possible malware problem?


possible malware problem?

Post by dingdandoo on 1st July 2009, 11:06 am

For the past week or so my computer has been constantly slow and I have not been able to update my Avira antivirus; plus I keep getting a lot of requests from my firewall about Windows services, and it has been going crazy a lot. When I ran Trend Micro HijackThis a message appeared saying one of the hosts may have been hijacked. Thanks in advance, here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:52, on 30/06/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\sttray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\Explorer.EXE
C:\Program Files\PKR\pokerapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: ZILLAbar Browser Helper Object - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [PKR Pal] "C:\Program Files\PKR\pkrpal.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.15\AMVConverter\grab.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.15\MediaManager\grab.html
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - [You must be registered and logged in to see this link.] (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 10659 bytes

dingdandoo
Intermediate
Posts: 77
Joined: 2008-12-10
OS: windows vista home basic
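The HijackThis log above is a line-oriented format: a header, a "Running processes" list, then one entry per line tagged with a section code (R0/R1/R3 for Internet Explorer URL settings, O2 for Browser Helper Objects, O4 for Run keys, O10 for Winsock LSP chain slots, O20 for AppInit_DLLs, O23 for services). As an added example that is not part of this thread, the following Python script parses that format and applies the first-pass checks a helper makes by eye: BHOs that point at a missing file, which DLLs sit in the LSP chain (HijackThis prints one O10 line per chain slot, so the repeats seen above are normal), anything in AppInit_DLLs, and whether more than one real-time antivirus vendor shows up in Run keys and services (the reason Avira was asked to be removed alongside AVG). The sample log is constructed from a handful of the posted lines; the vendor path markers in AV_MARKERS and the wording of the findings are the example's own assumptions.

```python
"""Added example: parse a Trend Micro HijackThis 2.0 log and pull out the
items a malware-removal helper reads first. Not part of the forum thread."""
import re
from collections import Counter

# Constructed sample, shaped like the log posted in the thread (same sections,
# a handful of its lines) so the parser can be run offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:52, on 30/06/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
--
End of file - 10659 bytes
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumed path fragments identifying the two real-time AV products installed
# side by side in the posted log; extend for other vendors.
AV_MARKERS = {"Avira": "\\avira\\", "AVG": "\\avg\\"}


def parse_hjt(text):
    """Return (section, body) pairs for every 'Rn - ...' / 'On - ...' line.
    The header and the 'Running processes' list are not entries and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def review(entries):
    """Heuristics a helper applies by eye: orphaned BHOs, the Winsock LSP
    chain, AppInit_DLLs, and more than one real-time AV vendor."""
    report = {"orphaned_bho": [], "lsp_dlls": Counter(),
              "appinit_dlls": [], "av_vendors": set()}
    for section, body in entries:
        low = body.lower()
        if section == "O2" and low.endswith("(no file)"):
            m = CLSID_RE.search(body)
            report["orphaned_bho"].append(m.group(0) if m else body)
        elif section == "O10" and "winsock lsp: " in low:
            # One O10 line per LSP chain slot, so the same DLL repeating is
            # normal; what matters is which DLLs are present at all.
            report["lsp_dlls"][low.split("winsock lsp: ", 1)[1].strip()] += 1
        elif section == "O20" and low.startswith("appinit_dlls:"):
            report["appinit_dlls"].extend(body.split(":", 1)[1].split())
        if section in ("O4", "O23"):
            for vendor, marker in AV_MARKERS.items():
                if marker in low:
                    report["av_vendors"].add(vendor)
    return report


def findings(report):
    """Turn the report into the short list a helper would post back."""
    out = []
    for clsid in report["orphaned_bho"]:
        out.append(f"O2 BHO {clsid} points at a missing file: dead entry, safe to fix")
    for dll, slots in sorted(report["lsp_dlls"].items()):
        out.append(f"O10 LSP {dll} occupies {slots} chain slot(s): confirm the vendor")
    for dll in report["appinit_dlls"]:
        out.append(f"O20 AppInit_DLLs loads {dll} into every process that loads "
                   "user32.dll: confirm the vendor")
    if len(report["av_vendors"]) > 1:
        out.append("two real-time AV products installed: "
                   + ", ".join(sorted(report["av_vendors"])) + "; keep one")
    return out


if __name__ == "__main__":
    for line in findings(review(parse_hjt(SAMPLE_LOG))):
        print(line)
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the "(no file)" BHO, the LSP DLL list and the AppInit_DLLs entry in the posted log are exactly the items the checks pick out, and the two-vendor finding matches the first reply in the thread.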

Re: possible malware problem?

Post by Belahzur on 1st July 2009, 2:52 pm

Well, since Avira won't update, it needs to be removed because you also have AVG on the system.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64

Re: possible malware problem?

Post by dingdandoo on 1st July 2009, 3:32 pm

Thanks for your help Belahzur, here is the list:

4oD
7-Zip 4.65
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.1
Adobe Shockwave Player 11
Apple Mobile Device Support
Apple Software Update
AVG Free 8.5
AVS4YOU Software Navigator 1.2
Bonjour
BT Home Hub
CCleaner (remove only)
Championship Manager 2006
Clean Uninstaller
Dell System Customization Wizard
DellSupport
Disc2Phone
DivX Web Player
Elecard MPEG-2 Decoder&Streaming Pack
FLV Player 2.0 (build 25)
GIMP 2.6.6
GOM Player
Google Earth
Google Updater
GPL MPEG-1/2 DirectShow Decoder Filter
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Indeo® Software
iTunes
Java(TM) 6 Update 14
king.com (remove only)
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Messenger Plus! Live & Sponsor (CiD)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Office XP Professional with FrontPage
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601)
Microsoft Windows Logo
Microsoft Works
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Nokia Connectivity Cable Driver
Nokia PC Connectivity Solution
Nokia PC Suite
NVIDIA Drivers
Nvu 1.0
Opera 9.62
Orange Preload
Picasa 3
PKR
Pop-Up Stopper Free Edition
PowerDVD
PSP Video 9 2.25
QuickTime
RealPlayer
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937061)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB947738)
SigmaTel Audio
Sky Broadband
Smart Defrag 1.10
Smart Menus (Windows Live Toolbar)
Sonic Activation Module
STOPzilla
Ultra PSP Movie Converter 4.2.0716
Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB932232)
URL Assistant
User's Guides
VC80CRTRedist - 8.0.50727.762
VeohTV BETA
VideoLAN VLC media player 0.8.6d
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WinAVIVideoConverter
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Upload Tool
Windows Media Player Firefox Plugin
Yahoo! Install Manager
Yahoo! Toolbar
ZoneAlarm


Re: possible malware problem?

Post by Belahzur on 1st July 2009, 3:45 pm

Hello.
Have you already uninstalled Avira?

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Messenger Plus! Live & Sponsor (CiD)

The CiD is an adware infection; it comes with the sponsors when you install them with Messenger Plus.

I see you have VLC player installed. You are running an old version and it needs updating.

Download and install [You must be registered and logged in to see this link.]
When installing, it will ask if you want to uninstall the old version first before it can install the new version, so please select yes and allow it to install.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: possible malware problem?

Post by dingdandoo on 1st July 2009, 6:02 pm

Yeah Belahzur, Avira is uninstalled, here is the ComboFix log:

ComboFix 09-07-01.01 - steven 01/07/2009 18:40.4 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.958.362 [GMT 1:00]
Running from: c:\users\steven\Downloads\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\gxvxccount

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-29 20:12 . 2009-06-29 20:12 -------- d-----w- c:\programdata\WindowsSearch
2009-06-29 15:38 . 2009-06-29 15:38 -------- d-----w- C:\PerfLogs
2009-06-28 14:17 . 2009-06-28 10:44 2052888 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-06-28 12:02 . 2009-06-28 12:02 -------- d-----w- c:\users\steven\AppData\Local\AVG Security Toolbar
2009-06-28 10:46 . 2009-06-28 10:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-28 10:46 . 2009-06-28 10:46 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-28 10:46 . 2009-06-28 10:46 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 10:46 . 2009-06-28 10:46 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-28 10:45 . 2009-07-01 10:54 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-28 10:45 . 2009-06-28 10:45 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-06-24 13:34 . 2009-06-24 13:34 -------- d-----w- c:\program files\GIMP-2.0
2009-06-20 10:08 . 2009-04-21 11:55 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-06-20 10:08 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-06-07 18:31 . 2009-06-07 18:31 0 ----a-w- c:\users\chubby\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-06-07 18:22 . 2009-06-07 20:21 -------- d-----w- c:\users\chubby\AppData\Roaming\FrostWire
2009-06-06 14:00 . 2009-06-06 14:00 0 ----a-w- c:\users\steven\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-06-06 13:26 . 2009-07-01 15:14 -------- d-----w- c:\users\steven\AppData\Roaming\FrostWire
2009-06-06 13:25 . 2009-07-01 15:15 -------- d-----w- c:\program files\FrostWire
2009-06-05 10:44 . 2009-06-05 10:44 -------- d-----w- c:\program files\7-Zip
2009-06-03 11:11 . 2008-06-20 01:17 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-06-03 11:11 . 2008-06-20 01:18 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-06-03 11:11 . 2008-06-20 01:17 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-06-03 11:11 . 2008-06-20 01:18 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-06-03 11:11 . 2008-06-20 01:17 11264 ----a-w- c:\windows\system32\icardres.dll
2009-06-03 11:10 . 2008-06-20 01:18 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-06-03 11:10 . 2008-06-20 01:18 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-06-03 10:32 . 2008-07-27 18:00 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-06-03 10:32 . 2008-07-27 18:00 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-06-03 10:32 . 2008-07-27 18:00 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-06-03 10:31 . 2008-07-27 18:00 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-06-03 10:31 . 2008-07-27 18:00 83968 ----a-w- c:\windows\system32\mscories.dll
2009-06-02 18:01 . 2009-07-01 17:30 -------- d-s---w- C:\ComboFix
2009-06-02 11:39 . 2009-07-01 17:54 -------- d-----w- c:\users\steven\AppData\Local\temp
2009-06-02 11:39 . 2009-07-01 17:54 -------- d-----w- c:\users\chubby\AppData\Local\temp
2009-06-02 11:39 . 2009-06-02 11:39 -------- d-----w- c:\users\dolly\AppData\Local\temp
2009-06-02 10:36 . 2009-06-02 10:36 2560 ----a-w- c:\windows\_MSRSTRT.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 17:23 . 2009-01-10 21:14 -------- d-----w- c:\program files\MSN Messenger
2009-07-01 15:25 . 2007-06-22 12:10 352614 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-06-30 19:16 . 2008-04-04 00:29 -------- d-----w- c:\programdata\Google Updater
2009-06-30 11:35 . 2009-04-23 15:29 -------- d-----w- c:\program files\PKR
2009-06-30 11:17 . 2008-12-10 16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 17:26 . 2009-06-29 17:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-06-29 15:54 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-06-29 15:54 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-29 15:54 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-06-29 15:53 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2009-06-29 15:53 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-29 15:53 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-06-29 15:38 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-29 14:42 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-06-29 14:41 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-06-29 13:18 . 2007-03-14 00:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-29 13:16 . 2006-11-02 12:35 -------- d-----w- c:\program files\Microsoft Games
2009-06-29 13:00 . 2007-03-14 00:57 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-28 10:44 . 2008-05-28 18:07 -------- d-----w- c:\programdata\avg8
2009-06-24 14:04 . 2009-03-26 14:26 -------- d-----w- c:\users\steven\AppData\Roaming\gtk-2.0
2009-06-23 11:56 . 2007-03-14 00:57 -------- d-----w- c:\program files\Microsoft Works
2009-06-22 11:08 . 2007-07-16 06:59 8160 ----a-w- c:\users\steven\AppData\Local\d3d9caps.dat
2009-06-17 10:27 . 2008-12-10 16:49 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27 . 2008-12-10 16:49 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 23:16 . 2009-06-15 07:23 1177088 ----a-w- c:\windows\Internet Logs\xDB8AD1.tmp
2009-06-07 08:01 . 2007-04-14 16:11 -------- d-----w- c:\users\chubby\AppData\Roaming\LimeWire
2009-06-05 10:29 . 2008-08-07 00:22 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-06-05 10:29 . 2008-08-07 00:22 -------- d-----w- c:\program files\AVS4YOU
2009-06-02 12:34 . 2009-01-20 13:21 -------- d-----w- c:\program files\Lavasoft
2009-06-02 12:34 . 2007-06-21 09:30 -------- d-----w- c:\programdata\Lavasoft
2009-06-02 11:10 . 2007-03-14 00:50 -------- d-----w- c:\programdata\Roxio
2009-06-02 10:47 . 2007-12-20 11:06 -------- d-----w- c:\users\steven\AppData\Roaming\uTorrent
2009-06-01 10:33 . 2009-06-01 10:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-01 10:28 . 2008-12-10 23:38 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-01 10:12 . 2009-06-01 10:12 -------- d-----w- c:\programdata\Sunbelt
2009-05-31 11:24 . 2009-05-31 11:24 -------- d-----w- c:\program files\Trend Micro
2009-05-30 17:33 . 2007-03-16 16:12 778 ----a-w- c:\users\steven\AppData\Roaming\wklnhst.dat
2009-05-20 22:51 . 2009-05-20 22:51 -------- d-----w- c:\users\chubby\AppData\Roaming\GRETECH
2009-05-18 17:38 . 2009-05-18 17:38 -------- d-----w- c:\users\steven\AppData\Roaming\Uniblue
2009-05-18 14:50 . 2009-05-18 14:50 2967799 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-15 06:39 . 2007-09-20 06:56 21655498 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-24 16:05 . 2009-06-20 10:07 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-20 10:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-20 10:07 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-20 10:07 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2008-01-05 18:08 . 2008-01-05 18:06 80 --sha-r- c:\windows\System32\41C336709D.dll
2007-06-30 18:34 . 2007-06-10 15:08 88 --sha-r- c:\windows\System32\63F43ECA55.sys
2007-06-30 18:34 . 2007-06-10 15:08 3506 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-03-14 08:27 . 2007-03-14 08:26 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.


Re: possible malware problem?

Post by dingdandoo on 1st July 2009, 6:03 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 15:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-09 959976]
"MSConfig"="c:\windows\system32\msconfig.exe" [2008-01-19 227840]
"PKR Pal"="c:\program files\PKR\pkrpal.exe" [2009-06-30 2346088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-01 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-08 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-08 81920]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-02-08 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2478390336-1506789915-2723413947-1000]
"EnableNotificationsRef"=dword:00000004

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E40E23A0-3F53-4E0A-BD10-A6F87E251B89}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{A1500816-CCD4-4FA5-B76A-43FA30F5AF9D}"= UDP:c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe
"{936A4CEF-1F4D-48BF-B8E8-46B3CB11E1D2}"= TCP:c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe
"{FE92EC84-6EDD-4601-8DB8-0EA078D942AE}"= UDP:c:\program files\Grisoft\AVG Free\avgamsvr.exe:avgamsvr.exe
"{7E3F38D0-992F-48FF-83A3-E6ACBBB1334F}"= TCP:c:\program files\Grisoft\AVG Free\avgamsvr.exe:avgamsvr.exe
"{2F0B0DAA-0C98-44F7-8E3E-B167E16C1D36}"= UDP:c:\program files\Grisoft\AVG Free\avgcc.exe:avgcc.exe
"{952BB71B-9C91-4C79-B841-6CC26896AF02}"= TCP:c:\program files\Grisoft\AVG Free\avgcc.exe:avgcc.exe
"{CF17122B-C2DC-4003-AD51-E38F5DD3A8F3}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{43B4FE5E-A35C-42DD-9104-E7F46B51E470}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{3A25364A-1E94-4E25-BB3E-825531804BE0}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{47C6BC9E-D305-4226-8A02-6BEF3DB853A5}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{616B929E-BBE3-4A0D-B542-5714045FA654}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{561491F4-2307-4B91-A0F9-D3F134A2B2B5}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C66A02AB-3363-49E1-8B88-D71B2713272B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9DAE95AE-BFF2-4391-8121-6505EAB7D258}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B51033C1-52C9-421B-9D5E-046CC46E20DD}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{B6B1053A-8745-4DA4-A6B2-484DE7D0ECB3}"= UDP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{C9697AF8-9CA4-49F1-91AC-2E2EA72B4725}"= TCP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{40745C7E-841A-45A5-B331-9BFE1387DFB2}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{539357B6-D147-45F5-A967-823F31210801}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 szkg5;szkg;c:\windows\System32\drivers\SZKG.sys [12/12/2007 1:28 PM 30208]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [6/28/2009 11:46 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [6/28/2009 11:46 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/28/2009 11:44 AM 298776]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\System32\drivers\s115mdfl.sys [4/23/2007 1:54 PM 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\System32\drivers\s115mdm.sys [4/23/2007 1:54 PM 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s115mgmt.sys [4/23/2007 1:54 PM 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\System32\drivers\s115obex.sys [4/23/2007 1:54 PM 98568]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\w300mgmt.sys [3/16/2007 7:03 PM 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\System32\drivers\w300obex.sys [3/16/2007 7:02 PM 85696]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2/22/2007 7:39 PM 2808664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\User_Feed_Synchronization-{1DFEA306-C0E8-4072-80CC-2A847A29AA5D}.job
- c:\windows\system32\msfeedssync.exe [2008-09-15 07:33]

2009-07-01 c:\windows\Tasks\User_Feed_Synchronization-{378FC4FB-AC9A-4968-BFF3-D0FD99701AD2}.job
- c:\windows\system32\msfeedssync.exe [2008-09-15 07:33]

2009-07-01 c:\windows\Tasks\User_Feed_Synchronization-{9B8571A5-D99F-405F-8499-8AAD102A1E2D}.job
- c:\windows\system32\msfeedssync.exe [2008-09-15 07:33]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\uniblue\registrybooster\StartRegistryBooster.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.15\AMVConverter\grab.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.15\MediaManager\grab.html
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - [You must be registered and logged in to see this link.]
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: pwsforums.com\www
FF - ProfilePath - c:\users\steven\AppData\Roaming\Mozilla\Firefox\Profiles\5cv9ex7j.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmidas.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\Npindeo.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\users\steven\Picassa\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\users\steven\Picassa\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-01 18:54
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\steven\AppData\Local\Temp\catchme.dll 53248 bytes executable
c:\windows\TEMP\TMP0000006A03A3C70BE57DCDFB 524288 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-07-01 19:00
ComboFix-quarantined-files.txt 2009-07-01 18:00
ComboFix2.txt 2009-06-02 11:39

Pre-Run: 18,186,936,320 bytes free
Post-Run: 17,982,832,640 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=19 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
300 --- E O F --- 2009-06-29 15:03


Re: possible malware problem?

Post by Belahzur on 1st July 2009, 6:19 pm

Hello.

I see that you are running Frostwire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight Frostwire
  • Click on the Uninstall/Change button at the top.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\Internet Logs\xDB8AD1.tmp
c:\windows\Internet Logs\tvDebug.zip

Folder::
c:\users\chubby\AppData\Roaming\FrostWire
c:\users\steven\AppData\Roaming\FrostWire
c:\program files\FrostWire
c:\users\chubby\AppData\Roaming\FrostWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E40E23A0-3F53-4E0A-BD10-A6F87E251B89}"=-
"{B6B1053A-8745-4DA4-A6B2-484DE7D0ECB3}"=-
"{C9697AF8-9CA4-49F1-91AC-2E2EA72B4725}"=-

Save this as CFScript.txt and save it to your desktop as well.
Then drag and drop CFScript.txt into ComboFix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


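The CFScript mechanism in the post above generalises. ComboFix's Registry:: section takes regedit syntax, so "name"=- deletes that value from the key named on the line before it, and the rules worth deleting are the ones whose executable sits under a folder the Folder:: section is about to remove (here FrostWire), plus any that already point at a program that is gone; the Grisoft\AVG Free rules in the log, left over from an AVG version that now lives under AVG\AVG8, look like the second kind. Two caveats from the same log: the "TCP Query User…"/"UDP Query User…" names are the rules Windows Firewall creates when a user answers its prompt, so they are worth reading but not automatically suspicious, and EnableFirewall = 0 on all three profiles is consistent with ZoneAlarm being the registered firewall (FW: ZoneAlarm Firewall *enabled*), not evidence of tampering by itself. The Python below is an added example written for this thread, not ComboFix's code or the helper's own script: it parses the FirewallRules block as ComboFix prints it (the sample lines are copied from the log above and wrapped in a constructed string) and emits the matching Registry:: section. The parser, the function names and the injectable stale-path check are assumptions; run it against a saved copy of the log and let ComboFix do the actual deletion, as the post says.

```python
"""Build a ComboFix CFScript 'Registry::' section from the FirewallRules block
of a ComboFix log (added example for this thread; not ComboFix's own code)."""
import os
import re
from typing import Callable, Dict, List

# Constructed sample: rule lines copied from the log posted above, in the format
# ComboFix prints them (value name, '=', optional TCP:/UDP: prefix, path, ':' description).
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E40E23A0-3F53-4E0A-BD10-A6F87E251B89}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{A1500816-CCD4-4FA5-B76A-43FA30F5AF9D}"= UDP:c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe
"TCP Query User{3A25364A-1E94-4E25-BB3E-825531804BE0}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{B51033C1-52C9-421B-9D5E-046CC46E20DD}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{B6B1053A-8745-4DA4-A6B2-484DE7D0ECB3}"= UDP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{C9697AF8-9CA4-49F1-91AC-2E2EA72B4725}"= TCP:c:\program files\FrostWire\FrostWire.exe:FrostWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
'''

FIREWALL_RULES_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]"

# A drive-letter path cannot contain another ':', so the first ':' after the
# drive letter separates the executable path from the rule's description.
RULE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:(?P<proto>TCP|UDP):)?'
    r'(?P<path>[A-Za-z]:\\[^:]*):(?P<desc>.*)$'
)


def parse_firewall_rules(log_text: str) -> Dict[str, dict]:
    """Map each FirewallRules value name to its protocol, executable path and description."""
    rules: Dict[str, dict] = {}
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new registry key starts; is it the rules key?
            in_block = line.lower() == FIREWALL_RULES_KEY.lower()
            continue
        if not in_block or not line:
            continue
        m = RULE_RE.match(line)
        if m:                               # skip anything that is not a rule line
            rules[m["name"]] = {"proto": m["proto"], "path": m["path"].lower(), "desc": m["desc"]}
    return rules


def rules_under(rules: Dict[str, dict], folders: List[str]) -> List[str]:
    """Value names of rules whose executable lives under one of the folders being removed."""
    prefixes = [f.lower().rstrip("\\") + "\\" for f in folders]
    return [name for name, r in rules.items() if any(r["path"].startswith(p) for p in prefixes)]


def stale_rules(rules: Dict[str, dict], exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Value names of rules that point at an executable no longer on disk.

    'exists' is injectable (assumption) so the check can be run against a list of
    known paths when analysing a log offline instead of on the affected machine."""
    return [name for name, r in rules.items() if not exists(r["path"])]


def cfscript_registry_section(value_names: List[str]) -> str:
    """Emit the Registry:: section in regedit syntax, where "name"=- deletes that value."""
    lines = ["Registry::", FIREWALL_RULES_KEY] + [f'"{name}"=-' for name in value_names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_firewall_rules(SAMPLE_LOG)
    removed = [r"c:\program files\FrostWire"]   # the Folder:: entry from the CFScript above
    print(cfscript_registry_section(rules_under(parsed, removed)))
```

Run stand-alone it prints the two FrostWire deletion lines under the FirewallRules key, which is what the helper's script contains; the stale-rule check is the extra pass you would do before posting a CFScript, so that rules for the old Grisoft\AVG Free paths do not outlive the product they were created for.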

Re: possible malware problem?

Post by dingdandoo on 2nd July 2009, 7:10 pm

Belahzur, here is the log for the last ComboFix run:
ComboFix 09-07-01.01 - steven 02/07/2009 8:11.5 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.958.241 [GMT 1:00]
Running from: c:\users\steven\Downloads\Combo-Fix.exe
Command switches used :: c:\users\steven\Downloads\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\Internet Logs\tvDebug.zip"
"c:\windows\Internet Logs\xDB8AD1.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FrostWire
c:\program files\FrostWire\aopalliance.jar
c:\program files\FrostWire\clink.jar
c:\program files\FrostWire\commons-codec-1.3.jar
c:\program files\FrostWire\commons-logging.jar
c:\program files\FrostWire\daap.jar
c:\program files\FrostWire\forms.jar
c:\program files\FrostWire\foxtrot.jar
c:\program files\FrostWire\FrostWire.exe
c:\program files\FrostWire\FrostWire.jar
c:\program files\FrostWire\gettext-commons.jar
c:\program files\FrostWire\guice-1.0.jar
c:\program files\FrostWire\httpclient-4.0-alpha3.jar
c:\program files\FrostWire\httpcore-4.0-beta2.jar
c:\program files\FrostWire\httpcore-nio-4.0-beta2.jar
c:\program files\FrostWire\httpcore-niossl-4.0-alpha7.jar
c:\program files\FrostWire\icu4j.jar
c:\program files\FrostWire\jaudiotagger.jar
c:\program files\FrostWire\jcraft.jar
c:\program files\FrostWire\jdic.dll
c:\program files\FrostWire\jdic.jar
c:\program files\FrostWire\jdic_stub.jar
c:\program files\FrostWire\jflac.jar
c:\program files\FrostWire\jl.jar
c:\program files\FrostWire\jmdns.jar
c:\program files\FrostWire\jogg.jar
c:\program files\FrostWire\jorbis.jar
c:\program files\FrostWire\jython.jar
c:\program files\FrostWire\log4j.jar
c:\program files\FrostWire\looks.jar
c:\program files\FrostWire\lw-all.jar
c:\program files\FrostWire\messages.jar
c:\program files\FrostWire\mp3spi.jar
c:\program files\FrostWire\onion-common.jar
c:\program files\FrostWire\onion-fec.jar
c:\program files\FrostWire\ProgressTabs.jar
c:\program files\FrostWire\SystemUtilities.dll
c:\program files\FrostWire\themes.jar
c:\program files\FrostWire\tray.dll
c:\program files\FrostWire\tritonus.jar
c:\program files\FrostWire\vorbisspi.jar
c:\users\chubby\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
c:\users\chubby\AppData\Roaming\FrostWire\createtimes.cache
c:\users\chubby\AppData\Roaming\FrostWire\downloads.dat
c:\users\chubby\AppData\Roaming\FrostWire\fileurns.bak
c:\users\chubby\AppData\Roaming\FrostWire\fileurns.cache
c:\users\chubby\AppData\Roaming\FrostWire\frostwire.props
c:\users\chubby\AppData\Roaming\FrostWire\installation.props
c:\users\chubby\AppData\Roaming\FrostWire\intent.props
c:\users\chubby\AppData\Roaming\FrostWire\library.dat
c:\users\chubby\AppData\Roaming\FrostWire\mojito.props
c:\users\chubby\AppData\Roaming\FrostWire\overlays.dat
c:\users\chubby\AppData\Roaming\FrostWire\overlays\default.png
c:\users\chubby\AppData\Roaming\FrostWire\overlays\glass_waves_overlay.jpg
c:\users\chubby\AppData\Roaming\FrostWire\seenMessages.dat
c:\users\chubby\AppData\Roaming\FrostWire\tables.props
c:\users\chubby\AppData\Roaming\FrostWire\themes\frostwirePro_theme.fwtp
c:\users\chubby\AppData\Roaming\FrostWire\themes\frostwirePro_theme\theme.txt
c:\users\chubby\AppData\Roaming\FrostWire\version.xml
c:\users\chubby\AppData\Roaming\FrostWire\xml\data\audio.sxml2
c:\users\steven\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
c:\users\steven\AppData\Roaming\FrostWire\createtimes.cache
c:\users\steven\AppData\Roaming\FrostWire\downloads.dat
c:\users\steven\AppData\Roaming\FrostWire\fileurns.bak
c:\users\steven\AppData\Roaming\FrostWire\fileurns.cache
c:\users\steven\AppData\Roaming\FrostWire\filters.props
c:\users\steven\AppData\Roaming\FrostWire\frostwire.props
c:\users\steven\AppData\Roaming\FrostWire\gnutella.net
c:\users\steven\AppData\Roaming\FrostWire\installation.props
c:\users\steven\AppData\Roaming\FrostWire\intent.props
c:\users\steven\AppData\Roaming\FrostWire\library.dat
c:\users\steven\AppData\Roaming\FrostWire\mojito.props
c:\users\steven\AppData\Roaming\FrostWire\overlays.dat
c:\users\steven\AppData\Roaming\FrostWire\overlays\default.png
c:\users\steven\AppData\Roaming\FrostWire\overlays\frostclick_default_overlay.jpg
c:\users\steven\AppData\Roaming\FrostWire\questions.props
c:\users\steven\AppData\Roaming\FrostWire\responses.cache
c:\users\steven\AppData\Roaming\FrostWire\seenMessages.dat
c:\users\steven\AppData\Roaming\FrostWire\spam.dat
c:\users\steven\AppData\Roaming\FrostWire\tables.props
c:\users\steven\AppData\Roaming\FrostWire\themes\frostwirePro_theme.fwtp
c:\users\steven\AppData\Roaming\FrostWire\themes\frostwirePro_theme\theme.txt
c:\users\steven\AppData\Roaming\FrostWire\themes\frostwirePro_theme\version.txt
c:\users\steven\AppData\Roaming\FrostWire\ttrees.cache
c:\users\steven\AppData\Roaming\FrostWire\ttroot.cache
c:\users\steven\AppData\Roaming\FrostWire\version.xml
c:\users\steven\AppData\Roaming\FrostWire\xml\data\audio.sxml2
c:\windows\Internet Logs\tvDebug.zip
c:\windows\Internet Logs\xDB8AD1.tmp

.
((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-01 22:18 . 2009-07-01 22:18 -------- d-----w- c:\programdata\Messenger Plus!
2009-07-01 18:43 . 2009-07-01 18:43 -------- d-----w- c:\program files\Windows Live
2009-07-01 18:43 . 2009-07-01 18:43 -------- d-----w- c:\program files\Messenger Plus! Live
2009-07-01 18:35 . 2009-07-01 18:35 -------- d-----w- c:\windows\Sun
2009-07-01 18:01 . 2009-07-02 07:27 -------- d-----w- c:\users\steven\AppData\Local\temp
2009-07-01 18:01 . 2009-07-01 18:01 -------- d-----w- c:\users\dolly\AppData\Local\temp
2009-07-01 18:01 . 2009-07-01 18:01 -------- d-----w- c:\users\chubby\AppData\Local\temp
2009-06-29 20:12 . 2009-06-29 20:12 -------- d-----w- c:\programdata\WindowsSearch
2009-06-29 15:38 . 2009-06-29 15:38 -------- d-----w- C:\PerfLogs
2009-06-28 14:17 . 2009-06-28 10:44 2052888 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-06-28 12:02 . 2009-06-28 12:02 -------- d-----w- c:\users\steven\AppData\Local\AVG Security Toolbar
2009-06-28 10:46 . 2009-06-28 10:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-28 10:46 . 2009-06-28 10:46 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-28 10:46 . 2009-06-28 10:46 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 10:46 . 2009-06-28 10:46 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-28 10:45 . 2009-07-01 10:54 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-28 10:45 . 2009-06-28 10:45 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-06-24 13:34 . 2009-06-24 13:34 -------- d-----w- c:\program files\GIMP-2.0
2009-06-20 10:08 . 2009-04-21 11:55 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-06-20 10:08 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-06-07 18:22 . 2009-07-02 07:26 -------- d-----w- c:\users\chubby\AppData\Roaming\FrostWire
2009-06-06 13:26 . 2009-07-02 07:26 -------- d-----w- c:\users\steven\AppData\Roaming\FrostWire
2009-06-05 10:44 . 2009-06-05 10:44 -------- d-----w- c:\program files\7-Zip
2009-06-03 11:11 . 2008-06-20 01:17 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-06-03 11:11 . 2008-06-20 01:18 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-06-03 11:11 . 2008-06-20 01:17 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-06-03 11:11 . 2008-06-20 01:18 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-06-03 11:11 . 2008-06-20 01:17 11264 ----a-w- c:\windows\system32\icardres.dll
2009-06-03 11:10 . 2008-06-20 01:18 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-06-03 11:10 . 2008-06-20 01:18 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-06-03 10:32 . 2008-07-27 18:00 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-06-03 10:32 . 2008-07-27 18:00 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-06-03 10:32 . 2008-07-27 18:00 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-06-03 10:31 . 2008-07-27 18:00 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-06-03 10:31 . 2008-07-27 18:00 83968 ----a-w- c:\windows\system32\mscories.dll
2009-06-02 18:01 . 2009-07-01 17:30 -------- d-s---w- C:\ComboFix
2009-06-02 10:36 . 2009-06-02 10:36 2560 ----a-w- c:\windows\_MSRSTRT.EXE


Re: possible malware problem?

Post by dingdandoo on 2nd July 2009, 7:11 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 06:46 . 2007-06-22 12:10 352614 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-07-01 20:18 . 2008-04-04 00:29 -------- d-----w- c:\programdata\Google Updater
2009-07-01 18:43 . 2009-01-10 21:14 -------- d-----w- c:\program files\MSN Messenger
2009-06-30 11:35 . 2009-04-23 15:29 -------- d-----w- c:\program files\PKR
2009-06-30 11:17 . 2008-12-10 16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 17:26 . 2009-06-29 17:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-06-29 15:54 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-06-29 15:54 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-29 15:54 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-06-29 15:53 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2009-06-29 15:53 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-29 15:53 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-06-29 15:38 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-29 14:42 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-06-29 14:41 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-06-29 13:18 . 2007-03-14 00:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-29 13:16 . 2006-11-02 12:35 -------- d-----w- c:\program files\Microsoft Games
2009-06-29 13:00 . 2007-03-14 00:57 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-28 10:44 . 2008-05-28 18:07 -------- d-----w- c:\programdata\avg8
2009-06-24 14:04 . 2009-03-26 14:26 -------- d-----w- c:\users\steven\AppData\Roaming\gtk-2.0
2009-06-23 11:56 . 2007-03-14 00:57 -------- d-----w- c:\program files\Microsoft Works
2009-06-22 11:08 . 2007-07-16 06:59 8160 ----a-w- c:\users\steven\AppData\Local\d3d9caps.dat
2009-06-17 10:27 . 2008-12-10 16:49 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27 . 2008-12-10 16:49 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-07 08:01 . 2007-04-14 16:11 -------- d-----w- c:\users\chubby\AppData\Roaming\LimeWire
2009-06-05 10:29 . 2008-08-07 00:22 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-06-05 10:29 . 2008-08-07 00:22 -------- d-----w- c:\program files\AVS4YOU
2009-06-02 12:34 . 2009-01-20 13:21 -------- d-----w- c:\program files\Lavasoft
2009-06-02 12:34 . 2007-06-21 09:30 -------- d-----w- c:\programdata\Lavasoft
2009-06-02 11:10 . 2007-03-14 00:50 -------- d-----w- c:\programdata\Roxio
2009-06-02 10:47 . 2007-12-20 11:06 -------- d-----w- c:\users\steven\AppData\Roaming\uTorrent
2009-06-01 10:33 . 2009-06-01 10:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-01 10:28 . 2008-12-10 23:38 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-01 10:12 . 2009-06-01 10:12 -------- d-----w- c:\programdata\Sunbelt
2009-05-31 11:24 . 2009-05-31 11:24 -------- d-----w- c:\program files\Trend Micro
2009-05-30 17:33 . 2007-03-16 16:12 778 ----a-w- c:\users\steven\AppData\Roaming\wklnhst.dat
2009-05-20 22:51 . 2009-05-20 22:51 -------- d-----w- c:\users\chubby\AppData\Roaming\GRETECH
2009-05-18 17:38 . 2009-05-18 17:38 -------- d-----w- c:\users\steven\AppData\Roaming\Uniblue
2009-05-18 14:50 . 2009-05-18 14:50 2967799 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-24 16:05 . 2009-06-20 10:07 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-20 10:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-20 10:07 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-20 10:07 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2008-01-05 18:08 . 2008-01-05 18:06 80 --sha-r- c:\windows\System32\41C336709D.dll
2007-06-30 18:34 . 2007-06-10 15:08 88 --sha-r- c:\windows\System32\63F43ECA55.sys
2007-06-30 18:34 . 2007-06-10 15:08 3506 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-03-14 08:27 . 2007-03-14 08:26 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 13:02 . 2009-07-02 06:50 65238 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-03-16 11:53 . 2009-07-02 06:50 28486 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2478390336-1506789915-2723413947-1000_UserData.bin
+ 2007-03-16 11:47 . 2009-07-02 06:46 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-03-16 11:47 . 2009-07-01 15:24 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-03-16 11:47 . 2009-07-02 06:46 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-16 11:47 . 2009-07-01 15:24 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-16 11:47 . 2009-07-01 15:24 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-03-16 11:47 . 2009-07-02 06:46 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-01-10 21:15 . 2009-01-10 21:15 29926 c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2009-07-01 18:11 . 2009-07-01 18:11 29926 c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2009-07-01 15:23 . 2009-07-02 06:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-07-01 15:23 . 2009-07-01 15:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-07-01 15:23 . 2009-07-02 06:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-01 15:23 . 2009-07-01 15:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 15:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-09 959976]
"MSConfig"="c:\windows\system32\msconfig.exe" [2008-01-19 227840]
"PKR Pal"="c:\program files\PKR\pkrpal.exe" [2009-06-30 2346088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-01 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-08 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-08 81920]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-02-08 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2478390336-1506789915-2723413947-1000]
"EnableNotificationsRef"=dword:00000004

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)


Re: possible malware problem?

Post by dingdandoo on 2nd July 2009, 7:11 pm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A1500816-CCD4-4FA5-B76A-43FA30F5AF9D}"= UDP:c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe
"{936A4CEF-1F4D-48BF-B8E8-46B3CB11E1D2}"= TCP:c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe
"{FE92EC84-6EDD-4601-8DB8-0EA078D942AE}"= UDP:c:\program files\Grisoft\AVG Free\avgamsvr.exe:avgamsvr.exe
"{7E3F38D0-992F-48FF-83A3-E6ACBBB1334F}"= TCP:c:\program files\Grisoft\AVG Free\avgamsvr.exe:avgamsvr.exe
"{2F0B0DAA-0C98-44F7-8E3E-B167E16C1D36}"= UDP:c:\program files\Grisoft\AVG Free\avgcc.exe:avgcc.exe
"{952BB71B-9C91-4C79-B841-6CC26896AF02}"= TCP:c:\program files\Grisoft\AVG Free\avgcc.exe:avgcc.exe
"{CF17122B-C2DC-4003-AD51-E38F5DD3A8F3}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{43B4FE5E-A35C-42DD-9104-E7F46B51E470}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{3A25364A-1E94-4E25-BB3E-825531804BE0}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{47C6BC9E-D305-4226-8A02-6BEF3DB853A5}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{616B929E-BBE3-4A0D-B542-5714045FA654}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{561491F4-2307-4B91-A0F9-D3F134A2B2B5}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C66A02AB-3363-49E1-8B88-D71B2713272B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9DAE95AE-BFF2-4391-8121-6505EAB7D258}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B51033C1-52C9-421B-9D5E-046CC46E20DD}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{40745C7E-841A-45A5-B331-9BFE1387DFB2}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{539357B6-D147-45F5-A967-823F31210801}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{77649BAC-ECD0-4A61-AFD4-89DCABB47A3E}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 szkg5;szkg;c:\windows\System32\drivers\SZKG.sys [12/12/2007 1:28 PM 30208]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [6/28/2009 11:46 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [6/28/2009 11:46 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/28/2009 11:44 AM 298776]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\System32\drivers\s115mdfl.sys [4/23/2007 1:54 PM 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\System32\drivers\s115mdm.sys [4/23/2007 1:54 PM 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s115mgmt.sys [4/23/2007 1:54 PM 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\System32\drivers\s115obex.sys [4/23/2007 1:54 PM 98568]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\w300mgmt.sys [3/16/2007 7:03 PM 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\System32\drivers\w300obex.sys [3/16/2007 7:02 PM 85696]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2/22/2007 7:39 PM 2808664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-07-02 c:\windows\Tasks\User_Feed_Synchronization-{1DFEA306-C0E8-4072-80CC-2A847A29AA5D}.job
- c:\windows\system32\msfeedssync.exe [2008-09-15 07:33]

2009-07-02 c:\windows\Tasks\User_Feed_Synchronization-{378FC4FB-AC9A-4968-BFF3-D0FD99701AD2}.job
- c:\windows\system32\msfeedssync.exe [2008-09-15 07:33]

2009-07-02 c:\windows\Tasks\User_Feed_Synchronization-{9B8571A5-D99F-405F-8499-8AAD102A1E2D}.job
- c:\windows\system32\msfeedssync.exe [2008-09-15 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.15\AMVConverter\grab.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.15\MediaManager\grab.html
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - [You must be registered and logged in to see this link.]
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: pwsforums.com\www
FF - ProfilePath - c:\users\steven\AppData\Roaming\Mozilla\Firefox\Profiles\5cv9ex7j.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmidas.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\Npindeo.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\users\steven\Picassa\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\users\steven\Picassa\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-02 08:27
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-07-02 8:34
ComboFix-quarantined-files.txt 2009-07-02 07:34
ComboFix2.txt 2009-07-01 18:00
ComboFix3.txt 2009-06-02 11:39

Pre-Run: 17,837,096,960 bytes free
Post-Run: 17,683,083,264 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=19 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
393 --- E O F --- 2009-06-29 15:03

dingdandoo
Intermediate

Posts : 77
Joined : 2008-12-10
OS : windows vista home basic
Points : 29669
# Likes : 0

Re: possible malware problem?

Post by Origin on 2nd July 2009, 7:13 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31503
# Likes : 0

Re: possible malware problem?

Post by dingdandoo on 2nd July 2009, 7:54 pm

Thanks for your help, Origin and Belazhur. No malware was found in the scan; here is the log:
Malwarebytes' Anti-Malware 1.38
Database version: 2365
Windows 6.0.6001 Service Pack 1

02/07/2009 20:53:55
mbam-log-2009-07-02 (20-53-55).txt

Scan type: Quick Scan
Objects scanned: 102592
Time elapsed: 16 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: possible malware problem?

Post by Origin on 2nd July 2009, 7:58 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u
This will also reset your restore points.

How is the machine running now?




Re: possible malware problem?

Post by dingdandoo on 3rd July 2009, 1:10 pm

Thanks for your help guys, everything is working OK. Just one problem, which is not a malware problem, is with my computer: I am using a Dell machine, and most of the time in the past week when I turn it on the power button stays orange. I then turn off the computer and for some reason it comes back on. Any idea why that is?

