles
2009-05-31 11:49 . 2009-06-27 19:23 182656 ----a-w- c:\windows\system32\dllcache\ndis.sys
2009-05-31 11:49 . 2009-05-31 18:14 -------- d-----w- c:\windows\dhcp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 19:29 . 2004-08-10 18:51 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-27 19:14 . 2008-12-15 05:37 -------- d-----w- c:\documents and settings\Employee\Application Data\Skype
2009-06-27 13:06 . 2008-12-15 05:41 -------- d-----w- c:\documents and settings\Employee\Application Data\skypePM
2009-06-27 08:53 . 2008-02-09 10:26 -------- d-----w- c:\program files\Java
2009-06-27 08:40 . 2008-02-22 17:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-27 08:32 . 2008-02-22 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-24 09:40 . 2008-02-22 15:15 -------- d-----w- c:\documents and settings\Employee\Application Data\U3
2009-06-18 19:54 . 2008-11-17 18:19 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-15 06:55 . 2009-02-14 07:04 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-15 05:38 . 2009-02-13 14:24 -------- d-----w- c:\program files\DivX
2009-06-14 09:15 . 2009-06-14 09:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-06-13 11:55 . 2008-02-22 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-13 11:09 . 2009-03-21 17:36 -------- d-----w- c:\program files\Common Files\Apple
2009-06-12 13:23 . 2008-12-01 03:56 -------- d-----w- c:\program files\TikGames
2009-05-31 21:19 . 2008-02-09 10:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-31 21:13 . 2009-04-29 19:28 -------- d-----w- c:\program files\DatawareGames
2009-05-14 08:05 . 2008-02-22 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


Re: Malware Doctor

Post by TrevoJ on Sat Jun 27, 2009 8:08 pm

---- Directory of c:\program files\Ingenuware ----


---- Directory of c:\windows\dhcp ----



((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-27 19:38 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-27 19:38 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-27 19:38 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-27 19:38 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-27 19:38 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-27 19:38 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-27 19:38 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-27 19:38 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-27 19:38 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-27 19:38 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-27 19:38 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-27 19:38 . 2009-03-03 00:18 826368 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-27 19:38 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-27 19:38 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-27 19:38 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-27 19:38 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-27 19:38 . 2009-06-27 19:29 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-27 19:38 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-27 19:38 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-27 19:38 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-27 19:38 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-27 19:38 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-27 19:38 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.


Re: Malware Doctor

Post by TrevoJ on Sat Jun 27, 2009 8:08 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\Employee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-21 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-27 518488]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-22 1948440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-9 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-22 18:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"HPWRTOOLBOX"=c:\program files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe "-i"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe"
"VX1000"=c:\windows\vVX1000.exe
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"IgfxTray"=c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Documents and Settings\\Employee\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Employee\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"\\"= c:\\WINDOWS\\system\\svchost.exe
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/13/2009 3:03 PM 64160]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [6/13/2009 10:43 AM 22024]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/22/2009 9:07 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/22/2009 9:07 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/22/2009 9:07 PM 298776]
R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 10:06 PM 1003344]
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 11:04]

2009-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-835786232-2019414516-3820583977-1006Core.job
- c:\documents and settings\Employee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-21 21:46]

2009-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-835786232-2019414516-3820583977-1006UA.job
- c:\documents and settings\Employee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-21 21:46]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Employee\Application Data\Mozilla\Firefox\Profiles\hzbbw4ek.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Employee\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Employee\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-27 22:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(4084)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-06-27 23:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-27 20:04
ComboFix2.txt 2009-06-27 19:41

Pre-Run: 40,800,817,152 bytes free
Post-Run: 40,787,865,600 bytes free

327 --- E O F --- 2009-06-27 19:51


Re: Malware Doctor

Post by Belahzur on Sat Jun 27, 2009 8:18 pm

Hello.
Nearly done now.

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\windows\dhcp

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

Re: Malware Doctor

Post by TrevoJ on Sat Jun 27, 2009 8:29 pm

ComboFix 09-06-26.02 - Employee 06/27/2009 23:22.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.84 [GMT 3:00]
Running from: c:\documents and settings\Employee\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Employee\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\dhcp

.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-27 19:38 . 2009-06-27 19:38 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-27 18:47 . 2009-06-27 18:47 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-27 08:17 . 2009-06-22 18:07 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-22 18:30 . 2009-06-27 08:42 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-22 18:24 . 2009-06-22 18:24 -------- d-----w- c:\documents and settings\Employee\Local Settings\Application Data\AVG Security Toolbar
2009-06-22 18:07 . 2009-06-22 18:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-22 18:07 . 2009-06-22 18:07 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-22 18:07 . 2009-06-22 18:07 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-22 18:07 . 2009-06-22 18:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-22 18:07 . 2009-06-27 08:18 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-22 18:07 . 2009-06-22 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-22 18:06 . 2009-06-22 18:06 -------- d-----w- c:\program files\AVG
2009-06-22 18:06 . 2009-06-22 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-18 12:24 . 2009-06-18 12:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-18 12:16 . 2009-06-18 12:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-16 08:53 . 2009-06-16 08:53 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-14 09:07 . 2008-02-09 10:34 12328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 12:35 . 2009-06-13 12:03 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-13 12:03 . 2009-06-13 12:03 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-13 12:03 . 2009-06-13 12:03 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-13 12:03 . 2009-06-13 12:03 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-13 12:03 . 2009-06-13 12:03 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-13 12:03 . 2009-06-13 12:03 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-13 12:03 . 2009-06-13 12:03 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-13 11:56 . 2009-06-14 09:15 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-13 11:56 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-13 11:55 . 2009-06-13 11:55 -------- d-----w- c:\program files\Lavasoft
2009-06-13 07:43 . 2009-06-13 07:43 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-06-12 11:07 . 2009-06-17 08:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 11:07 . 2009-06-17 08:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 09:22 . 2009-06-27 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 10:57 . 2009-06-11 10:57 -------- d-----w- c:\documents and settings\Employee\Local Settings\Application Data\Help
2009-05-31 22:32 . 2009-05-31 22:32 -------- d-----w- c:\documents and settings\Employee\Application Data\Malwarebytes
2009-05-31 22:32 . 2009-05-31 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-31 21:19 . 2004-06-08 19:41 45056 ----a-w- c:\windows\system32\IngDirectXDetect.dll
2009-05-31 19:03 . 2009-05-31 19:03 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
2009-05-31 19:03 . 2009-05-31 19:03 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple Computer
2009-05-31 19:02 . 2009-05-31 19:02 -------- d-----w- c:\documents and settings\Guest\Application Data\Dell
2009-05-31 18:57 . 2009-05-31 18:57 -------- d--h--w- c:\windows\system32\WLANProfiles
2009-05-31 11:49 . 2009-06-27 19:23 182656 ----a-w- c:\windows\system32\dllcache\ndis.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 19:29 . 2004-08-10 18:51 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-27 19:14 . 2008-12-15 05:37 -------- d-----w- c:\documents and settings\Employee\Application Data\Skype
2009-06-27 13:06 . 2008-12-15 05:41 -------- d-----w- c:\documents and settings\Employee\Application Data\skypePM
2009-06-27 08:53 . 2008-02-09 10:26 -------- d-----w- c:\program files\Java
2009-06-27 08:40 . 2008-02-22 17:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-27 08:32 . 2008-02-22 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-24 09:40 . 2008-02-22 15:15 -------- d-----w- c:\documents and settings\Employee\Application Data\U3
2009-06-18 19:54 . 2008-11-17 18:19 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-15 06:55 . 2009-02-14 07:04 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-15 05:38 . 2009-02-13 14:24 -------- d-----w- c:\program files\DivX
2009-06-14 09:15 . 2009-06-14 09:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-06-13 11:55 . 2008-02-22 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-13 11:09 . 2009-03-21 17:36 -------- d-----w- c:\program files\Common Files\Apple
2009-06-12 13:23 . 2008-12-01 03:56 -------- d-----w- c:\program files\TikGames
2009-05-31 21:19 . 2008-02-09 10:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-31 21:13 . 2009-04-29 19:28 -------- d-----w- c:\program files\DatawareGames
2009-05-14 08:05 . 2008-02-22 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-27 19:38 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-27 19:38 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-27 19:38 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-27 19:38 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-27 19:38 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-27 19:38 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-27 19:38 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-27 19:38 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-27 19:38 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-27 19:38 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-27 19:38 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-27 19:38 . 2009-03-03 00:18 826368 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-27 19:38 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-27 19:38 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-27 19:38 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-27 19:38 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-27 19:38 . 2009-06-27 19:29 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-27 19:38 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-27 19:38 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-27 19:38 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-27 19:38 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-27 19:38 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-27 19:38 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe


Re: Malware Doctor

Post by TrevoJ on Sat Jun 27, 2009 8:29 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\Employee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-21 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-27 518488]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-22 1948440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-9 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-22 18:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"HPWRTOOLBOX"=c:\program files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe "-i"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe"
"VX1000"=c:\windows\vVX1000.exe
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"IgfxTray"=c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Documents and Settings\\Employee\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Employee\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/13/2009 3:03 PM 64160]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [6/13/2009 10:43 AM 22024]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/22/2009 9:07 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/22/2009 9:07 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/22/2009 9:07 PM 298776]
R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 10:06 PM 1003344]
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 11:04]

2009-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-835786232-2019414516-3820583977-1006Core.job
- c:\documents and settings\Employee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-21 21:46]

2009-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-835786232-2019414516-3820583977-1006UA.job
- c:\documents and settings\Employee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-21 21:46]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Employee\Application Data\Mozilla\Firefox\Profiles\hzbbw4ek.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Employee\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Employee\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-27 23:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(176)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-27 23:27
ComboFix-quarantined-files.txt 2009-06-27 20:27
ComboFix2.txt 2009-06-27 20:04
ComboFix3.txt 2009-06-27 19:41

Pre-Run: 40,799,744,000 bytes free
Post-Run: 40,785,440,768 bytes free

218 --- E O F --- 2009-06-27 19:51

Re: Malware Doctor

Post by Belahzur on Sat Jun 27, 2009 8:38 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware Doctor

Post by TrevoJ on Sat Jun 27, 2009 8:43 pm

Right now it is running good.

Thank you so much for your help. You got me smiling.

Re: Malware Doctor

Post by Belahzur on Sat Jun 27, 2009 8:45 pm

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

Re: Malware Doctor

Post by TrevoJ on Sun Jun 28, 2009 11:06 am

Thanks again and thanks for the follow up information. It is great that you offer this information at the end to help educate.
